The Failed Audit
The examiner's letter arrives. Matters Requiring Attention. Matters Requiring Immediate Attention. Remediation deadlines you can't meet without help. Your board wants answers — and your IT vendor says "that wasn't in scope."
HIPAA, FFIEC, FTC Safeguards, IRS Pub 4557, ABA Rule 1.6, CJIS, PCI-DSS — built into your IT environment from day one by a CISSP-led Arkansas team. Pass exams without scrambling. Renew cyber insurance without surprises. Sleep at night knowing your documentation actually matches reality.
Compliance services translate the regulations your industry must follow — HIPAA, FFIEC, FTC Safeguards, IRS 4557, ABA 1.6, CJIS, PCI-DSS — into the actual technical controls, written policies, employee training, and audit evidence regulators and examiners require. We build it into your daily IT operations so the audit is just a review of what's already working, not a frantic six-week sprint.
These are the late-night calls. They almost never have to happen — and when a program is built right from day one, they don't.
The average data breach cost a U.S. business $9.36 million in 2024 — and for regulated industries (healthcare, finance, legal), the cost runs significantly higher. Most of that damage is the part regulators, examiners, and class-action attorneys cause after the breach, not the breach itself. Source: IBM Cost of a Data Breach Report 2024.
Your carrier emails a 12-page renewal questionnaire. They want evidence — not check-boxes. You can't produce the MFA coverage report. Premium triples. Policy gets non-renewed. Now you're shopping carriers in a market that's locked you out.
Ransomware hit. HHS OCR has to be notified within 60 days for any HIPAA breach affecting 500+ patients. State attorneys general have separate timers. The FTC wants to know what your Information Security Plan said. You don't have one in writing.
You signed PTIN renewal attesting to a Written Information Security Plan you've never written. You signed the bank exam response form without reading half of it. You hope HIPAA "is covered" because you bought an EHR. Nobody can tell you straight what you actually owe.
We don't dabble in seven frameworks. These are the ones our Arkansas clients actually face — and we know each one cold.
The FFIEC IT Examination Handbook is the playbook every Arkansas bank examiner pulls from. We implement Information Security, Business Continuity Management, Outsourcing Technology Services, and Audit modules. GLBA Safeguards Rule. Bank Service Company Act technology-service-provider attestations. Examiner-tested.
HIPAA isn't optional and HHS OCR audits aren't theoretical. We do the annual Security Risk Assessment required under §164.308, implement administrative / physical / technical safeguards, manage Business Associate Agreements, handle Breach Notification Rule timelines, and train your staff on what counts as PHI exposure.
ABA Model Rule 1.6 requires reasonable efforts to prevent unauthorized disclosure of client information. ABA Formal Opinion 477R and Rule 1.1 Comment 8 require technology competence. We translate "reasonable efforts" into concrete technical controls — and document them in a way that satisfies your state bar if a complaint is ever filed.
The 2023 FTC Safeguards Rule update added teeth. IRS Pub 4557 requires every paid tax preparer to maintain a Written Information Security Plan (WISP). PTIN renewal attests to it. We write the WISP, implement the nine required controls (access, encryption, MFA, change management, monitoring, secure development, incident response, training, vendor oversight), and designate a Qualified Individual.
If you touch FBI Criminal Justice Information — through CAD/RMS, NCIC, ACIC, or interagency data sharing — the CJIS Security Policy applies. Advanced Authentication. Personnel screening. Physical security. FIPS 140-3 validated encryption. We implement, document, and prep your CJIS audit.
If you accept credit cards — even through a third-party processor — PCI-DSS applies. v4.0 added requirements that took effect March 2025. We scope your Cardholder Data Environment, complete the Self-Assessment Questionnaire honestly, and shrink your scope so you're not signing attestations you can't defend.
Not a checklist app. Not a template you fill in. Real CISSP-led work, documented to survive a real examiner.
We map your current environment against the framework that actually applies to your business — HIPAA, FFIEC, FTC Safeguards, IRS 4557, ABA 1.6, CJIS, or PCI-DSS — and deliver a written gap report with prioritized remediation. You'll know exactly where you stand and exactly what it takes to close the gap.
Written Information Security Plan (WISP). Incident Response Plan (IRP). Acceptable Use Policy (AUP). Data Classification. Access Control. Vendor Risk Management. BYOD. Business Continuity / Disaster Recovery. Written to your industry, your stack, your real business — not template fill-in-the-blank.
