Regulatory Compliance, Governance and Security


July 17, 2009  12:58 PM

SAS 70 Type II Audit Compliance | Expert Advice from a SAS 70 Auditor

Charles Denyer

After years of working with the SAS 70 auditing standard, I find it is time to clarify a few points and hand out some helpful advice to service organizations that will soon be undertaking an actual SAS 70 audit. So, let’s discuss some important issues for making sure you achieve SAS 70 Type II compliance in a cost-effective and timely manner.

1. Get a FIXED FEE for the audit. Hire a firm that gives you one price for all activities associated with the audit.

2. DO conduct a SAS 70 Readiness Assessment. This is vital to the audit: it helps frame the scope of the audit and gives your organization time to correct any gaps or weaknesses found before the audit itself begins. A good, reputable CPA firm will offer this service, many times as part of the overall fixed fee.

3. DO ask how the firm you have hired conducts its testing: how do they select samples, what is their method for determining what counts as an “exception”, and so on. In short, communicate frequently and ask the right questions.

If you want to learn more about SAS 70 audits, then visit the official SAS 70 Resource Guide.

July 17, 2009  12:45 PM

PCI DSS Compliance | MasterCard SDP Changes Rules for Merchants

Charles Denyer

MasterCard has recently announced changes to its Site Data Protection (SDP) program, which now requires BOTH Level 1 and Level 2 merchants to retain a Qualified Security Assessor (QSA) to validate their PCI DSS compliance.

This is truly a monumental shake-up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage a QSA to perform an annual on-site assessment. As a QSA myself, I cannot give a hard and fast number as to how many merchants this will affect, but I can tell you that it will be a high number indeed. Level 2 merchants have quite honestly never been exposed to the time, expense, and arduous undertaking of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.

In addition, MasterCard has designated that all merchants identified as Level 2 merchants by other brands will be classified as Level 2 for MasterCard as well. Call it reciprocity: simple and to the point.

MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.

My advice: find yourself a good, competent, knowledgeable Qualified Security Assessor.


July 8, 2009  7:27 PM

SAS 70 Compliance | Why a Readiness Assessment is Essential for the Audit

Charles Denyer

Many service organizations that have to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.

A SAS 70 Readiness Assessment should be a proactive exercise that benefits the overall SAS 70 audit process. A Readiness Assessment should therefore include the following:

1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.

A quality CPA firm should be able to provide you with a series of highly customized SAS 70 Readiness Assessment questionnaires, along with expert guidance and assistance to the service organization in answering them.

If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.


July 6, 2009  3:20 PM

Sample SAS 70 Type II Audit Report | Learn about SAS 70 Audits

Charles Denyer

Obtaining a sample SAS 70 Type II audit report is simply the best way for service organizations to learn about Statement on Auditing Standards No. 70. This can be a highly complex audit process, with much of it open to the auditor’s and the service organization’s interpretation of many key points in the audit process.

Service organizations of all shapes and sizes today (data centers, co-location facilities, software-as-a-service providers, third party administrators, medical claims processors, etc.) are being called upon to become SAS 70 Type II compliant. The regulatory drumbeat is beating louder every year, and SAS 70 audits are here to stay.

A sample SAS 70 Type II audit report will give service organizations a fresh and unique perspective on exactly what the finished product of a SAS 70 Type II audit looks like. Look at it as a way to truly understand the end product and what the CPA firm conducting the audit will be furnishing you with.

Please keep in mind that, because of the looseness and flexibility of the SAS 70 auditing standard, not every report will be identical. However, there are, without question, common themes and subject matter that every quality report will include. The sample report can be downloaded as a PDF.


June 26, 2009  3:37 PM

SAS 70 Audit | Why a Readiness Assessment is Crucial

Charles Denyer

If your organization is seeking to become SAS 70 Type I or Type II compliant in the near future, then it is a wise decision to embark on a SAS 70 Readiness Assessment. These assessments essentially help you identify your control environment, the scope of the audit, and what deficiencies or gaps may be present within your organization’s overall internal control framework. It should not be looked upon as an additional cost of a SAS 70 audit, but as a useful and proactive exercise in preparing your organization for the rigors of going through an actual SAS 70 audit.

