PCI DSS compliance can be considered a costly, time-consuming assessment for any merchant or service provider that has to obtain it. What many organizations fail to recognize is that within the PCI DSS standards is a slew of requirements for documented policies and procedures on a laundry list of items. While companies are typically very good at what they do from an operational and business perspective, most companies perform rather poorly when it comes to documenting what they do. It’s an inherent weakness that I, as a PCI QSA assessor, see time and time again out there in the world of compliance.
Take note: documenting your policies and procedures for PCI DSS compliance can itself be a costly and time-consuming affair. My recommendation: find a PCI QSA firm that has ready-made templates which can be customized to your operations. Furthermore, appoint an internal employee to either develop these documented policies and procedures or work with an external PCI QSA assessor.
SAS 70 Type I and SAS 70 Type II audits are being required of service organizations more and more in today’s growing regulatory compliance and heightened corporate governance environment.
Thus, if you are a service organization or a third-party provider of critical services to another entity, you may very well be called upon to become SAS 70 Type I or SAS 70 Type II compliant.
If you want to learn about the who, what, when, where and why of Statement on Auditing Standards No. 70, commonly known as SAS 70, then visit the official SAS 70 Resource Guide, where a wealth of information on the SAS 70 auditing standard awaits you. You can download white papers on SAS 70, read about the history of the auditing standard, learn the SAS 70-specific terms and phrases that auditors use, and even obtain a sample SAS 70 audit report.
Many service organizations having to go through a SAS 70 audit have voiced frustration at not being able to find a true resource portal that breaks down, distills, and explains the SAS 70 auditing standard in an easy-to-read, understandable format.
So, visit the SAS 70 Resource portal for all your needs on SAS 70 audits.
Many organizations are having to complete a SAS 70 Type I or SAS 70 Type II audit while also being Payment Card Industry (PCI) compliant. With that being said, I am often asked if you can create efficiencies of scale if a firm does both the SAS 70 audit and the PCI assessment. That answer is yes, but please keep in mind it is not a perfect one-to-one match. The SAS 70 audit, remember now, is NOT a technology audit, whereas the PCI assessment requires a much more in-depth examination of information security. That’s not to say that a SAS 70 audit does not have technology involved in the audit process; it does, and in many cases quite a bit of technology. But with that said, please keep in mind that the original auditing standard’s intent was not for it to be a technology-driven audit.
However, with all this being said, a quality CPA firm that has the experience and licensing to do both a SAS 70 audit and a PCI assessment can create a highly effective gap analysis that will show where overlaps occur and where documentation will still be needed for either the SAS 70 audit or the PCI assessment, depending on which one is conducted first.
For more information on NDB, LLP’s SAS 70 services, visit the official SAS 70 Resource Guide.
For more information on PCI assessments, visit NDB’s PCI website, which discusses PCI in detail along with the services NDB offers.
Does your organization need to be SAS70 compliant? If so, many people often ask me if they have to complete a SAS70 Type I audit before doing a SAS70 Type II audit. And the answer? Well, it all depends on a number of factors, such as:
1. Has your organization ever gone through a SAS70 audit before and, if so, when?
2. Are you required to be SAS70 Type II compliant, or will a SAS70 Type I suffice for your clients for this year?
3. What is your deadline for completing a SAS70 audit, and when must it be presented to your clients or their auditors?
As you can see, there’s no quick black-or-white answer to the question. The most important thing to understand is what requirements another entity is placing on you for being SAS70 compliant. In essence, you should be able to answer the who, what, when, where and why within a relatively short period of time. You can also call a CPA firm that specializes in SAS70 audits to help answer these questions for you.
If you want to learn more about SAS70 audits, then visit the official SAS70 Resource Guide, where a wealth of information awaits you on SAS70 audits.
PCI DSS and SAS70 audits are two of the most common regulatory compliance initiatives currently facing many service organizations in today’s business climate. Add to the mix some unique similarities that PCI DSS and SAS70 share, and you can achieve marginal to meaningful efficiencies of scale when one firm conducts both the PCI DSS assessment and the SAS70 audit.
Here’s how it works. When you look at the 12 core standards put forth for PCI DSS, some of those functional areas can very well be part of a SAS70 audit, if scoped properly. That’s not to say that a PCI DSS assessment and a SAS70 audit are a one-for-one match; by no means are they, but some items are examined and tested for in both the PCI DSS assessment and the SAS70 audit.
In short, there are only a handful of firms currently conducting both PCI DSS assessments and SAS70 audits. If you can find one, and they are out there, and they are willing to work on both the PCI DSS assessment and the SAS70 audit for purposes of document collection, analysis, discovery, and a host of other activities, then you have found a WIN-WIN. Though the PCI DSS is much more technology driven than a SAS70 audit (and again, for the thousandth time, a SAS70 is NOT an I.T. audit), much will be learned from the PCI DSS assessment that will create great value and savings for purposes of the SAS70 audit.
If you want to learn more about this, along with creating a gap analysis, then contact NDB, Accountants and Consultants.
