Make A Payment
Client Portal
Contact us
Contact us

HITRUST

HITRUST CSF Reporting
Deliver sound risk management practices, internal control systems and compliance frameworks.

SOC 2 + HITRUST CSF Report

What it is: A mapping between the HITRUST CSF requirements and AICPA’s Trust Services Categories and Criteria has been developed and made available to enable service organizations to provide information to users of their system about whether controls relevant to security, availability and confidentiality are suitably designed and operating effectively to meet the applicable trust services criteria (TSC) and HITRUST CSF requirements. This enables the service organization to communicate information about the processes and procedures it uses to meet the HITRUST CSF, in addition to the applicable TSC. This increases transparency and provides information for decision making.

Benefits:

  • SOC 2 engagements are performed under the professional standards of the AICPA
  • It is substantially less expensive than obtaining a validated report and certification from HITRUST
  • It is often the preferred method of compliance reporting from organizations that perform third-party risk assurance activities
  • Each organization’s risk appetite is unique to them, so they decide to determine what level of third-party assurance is necessary. If you’re not sure whether your customers accept the SOC 2 + HITRUST CSF Report, ask your customers whether it will be sufficient to give them appropriate assurance of your controls.

HITRUST CSF Validated Report and Certification

  • This option is used when a service organization wants to provide its stakeholders with a HITRUST CSF certification report but does not choose to provide them with a SOC 2 report. This engagement is performed by an approved HITRUST CSF assessor based on the HITRUST CSF requirements. The engagement consists of an assessment that is submitted to HITRUST for evaluation. If the service organization controls meet the HITRUST CSF requirements based on a determination by HITRUST, the result is the issuance of a certification report by HITRUST.

Benefits:

  • Validation is performed against all 135 control references
  • Assessment requirements are assessed based on the 5 PRISMA-based maturity levels (Non-Compliant, Somewhat Compliant, Partially Compliant, Mostly Compliant, Fully Compliant)
  • You receive a validated certification report, based on the assessor and HITRUST’s evaluation and determination.

SOC 2 + HITRUST CSF + CSF Certification

What it is: This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report in addition to a HITRUST CSF certification.

AttributeSOC 2HITRUST CertificationSOC 2 + HITRUSTSOC 2 + HITRUST CSF + CSF Certfication
FrameworkAICPA TSCTesA/C/P TSC and HITRUST CFS+ CertificationThis reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report in addition to a HITRUST CSF certification. Please contact us if you are considering this reporting option.
Requires HITRUST scoping factorsNOCSF AssesorYes
Independent third party examinerCPA FirmHITRUST AllianceCPA Firm with valid licensure
Governing body for the reportAICPAHITRUST AllianceAICPA
Who prepares the report?CPA FIRMNoYes
Incorporate SOC 2 Trust Services Criteria (TSC)YesNoYes
Allows Type 1 (point in time) explanation optionYesYesYes
Requires a risk rating to be established for controlsYesNo, but CorrectiveAction Plans are issuedYes
Reporting control gaps (exceptions)Yes (Type 2)Yes (Type 2)Yes (Type 2)
Allow for Corrective Action PlansNoNoYes
Requires a full scope examinations each yearYesYesYes
List of attestation1 year2 years, plus an interim review within 1 year1 year

About Schneider Downs IT Risk Advisory 

Schneider Downs’ team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.  

To learn more, visit our dedicated IT Risk Advisory page. 

Cybersecurity Resources

View our additional IT Risk Advisory services and capabilities

Learn More
Contact us

Our Thoughts On

Who Owns Your DNA Now? 23andMe's Bankruptcy Raises Privacy Concerns

What does 23andMe’s bankruptcy and potential sale mean for your genetic data? 23andMe was once a leading genetic testing company,…

Read More >
Turning Threats to Stone: CISA and FBI Issue Alert on Surging Medusa Ransomware Attacks

Beware the Ides of March… or in this case, suspicious emails if you’re one of the 1.8 billion Gmail accounts…

Read More >
Our Thoughts on the IIA's Cybersecurity Topical Requirement

The Institute of Internal Auditors (IIA) has taken a significant step forward with the release of the Cybersecurity Topical Requirement…

Read More >
How Scammers Are Using AI to Enhance Family Emergency Scams – What You Need to Know

Family emergency scams are on the rise and evolving thanks to AI. Who makes phone calls nowadays anyway? Scammers, that’s…

Read More >
Understanding and Mitigating Fraud Risk Amid Employee Layoffs

How can organizations prepare for and reduce the increased risk of fraud during employee layoffs? Layoffs are sometimes necessary for…

Read More >
Subscribe For Updates
Receive all the latest insights and industry tips.  

Email us: [email protected]

Follow Us:
Facebook-f Linkedin-in

Office Locations

Pittsburgh

One PPG Place,
Suite 1700
Pittsburgh, PA 15222

p:
412.261.3644
f:
412.261.4876
Columbus

65 East State Street,
Suite 2000
Columbus, OH 43215

p:
614.621.4060
f:
614.621.4062
Metropolitan Washington

1660 International Drive,
Suite 600
McLean, VA 22102

p:
571.380.9003

Links

Inside Public Accounting Best of the Best 2024
Accounting Today Top 100 2024
Accounting Today Regional Leaders
Best Of Accounting Diamond Award

Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and consulting services to public and private companies, not-for-profit organizations and global companies. We also offer risk advisory, transaction advisory, digital consulting, wealth management, retirement plan solutions and investment banking services. Schneider Downs serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), metropolitan Washington (DC) and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.

© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.

Breached?

Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.