IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, Royalty audits, HITRUST and FedRAMP assessments.

Detective Controls

Detective Controls & Their Impact on the Overall Control Structure

Every organization should design a control structure to identify and address risks related to internal and external forces that impact an organization. This control structure includes four main types of Internal Controls: Manual Controls, IT Dependent Manual Controls, Application Controls, and IT General Controls. Preventive and Detective controls can be found within each of these four […]

De-identification of personal data

De-Identification of Personal Information: What is It & What You Should Know

Many organizations may be retaining personal data, and it is important for this information to be properly protected and/or anonymized. One method to ensure personal information is appropriately anonymized is through de-identification. This article will explain what de-identification is, how to go about de-identifying personal data, and why it is important. To start, a […]

DFARS compliance: What to know

DFARS Compliance: What You Need to Know

Due to the multitude of breaches where defense information has been compromised, the Department of Defense (DOD) has been working to impose additional requirements on defense contractors that process, store, or transmit sensitive information in support of the DOD and its mission. It has taken specific measures to help shore up the defense industrial base […]

vendor vs subservice organization

Vendor vs Subservice Organizations: Understanding the Difference & How it Affects You

A service organization may have a number of vendors and subservice organizations engaged to assist it in meeting its objectives or achieving the service commitments to its user entities, along with the system requirements necessary to do so. This article will explain the difference between a vendor and a subservice organization and provide some tips […]

Leveraging the Google Cloud SOC 2

Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS

When building Software-as-a-Service (SaaS) applications over the last few years, more and more companies are electing to leverage an infrastructure-as-a-service provider like Google Cloud Platform (GCP). One of the main reasons companies do so is to leverage the GCP SOC 2 compliant infrastructure. These SaaS companies, also labeled as service organizations by the American Institute […]

Understanding the limitations of internal control

Understanding the Limitations of Internal Controls – Learning to Mitigate Your Risk

You just received the draft SOC 1 or SOC 2 report from your auditor and, as you’re scrolling through the opinion, you notice a reference to “Inherent Limitations.” Inherent Limitations? Is your SOC report suggesting your controls are inadequate? Your auditor is not telling the world you have weak controls; however, every auditor opinion will reference […]

Risk of Material Misstatement

Risk of Material Misstatement – Audit Risk Components Related to SOC Reports

Obtaining evidence to confirm the design and operating effectiveness of controls used to support business objectives is completed during the audit process. One objective of this process is to look at the rate of deviations in an effort to determine if there is a risk of material misstatement. In this post, we will look at different […]