Mazars is an international audit, tax and advisory organization serving diverse clients, from large corporations to private individuals. With over 30,000 professionals in over 95 countries and territories, Mazars is one of the largest integrated partnerships in the world.
Darin McLaury, Director of Sensitive Data Cybersecurity Compliance, leads the PCI practice at Mazars USA. The PCI practice comprises a team of qualified security assessors (QSAs) who conduct PCI assessments for various clients across different industries. According to McLaury: “PCI compliance is a challenging and dynamic field, as it involves complex and frequent requirements, emerging standards and technologies, and high expectations from clients. Mazars strives to deliver high-quality and efficient engagements that meet or exceed his clients’ needs and expectations.”
One of the obstacles to delivering an outstanding client experience was the technologies that Mazars relied on for their cybersecurity engagements. The PCI practice relied on a combination of email, spreadsheets, and other tools to work with clients:
- Excel spreadsheets were used to track PCI controls or requirements and related information, such as status and notes.
- The Mazars PCI team would email clients about the documents and information required for different PCI controls, and clients would respond with email attachments or links.
- Storing and updating client files was all done manually.
While the PCI team and clients had worked together for years, traditional siloed tools could lead to delays and client frustration. McLaury states: “PCI assessments are very complex, and our team needs to ensure our clients have a very streamlined experience. However, not having a single source of truth made it more difficult to offer optimal transparency, security, and communication with our clients.”
- Transparency: Clients had limited visibility into the progress of the assessment, including which requests were sent, received, reviewed or completed. They did not have timely access to a dashboard or status report showing each engagement's status.
- Communication: The communication between the Mazars team and clients was not as streamlined as it could be. They had to rely on emails or phone calls to exchange files and messages. It was difficult to send notifications or reminders for pending or overdue requests and provide real-time feedback or ask questions.
- Consistency: The assessment output was not as consistent as it could be across engagements and clients, especially as the practice continued to grow. There were also multiple versions of spreadsheets and documents, which could lead to conflicting or outdated information.
- Security: The email and file share methods were not as secure as Mazars would like, as they exposed sensitive data to potential interception or leakage. The data was also not encrypted in transit or at rest.
With the advent of PCI DSS v4.0 and its more complex reporting requirements, the Mazars team knew they needed a new technology approach to maintain high client standards. The PCI team learned that other groups at Mazars were successfully using Fieldguide, an AI-powered engagement platform, to streamline their engagements. According to McLaury: “Our PCI team has unique challenges from other Mazars practices, so we wanted to make sure a technology solution could improve engagement efficiency and quality, as well as enhance client experience for our types of engagements.”
The PCI team chose Fieldguide as their solution because it provided several features that helped optimize both team efficiency and the client experience:
- Report on Compliance (ROC) generation: Fieldguide’s one-click PCI reporting allows the team to generate the ROC directly from the data and information collected during the assessment. McLaury states: “Fieldguide’s PCI reporting is a lifesaver. It saves our team hours and hours of time and effort, as it eliminates error-prone Word templates and manual copying and pasting from spreadsheets. Fieldguide reporting also improves client satisfaction by ensuring that the ROC is accurate and consistent with the evidence and findings.”
- Assessment milestones: Fieldguide milestones allow the team to create and track milestones for each engagement, such as kickoff meetings, scoping, testing, and reporting. This allows the team to plan and manage engagements more effectively, as everyone can see the timeline and deadlines for each milestone. Fieldguide milestones will enable the team to communicate with clients more clearly, as they can share the milestones with them and update them on the status.
- Request management: Fieldguide allows the team to create customized evidence request lists for each client, based on the PCI DSS v4.0 requirements. Team members and clients can track the status of each request and see which ones are fulfilled, rejected or missing.
- Ease of use: Fieldguide is user-friendly and intuitive, both for the team and clients. It requires little training or technical skills to use, and clients can easily access the latest information whenever they need it. Clients can delegate tasks and requests to the appropriate person, who can easily drag and drop the appropriate files for submission. McLaury states: “Clients like how easy it is to see everything that’s going on with the PCI assessment. They appreciate how much easier engagements are now, which saves them time and eliminates any confusion.”
- Document security: Fieldguide provides robust security for all the evidence and reports with each engagement. It encrypts the data both in transit and at rest and complies with relevant regulations and standards.
- Engagement dashboards: Fieldguide offers a clear and comprehensive view of the progress of each engagement. It shows team members and clients which requests are pending, in progress or completed, as well as any issues or comments.
- Real-time communications: Fieldguide facilitates smooth and seamless communication between Mazars and their clients. It allows everyone to easily collaborate on files, comment, and see the latest notifications and reminders. According to McLaury: “Comments and feedback on the evidence and reports have substantially improved the client experience. Clients like how quickly they can respond to comments from team members and provide clarifications or additional information.”
- Centralized notes: Fieldguide allows the PCI team to record their notes and observations during the assessment, so that everyone can access the latest information. Notes can also be easily linked to the relevant evidence or reports.
The Mazars PCI team expects Fieldguide to bring a variety of qualitative and quantitative benefits:
- Higher client satisfaction through streamlined communication and visibility throughout the engagement lifecycle. McLaury states: “Fieldguide has improved communication and transparency with Mazars’ clients. They can see the progress of their PCI assessments in real-time, and they can provide feedback or ask questions. The real-time collaborative nature of Fieldguide has increased trust and client satisfaction.”
- Increased efficiency through streamlining engagement workflows and reducing manual work. The PCI team expects to spend much less time on creating requests, collecting evidence, reviewing documents, and generating reports.
- Greater consistency through a standardized process and output. By leveraging a common platform across all engagements, Mazars can expect to always have consistently high-quality PCI assessments.