YOUR MONEY: SOC 2 or HITRUST - assessing your organization’s data security risk (2024)

Data has become the most important asset for many organizations, so sharing that data in any capacity can bring significant risk. Businesses and organizations that share, process, or store data for others understand the growing challenges of building a trusted relationship.

To help bring confidence to those you serve, System and Organization Controls (SOC) 2 and HITRUST assessments are recognized across many industries as ways to demonstrate quality, security, and privacy practices. But which framework is right for you, and what are the differences?


SOC 2 reports are designed to provide the clients or customers of a service organization with reasonable assurance that the organization's description of its system is fairly presented and that its controls are suitably designed and, in a Type 2 report, operating effectively. The description of the system is prepared and evaluated against the AICPA's "description criteria," which set out what a SOC 2 system description must cover.

The controls themselves are evaluated against the American Institute of Certified Public Accountants' (AICPA) "trust services criteria," which address security, availability, processing integrity, confidentiality, and privacy and ask whether the controls were adequately designed and operated effectively over the period covered by the report. The description criteria and the trust services criteria are the two frameworks that must be used in a SOC 2 examination.


SOC 2 reports are issued under the AICPA's Statements on Standards for Attestation Engagements (SSAE) as assertion-based examination engagements. Only CPA firms may issue them, and they must follow specific AICPA attestation rules when conducting a SOC 2 engagement.

HITRUST CSF certifications are issued by the HITRUST Alliance. The HITRUST CSF was originally developed to help the health care industry manage information security and privacy risks, but it is now used across a broad range of industries. The reporting framework for a HITRUST certification is the HITRUST CSF Assurance Program, and the deliverable is the HITRUST Validated Assessment Report.

So, what are the differences between SOC 2 and HITRUST?

A SOC 2 examination covers the description criteria and up to five trust services criteria categories. The security category, also known as the common criteria, is the only one that is required. The other four are included as applicable to the needs of the service organization's customers and clients.

The scope of a HITRUST assessment is determined by how an organization answers a set of organizational, technical, and regulatory questions. The responses are used to scope and build a custom assessment made up of specific requirement statements.

HITRUST requirement statements are organized into 19 domains designed to align with the structure of common security and risk management programs. One scoping question that greatly affects the size of a HITRUST assessment is the number of health-related records the organization holds.


During a Validated Assessment, an organization scores each in-scope requirement statement across five maturity levels (policy, procedure, implemented, measured, and managed), and the external assessor validates those scores.

Despite the common misconception, SOC 2 is not a certification. A SOC 2 is an independent auditor's report containing an opinion issued by a CPA firm. The opinion can be unqualified, qualified, or adverse, similar to a financial audit opinion. Even an unqualified opinion can have deviations or exceptions noted in the results of the tests performed by the auditor, so readers should review the test results and not just the opinion. A SOC 2 examination is typically performed every year and covers the full scope of the applicable trust services criteria.

The result of a HITRUST Validated Assessment can be a certification — which is the goal for most organizations — or just the Validated Assessment report. The HITRUST certification is issued by HITRUST and not the external assessor firm.


To obtain the certification, an organization does not need a perfect score across all requirement statements but needs to have an average score over a certain threshold on each of the 19 domains. For scores that fall below the threshold on specific requirement statements, a Corrective Action Plan may need to be documented to address the gap and improve the score going forward.

If a certification is achieved, it is valid for two years, subject to a few conditions. During the second year, an external assessor performs an interim assessment that tests a random selection of requirement statements and confirms that sufficient progress has been made on any Corrective Action Plans.

Choosing an independent assessment to better understand your risk and to demonstrate quality, security, and privacy practices can be a challenging task. Start by assessing your contractual requirements with customers and clients to see if there is a specific type of assessment included. Consider your industry and the various applicable regulatory requirements for which you may have to demonstrate compliance.


For organizations storing or processing electronic health information, HITRUST may be the best option. For organizations that serve a broad range of industries, or that operate in a regulated sector such as financial services or government, SOC 2 may better meet their needs. The two assessments differ in cost and level of effort, so it is important to consider your budget and the size of your organization.

For more information on data security risks in the Northeast, contact Phillip Del Bello at phillip.delbello@CLAconnect.com or 410-308-8181. For more information about CliftonLarsonAllen LLP, visit CLAconnect.com.
