S3 E1: PCI and SOC 2 Combined Audits

Transcript

Jordan Eisner: Hello everybody. Welcome back to season three of Compliance Pointers, episode one. I’m here with probably our most frequent guest at this point, Brandon Breslin, Director of our Assurance Group, PCI Guru, but also a manager of our SOC 2 practice and our ISO 27001 and similar practice.
Brandon, how are you doing?

Brandon Breslin: Pretty good. I’m honored you bring me back a couple more times. You can’t get rid of me.

Jordan Eisner: I’m glad you’re back. You’re wearing your Georgia vest. For our watchers and our listeners, we are actually recording this before the new year, but this is technically a 2025 episode. If you’re listening or seeing this, it is 2025. Then perhaps the result of the college football quarterfinal game has already happened.

Brandon Breslin: I’m excited. I’m excited. We’re coming off the SEC Championship over Texas.

Jordan Eisner: What do you say to your future self for when this video is released and that game has already happened? If you’ve won or if you’ve lost, what do you tell future Brandon?

Brandon Breslin: Just stay relaxed. Georgia football takes years off of my life for sure. As I’m sure it does for every fan of their respective teams.

Jordan Eisner: Well, we’re talking to people because PCI, SOC 2, and ISO take years off their lives.

Brandon Breslin: Yes, absolutely.

Jordan Eisner: I think that’s a good theme for this podcast today. As a reminder for our listeners, Compliance Pointers is about information security, data privacy, cybersecurity, and all the things in that realm. CompliancePoint is a consulting firm that does assessments and audits and consulting services around these different InfoSec and privacy frameworks. It really has to do with how you interact with the marketplace, but also what sort of steward of data you are. Securing it, protecting it, limiting it, limiting use of it and processing of it and abiding by various rules and requirements and regulations based on the type of data set you’re collecting.

Two areas that we consult on that are under Brandon’s group are PCI and SOC 2. Two of the areas that organizations have to go through annual audits for are PCI and SOC 2, if not even more than that. And a lot of times there’s a combination of the two. And so we’re going to be talking about how you can combine those audits. We’re going to look at how they can benefit businesses and how to best prepare for those.

So pretty straightforward. Some questions with an expert who’s done dual audits and who is familiar with both, to talk about the benefits for the businesses.

I will say this, or tee it up, at the beginning. If after you listen to this, or even before you listen to this, you have questions about this and your business is considering it, please consider CompliancePoint. Reach out to us. We offer attestation and readiness services around both of these areas. And we’ll be glad to assist, or at least answer some questions and steer you in the right direction.

So let’s dive right in. Start by explaining, first and foremost, at a rudimentary level, what’s a blended audit?

Brandon Breslin: Yeah, absolutely. And I do want to clarify on the readiness and attestation. I’m sure some of you have seen that. That’s a newer change for us. We’ve spun up an organizationally independent CPA division under our umbrella. So it allows us to do both of those while still maintaining that independence under the AICPA guidelines there.

As it relates to blended audits, integrated audits, combined audits, they’re all interchangeable terms. They’re extremely helpful for saving time in the assessment.

And I will say that the landscape of these continues to change, even as the requirements mostly stay the same. There are new technologies that they have to incorporate, or concerns about those, or new threats that come out to the landscape that can drive new requirements. Those come out, but the core integrity of these assessments continues to maintain its steady pace, right? It saves time, reduces that audit crunch, if you will.

If you’re spreading out audits over the year, sure, you can use different people if people are out. But I will say combining assessments at the same time allows you to use similar evidence, especially if you have overlapping controls. You can have the audit team working at the same time for both of those assessments, so you can knock them both out at the same time. And then later in the year, you can have more time freed up for other initiatives that you may have going on in your organization.

It also gives you a better holistic security posture on your environment. If you’re evaluating controls in the beginning of the year and then later again in the end of the year, things change, right? So if you do both of those at the same time, you have a better picture of where you are right now, and then you can better prepare for the next year.

And maybe I can talk about the more tactical elements of how these work.

Jordan Eisner: Well, I mean, the next thing I was going to ask you about was the benefits. We really got into that as well. Efficiency, cost savings. You highlighted some of them. Yeah. So, I mean, if you want to dive further into those, we talked about some key areas beforehand. Audit fatigue, just a holistic security posture, improved risk management overall. I mean, that was the intent of a lot of these frameworks. And now they’ve become compliance and a bit of going through the motions. But the original intent behind a lot of this was security.

Talk about that in addition to what you had on those other areas and how that can help enhance security posture through a compliance framework.

