The Case for IT Audit Cost Containment

By Alan Ferguson, Executive Vice President

This article is an analysis of how a rapidly growing platform provider consolidated control objectives and audit services for its SAS 70 Type II (now known as SOC reports) and PCI compliance reports to reduce time and cost, and to minimize impact on its operations and staff.
Business leaders in a variety of regulated industries are faced with more demanding IT governance and regulatory compliance requirements to protect sensitive data at a time when resources are becoming more constrained.
And as companies increasingly move operations to the cloud, greater confidence in data security is needed.  But many of the risks faced by service providers become risks of their customers.  That is why those customers have increased their due diligence to avoid internal-control breakdowns (e.g., data security and privacy breaches, and fraud).
Now service organization controls (SOC) reports, formerly known as SAS 70 reports, are becoming the "de facto due diligence document" for reporting on internal controls.  Compliance can also be a significant differentiator against competitors who are vying for the same outsourcing contracts.

As a result, service providers who support these businesses are searching for innovative IT audit and regulatory reporting solutions that contain costs and limit operational disruptions while allowing them to provide the transparency required by these businesses.
This case study addresses these competing requirements with a proven, consolidated audit approach that provides enhanced IT control management by measuring common controls through a consolidated audit program.  By implementing a unified control framework and consolidated audit program, the company realized these benefits:

  • Control objectives were more closely aligned to the business, enabling a more sustainable governance and compliance reporting process.
  • Audit costs were reduced by streamlining audit preparation and consolidating test procedures.
  • Operational disruption was minimized by allowing staff to provide better transparency for control operations.

Cost savings and higher quality audit results were achieved in the first year by adopting a "test once, report twice" process. In subsequent years, the consolidated online program streamlined audit preparation and testing by re-using test scripts and leveraging stored knowledge of the control environment collected during previous years.

The public backlash from lack of oversight on service delivery continues to grow as the financial services sector consolidates and the broader economy is negatively affected.  Two trends are emerging to counteract the perception of corporate indifference. 

First, the need to demonstrate more transparent governance of critical operations to include data processing is essential.  In this connection, it is anticipated that enforcement of existing regulations will increase and new regulations will be enacted to protect the confidentiality and integrity of financial transactions and sensitive data.

Second, enhanced oversight and governance of IT controls must be accomplished with smaller budgets and often shrinking staff resources.

"Two Truths" of IT Governance in the Post Financial Consolidation of 2008

The daunting task of demonstrating adequate oversight for operational and financial controls in a period of constrained financial resources is driving innovative thinking among IT audit and regulatory compliance professionals.  This case study analyzes the IT governance requirements of a leading payment platform provider, IP Commerce, and the unified oversight and compliance management approach that they adopted under Coalfire’s guidance to meet requirements for cost-effective Payment Card Industry Data Security Standard (PCI DSS) compliance and SAS 70 reporting (now known as SOC reporting).

This case study covers Coalfire’s consolidated IT audit approach in detail.  A Consolidated Audit Program (CAP) allows service providers to implement common controls across a range of business processes and associated systems to address multiple operational or regulatory requirements.  These controls are defined, implemented and embedded into the service provider’s environment to streamline control operations, testing and reporting.  Evidence of control design adequacy or control operating effectiveness is collected only once in a unified testing program, and multiple reports are prepared to validate compliance against a matrix of regulations.

As illustrated in this paper, service providers that must comply with the PCI DSS and elect to evidence service delivery through the American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standard 70 (SAS 70) Type II reporting process (now known as SOC reporting) can adopt the Coalfire CAP to achieve significant efficiencies and cost savings.

The IT Governance Challenge for Service Providers
As a provider of outsourced services, a service provider must periodically demonstrate to its clients, and to their auditors, the adequacy of certain IT and financial controls.  Additionally, if the service provider supports transactions in the credit card payment stream, it must also demonstrate compliance with the PCI DSS on an annual basis.

To ensure the outsourced controls over critical IT services are adequate and meet vendor management requirements, service providers typically demand an independent audit to determine if the risks have been mitigated to acceptable levels.  Historically, PCI DSS assessments and SAS 70 reports (SOC Reports) have been performed independently and, although necessary, are disruptive to internal IT, finance and management staff and carry significant audit fees.  In periods of growth, service providers encounter increasing demands (i.e., more clients = more audits = more expense and disruption).  It is also important to note that PCI and financial controls audits are often managed by different groups within a service provider organization.  This separation typically results in overlap and duplication of effort for both the external auditor and the internal staff supporting these audits.

