An organization may choose a combined SOC 1, SOC 2, and PCI audit for many reasons. First, there are compliance requirements. A PCI audit may be mandatory, but too narrow in scope to be useful to user entities, so a SOC 1 or SOC 2 is needed as well. Second, there are logistical reasons. If you have to go through all three audits, why not consolidate the effort into one process? Combining three audits into one process can also be a more cost-effective option. In any case, it’s important for organizations to know that a combined SOC 1, SOC 2, and PCI audit is an accessible, effective option – you just need to know which firms are authorized to perform one.
Explaining SOC 1, SOC 2, and PCI Audits
What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization that have been implemented to protect client data. SOC 1 audits are performed in accordance with the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting (ICFR).
A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data, but are not related to ICFR. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.
The PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally; a PCI audit assesses compliance with this standard. The founding payment brands include Visa, MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider involved in handling cardholder data.
Both SOC 1 and SOC 2 audits must be conducted by a CPA firm, while a PCI audit must be conducted by a QSA. This makes finding a firm that is authorized to perform a combined SOC 1, SOC 2, and PCI audit much more difficult. When selecting one firm to perform all three assessments, it must be both a CPA firm and a QSA firm. We’ve seen many organizations hire a firm that they believe meets these requirements, then later discover that the firm is actually outsourcing one portion – for example, a CPA firm that doesn’t employ any QSAs and so must outsource the PCI audit. Hiring a firm of this kind completely defeats the organization’s goal of working with one firm through one audit process.
Case Study: CBOSS
Let’s take a look at why CBOSS chose to pursue SOC 1 and SOC 2 attestations plus a PCI RoC. As a full-service payment solution provider, CBOSS offers online payment APIs, hosted payment forms, and POS integrations that must be kept secure in order to protect cardholder data. Complying with the PCI DSS is mandatory for CBOSS – it keeps them in business! But CBOSS has also elected to pursue annual SOC 1 and SOC 2 attestations to give their team, their management, and their clients a holistic view of CBOSS’ compliance efforts. With SOC 1, SOC 2, and PCI reports available, CBOSS can provide proof that their systems can be trusted and that they will deliver secure, available services.
When asked about CBOSS’ combined SOC 1, SOC 2, and PCI audit, Mike Lendvay, Security and Compliance Manager at CBOSS, said, “PCI compliance keeps us in business. The PCI framework is really detailed, but it’s only concerned with cardholder data. Meanwhile, SOC reports are all but mandatory. The SOC audits give a full report of our environment as a whole; everything that we offer to our customers is looked at during SOC audits. That’s why SOC reports are helpful – to have a single document summarizing all the controls that we utilize. It acts as reassurance to us on the operation of our environment, as well as reassurance to our customers.”
Richard Rieben, Lead Practitioner at KirkpatrickPrice, commented, “CBOSS is a great example of what happens when a team of highly-skilled personnel not only understand the frameworks involved in their SOC 1, SOC 2, and PCI assessments, but also understand that security inherently leads to compliance, not the other way around. This commitment to protecting the sensitive data their clients trust them with has yielded a significant return on investment.”
Originally posted on the KirkpatrickPrice blog: https://kirkpatrickprice.com/blog/combining-soc-1-soc-2-and-pci-audits/