Brandon Breslin: Sure. Yeah. Yeah, you hit a couple things there. You know, improving the security posture, I think, as it relates to what I was saying about the evaluation of the controls, those continue to change as the landscape changes. So you really want to be able to evaluate where your environment is at right now versus what your goals and objectives are for the future so that you can determine your risk appetite. Those risk assessments that you can start to do later in the year if you haven’t done one of those before, right? You can’t evaluate where you’re going to be until you know where you are right now. And doing a SOC 2 assessment, doing a PCI assessment, doing an ISO assessment, whatever it may be, really gives you that gut check of, hey, where’s your environment at right now? What does the security posture look like? How do we get to be a more mature organization? What makes sense from a SOC perspective? What makes sense for us to do from a trust services criteria standpoint, right? Whether it’s just doing security or looking at availability or confidentiality, right? Like really understanding what your business model is, where you want to get to, and what makes sense to evaluate from where you want to be in the future.

PCI is a little bit more prescriptive, but you know with SOC 2, you have a little bit more flexibility based on the controls that you want to evaluate.

And everybody always says, oh, well, why don’t I just evaluate controls that are easy for my organization to hit? That doesn’t really meet the intent of the standard, right? That’s just kind of doing a baseline. It’s a check the box. You don’t want to do that, right? You really want to look at this from a truly security and audit perspective, not just an audit standpoint, not just a compliance framework, right? You really want to look at these. How do we mature the organization? How do we improve that security posture? How do we establish a better risk management program for our organization? A better security governance program, right?

Jordan Eisner: Easier said than done, right? It all sounds good in theory. Okay, so more time, more effort on this. How’s that adding to our bottom line? And it’s hard to measure.

Brandon Breslin: It is. And I think that’s where kind of the cost savings comes into play, right? You hit on that a little bit with these blended audits or integrated audits, combined audits, whatever you want to call it. When you’re doing both of those at the same time, you know, you don’t have to establish another separate game plan for later in the year. We can leverage the same evidence. We can leverage overlapping controls. We can do crosswalks across the different frameworks, right?

We can save time of requests and work papers and, you know, pieces of elements of the report, right? If you’re doing them at the same time and it’s the same people or the same departments that are managing it and providing that evidence, we can do interviews overlapping, observations overlapping, evidence overlapping, right? There’s so many ways to save time and in turn save cost because the price of the assessment would go down because you’re evaluating a lot of those together at the same time.

Jordan Eisner: Well said. So for businesses considering combined audits, you know, what steps can they take to ensure that doing so is successful? I mean, you’re adding a little bit more to the plate by doing it at the same time. You could argue both ways, I guess, but it may be a bit more scrutiny in that time period to get it right, and get it right for both, right? Trying to hit two birds with one stone. So what are some steps that you would recommend to ensure they’re successful?

Brandon Breslin: Yeah, you hit the nail on the head of really looking at where you are, right? Understanding what’s the, you know, what’s the landscape right now for the organization? Is it a situation? Because you can argue both sides. You’re absolutely right. Is it a situation where you’re going to have one person managing all the compliance efforts in the organization? If that’s the case, it probably doesn’t make sense to do all of them at the same time because then that person is going to be completely tied down with these assessments, right? If you’re a one-man or one-woman compliance shop, you don’t have the ability to do that.

But this is more geared towards organizations that have a couple different people to allow for redundancy, right?

With that said, though, if you have a one person IT shop or one person compliance shop and you don’t mind tying them down to audits for a couple weeks or a couple months, right? Then maybe it makes sense for you, right? I think the right answer is going to differ from organization to organization. You really need to look internally to say, hey, what is the best approach for us? What is our appetite for time management, right? Are we okay with this person or this team doing these assessments for a couple weeks together and just not knocking them all out in the beginning of the year or getting a few things established in the organization, do a readiness and then do all the assessments later in the year, right? Or if you think spreading it out to free up people throughout the year is good, that’s fine too.

I will say when you do these integrated audits, though, the time saver is the evidence, is the work, the workflows, the observations, the interviews. If you’ve got just a couple people managing all the controls in the organization, it’s a no-brainer to do all these together because you’re already having the conversation. Like, does it really make sense to have the same conversations with somebody in April and then come back again in August? No, unless you’re doing an interim and a year-end type of situation, like a 9-30 date and then a 12-31 date. Sure, you may have to do some interim testing and year-end testing to revalidate some things. Sure, you want to make sure you’re doing your good diligence there. However, you want to be careful about that; especially for us as a consulting company, we want to be mindful about our clients’ time. We want to, you know, not burden them down with that time. So there are just so many factors to think about in that sense.

Jordan Eisner: Yeah, ask the question once.

Brandon Breslin: Yeah, exactly. And I will say also, just having a really solid audit plan is such a key factor in this. If you’re an organization that performs multiple assessments or multiple audits throughout the year, you can’t just roll right into this with no plan, right? You really need to have a governance structure in place, or even just an audit plan of some sort, to say, hey, these are all the assessments that we need to do. These are the timeframes that we think would be best. And this is maybe where we feel like we are right now, or where we are falling short and where we need to establish a program to move forward and establish compliance with these controls. And that’s really where we can help you guys out, build out those road maps, build out those audit plans.

