Compliance expert Charles Denyer tells you what you need to know before entering the SAS 70 and PCI DSS auditing and assessment process.
SAS 70 audits and PCI DSS assessments are fast becoming two of the most widely recognized "must have" compliance initiatives for businesses in today's growing regulatory environment. Sarbanes-Oxley, HIPAA, and other federally mandated legislative acts have pushed Statement on Auditing Standards No. 70 (SAS 70) to the forefront of compliance. Similarly, Payment Card Industry Data Security Standard (PCI DSS) assessments have become a widespread compliance mandate affecting thousands of businesses across the globe. And as with any compliance mandate, SAS 70 and PCI DSS in particular, an enormous amount of time and effort is required to achieve overall success.
No doubt, compliance can be arduous, but there are a number of steps your organization can take to ensure an efficient, transparent, and cost-effective audit and assessment process with both SAS 70 and PCI DSS. Let's take a look.
#1 Truly understand the scope for each engagement
Know what you're getting into for SAS 70 and PCI DSS compliance, which means reading as much as you can on each of them. The Payment Card Industry Security Standards Council (PCI SSC), which has broad oversight of PCI DSS compliance, has an excellent Web site at pcisecuritystandards.org. Likewise, the SAS 70 Resource Guide at sas70.us.com is a useful starting point for learning about SAS 70 audits. With that said, discuss the following critical points with the auditors so that you truly understand the scope of each engagement:
- What physical locations and offices will be included for the actual scope of fieldwork?
- Which entities do YOU outsource to that may also fall within the scope of the engagement? Note: Both SAS 70 and PCI DSS compliance place a heavy emphasis on data centers, managed service providers, and other critical third-party outsourcing providers. Agree early on which of these facilities, if any, will be included in the scope of the engagement, because this can significantly affect its cost.
- SAS 70 auditors and PCI DSS assessors all have different methodologies for conducting engagements. Get to know them: ask how they conduct fieldwork, how they collect deliverables, and what constitutes an "exception" or a "problem" on any part of the engagement.
#2 Conduct a readiness assessment and gap analysis
You have to crawl before you walk, right? Trying to achieve compliance without any pre-audit due diligence is putting the cart before the horse. Many firms now offer SAS 70 and PCI DSS Readiness Assessments to help organizations identify weaknesses, deficiencies, and gaps in their overall control environment. What's more, a readiness assessment will also help you proactively define the audit scope, including which systems and physical locations are part of the engagement, and give your organization a real "gut check" on whether you are truly ready for it.
Many firms provide SAS 70 and PCI DSS Readiness Assessment templates for free or charge a small fee, so make sure you inquire about these services.
#3 Write your own policies and procedures
Want a surefire way to pay auditors and consultants tens of thousands of dollars on top of the audit fees you have already incurred? Have no policies and procedures in place and ask them to write the documents for you. This is one of the hidden cost drivers of SAS 70 audits and PCI DSS assessments, because companies are routinely weak and deficient in documented policies and procedures. Note that there are a number of high-quality, standardized templates available on the Internet that let you quickly customize documents for SAS 70 and PCI DSS compliance. Customize them to describe what your organization actually does: auditors test your controls against the procedures you have written down, so a template that describes practices you do not follow produces exceptions rather than preventing them.
From Human Resources to Change Management and Information Security, to name just a few areas, your organization will absolutely need to have these documents on hand and ready for inspection by the auditors. Hit the Internet and get busy writing them, or you will pay dearly.
#4 Obtain a "fixed fee" for the engagement
Many firms today provide fixed fees for both SAS 70 and PCI DSS compliance, because competition among auditors has pushed the market in that direction. Hourly billing for audit and assessment services should be a thing of the past, as it simply no longer reflects current market conditions. An experienced, well-qualified SAS 70 auditor or PCI Qualified Security Assessor (QSA) will be able to properly scope the engagement and provide your organization with a fixed fee. Sure, there may be caveats or exceptions that create additional fees, and that's acceptable, since unknowns come into play during engagements, but a fixed fee (at least for SMBs) is the logical choice.