IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

Audit risk assessment guide

Navigating Audit Risk Assessment: Your Path to Compliance

Audit risk assessments are an integral part of any company’s internal control structure and are relevant to compliance frameworks, including SOC 2, HIPAA, and ISO 27001. Risk assessments can be daunting as they encapsulate risks across an entire company, and it can be difficult to understand what considerations should be taken and even where to […]

Are you FedRAMP ready?

Are You Really FedRAMP Ready? What It Actually Takes

Many cloud services and SaaS providers are eager to enter the federal market, but many underestimate what it really takes to achieve a FedRAMP authorization. FedRAMP is not just a checklist or an exercise in paperwork; it’s a high stakes, high complexity, and high-cost project that demands the right people, the right systems, the right […]

Guide to ISO/IEC 27018 cloud privacy

ISO/IEC 27018: A Practical Guide to Cloud Privacy and Certification

In an era where organizations increasingly rely on the cloud to manage sensitive information, protecting personal data is no longer just a best practice—it’s a business imperative. ISO/IEC 27018 steps in as a purpose-built privacy standard designed to help public cloud service providers handle personally identifiable information (PII) responsibly and transparently. Focused on real-world challenges […]

Guidance for compliance training

Compliance Training – Insights & Guidance For Your Organization

With the frequent personnel changes that many companies are experiencing right now, it’s important to consider how turnover affects companies’ compliance efforts. Almost every company is required to comply with some type of law, rule, regulation, or reporting standard. This blog post will provide some ideas for helping to provide sufficient compliance training as part […]

NIST SP 800-61

NIST SP 800-61 Revision 3: Complete Guide to the New Incident Response Framework

Effective incident response is no longer just a best practice—it’s a critical business function. As cyber threats grow more complex, organizations must ensure their incident response plans are aligned with the latest standards. In April 2025, the National Institute of Standards and Technology (NIST) officially withdrew Special Publication 800-61 Revision 2 and released Revision 3: […]

Understanding the value of a HITRUST ROI

The HITRUST ROI Report: Is HITRUST Certification Worth It? An External Assessor’s Perspective

HITRUST has issued an interesting third-party report on the ROI of a HITRUST certification. It focuses on quantifiable and qualitative outcomes such as ROI, operational efficiency, business growth, and risk reduction. As an external HITRUST assessor with many years of experience with HITRUST and many completed assessments, it piqued my interest, and I wanted to […]

PCI DSS 4.0 Updates in 2025

The New Era of PCI DSS 4.0: Requirements Effective After March 31, 2025

PCI DSS v4.0, which took effect on April 1, 2024, introduced 47 new requirements. A 12-month transition period allowed organizations to adopt these new requirements. As of March 31, 2025, these formerly “best-practice” requirements become mandatory. For many whose report on compliance (ROC) was issued before that deadline, these requirements were simply marked as Not Applicable […]

How to streamline multi-framework compliance

Streamline Multi-Framework Compliance: One Audit, Many Certifications

It’s a chilly Monday morning in Denver, and I’m standing in the glass-walled conference room of a mid-sized SaaS company. The CTO looks at me, exhausted. “This is our third audit this year,” she says, showing me a color-coded spreadsheet with over 200 controls. “SOC 2, ISO 27001, and now HIPAA. There’s got to be […]

Understanding unqualified audit opinions

What Is an Unqualified Opinion Versus Other Report Opinions?

From time to time my clients ask what an unqualified opinion means when discussing the opinion being issued for an attestation engagement such as a SOC 1 or SOC 2 report. It is a funny-sounding term used for attestation engagements (engagements where the auditor is issuing an opinion over the audit performed of the identified […]