Regulatory Compliance, Governance and Security

Aug 26 2008   12:25PM GMT

PCI & SAS 70 Audits | Cost Savings Initiatives



If your organization is required to be SAS 70 compliant along with obtaining a PCI DSS assessment, then it’s time to think about creating efficiencies of scale when conducting both the audit for SAS 70 and the assessment for PCI compliance.

By no means are there perfect synergies; rather, the SAS 70 and the PCI DSS can be looked upon as assisting each other in regards to preparing deliverables for auditors. Here’s how it works. Auditors create “prepared by client” (PBC) lists, which are in essence a wide assortment of documents, materials, and other deliverables needed for an audit and that must be prepared by the client. My advice: why not schedule the PCI DSS assessment before the SAS 70 audit, thus reusing many of the samples pulled for the PCI DSS assessment in the SAS 70 audit, provided the time periods are applicable. Better yet, fieldwork could be conducted in close proximity or even overlapping for both the SAS 70 and the PCI DSS assessment. The point to make is this. Compliance audits or assessments (as we’ve been told to call the PCI DSS during training, an “assessment”, not an audit!) generally ask for similar information in some shape or form. Working with an auditor that truly knows both the PCI DSS and the SAS 70 auditing standard will save you a lot of time, headaches and money. Though it’s not a 2 for 1, it does create a high level of efficiency which any organization requiring both a SAS 70 and a PCI DSS should consider.

To learn more about SAS 70 audit or to receive a sample SAS 70 report, visit the official SAS 70 Resource Center.

To learn more about PCI DSS assessments, visit the official PCI resource center.