Market Demand
Clearly, the traditional approach to IT audit is no longer viable for many service providers.  The demand for ongoing transparency of effective control operations, combined with reduced cost for compliance reporting, is driving the need for a more efficient process.  IP Commerce established an objective to provide “Best of Breed” control reporting for both internal management and ongoing external reporting, while at the same time setting a goal to drive significant efficiencies into its IT audit process.

The consolidation of SAS 70 reporting with IP Commerce's annual assessment of compliance as a Level 1 service provider under the PCI DSS was an obvious choice to target efficiencies.  Coalfire responded by conducting a review of both audit programs to establish a common controls framework that would be used by IP Commerce to manage disparate compliance and governance requirements.  The resulting consolidated audit program is representative of the approach that service providers can adopt to meet the competing requirements for improved IT control reporting with a well-defined program for cost containment.

IT Audit Containment - A New Approach
Utilizing its Consolidated Audit Program (CAP) for IP Commerce, Coalfire conducted a cross-walk for the SAS 70 and PCI controls and developed a common controls matrix.  Based on this matrix, Coalfire and its audit CPA firm partner determined the testing and documentation that would meet both PCI standards and SAS 70 control objectives as well as any control activities that were unique to a particular standard. 

Working with the IP Commerce project manager, the Coalfire team developed a project plan that included identifying and scheduling required resources from IP Commerce. 

The goal was to ensure that testing was performed and documented to meet the requirements of both standards with minimal cost and reduced disruption to IP Commerce staff.  The team mantra was "Do it once – do it right".
The table below illustrates the IP Commerce common control framework and the alignment between its PCI and SAS 70 requirements.

Pre-Audit Activities

To guide the project, the Coalfire team conducted the following pre-audit activities in association with designated IP Commerce staff:

  • Created an on-line, secure project portal for team communications and document storage and retention;
  • Designated a client project leader and appropriate team members;
  • Analyzed compliance reporting requirements and documented consolidated PCI and SAS 70 control objectives and related control activities;
  • Mapped the scope for unified testing across all relevant systems;
  • Performed a Design of Controls gap analysis of the control environment to highlight control deficiencies or weaknesses;
  • Provided a roadmap to guide prioritized remediation and gap closure;
  • Collected relevant control documentation to prepare test scripts for evidence archiving;
  • Established a portal-based communication plan to keep all relevant stakeholders apprised of audit progress.

Audit Activities
Once the audit preparation phase was completed, Coalfire conducted the following onsite testing activities:

  • Documented the current IT environment and defined a scope for testing;
  • Selected samples for evidence collection that would serve both the PCI DSS and SAS 70 Type II audit requirements;
  • Performed IT audit testing through observation, documentation inspection, technical testing, re-performance, corroborative inquiry and process walk-through;
  • Delivered draft and final PCI Report on Compliance and SAS 70 Type I attestation report.

Gap Identification and Remediation
A SAS 70 report (or now a SOC Report) is issued by a CPA, and a PCI ROC requires attestation from a PCI-certified Qualified Security Assessor such as Coalfire.  Each audit may expose control deficiencies, but the process can be the catalyst for significant, long-lasting business and operational benefits. For some service providers, an interim deliverable of the Coalfire CAP approach is a management letter and PCI remediation roadmap justifying new or modified controls to more adequately address risks to the organization and its customers.  Once control objectives and customer specific control activities are adequately designed, documented, tested, and operational – future audits are executed with greater efficiency.

The following page illustrates the common control objectives and activities relevant to the IP Commerce PCI Report on Compliance (ROC) as a level 1 Service Provider and SAS 70 Type II reports. 

(Note: Other clients may require additional controls or cross walk across multiple environments to unify control mapping.)

Common Control Framework: PCI Report on Compliance (PCI DSS control objectives and control activities) cross-walked to SAS 70 Type II (common control objectives and SAS 70 common controls)

PCI Sections 1 and 2: Build and maintain a secure network
  PCI DSS control activities:
  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Maintain secure configurations.
  SAS 70 common control objective: Network Security
  1. Develop and maintain routers, firewalls, VPNs, and other security systems to restrict unauthorized access.
  2. Monitor and promptly respond to problems and unauthorized access to network information.
  3. Network connectivity is configured to restrict unauthorized access to all network systems.
  4. Systems are configured to protect sensitive data.
  5. Encryption is deployed to protect sensitive data during transmission.

