Understanding the Differences and Similarities Between the PCI and SOX Projects
By: Mitchell H. Levine, CISA
Companies which process or handle large volumes of credit card data are required to go through an annual PCI (Payment Card Industry) assessment (i.e., a self-assessment or an independent onsite assessment, depending on transaction volume) to ensure that they comply with a pre-established set of security requirements established by the PCI Security Council. The PCI Security Council was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
The objective of Sarbanes-Oxley is to evaluate the effectiveness of controls over financial reporting. Section 404 of the Sarbanes-Oxley Act is comprised of two paragraphs from the SEC that every organization has had to interpret for itself to determine the types of controls which are required to be in place. The PCAOB has provided additional guidance subsequent to the release of Section 404, but that guidance still does not provide a set of standards for the type of financial, integrated and IT controls which should be established by an organization.
The PCI Standard is comprised of a specific set of security requirements which cover the traditional components of an IT General Controls Audit, such as Network Security, Logon Security, Logical & Physical Access Control, Change Control, SDLC and Security Policy. The PCI Standard also prescribes the test procedures to be used to evaluate an organization’s compliance with each requirement. This approach ensures that all organizations which are required to be PCI compliant are evaluated in a consistent manner.
Although there is still some level of interpretation in designing the compliance test that demonstrates a PCI requirement is being met, this is a far cry from the approach used in SOX. Within SOX, it is at the discretion of each organization to determine which IT General Control Audit components are included as SOX control areas, and it is within those areas that control objectives and control activities are defined. Although the external auditor can identify deficiencies for missing controls during the control design evaluation, most organizations subject to the requirements of SOX have found that external auditors will not require additional controls to be added to the SOX control inventory in subsequent SOX compliance years. Most individuals involved in SOX testing have also realized that the compliance tests established to prove that controls are effective are based solely on the discretion of the tester.
Although it would be expected that both SOX and PCI would require the mandated controls to be deployed in a consistent manner across an organization, the reality is that each of these projects allows an organization to narrow the IT processing areas which are subject to control and security requirements, which in turn reduces the overall scope of each project.
For the SOX project, organizations are only required to prove that controls are effective for those hosts, applications and databases which have a material impact on the accuracy of the financial statements. This is the reason that the most important SOX project task is to identify in-scope financial processes which relate to assets, liabilities and expenses which are then traced to the associated IT applications, database and servers. It is not surprising that in most SOX organizations, less than 20% of the applications which support business processing are in-scope for SOX.
For the PCI project, the hosts, applications and databases which are validated against the PCI Standard are only those components which contain cardholder data. Therefore, one of the first tasks of the PCI project is to perform a “scavenger hunt” to locate those applications which process cardholder data and those databases which store it.
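The “scavenger hunt” described above is, in practice, a data discovery exercise: every file share, database export and log file is searched for strings that look like a primary account number (PAN), and anything that is found pulls its host, application or database into PCI scope. The following is an added example, not code from the article or from Audit Serve, that shows the core of such a search. It assumes (beyond anything the article states) that a candidate PAN is a run of 13 to 19 digits, optionally separated by spaces or dashes, and that false positives such as order numbers and phone numbers are filtered out with the Luhn check digit that payment card numbers carry. The sample records are constructed for the example; any hit is reported masked (first six and last four digits) so the discovery report itself does not become another store of cardholder data.

```python
import re

# Constructed sample records standing in for a file share, a database
# column and an application log. None of these values are real cards.
SAMPLE_RECORDS = [
    ("orders_db.customer_notes",
     "Customer called about order 1234567890123; callback 555-123-4567"),
    ("legacy_export.csv",
     "id,name,card\n17,J. Doe,4111 1111 1111 1111\n18,A. Roe,5555-5555-5555-4444"),
    ("crm.attachment",
     "Ref 4111111111111112 does not pass checksum"),
    ("app_logs/payment.log",
     "2008-03-01 12:00:01 auth ok pan=4111111111111111 amount=19.99"),
]

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run (so long numeric IDs are skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PAN hits (with offsets) found in a block of text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append({"masked": mask_pan(digits), "offset": m.start()})
    return hits


def scan_records(records) -> dict:
    """Map each record name that contains cardholder data to its hits.

    Any record that appears in the result brings its source system
    into PCI scope; records with no hits are omitted.
    """
    result = {}
    for name, content in records:
        hits = find_pans(content)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        for h in hits:
            print(f"{name}: {h['masked']} at offset {h['offset']}")
```

In a real engagement the record source would be a crawler over file shares, database dumps and log directories rather than an inline list, and the Luhn filter would be paired with the issuer prefix ranges the assessor expects to see; the structure of the check, candidate pattern then checksum then masked report, stays the same.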
The PCI and SOX projects each present unique challenges to an organization. Both projects require annual validation and the allocation of significant resources to maintain overall compliance. With the additional requirements that have recently been added to the PCI Standard, organizations which were previously thought to be compliant with all requirements are now forced to initiate projects to address these expanded requirements.
Both of these projects have provided audit professionals additional career opportunities to utilize their control evaluation and testing talents.
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing and Penetration Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.