The results of recently completed audits performed by a third-party auditor against the scoped environment can—at the External Assessor’s discretion—be relied upon to reduce the extent of the External Assessor’s direct testing. The following requirements must be met for reliance to be placed on the results of third-party audits:

12.3.1 A valid business justification must exist for relying on the third-party report. For example, it is inappropriate to rely on a SOC 2 Type II report covering a service provider not used by the Assessed Entity.

12.3.2 A formal, final report documenting the results of the third-party audit must exist prior to the end of the External Assessor’s fieldwork period. Third-party audits failing to produce a final report inclusive of the following elements should not be relied upon by the External Assessor:

i. a description of the audit’s scope;

ii. the timeframe that the testing covers (for period-of-time reports), the date that the final report was issued (for point-in-time reports), or the timeframe that the report is valid (for forward-looking reports);

iii. the auditor’s procedures performed;

iv. the conclusions reached for each control/requirement tested; and

v. the compliance gaps / testing exceptions noted.

12.3.3 The third-party auditor must be independent of management and objective of the controls and processes audited. “Objectivity” refers to a lack of bias, judgment, or prejudice, and “independent” means not being influenced or controlled by others in matters of opinion, conduct, etc. Only third-party audits performed by individuals sufficiently independent of the Assessed Entity and objective of the controls / requirements tested should be relied upon.

12.3.4 Third-party audits older than one year should not be relied upon. This one-year reliance threshold is determined by comparing the start date of the External Assessor’s fieldwork to the following:

  • For point-in-time reports (such as a PCI DSS ROC): To the date of the third-party auditor’s final report.
  • For period-of-time reports (such as a SOC 2 Type II report): To the end date of the reporting period.
  • For future-looking certifications (such as a HITRUST certification): To the certification date or to the date of the most recent surveillance audit / interim assessment.

12.3.5 The External Assessor and HITRUST must both be authorized recipients of the third-party audit report. While the External Assessor and HITRUST do not need to be explicitly named as authorized recipients, the owner of the report must be allowed to distribute the report to such parties. This requirement exists specifically to avoid situations in which reliance was placed on a report that cannot be shared with HITRUST, thus restricting HITRUST’s ability to perform meaningful QA procedures. Reliance cannot be placed on third-party audit reports that neither HITRUST nor the External Assessor is authorized to receive. For example:

  • The AICPA specifically states for SOC 1 reports: “Use of these reports is restricted to the management of the service organization, user entities, and user auditors.” As HITRUST (and likely the External Assessor) is not a member of any of those recipient groups, a SOC 1 report cannot be used as a valid report for third-party reliance.

12.3.6 The scope of the third-party audit (in terms of systems, facilities, and business units) must overlap with that of the HITRUST validated assessment. Third-party audits of only systems or organizational elements outside the scope of the validated assessment should not be relied upon.

12.3.7 The controls assessed in the third-party audit must overlap with those assessed in the HITRUST validated assessment. Third-party audits of only controls or compliance requirements outside the scope of the validated assessment should not be relied upon.

12.3.8 When designing a reliance strategy, the External Assessor must map the requirement statements and evaluative elements included in the HITRUST validated assessment to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and therefore lacks an adequate basis for reliance. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be attached to or referenced in MyCSF.

12.3.9 The depth / rigor of testing performed by the third-party auditor must reasonably align with the testing expectations placed upon External Assessors by HITRUST. Only those audits and assessments featuring tests of control design / operation / implementation / effectiveness using audit procedures such as inspection of evidentiary matter and sampling (utilizing statistically meaningful sample sizes as applicable) are suitable for reliance. For example, procedures executed by a service organization’s auditor during a SOC 2 Type I examination should not be relied upon given a SOC 2 Type I examination’s lack of substantive testing.

12.3.10 The third-party audit report must be prepared in accordance with the corresponding professional standards. A third-party audit report that is not prepared in accordance with the corresponding professional standards should not be relied upon.

12.3.11 When reliance is placed on a third-party audit report to reduce the extent of the External Assessor’s direct testing, the External Assessor’s workpaper documentation must include:

  • The third-party audit report upon which reliance was placed. The report must be attached to or referenced within MyCSF.
  • The type or focus of the third-party audit (e.g., SOC 2 Type II).
  • The third-party audit’s final report date and timeframe covered.
  • The scope of the assessment that is covered by the third-party audit report.
  • The External Assessor’s mapping of the requirement statements and evaluative elements included in the HITRUST validated assessment to the controls / requirements tested in the third-party audit.
  • Procedures performed and results of testing in the third-party report for the control(s) mapped to the HITRUST requirement statement, including any noted exceptions and the External Assessor’s treatment of those exceptions in the HITRUST maturity scoring.