Oct 27 2008 9:03PM GMT
Posted by: Charles Denyer
regulatory compliance,
SAS 70,
sas 70 type ii,
SAS 70 Type I,
sas 70 sample report
SAS 70 Type I and SAS 70 Type II audits are fast becoming a mainstay in today’s regulatory compliance environment. If your organization is seeking to become SAS 70 Type I or SAS 70 Type II compliant in the near future, then here are some helpful tips for adequately preparing for all aspects of the audit.
1. Requirements: Do you need a SAS 70 Type I or SAS 70 Type II audit?
2. Scope: What is the scope of the audit? What business lines, services, and operations have to be covered in the SAS 70 audit? Are there specific requirements that someone is asking to have included within the audit?
3. Pricing: Always obtain three (3) quotes and get a “fixed fee” for the audit, that is, the entire audit, including travel and all out-of-pocket expenses, is included within the fixed fee.
4. Testing period: If moving forward with a SAS 70 Type II audit, what is the test period going to be? (Note: test periods are traditionally 6 or 10 months long; you will have to identify this with the CPA firm that will be conducting the SAS 70 audit.)
5. SAS 70 Readiness: Make sure you conduct a Readiness Assessment before moving forward with the audit. It will prove invaluable in understanding your control environment.
To learn more about SAS 70 audits, visit the official SAS 70 Resource guide, where you can obtain a wealth of information on SAS 70 audits, including a sample SAS 70 report.
Oct 27 2008 8:51PM GMT
Posted by: Charles Denyer
payment card industry,
qsa,
pci dss qsa,
policies and procedures,
pci assessment
PCI DSS stands for Payment Card Industry Data Security Standards. If you are a merchant or service provider who is directly involved in the processing, storage, or transmission of transaction data or cardholder data, then you should be looked upon as a candidate for PCI DSS compliance.
As with any compliance mandate, the costs can be high, the assessment can be time consuming, and it’s something that has to be conducted annually.
The very first thing organizations should do to prepare for PCI DSS compliance is to make sure their organization has documented policies and procedures in place. And why? Because a large part of the success of obtaining PCI DSS compliance is dependent on having these very documented policies and procedures in place. Don’t believe me? Well, take a look at the PCI DSS standards for yourself and read between the lines and you will quickly find that this is an absolute necessity.
If you do not have them or do not have the time and skills to write them, then I highly recommend you hire a consulting firm that is expert at writing policies and procedures for PCI DSS.
Time and time again, this is one of the biggest weaknesses I have seen in merchants, service providers and any other organization looking to become PCI DSS compliant.
Oct 27 2008 8:43PM GMT
Posted by: Charles Denyer
payment card industry,
qsa,
pci dss qsa,
policies and procedures,
pci assessment
PCI DSS is fast becoming a requirement for many merchants and service providers in today’s economy that are directly involved in the processing, storage, or transmission of transaction data or cardholder data. In short, they should be looked upon as candidates for PCI DSS compliance.
If you have to become PCI DSS compliant, here are a few tips and strategies for making sure you go through the process in an efficient and cost-effective manner.
1. Find out exactly what your requirements are for PCI DSS, that is, what level you fall under for compliance. Many of the levels allow you to do a PCI DSS self-assessment. But before you move forward, get the facts from a qualified PCI firm.
2. Policies and Procedures: Make sure you have the ability, knowledge and know-how to write effective policies and procedures for your organization. Why? Because a large part of PCI DSS success centers around having effective PCI DSS policies and procedures in place. If you do not have them or do not have the time or skills to write them, then find a qualified firm that is expert at writing policies and procedures for PCI DSS compliance.
3. Understand the scope of PCI DSS. Regardless of what level you fall under for PCI DSS compliance, your scope may be limited or expanded, depending on the services you provide with respect to the processing, storage, or transmission of transaction data or cardholder data.
To learn more about PCI DSS, visit www.pciassessment.org
Oct 19 2008 11:54PM GMT
Posted by: Charles Denyer
payment card industry,
pci dss qsa,
policies and procedures,
pci assessment
PCI DSS: It’s a well-known phrase in today’s growing regulatory compliance landscape. Because PCI DSS and its standards, requirements, and other supporting factors are relatively new, there still seems to be a high degree of uncertainty about who needs to be PCI DSS compliant and why. The who, what, where, when, and why is still unclear for many merchants, service providers, and other entities involved, directly or indirectly, in the overall payment cycle.
Here is what is for certain. If you do have to be PCI DSS compliant, then it’s wise to immediately start looking at and inspecting your organization’s documented policies and procedures. Why, you ask? Because most companies are very good at what they do, but typically weak at documenting what they do. Add to the mix that a fair amount of PCI DSS compliance is dependent on documented policies and procedures, and you can quickly see the importance. But who is going to write them and how long will it take?
