Should Your HITRUST CSF Assessor Be a CPA Firm?
Aug 29, 2022
In today’s hyperconnected environment, many different stakeholders expect assurance regarding your information security practices. Increasingly, major companies are expecting their business partners to achieve certification against the HITRUST Common Security Framework (CSF). This robust risk management framework builds on many established security and data privacy standards, such as the ISO 27000 series, HIPAA, PCI Data Security Standards, the EU General Data Protection Regulation, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The HITRUST CSF rationalizes all these regulations and standards into a single overarching security framework so that a single assessment can be used to meet many different information assurance needs. In a world where uncertainty and risk abound, this ability to reduce the complexity, risk, and cost of compliance represents a significant competitive advantage.
However, a HITRUST assessment takes significant time and resources from the entity being assessed, as well as the third party that performs the validated assessment. To achieve HITRUST Certification, an entity must perform a self-assessment of its internal controls, which must then be tested by a third-party CSF assessor — typically either a CPA firm or an IT consulting firm — that has been vetted by the HITRUST Alliance. These in-depth assessments take time, and are therefore expensive. But a mishandled HITRUST assessment will likely take even more time and money, especially if HITRUST kicks the assessment back during its quality assurance process.
If a major customer has recently requested a HITRUST CSF certification, or you’re reading the tea leaves and want to be prepared when you do receive such a request, you need to start vetting HITRUST assessor firms.
CPAs: A Cut Above
HITRUST maintains a high bar for firms seeking to be a CSF assessor. In addition to annual licensing fees, firms must maintain at least five Certified CSF Practitioners on staff at all times, and those practitioners must participate in up-front and ongoing training. However, when your business relationships depend on delivering assurance of effective security and privacy controls, only an assessor firm that is just right for your needs will do.
Independent CPA firms that have the expertise and track record to lead you through a HITRUST certification can add significant value. Consider the following:
- Gold standard of audit quality. When it comes to assurance, an audit by an independent CPA firm is considered the gold standard. Peer-reviewed members of the AICPA have stringent audit quality standards that apply to every engagement they perform, including CSF assessments. CPA firms are used to constant oversight of their engagements, including checking whether evidence is adequate, complete, and accurate. Such attention to detail can save the assessed organization time and money by reducing the risk of a control failing the rigorous HITRUST quality assurance review.
- A trained eye. Established CPA firms have experience with a wide variety of industries and client types. CPA firms acting as HITRUST assessors can draw on this deep well of experience to assess the adequacy of controls and documentation. CPA firms’ experience typically lets them anticipate what the HITRUST quality assurance team will consider appropriate for each requirement statement.
- SOC 2 reporting. If your organization seeks to issue a joint SOC 2 and CSF Certified report, then a CPA firm that is also a HITRUST-authorized assessor is the only option. Leveraging the CSF to report on the AICPA Trust Services Criteria can cut down on audit time and increase efficiency.
- Breadth of expertise. CPA firms typically have many different types of professionals on staff, including those with information security expertise, which adds another dimension of quality to a HITRUST assessment. Some designations to look for include the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Healthcare Certified Information Systems Security Professional (HCISSP). These certifications help ensure the engagement team has the technical expertise you need.
Don’t fall into the trap of selecting a HITRUST assessor firm based on price alone, which could incur more cost for your organization in the long run. Contact CRI to discuss how to prepare for your HITRUST CSF assessment.