IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, Royalty audits, HITRUST and FedRAMP assessments.

Security awareness training

Security Awareness Training: Implementing End-User Information Security Awareness Training

Exposing employees to the security threats that exploit businesses, seemingly weekly these days, can help companies protect themselves against those threats. This blog will present the importance of security training, options, and resources, and the frequency that training should be provided. What is Security Awareness Training? Security awareness training is the process of providing information […]

Detective Controls

Detective Controls & Their Impact on the Overall Control Structure

Every organization should design a control structure to identify and address risks related to internal and external forces that impact an organization.  This control structure includes four main types of Internal Controls: Manual Controls IT Dependent Manual Controls Application Controls IT General Controls Preventive and Detective controls can be found within each of these four […]

De-identification of personal data

De-Identification of Personal Information: What is It & What You Should Know

Many organizations may be retaining personal data and it is important for this information to be properly protected and or anonymized. One method to ensure personal information is appropriately anonymized is through de-identification. This article will explain what de-identification is, how to go about de-identifying personal data, and why it is important. To start, a […]

DFARS compliance: What to know

DFARS Compliance: What You Need to Know

Due to the multitude of breaches where defense information has been compromised, the Department of Defense (DOD) has been working to impose additional requirements on defense contractors that process, store, or transmit sensitive information in support of the DOD and its mission. It has taken specific measures to help shore up the defense industrial base […]

vendor vs subservice organization

Vendor vs Subservice Organizations: Understanding the Difference & How it Affects You

A service organization may have a number of vendors and subservice organizations engaged to assist them in meeting their objectives or achieving the service commitments to their user entities along with the system requirements necessary to do so. This article will explain the difference between a vendor and a subservice organization and provide some tips […]

Leveraging the Google Cloud SOC 2

Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS

When building Software-as-a-Service (SaaS) applications over the last few years, more and more companies are electing to leverage an infrastructure-as-a-service provider like Google Cloud Platform (GCP). One of the main reasons companies do so is to leverage the GCP SOC 2 compliant infrastructure. These SaaS companies, also labeled as service organizations by the American Institute […]

Understanding the limitations of internal control

Understanding the Limitations of Internal Controls – Learning to Mitigate Your Risk

You just received the draft SOC 1 or SOC 2 report from your auditor and as you’re scrolling through the opinion, you notice a reference to “Inherent Limitations.”  Inherent Limitations? Is your SOC report suggesting your controls are inadequate? Your auditor is not telling the world you have weak controls; however, every auditor opinion will reference […]