What is an audit?
An audit is an independent review of working practices against selected criteria to verify the level of compliance with applicable requirements derived from internal policies and procedures and external regulations. Audit assures Heads of Departments that work is carried out in the expected way and provides support in addressing areas that do not fully comply with applicable requirements.
The prospect of an audit can be intimidating to some people; however, it does not need to be. There is really no reason to view an audit in a negative light. In fact, an audit is an irreplaceable tool for ensuring that processes are in order and for driving improvement.
All University Departments that process card payments are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) and will be subject to PCI DSS audit. Demonstrating compliance with the standard indicates to the acquiring bank that your Department processes payments securely, and your stakeholders can rest assured that you adequately protect their cardholder information.
Benefits of a PCI DSS Audit
1. Conformance
Helps to ensure that your Department complies with applicable PCI DSS requirements.
2. Effectiveness
Gives you confidence that payment processes achieve intended results.
3. Capability
Examines whether payment processes can produce required results.
4. Improvement
Identifies further opportunities to improve payment processes.
Enhancing benefits through preparation
Being prepared for a PCI DSS audit will not only assist the auditors, but it will also ensure that you have a good understanding of your job and increase value to your Department. By working together, you and the auditors are more likely to find evidence of compliance and discover ways to improve efficiency.
The documents auditors might request are items your Department should already hold in support of its normal procedures for processing payments, for instance: training records, terminal lists and contracts. Retaining proper documentation will allow you to quickly provide the supporting evidence requested by the auditor and will avoid unnecessary time spent searching other records.
The PCI DSS audit programme was recently developed for the University and selected Departments will be informed about the upcoming audit in advance so that time can be planned for preparation.
We are here to support you. If you have any questions or suggestions, please contact me: ewa.kolaniak@it.ox.ac.uk or grc@it.ox.ac.uk