Jordan Eisner: Yeah. What about, you know, you talked about evidence collection, right? Planning coordination. What about a GRC tool?

Brandon Breslin: Yeah, that’s a great point. You know, we’re talking a lot about process and planning and, you know, organizational structure. Having a tool to empower that process changes the game. You don’t want to be doing these assessments manually, you know, and that’s not just speaking from our side, from the consulting side, from the organizational side, from, you know, from the entity that’s actually doing the assessment. You really don’t want to be doing that manually. Managing controls, especially if you have 50, 100, 200, 400 controls, right? That’s a lot to manage. And when it comes to doing risk assessments or risk management frameworks on those controls, that is a big burden if you’re doing that manually.

There are also frequency-based controls too, right? Not a lot of these are one-time; an audit is not a one-time process. It’s a continuous journey. It’s a year-long continuous process. So you need to stay ahead of that curve. That’s where the GRC tool can come in, right? Of evaluating, hey, what’s the criticality rating of these controls or these risks, right? To the organization.

It starts to really blend the process of risk management and the controls together. I think historically they’ve kind of been standalone, but, you know, with GRC tools now these are becoming more intertwined or integrated. So really understanding what’s the frequency of all our controls? What’s the process? Do we have any controls that are at risk? Or is everything healthy? Or do we have any non-compliant controls?

Who do we assign the controls to, right? That’s another factor. If you’re a larger organization, you want to make sure that each control is assigned to a person to make sure that nothing gets missed.

And there are so many tools out there, right? We’ve partnered with a few tools. So if you work with us, we can definitely provide you guys access to those tools that we’ve partnered with. But if you’re a larger organization that has not gone down the route of exploring GRC tools, that’s definitely something we highly recommend.

Jordan Eisner: Yeah. There’s no limit to those in the marketplace these days.

Those have been some good quick hitters. What is a blended audit? Why consider it? The best recommendation is to do it, and how to do it successfully. And you summarized those, right? Choose the right auditor, organizational planning around it, right? People, prioritization of it. Doing it not just as a check-the-box exercise, but really getting something out of it. Mature the organization. Mature not only security posture, but other things as well. Policies, governance. And using a tool. Great. You know, nice to have. If you can’t do that, at least existing documentation and some sort of file sharing. And not having to repurpose or recreate the wheel every time you do these audits.

I guess, the last piece? Remediation, right? So you’re doing two audits at the same time. Maybe it’s very different. Does that create more remediation? You know, more work coming out of this audit as opposed to doing it two separate times. You know, how do you evaluate that? Or what are some considerations?

Brandon Breslin: Sure. Yeah, that’s a good question. So the remediation piece is going to vary, right? From organization to organization. It’s also going to vary from control framework to control framework. You may have a lot of requirements that are not applicable or you may have a bunch of controls that are not relevant or not utilized in the organization, right? So in the SOC world, that’s just not included or implemented in the assessment, right? For PCI, for example, that would be not applicable.

So there are differences. I think the remediation piece will vary from customer to customer that we, you know, specifically for us, would work with. But it is important to recognize that where a benefit of integrated audits comes into play is actually the remediation. Because, for example, if you go down the route of a PCI assessment and a SOC 2 assessment, or an ISO readiness or an ISO attestation assessment, right? You may find out that you have a couple policies and procedures that need to be established. You might discover that you’ve got some, you know, system configurations that need to be established, some baseline configurations that need to be configured or created.

And I think where the benefits can come into play is if you know all the controls and requirements for those frameworks that you’re evaluated against, you can do that in one hitter, right? You don’t want to have to go down the route of establishing a policy for SOC 2 and then realize down the road, oh, actually, we need to modify this policy to incorporate some of the PCI requirements as well, right? That’s a headache for the organization. So that’s kind of my long-winded point there on the remediation: if you know all the, you know, pain points in the organization, or the non-compliant points of the organization, right? As it relates to the frameworks that you’re evaluated against, you can remediate all of those in one quick hitter.

Jordan Eisner: Yeah, no, good point. I don’t think that was too long-winded. I think that was a succinct point. Per usual with you, Brandon.

Thanks for coming on. I think this leaves listeners with some key points and considerations. I would say to the audience what I said at the top: if you have further questions or considerations around this and you want to bounce it off a sounding board, or maybe you’re interested in bringing on an auditor to do either or both of these, we’d welcome the conversation at CompliancePoint, and you can find us online at CompliancePoint.com. You can email your inquiries to Connect@CompliancePoint.com, and Brandon and myself are both online and active on LinkedIn, so feel free to find us there.

We will be back with more episodes. We did 37 episodes last year, so the goal has got to be at least 38 this year and maybe more, so continue to tune in, continue to subscribe, leave feedback, make requests on the page for other content you want to hear.

All right, thanks everybody.
