Menu
Outsourcing

Home / Services  / Outsourcing / SOC & HITRUST Reporting

SOC & HITRUST Reporting

SOC Reporting

SOC abbreviates for System and Organization Controls (as mandated by SSAE18). An SOC Report is a verifiable auditing report and a compendium of safeguards built within the control base of the data in an organization and is also a check if those safeguards work or not. If you are an organization which is regulated by the law, then you must be asking your suppliers/vendors to provide a SOC report, as it becomes more critical for those suppliers which you consider to be dealing with the high-risk operations of your business.

Compliance Standards mandating SOC Reports during the years:

  • SAS 70 (superseded by SSAE 16)
  • SSAE 16 (superseded by SSAE 18)
  • SSAE 18 (currently in place)

Types of SOC Reports

SOC 1 report checks for a company's internal control over financial reporting. It is the audit of a third-party vendor’s accounting and financial controls which impact the user entity.

SOC 2 deals with the checking of the controls of a service organization over, one or more of the ensuing Trust Service Criterias (TSCs):

  • Privacy
  • Confidentiality
  • Processing Integrity
  • Availability
  • Security (mandatory criteria)

SOC 3 is a summarized report of the SOC 2 Type II report and is designated to be a less technical and less detailed audit report with a seal of approval which could be put up on the vendor's website for public display.

Classification of SOC 1 and SOC 2 Reports

Type I - This pertains to the audit taken place on a particular point of time, that is, at a specific single date and confirms that the controls exist.

Type II - A Type II report is more rigorous and is based on rigorous testing of controls over a duration of time and are generally more reliable as they pertain to the efficiency and effectiveness of controls over a more extended period of time taken into consideration.

Types of Testing performed by us based on Sampling Method:

  • Administrative Items
  • Change Management Testing
  • New/Existing/Terminated Employee Testing
  • Admin Access Testing
  • SOC Memos (Mostly based on the SOC 1, Type II Reports already prepared by CPA firms based in US and provided to us by the client, we then prepare the Memos as per the defined format)

HITRUST CSF Reporting

WHAT & WHY? - HITRUST Common Security Framework defines and prescribes a specific prescriptive set of controls that meet the requirements of multiple regulations and standards. The HITRUST framework provides a way to comply with standards such as ISO / IEC 27000 series and HIPAA. It incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards which organizations utilize to demonstrate their security and compliance in a consistent and streamlined manner.

HOW? - HITRUST CSF is a comprehensive and a certifiable framework, that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data from/within their systems.

Regulator? - Governed by an Executive Council and led by a management team comprising leaders from across various industries.

Types of Policy/Procedures Testing performed by us:

  • Readiness Assessment – This is somewhat like a pre-check assessment which an entity pursues while getting ready for a Validated Assessment. We check the policies/procedures to make sure the assessed organization adheres to the defined policies and have appropriate procedures in place to comply with the policy.
  • Validated Assessment – This comprehensive assessment provides an entity with HITRUST Certification, which says that the entity is complying with various security baselines as given by HITRUST CSF and has appropriate policies/procedures in place for various Security & Privacy Regulations. This is performed by HITRUST Certified External Assessor, i.e., a Certified CSF Practitioner (CCSFP).

HITRUST Documentation Upload – This is done by uploading the testing evidences at the HITRUST Portal and further submitting the Assessment Object online for Certification. Then, the HITRUST reviews the assessment and provides a Certification to the assessed entity if all the compliance requirements are found adequate.