PCI DSS assessments and SAS70 audits are two of the most common regulatory compliance initiatives facing service organizations in today’s business climate. Add to the mix some unique similarities that PCI DSS and SAS70 share, and you can achieve marginal to meaningful efficiencies of scale when one firm conducts both the PCI DSS assessment and the SAS70 audit.
Here’s how it works. When you look at the 12 core requirements set forth by PCI DSS, some of those functional areas can very well be part of a SAS70 audit, if scoped properly. That’s not to say that a PCI DSS assessment and a SAS70 audit are a one-for-one match; by no means are they. But some items are examined and tested in both the PCI DSS assessment and the SAS70 audit.
In short, only a handful of firms currently conduct both PCI DSS and SAS70 compliance work. If you can find one (and they are out there) that is willing to work on both the PCI DSS assessment and the SAS70 audit for purposes of document collection, analysis, discovery, and a host of other activities, then you have found a win-win. Though PCI DSS is much more technology driven than a SAS70 audit (and again, for the thousandth time, a SAS70 is NOT an I.T. audit), much will be learned from the PCI DSS assessment that will create great value and savings for the SAS70 audit.
If you want to learn more about this, along with creating a gap analysis, then contact NDB, Accountants and Consultants.