MFA everywhere. Encryption-at-rest + in-transit. EDR on every endpoint. Centralized logging with retention to match your framework. Privileged Access Management. Email DLP. The controls regulators want — implemented, monitored, and provable. Not "we have it somewhere."
The hardest part of any audit isn't doing the work — it's proving you did it. We capture and retain the evidence in real time: patch reports, MFA enrollment reports, EDR deployment reports, backup test logs, training completion records, access reviews. Audit prep becomes a download, not a fire drill.
We complete the 12-page underwriting questionnaires (Coalition, AON, Marsh, Travelers, Chubb, Beazley) accurately and back the answers with evidence. Clients we onboard typically see lower renewal premiums — often 20–40% lower — because they can document what other applicants only claim.
Annual review of your full compliance program against the latest version of your framework (frameworks change — HIPAA, FFIEC, FTC, PCI-DSS all updated in the last 24 months). Pre-exam dry run before regulators arrive. If you face a real exam, we're on the call answering examiner questions — not hiding behind your IT contact.
Most IT vendors say "we do compliance." Almost none of them have sat across the table from an examiner. Here's the difference.
| | Mansour's Computer Solutions | Generic MSP | DIY (In-House) |
|---|---|---|---|
| Framework expertise | CISSP-led · 7 frameworks done day-to-day | "We've heard of HIPAA" | YouTube + Reddit + a template you bought |
| Written policies (WISP, IRP, AUP) | Custom-written to your industry & stack | "Here's a template — fill it out yourself" | Word doc nobody updated in 3 years |
| Technical controls implementation | Implemented, monitored, evidence-captured | "You should turn on MFA" | Some users have it, some don't, nobody knows which |
| Audit evidence collection | Continuous · download-on-demand | Manual screenshots the week of the audit | Frantic Slack messages to IT 2 weeks before |
| Examiner / auditor representation | On the call · answers technical questions | "That's your responsibility" | You hope your CFO can wing it |
| Cyber insurance application | Completed · evidence-backed · defensible | "We'll send you a checklist" | Best guess · whatever gets it submitted |
| Breach response readiness | IRP tested annually · 24/7 incident hotline | "Call us during business hours" | Hope the breach happens between 9–5 weekdays |
| Employee training | Quarterly · phishing-simulated · documented | Lunch-and-learn once a year if anyone shows up | Annual "click through this video" requirement |
| Framework updates tracking | We track changes & adjust your program | You'll find out at audit time | You won't find out at all |
| Board / leadership reporting | Quarterly compliance posture reports | Invoice only | Verbal updates when leadership asks |
| Post-incident regulator support | MRA / MRIA / HHS OCR / FTC response work | "Hire an attorney" | Hire an attorney and a forensics firm at $600/hr |
| Cost of getting it wrong | Built-in · predictable · prevention-focused | Add-ons billed hourly after the audit fails | Fines, lawsuits, breach disclosure, lost license |
No 90-day discovery phases. No surprise scope changes. Just three clear steps to a documented, defensible compliance program.
Thirty minutes. We ask what industry you're in, what frameworks apply, what audits you face, where you think your gaps are, and what triggered the call. You walk away with a straight read on what you actually owe — even if you don't hire us.
We map your current state against the framework that applies — HIPAA, FFIEC, FTC, IRS 4557, ABA 1.6, CJIS, or PCI-DSS — and deliver a written gap report with prioritized remediation, fixed-fee pricing, and a realistic timeline. No mystery line items.
We write the policies, implement the technical controls, train the staff, and capture the evidence. Then we keep it running — so the next audit, the next renewal, the next examiner letter is just a review of what's already working.
Compliance is a separate monthly service — priced per framework, scoped on a free call. Plus optional one-time projects when you need a specific deliverable.
HHS Office for Civil Rights collected $144M+ in HIPAA enforcement actions through 2024, and the average post-breach OCR settlement now runs $50,000–$2M+ per case. Cyber-insurance carriers increasingly require documented compliance programs before they'll renew. The math on a Mansour's compliance program almost always works out in your favor. Source: HHS OCR.
Three Google reviews from clients we've worked with on cybersecurity, sensitive-data protection, and patient, jargon-free support.
"When we experienced an email breach, their team responded the same day, resolved the issue promptly, and gave us the confidence to entrust them with all our IT needs. We had never worked with an IT firm before, and now we can't imagine needing anyone else."
"Our accounting firm in Little Rock chose Mansour's Computer Solutions to handle our cybersecurity onboarding, and the experience was outstanding. They took the time to understand how we store and access sensitive client tax data, then implemented multiple layers of protection to keep our systems safe from hackers."
