IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, HITRUST and FedRAMP assessments.

SOC 2 vs SOC 3

SOC 2 vs SOC 3 Reports: What is the Difference?

When deciding what kind of SOC report your service organization needs, or what kind of report to request from your service organization, the options can be a little confusing, especially when considering whether you need a SOC 2 or a SOC 3 report. Many of our clients ask us what a SOC 3 report is, […]

What is SOC 2?

What is SOC 2? An Expert’s Guide to Audits, Reports, Attestation, & Compliance

With the proliferation of data breaches and hacks that occur today, it’s no wonder there is a greater focus on information security. SOC 2 reports are general use reports that provide assurance to user organizations and stakeholders that a particular service is being provided securely. A SOC 2 can also include criteria related to Availability, […]

Operational risk management

What is Operational Risk Management? Expert Guidance for Managing Risk

What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to […]

Cloud audit compliance

Cloud Compliance Audits: What You Need to Know

As the popularity of cloud computing has increased over the last decade, so has the maturity of standards used to govern these resources. This article will provide a definition of cloud computing and cloud computing audits – the objectives of cloud computing, the scope of a cloud computing audit, understanding cloud compliance, and audit steps […]
Understanding the HITRUST CSF: A Guide for Beginners

“What is HITRUST?” is typically the first question asked by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance but several years ago it rebranded to simply HITRUST to align with changes to the “framework,” making it industry agnostic. Is HITRUST a Framework? HITRUST is far more than a […]

What are HITRUST correction action plans (CAPs)

What are HITRUST Correction Action Plans (CAPs)? Answers to Common Questions

Following months of hard work, you and your External HITRUST Assessor finally “complete” the assessment and the assessment dashboard now displays 100% of requirements under the “External Assessor Review Complete” status – now what? For most Assessed Entities, that phase is followed by formulating CAPs for requirement statements as part of a control reference required […]

Risk matrix 101

When, How, And Why To Use A Risk Matrix

All SOC 2 examinations must include security common criteria. This includes reviewing a company’s (i.e. entity’s) risk assessment process (risks identified, risk matrix, controls in place to address the risks, etc.). However, one of the challenges that the AICPA has found when it comes to doing risk assessments is that companies are unclear on what […]

SOC 2 risk assessment criteria

The SOC 2 Risk Assessment Criteria: Through the Eyes of an Auditor

The most important common criteria tested within the SOC 2 report is the risk assessment. An organization’s risk assessment is the heart and soul of the SOC 2 report. Unfortunately, there are many consequences for lacking well-defined risk assessment and risk management processes: business/system failure; financial loss; noncompliance with national and foreign laws, regulations, and […]

Audit data analytics in internal audits

Audit Analytics: How to Use Data for Internal Audits & Why It’s Important

Having a sound data analytics function within the internal audit department is increasingly critical as the world continues its drive toward digitization. Tools and trends like big data, cloud computing, robotics and automation, machine learning, and artificial intelligence are altering how businesses operate, and internal audits should be no different. The traditional audit approach of […]

Data retention policies & SOC 2

Data Retention Policy: What is it & How Does it Relate to a SOC 2?

Data has become a valuable resource for organizations across the world, and large amounts of data are being collected every day. At the same time, there has been an increase in, and a greater emphasis on, the laws and regulations aimed at providing safeguards for the data collected. A tool that can be used to help manage data […]