IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

As I was discussing cloud governance with a client recently, a recurring question came up: “We have ISO 27001, so why do we need ISO 27017?” It’s a fair question. While ISO/IEC 27001 provides the foundational framework for an Information Security Management System (ISMS), the unique risks of cloud environments, including multi-tenancy, shared responsibility, and [...]

A mobile workforce has shifted from a “nice to have” to a critical capability. As employees expect flexibility and organizations rely more on cloud resources, expand globally, and look to reduce overhead, mobility brings both significant benefits and new responsibilities. Whether you’re evaluating a mobile device management (MDM) solution or strengthening or implementing a bring [...]

Having a sound data analytics function within the internal audit department is increasingly critical as the world continues its drive toward digitization. Tools and trends like big data, cloud computing, robotics and automation, machine learning, and artificial intelligence are altering how businesses operate, and internal audits should be no different. The traditional audit approach of [...]

Artificial Intelligence (AI) is no longer a “future state” technology; it’s here and is moving at a breakneck pace. Unless you’re a “frontier” organization, your company isn’t deploying fully autonomous AI systems. However, AI is reshaping your business, sometimes through official initiatives, other times through employees quietly adopting tools on their own. It’s driving financial [...]

Imagine an employee at your organization is terminated, but due to a communication gap or manual off-boarding process, their account isn’t disabled. Weeks later, another employee needs access to restricted data but hasn’t yet received approval for such access. Frustrated with delays, this employee uses the former employee’s still-active credentials to access the restricted data. [...]

In today’s market, clients and partners expect more than promises — they expect proof that their data is safe in your hands. Achieving SOC 2 compliance is one of the best ways to demonstrate that commitment. But to stand out, you need more than a checklist approach. You need a security strategy built to withstand [...]

Let’s be honest—when you’re juggling daily priorities and a never-ending to-do list, audit risk probably isn’t the first thing on your mind. And hey, maybe the “out of sight, out of mind” approach feels easier. After all, it doesn’t exactly scream excitement, and there’s always something more urgent to handle. But here’s the thing: while [...]

When I audit small to mid-sized SaaS companies in the healthcare space, there’s one assumption I encounter over and over again: “We’re in the cloud, so compliance is handled.” It’s an easy misconception to fall into. After all, AWS, Azure, and Google Cloud talk extensively about HIPAA and HITRUST capabilities. But here’s the quiet truth—moving [...]

"*" indicates required fields
