IT Audit & Compliance Blog

It’s 2:00 AM on a Friday and your phone begins to ring. On the other end is the desperate voice of your IT Security manager trying to communicate that your company has just been hacked and that it looks like customer data may have been stolen. “How can this have happened?” you exclaim. “Didn’t we [...]

In the ever-evolving realm of business, where external vendors and third-party collaborations are pivotal for enhancing efficiency and innovation, the significance of effective vendor and third-party risk management has never been more pronounced. Additionally, it has become the norm for companies to rely on third parties to provide critical operational functionality for a business. As [...]

The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper or oral. [...]

If you have recently completed a Type I SOC report, congratulations! It is no small task to prepare and complete a SOC examination. However, for most companies, a Type I SOC report is just a step in the process of eventually completing a Type II SOC report, as that is what most user entities expect [...]

During my time as an auditor, I have had the privilege of working with many clients of all shapes and sizes. As clients prepare for an audit, especially a first-time audit, I often get asked for recommendations on how to help ensure a successful audit outcome. One of the most crucial areas related to security [...]

Today’s information age mandates organizations take appropriate action to ensure effective security and privacy practices are embedded throughout the entire organization. The effectiveness of privacy and security practices should continually be assessed to ensure they remain adequate and sufficient to support the organization’s ever-changing risk profile. It’s imperative that organizations not only assess their own [...]

Any organization that has completed a HITRUST® assessment knows they represent a significant amount of effort and a significant commitment to compliance and certification. While many HITRUST levels of certification are only good for one year, HITRUST’s r2 certification is good for two years, but…the HITRUST r2 certification requires an ‘interim’ assessment every other year [...]

Auditors performing financial statement audits are already aware of the Public Company Accounting Oversight Board (PCAOB) auditing standard AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion effective for audits of fiscal years ending on or after December 15, 2017. Within this standard are the requirements [...]

Disaster recovery plans and business continuity plans are unique to each and every company. In this article, we will walk through the purpose of these documents, their similarities and differences, the relevant controls, and common scenarios for disaster recovery. What Is the Purpose of a DRP? How Is It Different Than a BCP, BIA, & [...]

Our firm has been a HITRUST® External Assessor Organization since 2017, and in that time we have successfully helped dozens of organizations obtain and maintain HITRUST certifications. We have identified common pitfalls and other barriers to success and we’ve also learned some keys to success. In this article, I’ll break down some of the most [...]