Combining SOC 1 and PCI Audits

by Sarah Harvey / March 9th, 2020

When a breach occurs in the financial services industry, it costs the compromised organization $210 per breached record – which is why we get a lot of questions about SOC 1 and PCI audits from organizations in the financial services industry. How can you protect your data from threats? Should your company complete both audits? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and PCI audit.

What are SOC 1 and PCI Audits?

Before we discuss how to go through a combined SOC 1 and PCI audit, let’s review what each of these types of audits are.

What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization that have been implemented to protect client data. SOC 1 audits are performed in accordance with the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting (ICFR). A SOC 1 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands are Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 1 and PCI Audit?

Why would a company pursue a combined SOC 1 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you – rather, it’s mandatory to stay in business. However, a PCI audit is strictly focused on the security of cardholder data. If clients or stakeholders want assurance of other controls in your environment, they may expect to see a SOC 1 report.

Even when you’re not required to undergo a SOC 1 audit, you could consider doing a combined SOC 1 and PCI audit to get ahead of the competition on either or both types of compliance. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 1 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 1 and PCI reports more accessible to organizations that are being asked for them, so to perform a combined SOC 1 and PCI audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 1 and PCI Resources

4 Reasons to Start a PCI Audit Right Now

SOC 1 Compliance Checklist

Using the Online Audit Manager to Complete Multiple Audits