"I needed a workstation that could keep up with my demanding schedule — clinical research, telehealth, and data security — all while working between home and the hospital. Mansour delivered exactly what I needed right here in Little Rock. His team built me a custom machine with the power of a gaming rig and the protection of an enterprise system."
Yes. HIPAA is one of our most-served compliance frameworks. We handle the HIPAA Security Rule (administrative, physical, and technical safeguards), the Privacy Rule, and the Breach Notification Rule. That includes annual risk assessments, written policies, encryption-at-rest and in-transit, audit logging, MFA on every PHI-accessing account, Business Associate Agreement management, and employee HIPAA training. If HHS OCR ever knocks, you'll have the documentation to show your program was real.
Yes. Community banks are our wheelhouse. We implement the FFIEC IT Examination Handbook (Information Security, Business Continuity Management, Outsourcing Technology Services, Audit), the Gramm-Leach-Bliley Act Safeguards requirements, and the Bank Service Company Act technology-service-provider rules. We've sat in examination rooms. We know what regulators ask for, what they want to see in writing, and the gap between "we have it" and "we can prove it."
The FTC Safeguards Rule update (effective June 9, 2023) and IRS Publication 4557 both require a written Information Security Plan (WISP) for any firm that handles taxpayer data. We write the WISP, implement the nine required technical controls (access controls, encryption, MFA, change management, monitoring, secure development, incident response, training, and vendor oversight), designate a Qualified Individual, and keep the documentation current. If you sign IRS PTIN renewals, you're attesting compliance — we make that attestation truthful.
Cyber insurance applications have grown from one page to 12+ pages — and underwriters now require evidence, not check-boxes. We complete carrier applications (Coalition, AON, Marsh, Travelers, Chubb, etc.), gather the technical evidence they require (MFA coverage reports, EDR deployment proof, backup test logs, patch reports, security awareness training records), and represent your controls accurately so your application isn't kicked back. Clients we onboard typically see lower premiums at renewal — sometimes 20–40% lower — because they can document what other applicants only claim.
Founder Mansour Simpier holds the CISSP (Certified Information Systems Security Professional) — the gold-standard credential for information security professionals, requiring five years of paid security experience and a four-hour exam covering eight domains including Security and Risk Management, Asset Security, Security Architecture, and Security Operations. He's also the author of Cyber Fortresses, an Amazon best-selling book on small-business cybersecurity. We've been doing this since 2008 for Arkansas community banks, medical practices, law firms, CPA firms, and government agencies — not as a side hustle.
Yes. Written policies are required by every major framework — HIPAA Security Rule §164.316, FFIEC IT Handbook, FTC Safeguards Rule, IRS Pub 4557, ABA Model Rule 1.6 comments, CJIS Security Policy §5.2. We write the full policy stack to your specific industry: Written Information Security Plan (WISP), Incident Response Plan (IRP), Acceptable Use Policy (AUP), Data Classification Policy, Access Control Policy, Vendor Risk Management Policy, BYOD Policy, and Business Continuity / Disaster Recovery Plan. We keep them current, version-controlled, and tied to actual technical controls — not template fill-in-the-blank that won't survive a real exam.
For existing clients, that's rare — and when it happens, we're on the call with the examiner. We help respond to Matters Requiring Attention (MRA), Matters Requiring Immediate Attention (MRIA), HHS OCR Resolution Agreements, FTC consent decrees, and state attorney-general inquiries. For new clients who come to us after a failed audit, we triage the findings, build the remediation plan, deliver the technical controls and documentation the regulator demanded, and stay engaged through the closeout review. We don't disappear when it gets uncomfortable.
Compliance is a separate monthly service, priced per framework — it's not bundled into managed IT, because the right scope depends entirely on which framework applies to you (HIPAA, FFIEC, FTC Safeguards, IRS 4557, ABA 1.6, CJIS, or PCI-DSS) and the size and complexity of your environment. We don't post a one-size-fits-all monthly rate because the work isn't one size. We scope it on the free 10-minute call and lay out a flat monthly fee you can plan around. For one-time projects (gap assessment, WISP build, post-audit remediation, cyber-insurance application support), we scope a fixed fee on the same call.
In one quick call you'll walk away with: (1) where your current IT is leaking time, money, or risk, (2) what a fix looks like for a business your size, and (3) whether Mansour's is the right fit. Real Arkansas technician on the call — not a salesperson.