IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, Royalty audits, HITRUST and FedRAMP assessments.

What Are Internal Controls? The 4 Main Types of Controls

Internal controls (which include manual, IT-dependent manual, IT general, and application controls) are essential process steps that allow for one to determine or confirm whether certain requirements are being done per a certain expectation, law, or policy. Additionally, internal controls allow auditors to perform tests to gain assurance that a process is designed and operating […]

Establishing an Effective Internal Control Environment

Organizations flourish when they establish control environments that foster the efficient execution of operations. When done properly, good internal controls help organizations deliver value to their stakeholders and achieve their strategic objectives while aligning with industry best practices, laws, and regulations to manage risks facing them. This blog will help you understand 1) what a […]

Vendor/Third-Party Risk Management: Best Practices

How to Appropriately Select Vendors and Also Manage and Monitor Their Associated Risks. In this article, I will discuss what vendor risks are and the importance of why risk associated with vendors, in support of your business, should be identified and then monitored on an ongoing basis. Further, I will discuss how organizations can actually […]

NIST Password Guidelines – What You Need to Know

Passwords have always been a hot topic of discussion both in and out of security circles. Users have always hated being forced to come up with schemes to meet the complexity rules or change their password at defined intervals. The multitude of password requirements of the past have frustrated users and have led to bad […]

SOC Audit Failure: Common Audit Mistakes to Avoid

In performing SOC audits for Linford & CO, the clear majority of organizations do a great job providing reasonable assurance they are meeting all their controls. But I wanted to hit on a list of seven common mistakes that seem to pop up to hopefully help your organization identify them before they become

Cloud Audits & Compliance: What You Need to Know

As the popularity of cloud computing has increased over the last decade, so has the maturity of standards used to govern these resources. This article will provide a definition of cloud computing and cloud computing audit, the objectives of cloud computing, the scope of a cloud computing audit and understanding cloud compliance, and audit steps […]

Information Security Risk Management: A Comprehensive Guide

Some people may not believe this, but information security’s purpose is, or should be, to serve the business and help the company understand and manage its overall risk. Sure, there are some security professionals that appear to have the goal of spending as much money as possible and getting the latest and greatest software, and there are also some that like to say “no”…for everything…all the time, but the good ones are there to help.

An Expert’s Guide to the HITRUST Framework

“What is HITRUST?” is typically the first question asked of Linford by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance but recently it rebranded to simply HITRUST to align with changes to the “framework” making it industry agnostic (more below). HITRUST is an organization and a security framework. […]