Page 8 | A-LIGN

Healthcare organizations handling electronic protected health information (ePHI) must stay vigilant and protect their data from cyber-attacks. Complying with HIPAA standards is essential for these businesses to show they have the correct controls in place to safeguard sensitive information.

Getting started with your HIPAA compliance journey can be confusing, but we have created a HIPAA readiness checklist to set your business up for success as you pursue your upcoming HIPAA assessment.

Download the HIPAA checklist PDF!

The importance of HIPAA compliance

HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to uphold stringent privacy safeguards for individually identifiable health information, ensuring the security of patient data.

Organizations managing ePHI are expected to undergo a HIPAA compliance assessment to validate the business has controls in place to safeguard data.

By complying with HIPAA standards, companies not only meet legal obligations, but also avoid severe financial penalties due to non-compliance. Most importantly, HIPAA compliance instills peace of mind and showcases the business’s commitment to cybersecurity to their valued clients and other stakeholders.

Understanding the HIPAA readiness checklist

Once your team is prepared and has knowledge of HIPAA compliance and the assessment process, you can kick off your compliance journey with our HIPAA readiness checklist.

By adhering to these comprehensive steps, your organization not only showcases its commitment to compliance, but also fosters a culture of security that lasts far beyond the audit.

Security rule – administrative safeguards

Security management process

Establish and audit key policies and procedures to prevent, detect, contain, and correct security violations, such as:

  • HIPAA Policies and Procedures
  • Information Security Policies and Procedures (should include key assignments for security responsibilities)
  • Access and Authorization Policies and Procedures (if not included in Information Security Policies)
  • Workforce Clearance Policies and Procedures
  • Physical Security Policies and Procedures
  • Incident Management and Incident Response Policies and Procedures
  • Network Diagrams
  • Risk Management Process Policies and Procedures
  • Completed Risk Assessment
  • Vulnerability Assessment
  • Sanctions

Assign security responsibility

Identify the security official who is responsible for the development, implementation, and enforcement of the policies and procedures required under the HIPAA Security Rule. The HIPAA Privacy Officer can also hold these responsibilities.

Workforce security and information and access management

Define policies and procedures to ensure that all members of the workforce have appropriate access to ePHI, as provided under the Information Access Management standard, and to prevent those who do not have appropriate access from obtaining access to ePHI. Management should also formally define policies and procedures for managing workforce members with access to PHI/ePHI, to include:

  • Authorization and/or Supervision procedures
  • Access Modifications
  • Hiring and Workforce Clearance Procedure (including background checks)
  • Termination Procedures
  • Isolating Health Care Clearinghouse functions

Security awareness and training

Establish a security awareness and training program for all members of the workforce, including management. Management should then implement a Security Awareness and Training program that is completed at least annually and includes:

  • Frequent Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring and Password Management

Security incident procedures

Management should create policies and procedures to address security incidents as well as Incident Management policies and procedures that include the following:

  • Incident identification & classification
  • Incident response
  • Incident tracking
  • Root cause and system impact analysis
  • Escalation
  • Changes implemented for remediating incidents
  • Critical security incident response
  • Incident reporting

Contingency plan

Management should establish and implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI. Management should also establish Business Continuity and Disaster Recovery (BCDR) policies and procedures that include:

  • BCDR Plan
  • BCDR Testing, on at least an annual basis
  • Backup configurations (incremental and full backups)
  • Offsite backup rotation and/or replication
  • Backup restoration

Evaluations

Management should perform a periodic technical and nontechnical evaluation based initially upon the standards implemented under the HIPAA Security Rule. Remediation of the risks, vulnerabilities, deviations, and control gaps identified in these evaluations (e.g., risk assessments, vulnerability scans) should be documented. Note that a Security Rule risk assessment is a strict requirement of the HIPAA law; organizations that have not performed a risk assessment of their ePHI data could face legal or compliance ramifications.

These controls should be documented in an Internal Controls Matrix (ICM) that includes the following attributes for each control:

  • Control owner
  • Control frequency
  • Control type (i.e., preventive, detective, or corrective)
  • Control execution (i.e., automatic vs. manual)

Security rule – physical safeguards

Facility access controls

Management should implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Management should establish Physical Access policies and procedures that include:

  • Facility access
  • Visitor access and badge inventory
  • Surveillance retention periods
  • Emergency procedures
  • Facility Maintenance
  • Access to areas containing PHI

Workstation security and use

The organization should determine whether it is a covered entity. Management should implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. Management should also define policies and procedures regarding the safeguarding and use of workstations (including workstations on wheels) to include:

  • Physical access to workstations limited to authorized personnel
  • Prohibiting non-business activity on workstations

Device and media controls

Management should implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into, out of, and within the facility. Management should also formally define policies and procedures regarding hardware and removable media that include:

  • Hardware and media accountability
  • Acceptable Use
  • Maintenance records for the movement of hardware and media
  • Data disposal and destruction
  • Asset Inventory
  • Removable Media
  • Bring your own device (BYOD)

Security rule – technical safeguards

Access controls

Management should implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that are required. Management should also formally define and follow key information security controls that include:

  • Access provisioning and removal
  • Role-based access privileges
  • Standardized authentication procedures for all systems
  • Standardized, minimum password requirements for all user and system accounts
  • External access procedures
  • Emergency access procedures

Audit controls

Management should implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Management should also formally document policies and procedures regarding information systems activity review and internal audit functions and include:

  • Documented review process
  • Audit logging
  • Physical access logs
  • Policy and Procedure Review
  • Periodic internal controls reviews

Integrity controls and transmission security

Management should outline and implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. Management should also implement standardized encryption mechanisms that provide encryption at rest and encryption in transit.

File Integrity Monitoring (FIM) should also be utilized to ensure only authorized changes are deployed into production environments.

Person or entity authentication

Management should develop policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed, as well as formally document policies and procedures around information security that include:

  • Authentication into Networks, Databases, Applications and VPN in the production environments
  • Administrative access
  • Password Configurations
  • Audit Logs

Security rule – organizational requirements

Business associate contracts and documentation

Management should maintain business associate agreements (BAAs) with businesses that create, receive, maintain, or transmit ePHI. Management should also retain documentation of HIPAA policies and procedures for the required 6 years and maintain business associate agreements in compliance with the HIPAA Security Rule.

  • Business Associates who utilize subcontractors in the processing, transmission, or storage of ePHI must maintain a BAA.
  • Business associates are required to adhere to the security, incident response, and breach notification procedures outlined by the covered entity with which they have entered into an agreement.
  • Documentation should be maintained for a minimum of 6 years per HIPAA Security Rule guidelines.

Breach notification

If the organization creates, receives, maintains, or transmits PHI/ePHI, management should document Breach Notification policies and procedures. Breach Notification policies and procedures address the following:

  • Breach Risk Assessment
    • Was ePHI encrypted?
    • What data was exposed?
    • Who accessed the PHI/ePHI?
    • What is the likelihood of further use of exposed data?
    • What controls are in place to mitigate impact?
  • Breach Notification Letters or Emails

Privacy rule and individual rights

If your organization is a covered entity, or if it creates, processes, transmits, or stores PHI, management should designate a HIPAA Privacy Officer who is responsible for the development, implementation, and enforcement of HIPAA-compliant policies and procedures.

Management should formally document HIPAA Privacy policies and procedures, Privacy Notices and/or a Statement of Privacy Practices that address the following:

  • Obtaining authorizations
  • Individual rights to consent or opt out
  • Methods of collection
  • Use, disclosure, retention for a minimum of six years, and disposal of PHI
  • Disclosure of PHI to third parties and the purpose of use
  • Security for privacy
  • Monitoring and enforcement of sanctions for inappropriate use and disclosure of PHI

Partner with A-LIGN for your HIPAA compliance journey

Achieving and maintaining HIPAA compliance is paramount for organizations handling ePHI. Not only is it essential to assure stakeholders their sensitive data is safe in your hands, but it is also critical to stay compliant to avoid cyber-attacks and financial penalties.

By working with an experienced 3PAO like A-LIGN, your business can expect a world-class audit experience unparalleled in quality and efficiency. Stay ahead of the curve and get audit ready by taking advantage of our comprehensive HIPAA readiness checklist. Download our readiness checklist now!

In the ever-evolving landscape of cybersecurity and compliance, staying ahead of the curve has become imperative for businesses worldwide. As technology advances, so do the methods employed by bad actors seeking to exploit vulnerabilities. Recent surveys and reports reveal several notable cybersecurity and compliance trends that businesses should pay attention to. 

In this blog, we delve into key trends and strategies that define the current state of cybersecurity and compliance, shedding light on the importance of continuous monitoring, the role of artificial intelligence, and the need for a comprehensive audit strategy. 

AI and machine learning gain traction 

Artificial intelligence (AI) is revolutionizing how organizations approach cybersecurity and compliance. The U.S. Census Bureau anticipates that the use of AI by businesses to directly produce goods and services will dramatically increase in the first half of 2024, particularly for the information sector and the professional, technical, and scientific services sector. Another recent survey found that 78% of C-suite leaders reported their companies using AI in some capacity. 

[Chart: Use of Artificial Intelligence by Selected Sectors]

The increasing use of AI and machine learning (ML) tools enables companies to swiftly analyze vast amounts of data, identifying security risks more efficiently than ever. For example, a team that leverages AI in its security information and event management (SIEM) platform gains efficiency as AI filters out false positives, enabling security analysts to focus on and remediate real threats. AI integrated into firewalls and anti-malware solutions can also help automate some controls and save the organization time and money.

The efficiency created by AI tools can make it more practical for businesses to monitor risk proactively, rather than waiting for a major security incident to arise and kick staff into gear. Staying ahead of the curve makes compliance with major security and privacy standards less of a headache because controls are already integrated into regular business operations.

However, using AI and ML for compliance is a double-edged sword that requires vigilance, as malicious actors are also harnessing AI to accelerate hacking attempts. As regulatory bodies adapt — illustrated by the progression of ISO 42001 — organizations must proactively embrace AI while remaining cognizant of the associated risks.

Continuous monitoring wins over point-in-time audits

In the past, compliance was seen as an annual checkpoint activity — something businesses had to do once per year to check a box. But with the threat landscape evolving so rapidly, performing compliance assessments at a single point in time is no longer enough. To safeguard vital company information and avoid catastrophic financial losses, catching potential threats early on is key. According to an IBM report, the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years. 

Leading organizations are embracing continuous monitoring to regularly validate security controls and compliance with standards. Incorporating regular vulnerability scans and automated attack surface scans ensures that security best practices are implemented across the business throughout the year. This approach is more than a mere checkbox for compliance; it is a commitment to safeguarding sensitive data.

To get a real-time look at compliance within an organization, many cybersecurity teams are turning to software. Depending on the software, organizations can view their current status and potential vulnerabilities, conduct automated scans, track data security metrics, monitor changes in their systems, and more. With the right tools in place, it is easier for teams to see a big picture view of the security landscape and proactively identify threats.

No business is safe from cyber crime

The year 2023 witnessed high-profile cyberattacks that underscored the vulnerability of organizations, regardless of size or industry. Here are a few notable examples:

  • MGM Resorts International experienced a cyberattack in September 2023 that it expected would cost the company $100 million. Hackers breached MGM’s systems to steal data for extortion, and the company was forced to shut down some of its systems at its casino resorts across the nation.
  • In May, a ransomware group infiltrated Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer, stealing sensitive data from hundreds of organizations.

Despite these high-profile stories involving massive corporations, 43% of cyberattacks target small businesses, and the average employee of a small business with fewer than 100 employees will receive 350% more social engineering attacks than an employee of a larger enterprise.

Cybercriminals frequently target startups and smaller organizations specifically because of their lack of security resources. Even businesses with substantial security teams and resources are not immune, raising a crucial question for smaller entities: Can your business withstand a cyberattack?

When it comes to compliance, quality matters

In the Compliance Benchmark Report of 2023, 28% of respondents identified the quality of the final report as the most important factor when selecting cybersecurity and compliance auditors. This underscores the value of audit reports for maintaining compliance, satisfying business partners, and enhancing overall IT processes.

Quality is equally crucial for other cybersecurity services such as penetration testing. As the stats we’ve covered illustrate, the difference between a comprehensive cybersecurity program and an inadequate one can add up to millions of dollars in remediation measures and lost revenue. Although the cost of services may be a factor, the focus should be on finding an experienced team that conducts thorough assessments of security controls to help organizations identify vulnerabilities before hackers do. Businesses that value cybersecurity are already making quality a priority.

Audit consolidation improves efficiency and reduces risk

Navigating the audit landscape requires a thoughtful and strategic approach. Spreading out compliance audits throughout the year aligns with the concept of continuous monitoring and helps organizations evaluate threats and vulnerabilities on a regular basis. But because of the ongoing resource requirements involved with cybersecurity and compliance, it’s no surprise that organizations are looking for ways to make the process more efficient. Instead of hiring multiple auditors in an ad hoc fashion, businesses are more frequently opting for audit consolidation with a single, trusted partner.

Constant audits may not sound enjoyable, but if organizations make cybersecurity a priority year-round, compliance will be easy, efficient, and cost-effective. The right compliance partner can help businesses streamline compliance so that a singular audit process will result in multiple assessment reports. That means audits are less of a headache and the business minimizes cyber-related risks — a win-win.

The importance of proactive cybersecurity in 2024 and beyond

The current state of cybersecurity and compliance demands a proactive and adaptive approach. As technology evolves, so do the threats, making continuous monitoring, AI integration, and quality assurance crucial components of a comprehensive strategy. Acknowledging that no business is immune to cyber threats is the first step toward building a resilient defense. By embracing a culture of security, prioritizing quality in audits and cybersecurity measures, and adopting a consolidated and strategic approach to compliance, organizations can navigate the complex landscape and safeguard their digital assets in an era where cybersecurity is more critical than ever.

[Photos: Jennifer Hawks; LaTara Allen]

We are pleased to announce the appointment of Jennifer Hawks as the new Federal Practice Lead. Jennifer has been a guiding force in U.S. Government cybersecurity governance, risk, and compliance for over two decades.

Prior to joining A-LIGN, Jennifer held the role of VP of Government Services at NCC Group and provided assessment and advisory services for various cybersecurity frameworks, including FedRAMP, StateRAMP, TXRAMP, CMMC/NIST 800-171, NIST Cybersecurity Framework (CSF), and FISMA/NIST RMF. Earlier in her career, Jennifer led a cybersecurity startup to become a FedRAMP third-party assessment organization (3PAO) and assessed security risks in the federal government’s vendor and supplier ecosystem within the US Department of Defense (DoD) supply chain at Booz Allen Hamilton.

In addition to the appointment of Jennifer, we are excited to introduce LaTara Allen as the Associate Director of Federal Services. LaTara has over 20 years of experience navigating the complexities of federal programs while optimizing the processes and service delivery of FedRAMP, StateRAMP, and CMMC/NIST 800-171 assessments.

“As a top 3 FedRAMP 3PAO and serving more than 150 clients, A-LIGN is committed to providing best-in-class compliance and cybersecurity solutions for our clients,” stated Steve Simmons, COO. “With Jennifer Hawks leading our federal practice and working alongside LaTara Allen, our strengthened staff will enable us to guide our clients through complex federal compliance requirements, providing them with the assurance and guidance they need to achieve their goals.”

Latest Additions Solidify Leadership in Delivering High-Quality and Efficient Federal Assessments

As a leading assessor for the US Government, A-LIGN is pleased to offer an end-to-end compliance solution that simplifies the complex reporting process to deliver high-quality reports and certifications government agencies require from their cloud service providers. With an extensive network of resources, experience, and professional relationships, we are dedicated to ensuring organizations are prepared and authorized to support government agencies by minimizing risks and safeguarding data.

These additions are a commitment from A-LIGN to provide a world-class audit experience with senior talent to allow our clients to continue to win federal contracts and grow their business.

To learn more about A-LIGN’s trusted federal services including FedRAMP, StateRAMP, CMMC, FISMA, and more, visit https://www.a-lign.com/government.

Sensitive data is becoming increasingly vulnerable to cyber threats. Ensuring robust data security and regulatory compliance is paramount, especially in the healthcare industry. HITRUST is a comprehensive framework that provides the necessary guidelines to safeguard electronic protected health information (ePHI).

Since many organizations don’t know where to start on their journey to HITRUST compliance, we created a valuable HITRUST readiness checklist to help your business get started on a successful path.

Download the HITRUST checklist PDF!

Why HITRUST compliance matters

The HITRUST CSF is an industry-leading framework that establishes guidelines and standards for organizations in the healthcare industry to ensure the protection and privacy of sensitive information.

HITRUST compliance is essential for healthcare organizations due to the ever-growing complexity of the regulatory landscape and the increasing prevalence of cyber threats. Achieving HITRUST compliance demonstrates a commitment to meeting industry standards, mitigating the risk of data breaches, and safeguarding patient information.

By meeting HITRUST compliance requirements, organizations can enhance their credibility, build trust with stakeholders, and showcase their dedication to maintaining the highest levels of data security and privacy.

Understanding the HITRUST readiness checklist

Having a well-rounded understanding of the importance of the HITRUST CSF is the first step on the road to compliance. Once your business is aware of the components of the framework, you can start taking steps to ensure you have the correct controls in place to protect information.

By following the HITRUST checklist steps below, your organization can show your dedication to following the framework while also fostering a culture of security that extends beyond the audit process.

Build an information protection program

Formally establish an Information Security Management Program (ISMP) highlighting key responsibilities, oversight structures, organization objectives, and a commitment to ethical values.

Establish endpoint protection

Holistically apply anti-virus/anti-malware and/or equivalent endpoint protection throughout your entire environment for all in-scope endpoints, such as desktops, laptops, servers, and mobile devices.

Initiate media, mobile device, and wireless security controls

To demonstrate media, mobile device, and wireless security, your organization should implement controls over:

  • Laptops
  • Mobile phones
  • Firewalls
  • Security configurations
  • Placements
  • Scanning tools
  • Removable media
    • USBs
    • Removable hard drives
    • Backup tapes
    • CDs/DVDs
  • Restricted usage
  • Proper logging

Implement configuration management

Formally document Change Management/System Development Lifecycle (SDLC) processes, and use tools that log all actions taken during the change process. Also, conduct annual technical compliance checks.

Log vulnerability management

Clearly define all in-scope assets in a master inventory list, and put monitoring activities in place to identify and evaluate vulnerabilities. In addition, management should implement password complexity requirements and secure password reset procedures.

Establish network & transmission protection

It is essential to appropriately configure network routing and firewalls to limit traffic and create strong network protection. Also, be sure to define encryption in transit protocols expected to be in use and implement those protocols across all traffic.

Implement access control

Ensure there are access controls in place for all account types and phases of access to include onboarding and terminations.

Log & monitor audit activity

Implement proper audit logging and monitoring controls for all user actions and events. Establish segregation of duties so that logs cannot be modified or adjusted by the administrators of the systems that produce them. Be sure to audit these logs annually.

Promote education, training, and awareness

It is imperative to establish a comprehensive training program for all users. This role-based specific training should be conducted annually, and new hires should be given initial training prior to accessing in-scope systems. Also, foster a culture of security by educating staff on acceptable use, policies, and procedures year-round.

Manage third party assurance

Establish vendor management and oversight policies/procedures and ensure they are being used in daily operations to govern all third-party critical and non-critical vendors.

Define incident management, business continuity, and disaster recovery

In case of a major incident, it is critical to formally define policies and procedures for recovering from identified security incidents or unexpected business interruptions. In addition, management should establish appropriate incident management policies and procedures to guide users in identifying, reporting, and mitigating failures, incidents, concerns, and other issues.

Conduct risk management assessments

Perform a risk assessment, then identify, select, and develop risk mitigation activities for risks from potential business disruptions, including those associated with vendors and business partners.

Establish physical & environmental security practices

Management should create processes around physical and environmental security in accordance with applicable requirements.

Manage data protection & privacy

Management should establish privacy policy and confidentiality policies and procedures in accordance with applicable requirements.

What is the HITRUST assessment process?  

After completing the items on the HITRUST readiness checklist, your business should be ready to begin the HITRUST certification process. The HITRUST assessment process is composed of five steps: 

  • Step 1 – Define scope: During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.
  • Step 2 – Obtain access to MyCSF portal: The organization (the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create its assessment object and engage an approved third-party assessor firm.
  • Step 3 – Complete a readiness assessment/gap assessment: The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks gaps in your organization by risk level, allowing you to remediate any gaps before the validated assessment.
  • Step 4 – Validated assessment testing: During the validated assessment (either the e1, i1, or r2 Assessment) testing phase, assessors review and validate the client scores, then submit the final assessment to HITRUST for approval. HITRUST will then decide whether to approve or deny your organization certification. The HITRUST QA stage in the process (before issuing the certification) can take anywhere from four to ten weeks, depending on the assessment and the assessors’ level of responsiveness.
  • Step 5 – Interim assessment testing: If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment.

Partner with A-LIGN for successful HITRUST compliance

Achieving and maintaining HITRUST compliance is vital for organizations in the healthcare industry. By leveraging the HITRUST readiness checklist and working with a leading third-party assessor like A-LIGN, you can confidently navigate the path toward certification, safeguard your organization’s sensitive data, and build trust with your stakeholders.

Elevate your company’s compliance program and get ready for HITRUST certification by downloading our readiness checklist here.

Compliance in the Age of AI: Addressing Challenges and Embracing Innovation 

by: A-LIGN, 18 Dec 2023, 4 mins

The use of artificial intelligence (AI) and machine learning (ML) tools has exploded recently. OpenAI’s ChatGPT and DALL-E, Google’s Bard, and Midjourney have shown the world just a little of what AI can do.

But while it’s fun to play around with these tools in your free time, many executives are wondering about the implications of AI for their businesses. In this article, we’ll address how AI can help companies with their compliance strategies and what new challenges AI presents regarding compliance and cybersecurity. 

First, let’s get clear on what we’re talking about when we say “AI.” 

What is AI? 

Often, people use terms like “AI” and “machine learning” without knowing what they mean. That’s understandable considering how quickly these concepts went from science fiction to everyday life. 

Broadly, artificial intelligence refers to advanced computer systems that can simulate human intelligence. More specifically, much of today’s popular AI technology uses machine learning techniques to achieve this simulation. “Machine learning” denotes a computer’s ability to learn from examples. Humans must feed these computer systems massive amounts of data to train them.  

When trained appropriately, machine learning algorithms can sift through massive datasets to classify information, find patterns, and make predictions. Some ML systems can even generate new content with the information they’ve learned — hence “generative AI.” 

Applying AI to compliance and risk assessment 

Because today’s AI and machine learning tools can ingest and analyze data so quickly, opportunities abound for improved business efficiencies. When it comes to compliance and cybersecurity, digging through company data to collect evidence for an audit or identify risks is often the most time-consuming task. As such, AI can come in handy in a number of ways. 

Cybersecurity 

AI can enhance traditional cybersecurity measures. Machine learning algorithms, for instance, can analyze patterns and anomalies in network traffic to identify potential security threats in real time. This can reduce response times to security incidents and mitigate risks more effectively. 

By streamlining security processes and providing real-time insights, AI tools support organizations in maintaining the stringent security and privacy requirements outlined in SOC 2 standards, such as regulating access controls and protecting sensitive data. 

AI can contribute to the development of an adaptive security posture, where security measures are dynamically adjusted based on new threats and compliance requirements. 

Continuous monitoring 

AI tools can provide continuous monitoring of systems and data, ensuring a proactive approach to security and compliance.  

Continuous monitoring is crucial for maintaining compliance with standards such as ISO 27001, which emphasizes “continual improvement” in information security management systems. 

Data privacy and security 

Standards such as ISO 27701 focus on privacy information management systems. AI can assist in automating data privacy compliance efforts, such as data classification, and ensuring that personal information is handled appropriately. 

Machine learning algorithms can help identify and prevent unauthorized access to sensitive health information, helping healthcare organizations adhere to HITRUST.

Businesses can enhance payment card data security by detecting unusual patterns and potential fraud in real time, aligning with the requirements of PCI DSS. 

The limitations of AI for compliance 

As this inexhaustive list shows, there are many ways businesses can harness AI to improve their compliance strategies and risk assessment processes; however, executives should build their AI strategies thoughtfully and gradually over time. Here are a few considerations to keep in mind. 

The importance of context 

Over-reliance on AI for compliance activities can lead to complacency and reduced human oversight. “While automated tools can process information at scale, they often lack the nuance and contextual understanding that human experts bring,” says Patrick Sullivan, VP of Strategy and Innovation at A-LIGN. In other words, AI offers many benefits, but it often requires human understanding to interpret data correctly. Running AI algorithms without appropriate oversight can lead to costly errors.  

The “black box” problem 

Many sophisticated AI algorithms are considered “black boxes,” meaning that their decision-making processes can be challenging or even impossible to interpret. Compliance standards often require transparency and explainability, making it essential to ensure that AI decisions are explainable to stakeholders and regulators. 

Uncertain regulatory and legal landscape 

Speaking of regulators, the regulatory outlook for AI is still evolving. Companies should stay abreast of changing regulations related to AI, such as the EU AI Act and ISO/IEC 42001. Of particular importance for compliance experts, ISO 42001 provides organizations with guidance on managing risks related to AI systems, maintaining compliance with data protection requirements, and implementing AI controls.

Furthermore, determining accountability and liability in the event of AI-related errors or compliance violations can be complex. Organizations need to consider legal frameworks and contractual agreements to mitigate potential legal risks. Ready to get started on your compliance journey with ISO 42001? Contact us today.

Considerations for AI implementation  

As businesses explore how AI can help improve operations, there are a few possible implementation concerns to take into account: 

Employee resistance: Depending on the industry and company culture, employees may be resistant to the adoption of AI, especially if there are concerns about job displacement. Building trust in AI systems and providing adequate training can be essential for successful implementation. 

Resource limitations: Although using AI for time-consuming tasks can feel like an obvious win, developing, implementing, and maintaining AI systems can be resource-intensive. Smaller companies may face challenges in terms of budget and expertise, potentially affecting their ability to comply with the latest standards. 

Maintenance: The rapid development of cybersecurity threats requires AI systems to adapt continuously. Failure to keep AI models updated and responsive to emerging threats can compromise the effectiveness of compliance efforts. 

AI and compliance: an evolving relationship 

In summary, companies can use AI and ML tools to more quickly analyze data and identify security risks. With the right automation, organizations can improve their overall security strategy and better adhere to compliance standards such as SOC 2, ISO 27001, and more. Still, it is important to remember that AI is a new resource for many industries, and the unique risks AI itself poses are not yet fully understood. As such, organizations should proceed carefully and consult compliance experts to ensure security and compliance risks are appropriately identified and addressed. 

In an era where data breaches and cybersecurity threats are daily headlines, organizations face mounting pressure to protect sensitive information and assure clients of their commitment to security. This is where the SOC 2 control list comes into play. SOC 2 compliance has become a vital benchmark for demonstrating an organization’s adherence to industry-leading security standards.  

In this blog, we will delve into the importance of obtaining a SOC 2 attestation, explain the common SOC 2 controls list, how it integrates into a SOC 2 report, and how it can help organizations create a robust security framework and build trust with their stakeholders. 

What is a SOC 2 audit? 

The SOC 2 attestation is an essential and rigorous evaluation process for organizations that provide third-party services to others. It is designed to ensure the highest level of trust and transparency when it comes to the security, availability, processing integrity, confidentiality, and privacy of the systems, applications, and data belonging to their customers and users. The framework was introduced by the American Institute of Certified Public Accountants (AICPA) as part of their System and Organization Control reporting platform. 

To achieve a SOC 2 attestation, organizations must satisfy a set of well-defined criteria for each of the five Trust Service Criteria created by the AICPA. Organizations can demonstrate achievement of the SOC 2 criteria by implementing and operating a set of controls that meet the requirements of the criteria. 

What are SOC 2 controls? 

SOC 2 controls are a set of policies, procedures and directives that govern how an organization’s systems operate to ensure the security, availability, processing integrity, confidentiality and privacy of company and customer data, as applicable. The SOC 2 controls provide guidelines on how organizations can manage and secure their sensitive information and help companies establish effective security controls, thereby reducing the risk of data breaches and ensuring compliance with regulatory requirements.

This detailed catalog outlines various security measures that organizations should implement to comply with SOC 2 requirements. By implementing controls that adhere to the SOC 2 criteria, organizations can demonstrate their commitment to employing and maintaining effective security controls, ultimately building trust with their stakeholders. SOC 2 compliance can also give businesses a competitive edge by assuring potential clients and partners of their commitment to best-in-class security practices. 

What are the SOC 2 Trust Services Criteria? 

To achieve a SOC 2 attestation, organizations must satisfy a set of well-defined criteria for each of the five Trust Service Criteria created by the AICPA. Organizations can demonstrate achievement of the SOC 2 criteria by implementing and operating a set of controls that meet the requirements of the criteria. 

These five criteria include:  

  1. Security 
  2. Availability 
  3. Processing Integrity 
  4. Confidentiality 
  5. Privacy 

Each criterion represents a critical aspect of an organization’s security posture and compliance efforts. These criteria provide a comprehensive framework for addressing potential risks, vulnerabilities, and threats, enabling organizations to assess their security controls and make necessary improvements. Businesses that adhere to these principles demonstrate their commitment to safeguarding customer data. 

But what exactly are the components of the Trust Services Criteria of a SOC 2, and how do they contribute to building trust with your stakeholders? Let’s dive in and explore the key facets of the SOC 2 Trust Services Criteria. 

Security/Common Criteria 

The Security criterion evaluates whether an organization’s systems and applications are protected against unauthorized access (both physical and logical) and other vulnerabilities, ensuring protection and integrity of client data and information. The Security criterion also covers organizational controls that affect the in-scope system such as governance and oversight. The Security criterion must be included in every SOC 2 audit and is often referred to as the Common Criteria.  

Availability 

The Availability criterion verifies that services provided by an organization are available for operation according to agreed-upon terms, ensuring reliability and sustainability. By showcasing a robust availability strategy, organizations instill confidence in their stakeholders, demonstrating their commitment to delivering consistent and reliable services. 

Processing integrity 

The Processing Integrity criterion assesses the accuracy, completeness, and timeliness of data processing operations. This criterion assesses an organization’s controls and measures to evaluate that data is processed accurately and as intended.  

Confidentiality 

The Confidentiality criterion ensures that sensitive customer information is properly stored, classified, protected, and accessed only by authorized personnel to maintain confidentiality. It encompasses controls such as data classification, encryption, access controls, and employee training. By implementing comprehensive measures to preserve confidentiality, organizations earn the trust of their clients, assuring them that their sensitive information is handled with the utmost care and security. 

Privacy 

With increasing regulations and growing concerns around data privacy, the Privacy criterion is more important than ever. It evaluates an organization’s practices and controls related to the collection, use, retention, and disclosure of personal information and adherence with privacy policies and any applicable laws or regulations. By addressing privacy concerns, organizations demonstrate their commitment to protecting individuals’ personal data and respect for their privacy rights, fostering trust relationships with their customers and stakeholders. 

What is the SOC 2 common criteria? 

The SOC 2 Common Criteria comprise nine essential subcategories. Each subcategory represents a specific area that organizations must address to evaluate their security controls and practices effectively.

By understanding these subcategories, businesses can strengthen their cybersecurity posture and demonstrate their commitment to robust compliance standards: 

  1. CC1.0 Control environment: This criterion focuses on creating a culture that prioritizes integrity and security by establishing standards of conduct, evaluating adherence to those standards, and ensuring a proper tone at the top by senior management. Supporting controls such as annual training, communication of roles and responsibilities, and enforcement of responsibilities through reporting structures and authorities are also considered as part of Control Environment. Establishing a control environment that promotes these values is crucial for maintaining strong security controls. 
  2. CC2.0 Communication and information: This criterion evaluates whether organizations effectively communicate their security policies to internal stakeholders, external parties, and customers. Communication and Information also addresses controls around how an organization obtains and generates relevant information to support the functioning of controls. 
  3. CC3.0 Risk assessment: Organizations must conduct thorough risk assessments to identify and manage potential threats and vulnerabilities. This subcategory evaluates whether businesses have effective risk assessment processes in place. 
  4. CC4.0 Monitoring activities: This criterion evaluates if management has selected, developed, and continuously performs monitoring activities to ensure controls are present and functioning as intended, and that processes and controls are in place to react to any deviations identified. 
  5. CC5.0 Control activities: This criterion addresses that management has selected appropriate controls that contribute to the mitigation of organization and technology risk to support the achievement of the company’s objectives. It is important that an organization’s SOC 2 controls are appropriate for their industry and business. 
  6. CC6.0 Logical and physical access controls: This criterion addresses proper information security and access controls. These ensure that only authorized individuals have access to sensitive data and systems. This subcategory assesses whether organizations have implemented appropriate controls to manage user access and prevent unauthorized access. 
  7. CC7.0 System operations: This criterion focuses on the day-to-day management and monitoring of systems and includes activities such as detection and prevention activities, security incident identification, documentation, and resolution. It also evaluates whether organizations have effective processes and controls in place to ensure the security and reliability of their systems. 
  8. CC8.0 Change management: This criterion covers controls around the design of infrastructure and software systems. Controls around the proper authorization, design, testing, and approvals of changes should be documented and maintained. 
  9. CC9.0 Risk mitigation: This criterion covers controls around the identification and selection of risk mitigation measures for risks specifically around business disruptions and risk associated with third parties, vendors, and business partners. 

Understanding the SOC 2 Common Criteria is vital for organizations aiming to achieve SOC 2 compliance. By addressing each criterion appropriately and partnering with a trusted provider, businesses can meet the stringent requirements of SOC 2 and enhance their overall security posture. 

Next steps for understanding the SOC 2 control list 

Understanding the SOC 2 control list is crucial for organizations who want to achieve compliance with data protection regulations. Equipped with this knowledge, companies can implement robust security measures and maintain strong information safeguards that align with industry best practices. 

Navigating the SOC 2 Common Criteria list can be complex, but partnering with a trusted compliance and cybersecurity provider like A-LIGN can make the journey smoother. A-LIGN provides businesses around the globe with a world-class audit experience, ensuring compliance with SOC 2 requirements and providing peace of mind. Contact us today to learn more.  


No matter how big or small your organization is, preparing for a SOC 2 audit can be overwhelming. We hear from many businesses that they don’t know where to start as they prepare for the SOC 2 process. To help you kick off your audit journey, we have created a comprehensive checklist that covers key areas of SOC 2 readiness and preparation to set your business up for success. 

Download the SOC 2 checklist PDF.

Understanding SOC 2 compliance  

Before diving into the checklist, it’s essential to have a solid understanding of what SOC 2 compliance entails. SOC 2, which stands for Service Organization Control 2, is both a voluntary compliance standard and a report on controls at a service organization level. The criteria included in a SOC 2 were developed by the American Institute of Certified Public Accountants (AICPA). It assesses an organization’s controls and processes related to security, availability, processing integrity, confidentiality, and privacy.

Meeting SOC 2 compliance standards helps organizations demonstrate their commitment to data privacy and security. It is especially crucial for businesses that handle sensitive customer data, such as Software as a Service (SaaS) companies and healthcare organizations. Achieving SOC 2 compliance not only demonstrates that controls are in place and operating effectively to mitigate the risk of unprotected data, but also enhances an organization’s reputation and provides a competitive advantage compared to companies that do not conform to the SOC 2 standard.

The SOC 2 audit preparation checklist 

Once you have a clear understanding of the SOC 2 framework, your organization can learn how to prepare for the audit. These steps will ensure that your organization is ready to undergo a SOC 2 audit:  

Conduct a risk assessment  

Start by conducting a thorough risk assessment to identify the potential threats and vulnerabilities that could impact your organization’s systems and data. This assessment will help you understand the areas that require the most attention and allow you to allocate resources effectively, while better understanding which documents and evidence are needed to demonstrate compliance.

Establish written policies and procedures  

Develop documented policies and procedures that outline the controls and processes you have in place. These policies should cover areas such as, but not limited to, infrastructure, services provided, people, access control, data management and classification, incident response, change management, and other operations. Determine that these policies align with the Trust Services Criteria and are regularly reviewed and updated as needed to govern the processes associated with the corresponding controls.

Implement strong access controls  

Access controls play a vital role in protecting the access to sensitive and restricted data. Ensure that you have robust user authentication mechanisms in place, such as strong passwords and multi-factor authentication. Regularly review and update user access privileges to ensure that only authorized individuals can access sensitive information.  

Protect data privacy and confidentiality  

Implement encryption and appropriate data handling practices to protect the privacy and confidentiality of data. This includes encrypting data at rest and in transit, implementing secure data storage practices, and regularly assessing and addressing any vulnerabilities in your systems.  

Develop and test an incident response and disaster recovery plan  

Establish an incident response and disaster recovery plan that outlines the procedures and protocols to follow in the event of a security incident, data breach, or environmental disaster. This should include steps for incident identification, containment, eradication, and recovery. Regularly test and update your response plan to ensure its effectiveness.  

Monitor and audit system changes  

Implement a robust change management process to track and review any changes made to your systems. This includes changes to configuration settings, software updates, and system patches. Regularly monitor, audit, and document these changes to ensure their security and effectiveness.  
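One way to make the "track and review changes" step concrete is a configuration drift check: hash an approved baseline of security-relevant files, hash the current state of the host, and list every added, removed or modified file that has no matching change record. The script below is an added example for this page, not A-LIGN's code or tooling; the baseline, the current snapshot and the change-ticket map are constructed inline (a real run would read the files from disk and the tickets from your change system).

```python
"""Configuration drift check: compare a current snapshot of system settings
against an approved baseline and flag every change that has no change record.

Added example for this page, not A-LIGN's code. The baseline, the snapshot
and the change-ticket map are constructed; a real run would read the files.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed: approved baseline, path -> file content as last reviewed.
BASELINE: Dict[str, str] = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/nginx/nginx.conf": "server_tokens off;\n",
}

# Constructed: what the host looks like now.
CURRENT: Dict[str, str] = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # modified
    "/etc/sudoers": "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",                # unchanged
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",            # added
    # /etc/nginx/nginx.conf is missing from the snapshot: removed
}


def digest(content: str) -> str:
    """SHA-256 of the file content; the baseline can store hashes instead of full files."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


# Constructed: change tickets, path -> digest of the approved new content,
# or None when the ticket approved removing the file.
APPROVED_CHANGES: Dict[str, Optional[str]] = {
    "/etc/cron.d/backup": digest(CURRENT["/etc/cron.d/backup"]),
}


def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Classify every path as added, removed or modified; unchanged paths are omitted."""
    changes: Dict[str, str] = {}
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "removed"
        elif digest(baseline[path]) != digest(current[path]):
            changes[path] = "modified"
    return changes


def unapproved_changes(baseline: Dict[str, str], current: Dict[str, str],
                       approved: Dict[str, Optional[str]]) -> List[str]:
    """Changes with no matching ticket: the ones an auditor will ask about."""
    findings: List[str] = []
    for path, kind in diff_against_baseline(baseline, current).items():
        if path not in approved:
            findings.append(path)          # no ticket at all
        elif kind == "removed" and approved[path] is not None:
            findings.append(path)          # ticket approved new content, file vanished
        elif kind != "removed" and approved[path] != digest(current[path]):
            findings.append(path)          # ticket approved different content
    return sorted(findings)


if __name__ == "__main__":
    for path, kind in sorted(diff_against_baseline(BASELINE, CURRENT).items()):
        print(f"{kind:9} {path}")
    print("unapproved:", unapproved_changes(BASELINE, CURRENT, APPROVED_CHANGES))
```

On the constructed data the sshd_config edit and the nginx.conf removal come back as unapproved, while the new cron job is matched to its ticket by content hash, so a ticket that approved one thing cannot be used to cover a different edit to the same file. Running this on a schedule and keeping its output is the kind of evidence a SOC 2 auditor expects under change management.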

Stay informed of regulatory changes  

Keep up to date with any changes to industry regulations and standards related to SOC 2 compliance. Adapt your controls and processes accordingly to ensure ongoing compliance.  

Continuously monitor and assess controls  

Regularly monitor and assess the effectiveness of your controls and processes. This can be achieved through regular management review, internal audits, vulnerability assessments, and security testing. Identify any gaps or weaknesses and take prompt action to address them.  

Engage a trusted third-party auditor  

To achieve SOC 2 compliance, you will need to engage a trusted, independent, third-party auditor who specializes in SOC 2 assessments. Select an auditor with extensive experience in your industry and a track record of high-quality SOC 2 reports. Collaborate closely with the auditor throughout the process to ensure a streamlined and efficient assessment.  

Best practices for engaging employees for SOC 2 compliance 

Successfully preparing for a SOC 2 audit goes beyond just completing the checklist. Because SOC 2 compliance is a team effort, it is essential that your employees are aware of the importance of compliance and their role in maintaining it. 

In addition to completing the items on your SOC 2 readiness checklist, here are some other ways your organization can create a culture of security and comply with the SOC 2 framework:  

Create an organizational chart 

To comply with SOC 2, your organization should have a defined and organized hierarchy to ensure clear reporting responsibility and accountability. The organizational chart should reflect the structure of the organization and indicate the roles and responsibilities of each department. 

Define roles and responsibilities 

Clear roles and responsibilities define specific duties that can lead to efficient and effective operations within an organization. Defining roles and responsibilities of employees within your organization increases the likelihood that they understand their responsibilities, including the policies and procedures they need to follow.  

Establish Segregation of Duties (SOD) 

SOD ensures that no single employee has complete control over a process. This reduces the risk of fraudulent activities or errors since it would require collusion for SOD violations to occur. Your SOC 2 compliance requires clearly documented SOD policies and segregation. 
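Segregation of duties is easiest to evidence when the access review itself checks for it. The script below is an added example for this page, not A-LIGN's code: it flattens each user's roles into the duties they can actually perform, then reports anyone holding a conflicting pair of duties and anyone who can run every step of a process alone (the "complete control" case the paragraph describes). The processes, conflicting pairs, roles and user assignments are constructed for illustration; in practice they would come from your process documentation and your identity provider's role export.

```python
"""Segregation-of-duties (SoD) check over an access-review export.

Added example for this page; it is not A-LIGN's code. Process steps,
conflicting duty pairs, roles and user assignments are constructed.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: a business process is a list of steps that should be split
# across different people. One person holding every step has "complete control".
PROCESSES: Dict[str, List[str]] = {
    "vendor_payment": ["create_vendor", "approve_invoice", "release_payment"],
    "prod_deploy": ["write_code", "approve_change", "deploy_prod"],
}

# Constructed: duty pairs that must never sit with the same person.
CONFLICTING_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"write_code", "deploy_prod"}),
    frozenset({"approve_change", "deploy_prod"}),
}

# Constructed: role -> duties the role grants.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "approve_invoice"},
    "treasury": {"release_payment"},
    "developer": {"write_code"},
    "change_approver": {"approve_change"},
    "sre": {"deploy_prod"},
    "admin": {"write_code", "approve_change", "deploy_prod"},
}

# Constructed: user -> assigned roles, as an access review would export them.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"treasury"},
    "carol": {"ap_clerk", "treasury"},  # can create a vendor and pay it
    "dave": {"developer", "sre"},       # can write code and deploy it
    "erin": {"admin"},                  # holds every step of prod_deploy
}


def effective_duties(user: str, user_roles: Dict[str, Set[str]] = USER_ROLES,
                     role_duties: Dict[str, Set[str]] = ROLE_DUTIES) -> Set[str]:
    """Flatten a user's roles into the set of duties they can perform."""
    duties: Set[str] = set()
    for role in user_roles.get(user, set()):
        duties |= role_duties.get(role, set())
    return duties


def find_pair_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                        conflicts=CONFLICTING_PAIRS) -> Dict[str, List[Tuple[str, ...]]]:
    """Users who hold both halves of a conflicting duty pair, through any mix of roles."""
    findings: Dict[str, List[Tuple[str, ...]]] = defaultdict(list)
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        for pair in conflicts:
            if pair <= duties:
                findings[user].append(tuple(sorted(pair)))
    return {u: sorted(v) for u, v in findings.items()}


def find_complete_control(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                          processes=PROCESSES) -> Dict[str, List[str]]:
    """Users who can execute every step of a process without a second person."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        for name, steps in processes.items():
            if set(steps) <= duties:
                findings[user].append(name)
    return {u: sorted(v) for u, v in findings.items()}


def sod_report() -> List[str]:
    """Human-readable findings for the access reviewer."""
    lines: List[str] = []
    for user, pairs in sorted(find_pair_conflicts().items()):
        for a, b in pairs:
            lines.append(f"{user}: conflicting duties {a} + {b}")
    for user, procs in sorted(find_complete_control().items()):
        for proc in procs:
            lines.append(f"{user}: complete control of {proc}")
    return lines


if __name__ == "__main__":
    for line in sod_report():
        print(line)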

Outline hiring & onboarding policies and procedures

Your organization must have hiring and onboarding policies and procedures that comply with SOC 2 guidelines. The policies should cover background checks and reference checks, and ensure that new hires receive relevant training, are aware of the organization’s policies and procedures, and complete annual training relevant to their job descriptions.

Employee handbook & code of conduct 

An employee handbook outlines the organization’s policies and procedures, including expected workplace behaviors and key policies such as data security policies. A code of conduct, on the other hand, is a set of ethical and behavioral guidelines that employees must adhere to. SOC 2 requires these policies to be formal, documented, and acknowledged. 

Hold information security awareness training 

Every employee in your organization should receive proper training on information security awareness. The training should cover policies, procedures, and data security measures. SOC 2 treats information security awareness training as a vital component of compliance, so it must be effectively implemented and performed.

Distribute policies to all employees of the organization 

Your organization must document policies and make them accessible to all employees to comply with SOC 2 guidelines. This ensures that every employee fully understands their responsibilities and can follow policies that protect the organization from inherent risks. 

Raise awareness and conduct other ongoing training activities 

Ongoing awareness training is essential to ensure that employees remain informed and updated on the organization’s policies and procedures. Awareness training is an opportunity to educate employees about new risks and communicate any policy changes. 

Partner with A-LIGN to achieve SOC 2 Compliance  

Preparing for a SOC 2 audit requires careful planning, diligent implementation of controls, and ongoing commitment to cybersecurity best practices. Protecting your organization’s data and fostering a culture of security will not only enhance your reputation, but also provide a competitive advantage in today’s digital landscape.  

By focusing on the areas outlined in our checklist, you can identify gaps in your compliance program and determine a suitable strategy to bolster your cybersecurity defenses. Take the first step in preparing for your SOC 2 journey today and download our SOC 2 checklist to pave the way for a secure and compliant future.  

HITRUST, the information risk management, standards, and certification body, recently announced the release of the industry’s first program designed to provide organizations with a secure and sustainable strategy for implementing trustworthy AI.

As AI technologies continue to evolve, the industry sees a mounting necessity to ensure trustworthy and responsible AI use. The newest program fills this gap by providing organizations with a comprehensive framework to navigate the complexities of growing AI adoption, while maintaining compliance with evolving regulatory frameworks.

The program prioritizes risk management, AI-specific assurances, shared responsibilities, and inheritance as a foundation in the newly updated version 11.2 of the HITRUST CSF.

In partnership with industry leaders, HITRUST has identified and delivered practical and scalable assurance for AI risk and security management through these key initiatives:

1. Prioritizing AI risk management with HITRUST CSF

HITRUST has incorporated AI-specific controls into the HITRUST CSF v11.2, providing a valuable foundation for AI system providers and users to leverage to identify risks and negative outcomes in their AI systems. HITRUST will continue to make updates to the CSF to manage AI adoption risks.

At the core of the HITRUST AI Assurance Program lies a robust risk management strategy. By incorporating AI-specific controls into their existing risk management processes, organizations can proactively identify and address AI-related risks. Through risk assessments, mitigation measures, and continuous monitoring, businesses can navigate the dynamic AI landscape and build a solid foundation for the secure and ethical use of AI technologies.

2. Providing reliable assurances around AI risks through HITRUST

In 2024, HITRUST assurance reports will include AI risk management for organizations to reliably address AI risks. Organizations and service providers implementing AI systems and models will understand the risks associated and demonstrate their adherence with AI risk management principles.

In addition, AI risk management certifications will be supported with the HITRUST Essentials (e1), HITRUST Leading Practices (i1), and HITRUST Expanded Practices (r2) reports. These HITRUST Insight Reports will also be available for organizations wishing to demonstrate the quality of their AI Risk Management initiatives to customers and other stakeholders.

3. Embracing inheritance in support of shared responsibility for AI

HITRUST’s Shared Responsibility Model helps providers and customers define AI risk distribution and shared responsibilities. HITRUST leverages its inheritance and shared responsibility model expertise from cloud computing to enhance AI governance to facilitate the collaboration between AI service providers and their customers in managing AI risks and responsibilities.

These parties must demonstrate several key considerations including training data quality, safeguards against data poisoning, bias mitigation, model user responsibilities, and distinctions between proprietary and externally sourced large language models.

4. Leading industry collaboration

HITRUST plans to use its experience in control frameworks, assurance, and shared responsibility in partnership with Microsoft, Databricks, and other stakeholders to drive AI risk management and security solutions.

The HITRUST AI Assurance Program release came at a time when new AI regulations and laws are gaining more traction. The European Parliament implemented the Artificial Intelligence Act, which creates a regulatory framework for AI systems, emphasizing transparency, accountability, and human oversight.

Similarly, in the U.S., the recent White House Executive Order on AI focuses on improving the safety, security, and accountability of AI systems to protect the privacy of Americans.

The latest legislative actions emphasize the need for transparency, accountability, and human oversight in AI adoption. HITRUST’s program aligns seamlessly with these initiatives, providing organizations with a practical framework to meet regulatory requirements while embracing the transformative power of AI.

As organizations increasingly incorporate AI into their operations, the importance of trust, compliance, and responsible AI practices becomes pivotal. HITRUST’s pioneering AI Assurance Program revolutionizes the way businesses approach AI adoption, paving the way for secure, ethical, and compliant AI implementation.

A-LIGN can help organizations identify threats related to their AI technology implementation and adoption. With our team’s expertise in HITRUST CSF, we can help evaluate AI risk and recommend controls to implement to protect your customers’ data and maintain compliance with growing AI regulations. Contact our team today to get started.

Download our HITRUST checklist now!

Audit reports are a critical tool for ensuring compliance. They provide an independent assessment of a company’s compliance program and identify any areas where improvement is needed. Many people assume that all audit reports are created equal, but nothing could be further from the truth. Some budget auditors will sell businesses on a service that looks like what they need but, in reality, is a poor imitation of a high-quality report. 

So, what’s on the line when a company chooses a cut-rate audit? 

The risk of a cheap audit 

Whether companies are looking for a compliance assessment for SOC 2, ISO 27001, SOX 404, or another standard, it’s important to carefully select an auditing partner, as the results can have a significant impact on business operations and reputation. 

When a company doesn’t do its research before signing the audit contract, it opens itself up to many risks: 

  • Security vulnerabilities: A superficial audit may fail to uncover key weaknesses in an organization’s information security practices. This can leave the company exposed to data breaches, cyberattacks, and financial losses associated with costly remediation efforts. 
  • Inadequate assurance: Cheap audits may lack the thoroughness required to provide a meaningful level of assurance. This can leave the company and its stakeholders uncertain about the effectiveness of internal controls and security measures. 
  • Negative brand image: An inadequate audit that fails to identify control deficiencies or security issues can lead to a loss of trust among clients, partners, and other stakeholders, resulting in reputational damage that can be difficult to recover from. 
  • Missed operational inefficiencies: A low-quality audit may overlook inefficiencies in business processes, preventing the company from optimizing its operations and improving its bottom line. 
  • Legal liabilities: Incomplete audits can leave a company vulnerable to legal liabilities, especially if clients or business partners suffer financial losses due to control failures that the audit didn’t detect. 
  • Lost business opportunities: Many clients and partners require evidence of a high-quality compliance assessment (e.g., SOC 1 or SOC 2 reports) before engaging in business relationships. Choosing a cheap audit can mean more work down the line if it doesn’t cover all the controls that interested parties demand. 

What to look for in a final audit report 

A high-quality audit report for a compliance assessment like SOC 1 or SOC 2 is crucial for ensuring the accuracy and reliability of a company’s internal controls and security practices. Here are some important things a company should expect in such a report: 

  • Clarity and transparency: The audit report should provide a thorough overview of the audit process, scope, findings, and conclusions. It should be easily understandable to both technical and non-technical stakeholders. 
  • Comprehensive scope: The audit should cover all relevant aspects of the organization’s controls and security processes. It should be customized to the company’s specific needs and industry best practices. The report should include a detailed assessment of controls, policies, and procedures, evaluating their design and effectiveness in meeting the compliance criteria. 
  • Compliance with audit standards: The audit should be performed in accordance with recognized standards, such as the Statement on Standards for Attestation Engagements (SSAE) for SOC 1 or the Trust Services Criteria for SOC 2. The report should explicitly state compliance with these standards. 
  • Testing and sampling: The audit should involve extensive testing and sampling of controls and transactions (as applicable) to ensure that the findings are representative of the overall control environment. The report should include detailed documentation and evidence to support the auditor’s conclusions.  
  • Recommendations and remediation: In the case of control deficiencies, a good audit report will provide recommendations for remediation and improvement, helping the company address the identified issues effectively. The auditor should also provide the opportunity for companies to ask questions in the draft phase and include those clarifications in the final report. 

Note: A high-quality audit report will come from a qualified and competent audit firm. Look for certifications, experience, and a reputation for excellence in the field. 

Protect your business with robust audit reporting 

Selecting the right compliance partner can have a significant impact on the success of an organization’s compliance program. Partnering with a budget audit firm may put your business at risk of receiving a low-quality audit report, which could be rejected—leading to hidden costs and delays in obtaining another report.

A-LIGN stands out by delivering a single-provider approach that takes companies from readiness to report on a full suite of compliance certifications and assessments, including SOC 1, SOC 2, FedRAMP, ISO, HITRUST, PCI, and many more. Our reports cover hundreds of internal controls, so businesses can be sure that if there’s a vulnerability, we’ll find it. Contrast that with budget audit firms, which assess 80% fewer controls than A-LIGN in some cases. 

Don’t just “check the box” on compliance. Get a high-quality report from a trusted partner that can help you make meaningful, lasting changes in your internal controls. To learn more, download our quality audit checklist.


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