PCI Sections 3 and 4: Protect cardholder data
  PCI DSS control activities:
  1. Protect stored data.
  2. Encrypt transmission of cardholder data and sensitive information across public networks.
  SAS 70 common control objective: (see Network Security and Computer Operations)

PCI Section 5: Implement and regularly update anti-virus protection
  PCI DSS control activities:
  1. Use and regularly update anti-virus software.
  2. Develop and maintain secure systems and applications.
  SAS 70 common control objective: Computer Operations
  1. Use and regularly update anti-virus software.
  2. Data is routinely backed up, stored in a secure offsite location, and tested periodically for the effectiveness of the restoration process.

PCI Section 6: Develop and maintain secure systems
  PCI DSS control activities:
  1. Use of Open Web Application Security Project (OWASP) standards for web-facing development.
  2. Change control procedures.
  SAS 70 common control objectives: System Development Life Cycle (SDLC); Change Management
  1. Plan, analyze, design, test, implement, and maintain changes requested for information security.
  2. Segregation of duties throughout the change process.
  3. Ensure infrastructure and application changes are approved, tested, and appropriately deployed.

PCI Sections 7 and 8: Implement strong access control measures
  PCI DSS control activities:
  1. Restrict access to data by business need-to-know.
  2. Assign a unique ID to each person with computer access.
  3. Enforce the use of strong passwords.
  4. Implement access control audit and accounting.
  SAS 70 common control objective: Logical Access Controls
  1. Manage system access via identification and authentication (password management).
  2. Manage information system accounts, including establishing, activating, modifying, disabling, and removing accounts, passwords, and user IDs.
  3. Manage user access to resources via appropriate authorization.
  4. Manage system and application accounting, logging, and monitoring.

PCI Section 9: Restrict physical access to cardholder data
  PCI DSS control activities:
  1. Implement physical access controls to restrict access to cardholder data.
  2. Require visitor controls and logging.
  3. Maintain video surveillance at data centers.
  SAS 70 common control objective: Physical and Environmental Controls / Data Center Security
  1. Access to computers, computer rooms, networks, etc. is restricted to authorized individuals.
  2. Data center security is reviewed periodically.
  3. Data center monitoring via CCTV, log systems, and observation.
  4. Data center environmental controls, including fire protection, HVAC, power, and redundancy.

PCI Sections 10 and 11: Regularly monitor and test networks and systems
  PCI DSS control activities:
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.
  SAS 70 common control objective: Network Security
  1. Develop and maintain routers, firewalls, VPNs, and other security systems to restrict and monitor unauthorized users from gaining access.
  2. Monitor and promptly respond to problems and unauthorized access to network information.
  3. Testing and assessment, to include vulnerability scans, penetration tests and other audits.

PCI Section 12
  PCI DSS control activities:
  1. Background checks.
  2. Enforce acceptable use policies.
  3. Implement security awareness training.
  SAS 70 common control objective: Human Resources
  1. Implement HR and security policies and procedures.
  2. Conduct background checks.

Additional SAS 70 common control objectives (no PCI DSS column entry):
  Application Controls
  1. Validate data input controls.
  2. Validate data processing controls.
  3. Validate data security controls.
  4. Validate data output controls.
  Processing Client Transactions
  1. Maintain a Quality Assurance (QA) program to monitor transactions.
  2. Review transactions periodically and test for completeness and accuracy.
  Customer Billing
  1. Maintain an audit process to ensure the completeness and accuracy of billing.
  Customer Service
  1. Customer Service Level Agreement (SLA) management.
  2. Customer problem management and resolution.

Efficiencies Achieved

As indicated in the following charts, the Consolidated Audit Program yields significant efficiencies in both audit preparation and testing for those organizations currently performing a separate SAS 70 audit and PCI assessment.  Additional efficiencies will be gained if your organization does not currently provide a SAS 70 Type II report to clients.  Ad hoc reporting of controls could result in significantly higher costs and a likelihood of customers migrating away from an unaudited service.

(NOTE:  The following results are based on the experience of IP Commerce and may vary based on the unique characteristics of another service provider.)