SAS70 auditing has become a staple in today’s growing regulatory compliance world. As such, I have put together a list of questions and answers on SAS70 issues that are commonly asked of me:
1. How much does a SAS70 audit cost?
That depends on a number of issues, such as the scope of the audit, whether you are required to be SAS70 Type I or Type II compliant, and whether you have ever had a SAS70 audit conducted on your organization before. However, do remember this: get a FIXED FEE for the audit, that is, make sure all out-of-pocket and travel expenses are included in the FIXED FEE.
2. We have never had a SAS70 audit done before; where is the best place to start?
Start with a SAS70 Readiness Assessment: a series of highly customized questionnaires that help guide and facilitate the overall SAS70 audit process for your organization. You don’t go from first to third without a pit stop at second. The same theory holds true for SAS70 audits: don’t jump right into a SAS70 Type I or Type II without conducting preliminary work and analysis on your controls, your manpower, and the overall audit process. Get a SAS70 Readiness Assessment done; it will prove invaluable. You can even obtain free SAS70 Readiness Assessment questionnaires from the official SAS70 Resource Guide, developed by NDB Accountants and Consultants.
3. Can you fail a SAS70 audit?
Technically, you can be given a “qualified” or adverse opinion on the audit. However, if you go through a SAS70 Readiness Assessment and learn from the deficiencies you have found, your organization should be able to successfully obtain a clean, “unqualified” SAS70 opinion.
Want to learn more about SAS70 audits? Then ask for a complimentary SAS70 Type II audit report. You will learn much about the auditing standard from this report.
SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily because data centers (and any variant thereof, such as managed services and co-location entities offering “ping, power and pipe”) are hosting an ever-growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.
And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.
1. SAS70 compliance helps mitigate, and possibly eliminate, many of the specialized requests your clients make of you in facilitating their own SAS70 compliance.
2. It greatly helps with business development and marketing for data centers.
3. It helps unearth any weaknesses or deficiencies you may have within your control environment.
SAS70 pricing for Type I and Type II audits is still a hot topic in regulatory compliance these days, and for good reason. The huge rise in SAS70 audits over the past five years has created a true need for accountants and auditors to perform these specialized audits. As a SAS70 auditor for many years now, I have noticed some interesting trends regarding SAS70 pricing, and I have some thoughts on where prices will be going.
First and foremost, SAS70 pricing has gradually moved towards a “Fixed Fee”, that is, a SAS70 audit price that also includes travel and any out-of-pocket miscellaneous expenses. If your organization is looking to become SAS70 compliant, then get a fixed fee on all the proposals you receive.
Prices are coming down. Five years ago, only a handful of accounting firms conducted SAS70 audits. Taken a look at Google lately to search for the term “SAS70”? WOW, CPA firms are everywhere! Well, that’s good news for service organizations looking to become SAS70 Type I or Type II compliant.
Pricing will probably stabilize. For a good quality reputable SAS70 firm, SAS70 Type I and Type II fees are becoming very reasonable. What’s more, good firms have also figured out a way to do more and more work remotely, thus minimizing business interruption for their clients.
To learn more about SAS70 pricing or to receive a complimentary SAS70 Type II audit report, visit the official SAS70 resource guide at www.sas70.us.com.
Want to think and talk like a SAS70 auditor? Well, if you are a service organization that will soon be undergoing a SAS70 audit, then it’s a good idea to gain an understanding of some of the most commonly used terms for Statement on Auditing Standards No. 70. Do you know the difference between the terms “service organization” and “user organization”? How about Statement on Auditing Standards No. 55 and its importance to SAS70 Type I and SAS 70 Type II audits? The more of these key phrases and terms you know, the better prepared you will be to assist your company in going through a SAS70 audit.
What’s more, if you are currently in the proposal phase and looking to find a qualified SAS70 CPA firm to conduct the audit, then your understanding of these key terms and phrases will ultimately help you better scope the audit, giving way to a fair and equitable fee for your company.
Learn about key SAS70 phrases and become a knowledge resource for your organization regarding SAS70 audits.
SAS70 audits can be seen as expensive, time consuming, and arduous, to say the least. What’s important to note, though, is that a SAS70 audit can also be a great tool for helping promote and grow your business. Just take a look at the heightened regulatory compliance and corporate governance arena we now live in. Need further proof? Have you noticed how many requests for proposals (RFPs) put out to service organizations now require a SAS70 Type II audit report if you want to even be CONSIDERED a viable outsourcing entity?
Sure, they can be time consuming and expensive, but if they help your business grow, and they have done just that for many service organizations, then they should be looked upon as an effective value proposition for your business.
From an operational standpoint, SAS70 Type I and SAS70 Type II audits help you greatly understand your system of internal controls: where you are weak, where your controls are strong, and what has been unearthed during the SAS70 process. This helps your organization become an entity that truly values controls at all levels.
Want to learn more about SAS70 audits, such as what a SAS70 really is? Then visit the official SAS70 resource guide.