CSF to Support SOC 2 Reporting
Ken Vander Wal, CPA, CISA, HCISPP
Chief Compliance Officer, HITRUST
ken.vanderwal@hitrustalliance.net
Agenda
- Introduction to SOC Reporting
- SOC 2 and HITRUST CSF
- AICPA and HITRUST Collaboration
- SOC 2 and HITRUST CSF Reporting
- Engagement Considerations
- Questions
Introduction to SOC Reporting
Three types of SOC report:
- SOC 1 (SSAE 16), which replaced SAS 70
- SOC 2: restricted-use report based on the AICPA Trust Services Principles and Criteria
- SOC 3: general-distribution report
SOC 2 is a reporting framework; the HITRUST CSF is a security framework.
HITRUST CSF vs SOC 2

HITRUST CSF
- Owned by HITRUST
- Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements
- Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI)
- Two major components: information security implementation requirements, and mapping and regulations
- Updated annually; currently Version 7
- https://hitrustalliance.net/hitrust-csf/

SOC 2
- Owned by the American Institute of Certified Public Accountants (AICPA)
- Designed to provide information on processes and controls at a service organization, together with an independent service auditor's opinion
- Processes do not have to be related to financial statement processing, unlike SOC 1 (ISAE 3402 / SSAE 16)
- Criteria updated in early 2014, except for privacy, which is currently being updated
- http://www.aicpa.org/interestareas/frc/AssuranceAdvisoryServices/Pages/SORHome.aspx
HITRUST CSF vs SOC 2 (continued)

HITRUST CSF
- CSF framework: 14 Control Categories, 46 Control Objectives, 149 Control Specifications
- Risk factors drive control specification implementation requirements (up to 3 levels)
- Must meet all requirement specifications based on risk factors
- Assurance program: self-assessments; third-party assessments (Certified, Validated)

SOC 2
- Trust Services Principles: Security, Availability, Confidentiality, Privacy, Processing Integrity
- Select principles based on expected user needs
- Must then address ALL criteria for the selected principles
- Type 1: design
- Type 2: operating effectiveness
What Does SOC 2 / HITRUST Give Users?

SOC 2
- Management assertion
- Independent service auditor's report:
  - Description fairly presents the in-scope services
  - Controls suitably designed to meet in-scope criteria
  - Controls have operated effectively to deliver criteria (Type 2)
- Description of system
- Description of controls, tests and results of tests

HITRUST CSF
- Certified/validated report issued by HITRUST based on the work of independent third-party assessors
- Business/functional/organizational units that meet the associated criteria
- Assessment context and scope of systems included in the assessment
- Breakdown of CSF control areas with a comparison to industry, including maturity scores
- Testing summary, corrective action plans and completed questionnaire
Benefits of Combining SOC 2 & CSF Assurance
- Leverage the HITRUST CSF controls in SOC 2 engagements
- Realize significant time efficiencies and cost savings through synergies between the HITRUST CSF controls and the Trust Services Principles and Criteria
- Reduce the inefficiencies and costs associated with multiple reporting requirements
- Increase transparency and communicate to stakeholders through a single deliverable
- Service organizations' controls can be considered both from the SOC 2 criteria and the HITRUST CSF
Press Release
http://www.aicpa.org/press/pressreleases/2015/pages/newaicpaandhitrustillustrativereportwillhelpcpas.aspx
AICPA and HITRUST Collaboration
Collaborated to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting. Work products include:
- Mapping of the CSF to the Trust Services Principles and Criteria (Security, Confidentiality, Availability)
- SOC 2 + HITRUST reporting template
- Practitioner document with frequently asked questions
HITRUST CSF & Trust Services Criteria Mapping
(Slide graphic of the mapping; not reproduced in this text.)
Types of Reports
- HITRUST CSF Certification: organizations can obtain a HITRUST CSF certification report through an assessment by a HITRUST-approved assessor and issuance of the certification report by HITRUST
- SOC 2 only: organizations that may have adopted the HITRUST CSF framework but have NOT requested their service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
- SOC 2 + HITRUST CSF: the service auditor's report expresses an opinion on the fairness of presentation of the description and the suitability of design and operating effectiveness of controls based on 1) the Trust Services Principles and Criteria relevant to Security, Availability and Confidentiality, and 2) the HITRUST CSF
- SOC 2 + HITRUST CSF + CSF Certification: organizations that have engaged a service auditor to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF certification can obtain one combined report
HITRUST: One Framework
HITRUST + SOC 2 Reporting Template
Report sections:
- Management assertion
- Independent service auditor's report
- Entity's description of its system
- Trust Services Principles / HITRUST CSF controls tested and results of tests
- Mapping of applicable Trust Services Principles and Criteria to the HITRUST CSF
- HITRUST CSF certification report
Draft of Opinion Wording
    In our opinion, in all material respects, based on the description criteria identified in Example Health Service Organization's assertion and the applicable trust services criteria and CSF criteria,
    a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1;
    b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and CSF criteria would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1
Examples of FAQs
- Is inclusion of the mapping mandatory in a SOC 2 + HITRUST CSF report?
- One of the requirements of an attestation engagement under AT section 101 is that the criteria used to assess the subject matter be suitable. Does the HITRUST CSF meet the definition of suitable criteria as defined by the AICPA?
- Should the maturity of control attributes (for example, the HITRUST maturity characteristics of measured and managed) be assessed when performing a SOC 2 + HITRUST CSF engagement?
- In a SOC 2 + HITRUST CSF report, how does a modified opinion related to the applicable trust services criteria affect the opinion related to the HITRUST CSF requirements, and vice versa?
- How are exceptions addressed in a SOC 2 + HITRUST CSF report?
- Can any CPA issue a SOC 2 + HITRUST CSF report or a SOC 2 + HITRUST CSF + CSF certification report? Must the CPA also be an approved HITRUST CSF assessor to perform either a SOC 2 + HITRUST CSF engagement or a SOC 2 + HITRUST CSF + CSF certification engagement?
- Are there licensing considerations when a CPA uses the HITRUST CSF in an engagement, including a SOC 2 + HITRUST CSF engagement?
Engagement Considerations
- Performance of SOC 2 engagements by CPA firms
- Performance of HITRUST CSF certification engagements by approved HITRUST assessors
- Licensing considerations: AICPA; HITRUST CSF
- AICPA and HITRUST periodically issue new versions of the Trust Services Principles and the HITRUST CSF, respectively
- For a SOC 2 opinion on adoption of the HITRUST CSF, all control requirements must be addressed; HITRUST CSF certification is based on a subset of the controls
Downloadable Engagement Resources (1)
- Practitioner guidance and FAQs: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/hitrust_faq.pdf
- SOC 2 + HITRUST CSF + CSF illustrative report: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc_2_hitrust_csf_report.pdf
- Mapping of HITRUST CSF to Trust Services Principles: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc_ii_to_hitrust_mapping.xlsx
Downloadable Engagement Resources (2)
- HITRUST CSF Version 7: https://www.hitrustalliance.net/csf-license-agreement/
- HITRUST CSF Assurance and related programs: https://www.hitrustalliance.net/csf-assurance-related-programs/
- HITRUST CSF approved assessors: https://www.hitrustalliance.net/csf-assessors/
Visit www.hitrustalliance.net for more information. To view our latest documents, visit the Content Spotlight.

Thank You! Questions?