Traditional Separate Audit Approach
Estimated Impact on IP Commerce Resources for Annual Audits under a Traditional Program

Report                     Internal Staff Hours   External Audit Hours   Total       Impact
PCI Report on Compliance   120                    140                    260         Requires IT and management resources.
SAS 70 Type II Report      180                    180                    360         Typically requires participation from additional internal staff resources and a different auditor.
Grand Total                300 hours              320 hours              620 hours

Consolidated Audit Program (CAP) Approach
Estimated Impact on IP Commerce Resources under the Coalfire CAP Program

Report                     Internal Staff Hours   External Audit Hours   Total       Impact
PCI Report on Compliance   80                     120                    200         Requires IT and management resources.
SAS 70                     80                     120                    200         Leveraging common controls for unified audit preparation and testing through an online portal dramatically reduces resource requirements.
Grand Total                160 hours              240 hours              400 hours

Savings (Traditional Program minus CAP Program)

                           Internal Staff Hours   External Audit Hours   Total
Hours saved                140 hours              80 hours               220 hours
Percentage saved           46%                    25%                    35%

Benefits Realized

“Completing the PCI ROC and SAS 70 reports simultaneously proved to be an excellent decision.  Both standards are a high bar and the Coalfire / K Financial team was definitely up to the task.  Their organizational ability and expertise with both standards were critical to the success of the project. The result exceeded our expectations and vividly demonstrates IP Commerce’s market leadership and its commitment to compliance and accountability.  Our customers can be confident that our platform and associated services are consistent, safe and reliable and that they are compliant with industry and regulatory mandates.”

-- Chip Kahn IV, President and CEO – IP Commerce, Inc.

Benefits for a Service Provider:

  1. Compliance Assurance - Attestation that the company’s controls over processes, infrastructure and applications have been reviewed and deemed adequate by an independent third party.
  2. Competitive Advantage - Keep, attract, and build customer relationships. User organizations are more likely to retain the services of organizations like IP Commerce that have formally established effective internal controls and compliance reporting.
  3. Cost Containment - Dual ‘seal of approval’ that can be provided to multiple client organizations, thereby freeing up resources that would otherwise be allocated to responding to individual audit requests and questionnaires from each client organization.
  4. Risk Mitigation – Reduce exposure for potential liability of a data breach.

The Coalfire CAP methodology can align SAS 70 reports to other regulatory influences of interest to your organization, such as control objectives relevant to the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and others.

Benefits for the Service Provider’s Clients:

  1. Compliance Assurance - Provides reasonable assurance that a service provider has established internal controls that are operating adequately.
  2. Transparency of Risk Management - Provides insight into the nature of a service provider’s controls and an independent third-party assessment of their effectiveness.
  3. Cost Containment – Through reliance on independent testing, it alleviates the burden and cost of performing an internal audit.

Additional Benefits

Mature Structure

Informal processes, minimal documentation and a loose system of relying on individuals are often factors that characterize a service provider’s early development.  The process of completing SAS 70 and PCI audits simultaneously is a maturing process that causes the service provider to establish and document formal, transparent controls that will withstand in-depth review by management and external auditors.  Using the CAP approach, this can be accomplished while protecting the growth-propelling environment and culture of the business.

Documentation Harmonization
Policies are an important part of an organization’s IT control structure, and SAS 70 and PCI certifications require that an organization’s policies are both appropriate and complete. As companies mature, they need to transform informal policies that are not fully documented into formal ones.
The CAP process encourages a service provider to invest in documenting a unified set of policies that meet both PCI and SAS 70 requirements.  Informal policies are documented and existing policies are revised and expanded where needed.  Where gaps are identified, Coalfire provides templates and examples based on industry best practices for similar organizations.

Using this approach, a service provider is able to prevent control isolation, where one set of controls is set up to meet a specific regulation, and other controls are established to meet different but similar standards. Control isolation leads to control conflict, which leads to control deterioration and ineffective governance. Coordinating policies with control activities will strongly support an organization in achieving policy harmonization and regulatory compliance in a comprehensive, unified manner.

Segregation of Duties
PCI and SAS 70 examinations require segregation of duties as a means to discourage and prevent fraud and malicious acts. The Consolidated Audit Process examines internal controls to ensure the independence and integrity of critical functions and processes.

IT governance and compliance management for emerging data privacy regulations require a transparent approach for a wide range of internal controls. With the demand for more accountability and improved governance, service providers can "step up" to market demands while continuing to control costs.  These efficiencies come from using common controls across disparate regulatory requirements in combination with a unified test and reporting process.

PCI compliance and SAS 70 reports (SOC Reports) are increasingly important certifications for service providers.  The dual SAS 70/PCI certifications are a demonstration of an organization’s ‘tone-at-the-top’: that adequate IT controls are implemented and operational.  When performed in a coordinated manner under Coalfire’s CAP methodology, the certification process yields many benefits beyond cost savings, and the certifications are leveraged as a market differentiator by these service providers.