Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books

SOC 2? HITRUST? Which of these 7 third-party assurance audits should you choose?

Nov 20, 2019

By: Karen Johnston, Durward J. Ferland, Jr.

If you’re a service provider, you’ve probably been asked by your customers to perform different types of assessments, audits and checklists.

Although you want to meet your customers’ third-party assurance demands, it can be confusing to determine which assurance audit to perform. Can you consolidate these requests and pare down your compliance efforts? Is there a one-size-fits-all assessment? How do you even get started?

With quite a few assurance audit options to choose from, getting started means first understanding these options, their benefits and their costs. We cover the top seven options below:

1. SOC 1

When it comes to System and Organization Controls (SOC) audits, it all boils down to whether you handle or store data on behalf of your customers. If you do, it’s recommended to perform at least one of the SOC audits.

The SOC 1 audit helps a service organization examine and report on its internal controls relevant to its customers’ financial statements. If your customers also want an in-depth look at your IT controls, you can incorporate General IT Controls (GITC) into your SOC 1 audit.

SOC 1 pros: For the services you provide that affect your customers’ financial statements, you will demonstrate to them the design, fairness and operating effectiveness of your internal controls. A SOC 1 is the industry standard for third-party service providers who perform financial processing on behalf of their customers.
SOC 1 cons: A SOC 1 audit does not have a standard scope, so a customer needs to read the audit report to determine if the controls that they require are included.

2. SOC 2

This brings us to SOC 2 audits. SOC 2 differs from SOC 1 in that the SOC 2 audit’s scope is based on the criteria that the service organization selects: security (required in all SOC 2 audits), availability, processing integrity, confidentiality and/or privacy. Undergoing a SOC 2 audit helps a service organization examine and report on its internal controls relevant to those five criteria as they relate to customer data.

With SOC 2, you can determine which of those criteria cover the scope of the services your customers are looking for assurance on. This includes IT controls.

SOC 2 pros: It can be tailored to fit your environment, and there is flexibility in the controls you implement to meet the criteria. You can also have an opinion included on another assessment type/audit. Like SOC 1, a SOC 2 audit is an industry-standard assurance audit for third-party service providers.
SOC 2 cons: If you have multiple services and one of them affects your customers’ financial statements, you may also need a SOC 1 audit.

3. SOC for Cybersecurity

SOC for Cybersecurity was developed in 2017 by the American Institute of Certified Public Accountants (AICPA). Their goal was to standardize reporting on the effectiveness of an organization’s cyber risk management controls. SOC for Cybersecurity provides information to the clients of a service organization about the performance of that service organization’s cybersecurity risk management program, giving clients assurance that their data is being protected by adequate controls.

SOC for Cybersecurity pros: It can be performed at any organization, not just at service providers. It provides an extra level of confidence in your organization’s cybersecurity controls as they are audited by an independent CPA firm, and gives you an audit opinion based on a recognized standard.
SOC for Cybersecurity cons: Newly introduced by the AICPA, SOC for Cybersecurity is still gaining traction and is not yet as popular as SOC 1 and SOC 2.

4. HITRUST

HITRUST is a comprehensive security and privacy program. With HITRUST certification, you can include security and privacy along with other regulatory factors that your customers are looking for assurance on.

HITRUST pros: HITRUST isn’t just for the healthcare industry anymore. Any organization, including service providers, can also use it for assurance purposes. It’s a two-year certification with an interim assessment in between, so it’s not an annual event like a SOC audit. Plus, when you become HITRUST certified, you also receive a NIST certification letter.
HITRUST cons: On the years you are up for recertification, the cost is generally higher than a SOC audit. HITRUST audits also have a larger number of defined requirements. First-year costs to get prepared for certification can be daunting, and there tends to be a larger time commitment.

5. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed for organizations that accept, process, store or transmit credit card data. It helps organizations ensure they are maintaining a secure environment.

PCI DSS pros: Formal validation is not mandatory for all organizations. The assessment level of effort is based on the volume of credit card transactions, so performing this assurance doesn't always have to be a heavy lift. It can also be done at any organization, not just at service providers.
PCI DSS cons: Fines can be levied for not being in compliance.

