IT Risk &
Types of

If your company stores sensitive customer data, provides software services to other businesses or conducts transactions through the cloud, then you understand the importance of information technology (IT) risk and compliance. Holtzman Partners has an entire team of IT professionals dedicated to helping clients assess their IT controls and to assisting with IT controls audits.


If your organization provides services to public companies or to regulated industries (e.g., banking or healthcare), then you may be asked to provide an audit report on your internal controls as they pertain to information technology (IT) and business processes.

These reports are referred to as System and Organization Controls (SOC) 1, 2 and 3 reports and are released by the American Institute of Certified Public Accountants (AICPA).

Holtzman Partners understands the challenges of the internal controls reporting process, and we are familiar with the different types of reports. We work with companies to review internal controls and other measures to ensure compliance with SSAE 18 and SOC reporting standards. We work with clients of all sizes to custom-tailor their report to the exact needs of their customers and regulators.

Since information technology (IT) systems proliferate throughout an organization and can therefore impact almost all areas of a company’s business, evaluations of IT control structure can have a profound impact on a company’s overall control environment.

Our firm has the experience to perform these evaluations and add value to help strengthen that control environment. Our IT risk services allow our clients to utilize personnel with significant technical IT and audit experience across various industries and to benchmark IT control procedures against other companies in similar industries.

We maintain a talented group of IT professionals with a combination of technical and audit experience which rivals that of large international accounting and consulting firms. This experience includes performing reviews and evaluations of the following:

  • User access to and roles within IT systems
  • Logical security around a company’s IT environment
  • Changes to systems and applications
  • Backup of applications and data files
  • IT controls upon the implementation of a new IT system
  • Process flows to identify efficiencies and reduce risk

    Companies that work with patient health care information may be required to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These requirements include maintaining an internal control structure that limits access to sensitive patient health-related information and may be subject to review by regulatory agencies. Companies may also face fines for non-compliance.

    Our HIPAA compliance services allow companies to voluntarily evaluate the impact of HIPAA requirements before a formal evaluation is required by a regulatory agency. This service allows management to be confident that their control structure is sufficient to address HIPAA requirements, thus reducing the exposures that may result from non-compliance with its rules.

    Our HIPAA Audit Preparation services include:

  • Performing an evaluation of a company’s compliance with the requirements of HIPAA as it pertains to patient health care information.
  • Identifying exposures related to HIPAA requirements.
  • Using our experience and review of our client internal controls database to provide logical suggestions for addressing exposures.

    The extensive experience of our partners and staff personnel with internal control related services uniquely positions our firm to provide these HIPAA audit preparation services. This experience allows us to provide logical solutions to issues encountered and, as a result, may reduce the overall compliance effort for our clients.

    Companies that provide services to banks, credit unions or other financial institutions may be required to undergo an examination by the FDIC, NCUA or OCC under the guidelines defined by the Federal Financial Institutions Examination Council (FFIEC).

    These guidelines require that companies formalize their internal control policies, perform an internal risk assessment and perform an internal audit of their controls. Non-compliance with these requirements (as identified by an FFIEC audit) may result in fines.

    Our firm provides services that help companies comply with FFIEC requirements including assistance with the creation of internal control policies, developing and performing an internal risk assessment and evaluating internal controls on behalf of management.

    These procedures are intended to help ensure that the company would meet FFIEC requirements if an audit were to be performed by a regulatory agency, thus reducing the exposures that may result from non-compliance with the guidelines. Further, since we are independent of the company, our services may allow the regulatory agency to rely on the results of our procedures to reduce the amount and extent of their evaluation procedures.

    Our FFIEC audit preparation services include:

  • Performing an evaluation of a company’s compliance with FFIEC requirements.
  • Identifying exposures related to FFIEC requirements.
  • Assisting with the drafting of company policies.
  • Performing an internal risk assessment against FFIEC requirements.
  • Auditing internal controls and evaluating residual risk.
  • Using our experience and review of our client internal controls database to provide logical suggestions for addressing exposures.

    I have worked with Holtzman Partners for many years where they have provided audit and consulting services. I cannot say enough about the team at Holtzman. Their staff are consistent, professional and demonstrate strong technical skills. They are extremely responsive and easy to work with.

    - Michael S. Lafair, CFO - CS Disco