Regulatory Compliance, Governance and Security

Aug 3 2008   2:49PM GMT

SAS70 & PCI Compliance | Creating Audit Efficiencies

Charles Denyer Charles Denyer Profile: Charles Denyer

SAS70 audits have grown tremendously in the past five years, largely due in part to the explosive growth of federal regulatory compliance laws and legislation. Interestingly also, Payment Card Industry (PCI) compliance has also received much attention as of recent, particularly with the recent breaches of security in a number of well publicized cases.

I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2 for 1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination for QSA?

There are synergies that can be created, allowing an experienced auditor to use his or her best judgment for creating these synergies. If you look at the 12 core areas of the PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.

For example, PCI Requirement #9, “Restricting Physical Access to Cardholder Data” could be argued that this is very much in line with a common SAS70 control objective for “Physical Security”. Remember this, there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.

If you can find a quality firm that does both SAS70 auditing and PCI QSA compliance, then it would be most beneficial to create these synergies for the audit.

One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits, allowing any firm to create these very efficiencies for these compliance examinations.

For more information on SAS70 audits, or to receive SAS70 sample reports, please visit the official SAS70 resource center

Bookmark and Share     Comment     RSS Feed     Email a friend

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: