Regulatory Compliance, Governance and Security

Jan 28 2009   1:03PM GMT

SAS 70 Audits and PCI DSS Compliance | A Two for One Audit? Not Quite



As an accountant and a PCI Qualified Security Assessor (QSA), I'm seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC) and a SAS 70 Type II Service Auditor's Report. While I am all for audit efficiencies, there does need to be some degree of engagement independence, both administratively (separate engagement letters, etc.) and in terms of audit expertise (both CPAs and QSAs need to be involved in their respective assignments and committed to the work at hand).

Furthermore, SAS 70 audits examine areas not covered by PCI DSS assessments, and the same is true in reverse: PCI DSS assessments cover technical areas traditionally outside the scope of a SAS 70 audit. As professionals, we need to be careful not to blur the lines and distinctions between CPAs and QSAs, and to maintain professional independence with regard to the work that each does and what each is qualified to do.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit
