What it is: A mapping between the HITRUST CSF requirements and the AICPA Trust Services Categories and Criteria has been developed and made available so that a service organization can tell users of its system whether the controls relevant to security, availability and confidentiality are suitably designed and operating effectively to meet both the applicable trust services criteria (TSC) and the HITRUST CSF requirements. In a single report, the service organization can communicate the processes and procedures it uses to meet the HITRUST CSF in addition to the applicable TSC, which increases transparency and gives report users better information for decision making.
SOC 2 + HITRUST CSF + CSF Certification: This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report and a HITRUST CSF certification.
Attribute | SOC 2 | HITRUST Certification | SOC 2 + HITRUST CSF
---|---|---|---
Framework | AICPA TSC | HITRUST CSF | AICPA TSC and HITRUST CSF
Requires HITRUST scoping factors | No | Yes | Yes
Independent third party examiner | CPA firm | HITRUST CSF Assessor | CPA firm with valid licensure
Governing body for the report | AICPA | HITRUST Alliance | AICPA
Who prepares the report? | CPA firm | HITRUST Alliance | CPA firm
Incorporates SOC 2 Trust Services Criteria (TSC) | Yes | No | Yes
Allows Type 1 (point in time) examination option | Yes | Yes | Yes
Requires a risk rating to be established for controls | Yes | No, but Corrective Action Plans are issued | Yes
Reports control gaps (exceptions) | Yes (Type 2) | Yes (Type 2) | Yes (Type 2)
Allows for Corrective Action Plans | No | Yes | Yes
Requires a full scope examination each year | Yes | No (interim review within year 1) | Yes
Length of attestation | 1 year | 2 years, plus an interim review within 1 year | 1 year

The fourth option, a SOC 2 + HITRUST CSF report combined with HITRUST CSF certification, carries the attributes of the SOC 2 + HITRUST CSF column plus those of the HITRUST Certification column. Please contact us if you are considering this reporting option.
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks of potential loss to the organization, but also to drive solutions that add value, and to advise on opportunities that keep disruption to your business to a minimum.
To learn more, visit our dedicated IT Risk Advisory page.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and business advisory services to public and private companies, not-for-profit organizations and global companies. We also offer Internal Audit; Technology Consulting; Software Solutions; Personal Financial Services; Retirement Plan Solutions and Corporate Finance Services. Schneider Downs is the 13th largest accounting firm in the Mid-Atlantic region and serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.