Working straight towards SAS 70 Type I or Type II compliance without conducting a SAS 70 Readiness Assessment can be a daunting and challenging task. Many problems can arise from this, such as not properly scoping the audit and not adequately identifying weaknesses within your control structure, along with other critical and material issues. The result can be cost and time overruns to correct issues that should have been addressed prior to the actual audit.

To learn more about SAS 70, visit the official SAS 70 Resource Guide.


June 26, 2009  3:16 PM

PCI DSS Requirements and PCI DSS Merchant Levels | American Express | AMEX

Charles Denyer

While most individuals focus on Merchant Levels for VISA, it’s important to note that the other payment brands, such as American Express (AMEX), have defined their own respective merchant levels based on transaction volume, along with the corresponding validation requirements. With that said, listed below are AMEX’s Merchant Levels and their corresponding requirements:

Level 1: Merchants processing over 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1.

Level 2: Merchants processing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems a Level 2.

Level 3: Merchants processing less than 50,000 American Express transactions annually.

Level 4: Not applicable (unlike VISA, AMEX does not define a fourth level).

Level 1 Requirements: Annual on-site review by a QSA (PCI DSS Assessment) and quarterly network scan by an ASV.

Level 2 Requirements: Quarterly network scan by an ASV.

Level 3 Requirements: Quarterly network scan by an ASV.

To learn about PCI DSS compliance and the varying requirements for merchants and service providers, please visit pciassessment.org


June 26, 2009  3:08 PM

PCI DSS Requirements and PCI DSS Merchant Levels | VISA

Charles Denyer

PCI DSS requirements for merchants depend on the “Level” your organization falls into. Currently, there are four (4) merchant levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on annual transaction volume. But also keep in mind that many merchants who do not meet the Level 1 transaction thresholds may still have to validate as Level 1 based on customer demands, their own marketing efforts, possible regulatory requirements, or simply because your acquirer has notified you that you need to be Level 1 compliant.

Here are the VISA Merchant Levels:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org


June 20, 2009  3:31 AM

PCI COMPLIANCE

Charles Denyer

Payment Card Industry Data Security Standard (PCI DSS) compliance means many different things to many people. And it should, given the complexity of truly understanding what the phrase “PCI Compliance” or being “PCI compliant” really means.

For an ounce of clarity, remember this: all merchants that fall into Level 1 of the PCI transaction volume parameters will have to undergo an on-site PCI DSS assessment by a Qualified Security Assessor (QSA), someone who has gone through the training and certification process of the Payment Card Industry Security Standards Council (PCI SSC).

“Most” other levels (and I stress most, because there are exceptions) can conduct their own self-assessment for PCI compliance. The word “self” is misleading, because most organizations trying to comply will need assistance from a PCI QSA.

To learn more about PCI DSS, visit pciassessment.org.


June 20, 2009  3:20 AM

SAS 70

Charles Denyer

Statement on Auditing Standards No. 70, known simply as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes-Oxley Act in 2002. As a SAS 70 auditor for many years, I’ve been asked a broad and wide range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. Thus, if you need to learn everything you possibly can about SAS 70, then visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.

Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions I have fielded over the years. With that said, I can tell you what my honest best assessment is for pricing on these engagements, so here you go.

A general controls SAS 70 Type I that covers no real business processes, and for which all fieldwork can be done at one location, should cost between $15,000 and $25,000.

A general controls SAS 70 Type II that covers no real business processes, and for which all fieldwork can be done at one location, should cost between $25,000 and $35,000. Subsequent years could see a (marginal) decrease in fees if the control environment stays somewhat static.

If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may (and do) charge a slightly lower fee than I’ve just quoted. But remember, you get what you pay for, especially with auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.


June 19, 2009  10:00 PM

PCI DSS Level 1 Compliance for Merchants and Service Providers | Helpful Tips

Charles Denyer

PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps to take to help mitigate and hopefully eliminate cost and time overruns.

There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent posts.

First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to grasp and understand the dynamics of PCI compliance much better. There are 12 main requirements, each of which is quite specific in its demands, so break them up and spend time truly digesting what each requirement means.

Second, conduct a PCI DSS Readiness Assessment (either internally or, preferably, with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later posts, so stay tuned.

To learn more about PCI compliance, visit pciassessment.org

