PCI Audit by Internal Audit


K Heath
02-13-2007, 07:33 PM
During the QSA course I recently completed, it was mentioned that a merchant may use its Internal Audit Department to perform a PCI Audit, if signed off by an approved officer of the Merchant. From the notes I took, I believe this has been agreed by Visa, but I'm not sure about other card brands.

Does the same agreement apply to Service Providers? Can their Internal Audit departments perform a PCI Audit?

Given the requirements placed on QSACs and QSAs to be appropriately qualified, it seems strange that the PCI SSC would allow untrained (not QSA certified) auditors to perform these audits.

Can anyone elaborate on this?

admin
02-13-2007, 11:52 PM
There has been strong pushback on behalf of the large merchant community to enable them to comply without having to pay large costs to audit firms. This applies more in the US than it does in other countries. For example, some of the largest retailers in Australia will have upwards of 1-2,000 retail stores, whereas there are retailers in the US with 15-30,000 retail stores. You can imagine the cost of having an audit firm would be considerably higher even with the usage of sampling. Because of the pushback from large retailers and to drive adoption of the program, an exception was made for Level 1 (or Large) Merchants only, NOT service providers.

It may sound risky, but in all reality most merchants do not ask for this exception and those that do rarely perform the audit in-house. The risk is just too large in the event they overlook an area of their network (without the guidance of a trained professional). I would not worry about it, but if a merchant asks, you can advise them on the risk and complexity of performing the audit in-house.

adam.muntner
03-18-2007, 12:57 PM
In theory, a company subject to PCI could also fulfill the 11.3 annual application and network penetration test in house. There are a lot of good reasons not to!

See the thread in this forum http://forum.pcianswers.com/showthread.php?t=13

as well as Michael Dahn's blog post referenced in that thread.

jbhall56
03-22-2007, 07:00 AM
We have met with a number of organizations that want the independence of a third party looking at things but also want to leverage their internal audit work. This works well in organizations with thousands of locations. We just sample the results of the audit work to confirm its accuracy and move on.

However, before going down this road, you need to make sure some things are in place. Organizations that want to take this approach need to modify their internal audit approach so that the relevant PCI requirements are covered when they are performing their fieldwork.

In addition, internal audit's location sampling approach needs to include all versions of POS or other relevant remote PCI systems implemented. A lot of internal audit sampling algorithms only take into account the remote locations' various audit risk factors but not software version. As a result, their selected sample may not result in a sample set that includes all of the necessary versions of POS or other relevant remote PCI systems. If the sample is not complete, then the QSA has to fill in the gaps.
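
The version-coverage problem jbhall56 describes, as an added example that is not part of the thread: a risk-only location sample versus one that fills in any POS software versions the risk-based selection missed. The store list, risk scores and version strings are constructed for illustration.

```python
"""Added example (not from the thread): risk-based store sampling with a
POS-version coverage check, so the QSA does not have to fill the gaps."""
from collections import defaultdict

# Constructed sample estate: (store_id, audit_risk_score, pos_version).
# The highest-risk stores all happen to run the same POS version, which is
# exactly the situation where a risk-only sample misses versions.
STORES = [
    ("S001", 9, "POS 4.2"), ("S002", 8, "POS 4.2"), ("S003", 7, "POS 4.2"),
    ("S004", 6, "POS 4.1"), ("S005", 3, "POS 3.9"), ("S006", 2, "POS 3.9"),
    ("S007", 1, "POS 5.0-beta"),
]


def risk_only_sample(stores, n):
    """Typical internal-audit approach: the n highest-risk locations."""
    return sorted(stores, key=lambda s: s[1], reverse=True)[:n]


def version_gaps(sample, stores):
    """POS versions deployed somewhere in the estate but absent from sample."""
    deployed = {version for _, _, version in stores}
    covered = {version for _, _, version in sample}
    return sorted(deployed - covered)


def version_aware_sample(stores, n):
    """Risk-based sample, then add the highest-risk location for every
    POS version the risk-based pick left out, so each version is tested."""
    sample = risk_only_sample(stores, n)
    by_version = defaultdict(list)
    for store in stores:
        by_version[store[2]].append(store)
    for version in version_gaps(sample, stores):
        sample.append(max(by_version[version], key=lambda s: s[1]))
    return sample


if __name__ == "__main__":
    naive = risk_only_sample(STORES, 3)
    print("risk-only sample misses:", version_gaps(naive, STORES))
    full = version_aware_sample(STORES, 3)
    print("version-aware sample:", [s[0] for s in full])
    print("remaining gaps:", version_gaps(full, STORES))
```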

mdahn
03-24-2007, 10:23 PM
It is strongly encouraged that merchants who want to do this audit in-house first engage a QSA to perform the audit their first year. Then on year two, have the internal audit group shadow and perform the audit alongside the QSA. On the third year have the internal audit team perform the audit and hire the QSA to verify (as Jeff mentioned).

Something like this will help reduce your chance of doing it improperly.