Many organizations are having to complete both a SAS 70 Type I or SAS 70 Type II audit along with being Payment Card Industry (PCI) compliant. With that being said, I am often asked whether a firm can create efficiencies of scale by doing both the SAS 70 audit and the PCI assessment. The answer is yes, but please keep in mind that it is not a perfect one-to-one match. The SAS 70 audit, remember, is NOT a technology audit, whereas the PCI assessment requires a much more in-depth examination of information security. That is not to say that a SAS 70 audit does not involve technology in the audit process; it does, and in many cases quite a bit of technology. But with that said, please keep in mind that the original auditing standard's intent was not for it to be a technology-driven audit.
However, with all this being said, a quality CPA firm that has the experience and licensing requirements to do both a SAS 70 audit and a PCI assessment can create a highly effective gap analysis that will show where the two overlap and where documentation will still be needed for either the SAS 70 audit or the PCI assessment, depending on which one is conducted first.
For more information on NDB, LLP’s SAS 70 services, visit the official SAS 70 Resource Guide.
For more information on PCI assessments, visit NDB's PCI website, which discusses PCI in detail and the services NDB offers.