IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

How Long Does a SOC Examination Take?

By Nicole Hemmer Published on December 13, 2017

We are frequently asked how long it takes to complete a SOC examination. Unfortunately, there is no single answer that fits every examination, because every service organization is different. But if an organization has controls in place, the average time taken for a SOC examination is typically one to three months for Type I [...]

The Federal Information Security Management Act (FISMA) was originally released in December 2002 and established the importance of information security principles and practices within the Federal Government, noting that information security was “critical to the economic and national security interests of the United States. [...]

Today’s information environments are always changing, whether through the development of new capabilities, patching systems, responding to new threats and vulnerabilities, or fixing discrepancies within the system. Each change to the system carries with it an inherent security risk. Therefore, that security risk must be evaluated in the context of the security posture of the [...]

There are five trust services criteria that can be included in a SOC 2 report, including: security, availability, processing integrity, confidentiality, and privacy (see definitions from the AICPA below). Only one of the five criteria is required in the SOC 2 — security. The other four trust services criteria are optional, and we get many [...]

Risk management is a basic component of everything we do. Subconsciously, we assess and manage risk with each decision we make—from getting up in the morning to going back to sleep. So, in a way, most of us are already seasoned risk managers. Yet many find organizational risk management to be an overwhelming task. Managing [...]

Is the Cloud Safe?

By Jaclyn Finney Published on July 12, 2017

More and more companies are popping up that require their consumers to insert sensitive information into a cloud for safekeeping, but is the cloud actually safe? This article will address that question and provide consumers some insight into steps they can take and what to look for to help ensure that their information is [...]

The AICPA has recently developed a cybersecurity risk management reporting framework that is being added to the suite of System and Organization Controls (SOC) report offerings. This framework will assist organizations in communicating relevant and useful information about their cybersecurity risk management program. Companies need to be able to evidence that they can manage cybersecurity [...]

The number of companies utilizing cloud service providers (CSPs) that provide Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) is on the rise, making it important for consumers to understand the services—including the benefits—of what they are purchasing in order to maximize their return on investment. [...]
