IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

In today’s market, clients and partners expect more than promises — they expect proof that their data is safe in your hands. Achieving SOC 2 compliance is one of the best ways to demonstrate that commitment. But to stand out, you need more than a checklist approach. You need a security strategy built to withstand [...]

Let’s be honest—when you’re juggling daily priorities and a never-ending to-do list, audit risk probably isn’t the first thing on your mind. And hey, maybe the “out of sight, out of mind” approach feels easier. After all, it doesn’t exactly scream excitement, and there’s always something more urgent to handle. But here’s the thing: while [...]

When I audit small to mid-sized SaaS companies in the healthcare space, there’s one assumption I encounter over and over again: “We’re in the cloud, so compliance is handled.” It’s an easy misconception to fall into. After all, AWS, Azure, and Google Cloud talk extensively about HIPAA and HITRUST capabilities. But here’s the quiet truth—moving [...]

When organizations pursue ISO 27001 certification, most of the focus is on building, maintaining, and auditing an Information Security Management System (ISMS). But who makes sure the auditors themselves are qualified and that the certification process is credible? That’s where ISO/IEC 27006 comes in. This standard governs how certification bodies (CBs) operate when auditing and [...]

We have a few blogs written on penetration testing. These blogs include information on the steps or phases to properly conduct a penetration test, how penetration tests relate to satisfying SOC 2 requirements, information on how penetration testing compares to vulnerability assessments, and more. Feel free to check out these related blogs: External Penetration Testing [...]

What is GovRAMP? In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, establishing a standardized assessment methodology for federal agencies to manage risk within commercial cloud service provider environments. Acknowledging the “do once, use many” benefits of FedRAMP within the federal sector, the State Risk and Authorization Management Program (StateRAMP) was launched [...]

I spent many years in the hospitality industry, helping guide hospitality companies through their compliance journeys, working with ownership groups to meet their compliance needs and goals, and reviewing technology vendors and their solutions to ensure we were not putting our properties at unnecessary risk. Today, I lead audit engagements at a CPA firm that [...]

Risk governance, as defined by NIST, is the “process by which risk management evaluation, decisions, and actions are connected to enterprise strategy and objectives. It provides the transparency, responsibility, and accountability that enables managers to acceptably manage risk.” While this concept is seemingly straightforward, a robust risk governance program has a lot of varied components! [...]