6. ISO 27001

ISO 27001 is an internationally recognized certification that provides requirements around your information security management system (ISMS), ultimately helping you create a high-quality system. It’s set by the International Organization for Standardization (ISO).

ISO 27001 pros: It’s internationally known, and it gives you an opportunity to improve internal processes. It can be done at any organization, not just at service providers.
ISO 27001 cons: It provides a management standard for managing security, not for implementing security. You may need an additional certification to satisfy customer demands for third-party assurance.

7. NIST

Created by the National Institute of Standards and Technology (NIST), these are a set of information system security standards that help federal agencies (and other organizations) meet the requirements of the Federal Information Security Management Act (FISMA).

NIST pros: When followed, NIST helps organizations ensure they have appropriate security controls in place. It lays out a plan to help organizations comply with other regulations (such as HIPAA, SOX and FISMA) and meet other frameworks (such as SOC 1, SOC 2 and HITRUST). It can also be done at any organization, not just at service providers.
NIST cons: There is no certification from the National Institute of Standards and Technology (NIST) regarding security, but there are some related assessments to show compliance (e.g., FISMA, MARS-E, Fedramp). HITRUST offers their own branded NIST certification, but it is not an official NIST-sanctioned designation/certification.

Which assurance audit is right for you?

So which audit, assessment or certification should you pursue? It all depends on:

What industries you are in.
Who’s asking you for assurance and what types they are asking for.
Whether you have a strong relationship built with your customers to enable an open and honest conversation that determines a mutually agreeable plan.
Whether you can find one audit/assessment that meets all of your customers’ needs.

What we recommend at Wipfli is talking internally with your team to discuss all of your customers’ assurance demands and then bring in an outside compliance expert to help you go through your options and make the best decision on which audit/assessment to perform.

By understanding your options and using the input you’ve collected from your customers, you can make a decision based on the costs and benefits. Then you can go back to your customers and have those open and honest conversations with them on the ways the single audit you’ve chosen can satisfy their needs.

If you need assistance choosing which audit/assessment to perform, contact us. We have deep experience performing assurance audits, especially SOC and HITRUST. We can also help you strengthen your internal controls before performing an audit, setting you up for success.

HITRUST vs SOC 2: Leveraging the best path to assurance

The business associate’s path to HITRUST CSF Certification

SOC 1 vs SOC 2: What’s the difference?

What will my first SOC audit be like?

Author(s)

Karen Johnston, CCSFP, CIA, CISA, CCSFP-CHQP
Principal
View Profile

Durward J. Ferland, Jr., CISA, CISM, CRISC
Principal
View Profile

INSIGHTS

Healthcare Connections: Strategic planning 2.0 – building an implementation road map for organization success

11/21/2023

By: Tara Cohn, Sydney Diekmann, Robert H. Zondag...

NAIC cybersecurity model rule implementation

11/19/2023

By: Greg Foster, Tom Wojcinski

Elevate your Sage Intacct: Q4 2023

11/11/2023

Read All Wipfli Insights

EVENTS

12/20/2023 12:00 PM

Achieving a seamless close to 2023 and renewed focus for 2024

1/9/2024 1:00 PM

Webinar: Streamlining grant management for tribal organizations

View All Wipfli Events

News

11/13/2023

Wipfli survey results show manufacturers’ optimism

10/10/2023

Wipfli furthers DEI goals with Disability:IN partnership

1/19/2023

New research shows state of credit unions as 2023 starts

Read All Wipfli News

© 2022 Wipfli LLP. "Wipfli" refers to Wipfli LLP, a Wisconsin limited liability partnership, and its subsidiaries. Assurance, tax and consulting services are offered through Wipfli LLP. Investment banking and related services are offered through Wipfli Corporate Finance LLC. Wipfli LLP is a member of Allinial Global, an association of legally independent firms. ”Wipfli CPA” is the DBA name of Wipfli LLP in New York state, and refers to Wipfli LLP.