When relying on third-party reports (such as SOC 2 reports) to satisfy HITRUST requirements, only reports with sufficient detail can be used. HITRUST requires:
A clear description of scope (A) to confirm applicability to the assessed environment.
A list of procedures performed (C) so assessors can evaluate whether testing covered relevant controls.
Conclusions reached for each test (E) to provide assurance about the effectiveness of tested controls.
While an executive summary may be helpful for context, it lacks sufficient detail to serve as valid reliance evidence. Similarly, “completed remediation” of exceptions (B) is not required; rather, the report must document exceptions transparently. Assessors remain responsible for verifying that reliance reports are current, relevant, and issued by qualified independent auditors.
[References: HITRUST External Reliance Guidance – “Requirements for Third-Party Reports”; CCSFP Study Guide – “Use of SOC 2 and Similar Reports.”]