Megan Kovash, Author at Linford & Company LLP

SOC 2 vs. HIPAA Compliance: What Auditors See When Organizations Confuse the Two

By Megan Kovash Published on May 13, 2026

Linford & Company offers two types of reports that address security, the SOC 2 Security report and the AT 601 HIPAA Security report. [...]

SOC 2 Compliance Checklist: Why it Doesn’t Exist (And What to Do Instead)

By Megan Kovash Published on November 5, 2025

In the past several years, as SOC 2 reports have increased in popularity, one of the first things prospective clients ask when meeting with me is if there is a checklist of things they can have that will help them prepare for the audit and become SOC 2 compliant. There seems to be a common [...]

SOC Review Guidance: Tips for Reading SOC 1 & SOC 2 Reports

By Megan Kovash Published on March 26, 2025

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. [...]

The Cloud Security Alliance (CSA) and the AICPA

By Megan Kovash Published on September 11, 2024

With all the commerce and other types of transactions and information that traverse the Internet, it is useful that there are organizations such as the CSA, AICPA, and many others, which are focused on serving the public’s interests. And while nothing will ever give complete assurance as to the internal controls for a service organization, [...]

Navigating SOC 2 Scope for a Successful Audit – Professional Insights

By Megan Kovash Published on January 24, 2024

When discussing the SOC audit process with clients, one of the first questions we are often asked is what the scope of a SOC 2 audit is. The answer is almost always, “It depends.” This answer can often be a point of frustration for many, as there is no quick answer. This is due to [...]

Access Control Management – Guidance for Audit Compliance

By Megan Kovash Published on September 13, 2023

One of the key points of focus when it comes to security compliance is the strength of access management controls. Whether your organization is aiming for compliance with the AICPA’s SOC criteria, NIST framework, GDPR, or HIPAA certification, to name a few, access controls play a key role in the internal control environment. Throughout this [...]

SOC 2 vs SOC 3 Reports: What is the Difference?

By Megan Kovash Published on November 30, 2022

When deciding what kind of SOC report your service organization needs or what kind of report to request from your service organization, the options can be a little confusing. Especially when considering whether you need a SOC 2 vs a SOC 3 report. Many of our clients ask us what a SOC 3 report is, [...]

Risk Evaluation & Mitigation Strategies for SOC 2 Compliance

By Megan Kovash Published on June 22, 2022

Risk evaluation and mitigation strategies for SOC 2 compliance is something I am being asked more frequently about by many first-time clients. In the following paragraphs, I will be discussing requirements for service organizations to consider when contemplating or undergoing a SOC 2 audit. Specifically, risk assessment and mitigation strategies in place at the service [...]

What Are Bridge (aka Gap) Letters & How Do They Relate to SOC Reports?

By Megan Kovash Published on February 15, 2022

Every year as summer draws to a close, one of the most sought-after topics for discussion that clients, business associates, and others reach out to our firm about is regarding Gap Letters— sometimes called Bridge Letters. [...]

Inherent Risk vs Control Risk: Audit Risk for SOC 2 Reports

By Megan Kovash Published on July 20, 2021

What is inherent risk and control risk and how do they relate to a SOC 2 audit? Inherent risk occurs due to the nature of the service provided and operation of the Company without consideration of any controls in place. Control risk is present as a result of the internal controls in place at the [...]

Megan Kovash

Partner | CPA