It's Tuesday, and it's time for our TPRM Tuesday posting. Today we will be discussing the additional control frameworks that a service organization can choose to include in its SOC 2 audit based on its target client base. You may already have started receiving new SOC 2 reports that include testing against other frameworks, such as HITRUST or ISO 27001, alongside the SOC 2 criteria, and that can be confusing. We will attempt to remove any confusion!
🙋🏾♀️ Can a service organization include additional control frameworks (HITRUST, HIPAA, ISO 27001, NIST 800-171, etc.) in its SOC 2 audit?
👍🏽 Yes. This is known as a "SOC 2+" audit.
✅ The most common frameworks included are HITRUST, HIPAA, and the Cloud Security Alliance's Cloud Controls Matrix (CCM). An additional framework can be included if it qualifies as "suitable criteria" under the AICPA attestation standards; established, published control frameworks generally meet that requirement.
🙋🏼♀️ How is a SOC 2+ different from a standard SOC 2?
✅ Controls must be designed and operated to meet both the SOC 2 Trust Services Criteria (TSC) and the additional framework's requirements, so the auditor tests against both sets of criteria. This inherently creates more work for the auditor and for the service organization.
✅ A SOC 2+ report includes the auditor's opinion on both the SOC 2 TSC and the additional framework's requirements.
✅ The two opinions are issued separately, so a service organization can receive a clean (unqualified) opinion on the SOC 2 TSC and a qualified opinion on the additional framework. When you review a SOC 2+ report, read each opinion on its own rather than treating the report as a single pass/fail result.
🚨 What does a SOC 2+ report not provide?
⛔️ A SOC 2+ report does not serve as a "certification" against the other framework. Certifications are issued by the framework owner or an accredited certification body (HITRUST certifies against its own CSF; ISO 27001 certificates come from accredited certification bodies), not by a CPA firm issuing an attestation report. If you need a "HITRUST certification," a SOC 2+ HITRUST audit will not serve that purpose.
💥 Any CPA firm can perform a SOC 2+ audit, but that does not mean it has experience with the additional framework. A service organization should make sure to select a CPA firm with demonstrated experience auditing against that framework.
For more details, see the AICPA guidance on SOC 2 reports with additional subject matter: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html
We are glad to bring you these postings. Please let us know if you have questions, and how we can help you continue to run an effective and efficient third-party risk management program.