Regulatory Compliance, Governance and Security: July, 2009 archives

Jul 28 2009   3:45PM GMT

SAS 70 for Payroll Companies | Tips on SAS 70 Type II Compliance

Posted by: Charles Denyer
sas 70 type ii, SAS70 Type I, payroll companies, consumer information, charles denyer, social security numbers, EIN, dates of birth

SAS 70 for payroll companies is fast becoming a requirement in this industry. And why? Because payroll companies conduct critical and material outsourcing functions for many organizations in today’s business arena. What’s more, they have a responsibility to protect vital consumer information, such as social security numbers, dates of birth, federal EIN tax numbers, just to name a few.

Add to that the high degree of risk in this industry, and it’s easy to see why payroll companies are being asked to become SAS 70 Type II compliant.

The scope of a SAS 70 audit for a payroll company will include a host of general controls along with specific business process operational controls that examine and test the payroll life cycle from start to finish, that is, from how consumer information is obtained to the final issuance of hard checks or electronic direct deposit.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where a wealth of information can be obtained on both Type I and Type II audits.

Jul 27 2009   11:49AM GMT

PCI DSS Service Provider Levels for VISA | Level 1 to Level 3

Posted by: Charles Denyer
PCI DSS service provider levels, visa, Annual onsite review by QSA, qsa, qualified security assessor, SAQ, VisaNet

PCI DSS Service Provider Levels for VISA are defined as the following:

Level 1: All VisaNet processors (member and non-member) and all payment gateways.

Level 2: Service Providers (agents) not in Level 1 that store, process, or transmit > 1 million accounts/transactions annually.

Level 3: Service Providers (agents) not in Level 1 that store, process, or transmit < 1 million accounts/transactions annually.

Additionally, these various “levels” have predefined requirements for PCI DSS compliance, which essentially call for the following:

* Annual onsite review by a Qualified Security Assessor (QSA)
* Quarterly network scan by an Approved Scanning Vendor (ASV)
* Annual Self-Assessment Questionnaire (SAQ) (Canada: SAQ required and must be reviewed by a QSA)

In short, you will need to retain a Qualified Security Assessor (QSA) to help with PCI DSS compliance. A QSA will assist in guiding your organization through an actual on-site assessment.


Jul 24 2009   8:12PM GMT

PCI Merchant Level Requirements | VISA Merchant Level Compliance

Posted by: Charles Denyer
pci merchant level requirements, visa, american express, mastercard, Discover Card, jcb, charles denyer, level 1, level 2, level 3, level 4

PCI Merchant Level Requirements for VISA are stated as the following:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Also, any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

The other payment brands (MasterCard, American Express, Discover Card, and JCB) also have their own requirements for merchants.


Jul 24 2009   8:00PM GMT

PCI DSS Compliance | Why You Need a QSA for Level 1 Compliance

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI, dss, qsa, qualified security assessor (QSA), charles denyer, service provider, merchant, level 1, payment card industry security standards council, pci ssc

PCI DSS Compliance for Level 1 Merchants and Service Providers is mandatory. In short, if you are a Merchant or Service Provider and have been called upon to become Payment Card Industry Data Security Standards (PCI DSS) compliant, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need.

A QSA is simply an individual who has gone through the qualification process to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.

For more information about PCI DSS compliance and about hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened its requirements so that Level 2 merchants must also undertake an on-site PCI DSS assessment.


Jul 24 2009   7:53PM GMT

SAS 70 Audit and Compliance | Financial Services are Next in Line

Posted by: Charles Denyer
sas 70 type ii, Statement on Auditing Standards No. 70, Registered Investment Advisers, RIA, charles denyer, obama, internal controls, surprise audit, internal control audit

SAS 70 Audit and Compliance will soon be entering the financial services sector in a much more in-depth manner in the coming years. Sure, SAS 70 audits have been widely used for asset accounting, hedge funds, and trust establishments, but the push will be much further and deeper in the coming years. Thank Mr. Madoff and his Ponzi scheme, along with increased regulatory compliance from the Obama administration.

Currently, the United States Securities and Exchange Commission (SEC) is considering requiring Registered Investment Advisers to undergo an annual “surprise audit” and/or an “internal control” audit. In short, the default without question will be Statement on Auditing Standards No. 70.

