Posted by: Charles Denyer
Compliance, pci compliance, pci dss qsa, SAS 70, sas70, What is SAS 70?
Many organizations are now being required to be both SAS70 and PCI DSS compliant. With that said, I am often asked where the synergies or overlaps are between a SAS70 audit, which can only be performed by a CPA firm, and a PCI DSS assessment, which can only be performed by a qualified PCI QSA individual.
My answer to this is yes, IF and only IF you obtain services from an individual or a firm who is both a CPA and a qualified PCI QSA, AND who produces both high quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so it's incumbent upon the firm issuing the SAS70 report to produce a report that is high quality. High quality means a report that covers all essential baseline elements considered for a SAS70 audit, which should include substantial testing of network security and logical access. If done correctly, you will see an overlap with the corresponding areas of the PCI DSS assessment. So, this is the yes answer. If you engage two different firms, one to do the SAS70 audit and the other to do the PCI DSS assessment, then you can end up with conflicting views on what each report should contain. In short, the synergies occur when you use one firm to do both the SAS70 audit and the PCI assessment.
For more information on Payment Card Industry compliance, visit the official PCI website.
For more information on SAS70 audits, visit the official SAS70 Resource Guide website.
I have also created a SAS70 and PCI DSS gap analysis, which shows the overlapping areas.