Regulatory Compliance, Governance and Security

Jan 28 2009   1:03PM GMT

SAS 70 Audits and PCI DSS Compliance | A Two for One Audit? Not Quite



Posted by: Charles Denyer
Tags:
cpa
payment card industry data security standards (PCI DSS)
PCI DSS
pci dss report on compliance (ROC)
pciassessment.org
qsa
sas70.us.com

As an accountant and a PCI Qualified Security Assessor (QSA), i’m seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC) and a SAS 70 Type II Service Auditor’s Report. While I am all for audit efficiencies, there does need to be some degree of engagement independence, both in an administrative manner (different engagement letters, etc.) and in terms of audit expertise (both CPA’s and QSA’s need to be involved in their respective assignments and committed to the work at hand).

Furthermore, SAS 70 audits will also examine areas not covered by PCI DSS assessments, and the same is true for PCI DSS assessments covering technical areas traditionally not under the scope of a SAS 70 audit. As professionals, we need to be careful in not blurring the lines and distinctions between CPA’s and QSA’s and still try to maintain professional indepedence in regards to the work that each does and what they are qualified to do.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit pciassessment.org

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: