SAS 70 and PCI

One of the most misunderstood standards is the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards number 70 (SAS 70).  I intend to explain this standard and show how it can be applied to the PCI compliance process.

It is important to understand that the SAS 70 is a financial accounting standard and is considered an attest service in the audit community.  As an attest service that means that the auditor issues an opinion regarding the control environment.  This attestation is not a certification such as those an organization gets for ISO.  The SAS 70 standard was developed so that financial auditors did not have to go out and conduct an audit of every outsourcer that a client might use.  This saves the outsourcer of having multiple audits conducted mostly in the last quarter of the year.  However, being a financial audit standard, it does not have to cover everything that you will need to complete your PCI compliance process.  Even with the SAS 70 report, you will likely have to go back to the outsourcer with additional questions.

A key point about SAS 70 is that there must be a material financial impact to your company in order to justify a SAS 70 report from an outsourcer.  This is why outsourcers such as those that process your organization’s payroll or serve up your financial software will have a SAS 70, but your telecommunications provider or the company that monitors the security of your facilities likely does not have a SAS 70.  As a result, not every outsourcer will have to provide your organization a SAS 70 report.

A SAS 70 can come in two varieties, Type I and Type II.  A SAS 70 Type I report only attests to the description of the outsourcer’s control environment.  The auditor conducts no independent testing of the control environment and therefore does not express an opinion on whether or not the control environment is functioning properly.  For PCI compliance a Type I report is worthless, as you need the testing to have any chance of using the report.  A Type II report will have a section devoted to the tests that were conducted to confirm that the control environment is functioning properly and the outcome of those tests.  However, since the testing in a Type II report will be focused on key financial controls that do not necessarily involve PCI, a Type II report may also be worthless to your PCI compliance efforts.

Just like its financial audit report brethren, there is a correct way to read a SAS 70.  The first thing you should read is the cover letter to the report, otherwise known in auditing circles as the opinion letter.  The opinion letter will tell you the locations reviewed, the time span of the report, whether the report is a Type I or a Type II and whether or not there were material issues found during the audit.

The locations reviewed are very important.  If your organization is hosted out of the outsourcer’s data center Q and it was not reviewed in the SAS 70 report, then you need to get the SAS 70 report that covers data center Q.  Unlike the PCI ROC, which covers an organization’s compliance at a given point in time, a SAS 70 report is for a period of time known as the opinion period.  The opinion period can be as little as three months and typically as much as 12 months.  Most SAS 70 reports are for opinion periods of six to 12 months.  For financial auditors, they can only accept SAS 70 reports that cover all or part of their audit client’s financial audit period.  For PCI compliance, it is up to you to determine if you are willing to accept the SAS 70 report.  If you have a QSA conducting your assessment, it is up to the QSA to accept the report.

The opinion letter will not expressly use the terminology of Type I or Type II.  To determine the type of SAS 70 report, you will need to read the letter and look for where it says, “We did not perform procedures to determine the operating effectiveness of controls for any period” or similar wording.  That will indicate that the report is a Type I and is not usable for you PCI compliance.

There are three opinions that an auditor can provide; unqualified, qualified and adverse.  An adverse opinion is the worst and means that the control environment is not operating as designed and the controls cannot be relied upon.  I have never seen an adverse opinion ever publicly issued, but you need to be aware that it does exist.  A qualified opinion means that some controls are not operating as designed.  The opinion letter will document those controls that failed and why they failed.  The best opinion, unqualified, means that the control environment is functioning as designed and that none of the controls failed testing.  Remember, just because an outsourcer gets an unqualified opinion, does not mean that the controls operate that way all of the time.  It just means that the auditor through their testing techniques was not able to observe any conditions that would indicate that the controls were not functioning.  The phrase ‘reasonable but not absolute assurance’ is how auditors refer to the ability of their testing to detect any flaws in the control environment.  What this means is that they construct their tests such that there is a high likelihood that any flaws in the controls can be detected, but that these testing procedures are not perfect.

Once you have read the opinion letter, you need to read the testing section to see if the controls that you need for your PCI compliance were tested and if the tests are ones that are relevant to your PCI compliance.  The most common tests that everyone needs are related to physical security and environmental controls at the data center. All of these are necessary for all outsourcers.  Additional control testing will be required if your outsourcer provides services beyond just housing your technology, so you will be interested in controls surrounding those additional services.  Many organizations are now adding PCI, Gramm Leach Bliley Act (GLBA) and Sarbanes Oxley (SOX) tests to their SAS 70 reports to help their customers meet the majority of their compliance requirements.  This is a relatively new practice and the adding or changing tests can radically affect the price of an organization’s SAS 70 report, so it is still rare to find many of the controls tested for these other compliance areas.

When reviewing the control tests, the auditor will usually mark the test as “No Relevant Exception Noted” if the test was passed.  In cases where an issue was noted, the issue will be documented.  If the issue is determined to not be systemic, it will typically be noted in the testing notes and will not result in a qualification.  If a single issue is deemed by the auditor to be systemic or a group of issues lead the auditor to believe there is a failure of controls, then a qualification will be generated.  A qualification is not an indication of a bad organization; a qualification just indicates an area that requires improvement.  However, depending on the controls qualified, you may feel that your outsourcer has issues in meeting their PCI compliance obligations.

The final area that should be reviewed is a section labeled ‘User and User Auditor Considerations’.  Not all SAS 70 reports have such sections but those that do are typically invaluable to the user organization.  This section describes the controls that your organization needs to have in place and functioning in order for the outsourcer’s control environment to function as described in the SAS 70 report.  This is similar to the purpose of the Implementation Guide required in the PA-DSS.  Without this section, your organization would not know its responsibilities for creating complimentary controls so that the controls in place at the outsourcer remain functional and effective.

Entire books have been written on the SAS 70 process.  I hope that I have given you an eye into the process and how you can use it to reduce the amount of work to meet your PCI compliance.

UPDATE: It was announced in February 2010 that the SAS 70 standard will be superseded by SSAE 16 in the United States and by ISAE 3402 internationally.  From a user and user auditor standpoint, these new auditing standards do not change much from the SAS 70, so what is stated here still is valid.  See my new post entitled SAS 70 Is Dead for more information on SSAE 16 and ISAE 3402.


1 Response to “SAS 70 and PCI”

  1. May 22, 2013 at 8:20 PM

    Thanks for finally writing about >SAS 70 and PCI
    | PCI Guru <Loved it!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


July 2009
« Jun   Aug »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,941 other followers


%d bloggers like this: