Regulatory Compliance, Governance and Security

Aug 18 2008   3:30PM GMT

SAS70 Audits and PCI Assessments | GAP Analysis



Many organizations are now being required to be both SAS70 and PCI DSS compliant. With that said, I am often asked whether there are synergies or overlaps between a SAS70 audit, which can only be done by a CPA firm, and a PCI DSS assessment, which can only be done by a qualified PCI QSA individual.

My answer to this is yes, IF and only IF, you obtain services from an individual or a firm who is both a CPA and a qualified PCI QSA, AND who produces both high quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so it is incumbent upon the firm issuing the SAS70 report to produce a report that is high quality. High quality means a report that covers all essential baseline elements considered for a SAS70 audit, which should include substantial testing of network security and logical access. If done correctly, you will see an overlap with other areas within the PCI DSS assessment. So, this is the yes answer. If you engage two different firms, one to do the SAS70 audit and the other to do the PCI DSS assessment, then you can end up with conflicting views on what each report should contain. In short, the synergies occur when you use one firm to do both the SAS70 audit and the PCI DSS assessment.

For more information on Payment Card Industry compliance, visit the official PCI website.

For more information on SAS70 audits, visit the official SAS70 Resource Guide website.

I have also created a SAS70 and PCI DSS gap analysis, which shows the overlapping areas.
