Feb 23 2009 1:11AM GMT
Posted by: Charles Denyer
What is SAS 70?,
SAS 70 Type I,
sas 70 type ii,
service organizations,
aicpa,
regulatory compliance,
sas70.us.com
What is SAS 70? For us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses that work hard every day, struggling to make ends meet, and then suddenly they've been told they need a SAS 70. A SAS what? I field these calls every day from curious-minded individuals who have now come to find themselves locked into the regulatory compliance game that many service organizations have become accustomed to.
So, then. What is SAS 70? Well, it's an auditing standard put forth by the American Institute of Certified Public Accountants (AICPA) in 1992, which is used to report on controls placed in operation and (if need be) tests of operating effectiveness. English please, right? Okay, in simpler terms, it's an audit that is used to test a number of controls (i.e., "checks and balances" you should have in place) throughout your organization.
To add to this, there are TWO types of SAS 70 audits: a Type I and a Type II. Most organizations having to comply with and go through a SAS 70 audit ultimately prepare for a SAS 70 Type II audit.
Okay, these are the basics. To learn more, visit the official SAS 70 Resource Guide, where you can learn all you need to know about SAS 70 audits to help answer that ever-important question: What is SAS 70?
Dec 31 2008 11:14PM GMT
Posted by: Charles Denyer
sas70,
sas 70 sarbanes oxley sox,
sas 70 type ii,
PCAOB,
SEC,
section 404,
service organizations,
financial reporting,
publicly traded companies
Many people often ask me what exactly the relationship between SOX and SAS 70 is. The relationship between SOX and SAS 70 begins with Section 404. Because management must report annually on the effectiveness of its internal controls, it has an obligation to inquire into and inspect all controls considered vital to the organization as a whole, but more importantly, to its financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourced providers, commonly referred to as "service organizations", are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission's (SEC) Chief Accountant and the Division of Corporation Finance have stated that "In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant's financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report." So, there you have it. If you want to learn more about SAS 70, visit the most in-depth web site available on Statement on Auditing Standards No. 70, at www.sas70.us.com