My recommendation is to hire an experienced PCI QSA firm that has the skills and the templates ready for your organization to use. Remember, this is one of the most arduous and time consuming efforts of PCI DSS compliance, so start early before it’s too late.
To learn more about PCI DSS compliance, visit www.pciassessment.org.
Oct 19 2008 11:45PM GMT
Posted by: Charles Denyer
PCI DSS,
pci compliance,
policies and procedures
PCI DSS compliance can be considered a costly, time-consuming assessment for any merchant or service provider that has to obtain PCI DSS compliance. What many organizations fail to recognize is that within the PCI DSS standards are a slew of requirements for documented policies and procedures on a laundry list of items. While companies are typically very good at what they do from an operational and business perspective, most companies perform rather poorly when it comes to documenting what they do. It’s an inherent weakness that I, as a PCI QSA assessor, see time and time again out there in the world of compliance.
Take note: documenting your policies and procedures for PCI DSS compliance can be a costly and time-consuming affair. My recommendation: find a PCI QSA firm that has ready-made templates which can be customized to your operations. Furthermore, appoint an internal employee to either develop these documented policies and procedures or work with an external PCI QSA assessor.
To learn more about PCI DSS compliance and how to develop customized documented policies and procedures for ensuring PCI DSS compliance, visit NDB Advisory.
Oct 19 2008 9:28PM GMT
Posted by: Charles Denyer
SAS 70,
SAS 70 download,
sas70,
sas 70 type ii,
SAS 70 Type I
SAS 70 Type I and SAS 70 Type II audits are being required more and more of service organizations in today’s growing regulatory compliance and heightened corporate governance environment.
Thus, if you are a service organization or a third-party provider of critical services to another entity, you may very well be called upon to become SAS 70 Type I or SAS 70 Type II compliant.
If you want to learn about the who, what, when, where and why of Statement on Auditing Standards No. 70, commonly known as SAS 70, then visit the official SAS 70 Resource Guide, where a wealth of information on the SAS 70 auditing standard awaits you. You can download white papers on SAS 70, read about the history of the auditing standard, learn specific SAS 70 terms and phrases that auditors use, and even obtain a sample SAS 70 audit report.
Many service organizations having to go through a SAS 70 audit have voiced frustration at not being able to find a true resource portal that breaks down, distills, and explains the SAS 70 auditing standard in an easy-to-read, understandable format.
So, visit the SAS 70 Resource portal for all your needs on SAS 70 audits.
Oct 19 2008 9:17PM GMT
Posted by: Charles Denyer
PCI DSS,
sas70,
sas 70 type ii,
SAS 70 Type I
Many organizations are having to complete either a SAS 70 Type I or a SAS 70 Type II audit along with being Payment Card Industry (PCI) compliant. With that being said, I am often asked whether you can create efficiencies of scale if a firm does both the SAS 70 audit and the PCI assessment. The answer is yes, but please keep in mind it is not a perfect one-to-one match. The SAS 70 audit, remember, is NOT a technology audit, whereas the PCI assessment requires a much more in-depth examination of information security. That’s not to say that a SAS 70 audit does not have technology involved in the audit process; it does, and in many cases quite a bit of technology. But with that said, please keep in mind that the original auditing standard’s intent was not for it to be a technology-driven audit.
However, with all this being said, a quality CPA firm that has the experience and licensing requirements to do both a SAS 70 audit and a PCI assessment can create a highly effective gap analysis that will show where overlaps occur and where documentation will still be needed for either the SAS 70 audit or the PCI assessment, depending on which one is conducted first.
For more information on NDB, LLP’s SAS 70 services, visit the official SAS 70 Resource Guide.
For more information on PCI assessments, visit NDB’s PCI website, which discusses PCI in detail and the services NDB offers.
Oct 19 2008 8:27PM GMT
Posted by: Charles Denyer
regulatory compliance,
sas70,
sas 70 type ii,
SAS 70 Type I
Does your organization need to be SAS70 compliant? If so, many people often ask me if they have to complete a SAS70 Type I audit before doing a SAS70 Type II audit. And the answer? Well, it all depends on a number of factors, such as:
1. Has your organization ever gone through a SAS70 audit before, and if so, when?
2. Are you required to be SAS70 Type II compliant, or will a SAS70 Type I suffice for your clients for this year?
3. What is your deadline for completing a SAS70 audit, and when must it be presented to your clients or their auditors?
As you can see, there’s no quick black-or-white answer to the question. The most important thing to understand is what requirements are being placed on you by another entity for being SAS70 compliant. In essence, you should be able to answer the who, what, when, where and why within a relatively short period of time. You can also call a CPA firm that specializes in SAS70 audits to help answer these questions for you.
If you want to learn more about SAS70 audits, then visit the official SAS70 Resource Guide, where a wealth of information awaits you on SAS70 audits.