Combining SOC 2 and PCI Audits

by Sarah Harvey / February 17th, 2020

We get a lot of questions about SOC 2 and PCI audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and PCI audit.

What are SOC 2 and PCI Audits?

Before we discuss how to go through a combined SOC 2 and PCI audit, let’s review what each of these types of audits is.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 2 and PCI Audit?

Why would a company pursue a combined SOC 2 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you – rather, it’s a requirement. There are a couple of different scenarios in which you would pursue a SOC 2 attestation along with your PCI RoC. You could have clients that appreciate your PCI compliance but also specifically ask for a SOC 2 report from you. Or, in other circumstances, your clients may not know the value of your PCI RoC, so they require a SOC 2 report. Even when you’re not required to undergo a SOC 2 audit, though, you could consider doing a combined SOC 2 and PCI audit to get ahead of the competition on either or both types of compliance.

Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 2 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 2 and PCI reports more accessible to organizations that are being asked for them, so to complete a combined SOC 2 and PCI audit, we use the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 2 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 2 and PCI Resources

4 Reasons to Start a PCI Audit Right Now

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing