Regulatory Compliance, Governance and Security

Oct 19 2008   9:17PM GMT

SAS 70 and PCI DSS | An Auditor’s Expert Opinion



Many organizations now have to complete a SAS 70 Type I or SAS 70 Type II audit while also being Payment Card Industry (PCI) compliant. With that being said, I am often asked whether a firm can create efficiencies of scale by doing both the SAS 70 audit and the PCI assessment. The answer is yes, but please keep in mind that it is not a perfect one-to-one match. The SAS 70 audit, remember, is NOT a technology audit, whereas the PCI assessment requires a much more in-depth examination of information security. That is not to say that a SAS 70 audit has no technology involved in the audit process; it does, and in many cases quite a bit of technology. But with that said, please keep in mind that the original auditing standard's intent was not for it to be a technology-driven audit.

However, a quality CPA firm that has the experience and licensing requirements to do both a SAS 70 audit and a PCI assessment can create a highly effective gap analysis that shows where the two overlap and where documentation will still be needed for either the SAS 70 audit or the PCI assessment, depending on which one is conducted first.

For more information on NDB, LLP’s SAS 70 services, visit the official SAS 70 Resource Guide.

For more information on PCI assessments, visit NDB's PCI website, which discusses PCI in detail and the services NDB offers.