The Obama administration is also looking into many other avenues of regulatory compliance that may include various provisions of additional auditing and oversight. Thus again, SAS 70 Type II audits may very well become quite transparent and well-known in other financial sectors. Let’s wait and see what truly unfolds in the coming months.

Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits.


Jul 17 2009   12:58PM GMT

SAS 70 Type II Audit Compliance | Expert Advice from a SAS 70 Auditor

Posted by: Charles Denyer
SAS 70 Type II audit compliance, sas 70 readiness assessment, charles denyer, cpa firm, population, sampling

After years of working with the SAS 70 auditing standard, there comes a time when I need to clarify and hand out helpful advice to service organizations that will soon be undertaking the process of an actual SAS 70 audit. So, let’s discuss some important issues for making sure you achieve SAS 70 Type II compliance in a cost-effective and timely manner.

1. Get a FIXED FEE for the audit. Hire a firm that gives you one price for all activities associated with the audit.

2. DO conduct a SAS 70 Readiness Assessment. This is vital to the audit and in helping frame the scope of the audit, while also giving your organization the time to correct any gaps or weaknesses found. A good, quality, and reputable CPA firm will offer this service and many times as part of the entire fixed fee.

3. DO ask how testing is conducted by the firm you have hired. That is, how do they conduct sampling, what is their method for determining an “exception” in the audit process, etc. In short, communicate frequently and ask the right questions.

If you want to learn more about SAS 70 audits, then visit the official SAS 70 Resource Guide.


Jul 17 2009   12:45PM GMT

PCI DSS Compliance | MasterCard SDP Changes Rules for Merchants

Posted by: Charles Denyer
qsa, pci dss qsa, mastercard, sdp program, merchants level 2, service providers, reciprocity, charles denyer, pci dss self assessments, MasterCard Site Data Protection program, qualified security assessor

MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.

This is truly a monumental shake-up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage a QSA to perform an annual on-site assessment. As a QSA myself, I cannot give a hard and fast number as to how many merchants this will affect, but I can tell you that it will be a high number indeed. Level 2 Merchants have quite honestly never been exposed to the time, expense, and arduous undertakings of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.

Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.

MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.

My advice: find yourself a good, competent, knowledgeable Qualified Security Assessor.


Jul 8 2009   7:27PM GMT

SAS 70 Compliance | Why a Readiness Assessment is Essential for the Audit

Posted by: Charles Denyer
sas70.us.com, sas 70 resource guide, SAS 70, type i, type II, sas 70 readiness assessment, gap analysis, control environment

Many service organizations having to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.

A SAS 70 Readiness Assessment should be a proactive exercise that benefits the overall SAS 70 audit process. A Readiness Assessment should, thus, include the following:

1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.

A quality CPA firm should be able to provide you with a series of highly-customized SAS 70 Readiness Assessment Questionnaires along with giving the service organization expert guidance and assistance in answering the questionnaires.

If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.


Jul 6 2009   3:20PM GMT

Sample SAS 70 Type II Audit Report | Learn about SAS 70 Audits

Posted by: Charles Denyer
sas 70 sample report, sas 70 example report, sas 70 type ii audit report, charles denyer, sas70, statement on auditing standards no. 70, cpa, pdf

Obtaining a Sample SAS 70 Type II Audit Report is simply the best way for service organizations to learn about Statement on Auditing Standards No. 70. This can be a highly complex audit process, with much of it open to the auditor’s and service organization’s interpretation of many key points in the audit process.

Service organizations of all shapes and sizes today (data centers, co-locations, software as a service, third party administrators, medical claims processors, etc.) are being called upon to become SAS 70 Type II compliant. The regulatory drumbeat is beating louder every year, and SAS 70 audits are here to stay.

A sample SAS 70 Type II audit report will give service organizations a fresh and unique perspective on exactly what the finished product of a SAS 70 Type II audit looks like. Look at it as a way to truly understand the end product and what the CPA firm conducting the audit will be furnishing you with.

Please keep in mind that, because of the looseness and flexibility of the SAS 70 auditing standard, not every report will be identical. However, there are, without question, common themes and subject matter that every quality report will include. The report can be downloaded via PDF