The Payments Internal Audit Evidence Playbook

$199.00
A focused course, tailored for you

Build the working-paper file that a card-scheme auditor, a PCI QSA, and a prudential examiner all sign off on without a single follow-up request.

Your walkthrough working papers get re-opened by the QSA, the scheme auditor, and the prudential examiner because the file does not pre-answer the questions they always ask. Every cycle becomes a chase for screenshots, settlement extracts, and underwriting recordings that should have been in the file the first time.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Internal Audit at a payments acquirer-processor sits at the intersection of four assurance regimes that do not coordinate. The QSA wants PCI DSS v4 evidence with population, sampling, and exception treatment named. The card schemes want operating-rule compliance evidence on merchant boarding, settlement timing, chargeback handling, and 3-D Secure dispute volumes. The prudential regulator wants operational resilience and ICAAP-relevant control evidence. The external financial-statement auditor wants ITGC and revenue-stream controls evidence. Four assurance readers, four file formats, four sampling expectations, and you are the function that has to produce a single working-paper file that satisfies all four without writing the same control four times. When the file is built around a single canonical template that pre-answers population, sample, artefact, exception, and disposition for every control, the follow-up volume across all four readers drops together. When it is not, you spend three weeks per quarter chasing exports.

What you walk away with

  • Produce a single working-paper template that satisfies QSA, scheme auditor, prudential examiner, and external auditor in one pass.
  • Define population and sampling for merchant boarding, settlement reconciliation, chargeback, key custody, and third-party monitoring controls in a way that holds under each reader's challenge.
  • Cross-reference PCI DSS v4 requirements, card-scheme operating-rule clauses, and prudential resilience expectations against each control without duplicating evidence.
  • Run a control walkthrough that ends with the reader signing off on the paper rather than sending a follow-up request.
  • Build a quarterly continuous-auditing cadence on settlement breaks, chargeback aging, and underwriting exceptions that feeds the annual file rather than competing with it.

The 12 modules

Module 1. The acquirer-processor control universe and the four assurance readers
Maps the full control universe of an acquirer-processor from merchant onboarding through authorisation, clearing, settlement, chargeback, and reporting, then overlays the four assurance readers (QSA, scheme auditor, prudential examiner, external auditor) and what each one actually opens the file to look at. Output of the module is your annotated control universe with reader expectations named against each control family.
Module 2. The canonical working-paper template
Builds the one-page working-paper template that pre-answers control objective, population definition, sampling basis, evidence pulled, tester, review, exceptions, disposition, and cross-reference, in the order each assurance reader reads. Output is the template plus a worked example for one merchant-boarding control so you can clone it across the rest of the universe.
Module 3. Merchant onboarding and underwriting evidence
Walks the merchant-boarding control: KYC, sanctions screening, beneficial owner, MCC assignment, fraud-rule tier, and credit-risk decision. Defines population as boarded-in-period, sampling stratified by risk tier, and artefacts as boarding decision record, screen recording of the underwriting decision, and the sanction-list hit log. Output is a boarding-control working paper that closes scheme auditor and QSA questions in one pass.
Module 4. Authorisation, clearing, and settlement reconciliation
Treats the authorisation-to-settlement chain as a control rather than a system. Defines the daily settlement reconciliation control with break-aging buckets, the reperformance sample, the exception escalation rule, and the artefact set (recon report, exception log, treasury sign-off, scheme settlement file). Output is the settlement-recon paper that survives both prudential and external-auditor scrutiny.
Module 5. Chargeback, dispute, and 3-D Secure handling
Builds the chargeback-lifecycle control paper covering scheme-deadline adherence, evidence package quality, representment rate, and liability-shift treatment under 3-D Secure. Defines population as disputes raised in period, sampling by scheme and by reason code, and artefacts including the chargeback case file, the scheme deadline timer, and the financial impact register. Output is a chargeback paper that closes scheme-auditor follow-ups.
Module 6. Cryptographic key custody and HSM operations
Covers the key-management control set for an acquirer: key generation ceremony, dual control, split knowledge, key rotation, HSM access logging, and key inventory reconciliation. Maps each control to PCI PIN, PCI P2PE if in scope, and PCI DSS v4 Req 3. Output is the key-custody working paper with ceremony minutes, HSM access extracts, and the key-inventory reconciliation as named artefacts.
Module 7. Third-party processor, gateway, and ISO monitoring
Builds the third-party-monitoring control covering downstream processors, gateways, independent sales organisations, and payment facilitators in the merchant portfolio. Defines population as in-scope third parties at period end, sampling by transaction volume and risk tier, and artefacts including the due-diligence file, the SOC 2 / SOC 1 review note, and the contractual right-to-audit log. Output is the third-party paper the prudential examiner reads first.
Module 8. ITGC for the payments stack
Sets out the IT general controls (access provisioning, privileged access, change management, batch operations, backup and recovery) for the authorisation switch, clearing engine, settlement engine, and merchant portal. Defines the population and sampling that the external financial-statement auditor will accept without renegotiation, and the artefact set that doubles as PCI DSS v4 evidence. Output is an ITGC working-paper set that does not require a separate PCI testing pass.
Module 9. Operational resilience and DORA-style impact tolerances
Builds the operational-resilience evidence the prudential examiner expects: important business services mapped, impact tolerances set per service, severe-but-plausible scenario tests run, and remediation tracked. Names artefacts as the IBS register, the tolerance-setting paper, the scenario log, and the board reporting pack. Output is a resilience paper that closes prudential follow-ups and feeds into the ICAAP working-paper file.
Module 10. Fraud-rule governance and model risk
Treats fraud-rule changes and underlying model updates as a control with change-board approval, performance monitoring, false-positive review, and customer-impact assessment. Defines artefacts as the rule-change ticket, the back-test report, the model-validation note, and the customer-impact register. Output is a fraud-governance paper that holds under both scheme-audit and internal model-risk scrutiny.
Module 11. Continuous auditing of settlement, chargeback, and boarding
Builds the quarterly continuous-auditing cadence: settlement-break aging dashboard, chargeback win-rate by reason code, boarding-exception register, and underwriting override log, each with a tested query and a reviewer sign-off cycle. Output is a continuous-audit pack that feeds the annual working-paper file rather than duplicating it, and a calendar that names which reader receives which artefact when.
Module 12. Reader-by-reader walkthrough rehearsal
Rehearses the walkthrough for each of the four readers (QSA, scheme auditor, prudential examiner, external auditor) against the working-paper set you have built. Names the questions each reader asks first, the artefacts you point to, and the follow-up requests you are now structurally preventing. Output is a walkthrough script per reader plus a follow-up-request register from the prior cycle that you can mark closed against the new file.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • The QSA follow-up email asking for the merchant-boarding population definition (Module 3 closes this).
  • The scheme auditor question on chargeback evidence-package quality by reason code (Module 5 closes this).
  • The prudential examiner request for the important-business-services map and tolerance-setting paper (Module 9 closes this).
  • The external auditor's renegotiation of ITGC sample sizes mid-cycle (Module 8 closes this).

What you get with this course

  • Twelve written modules covering the full acquirer-processor working-paper file.
  • The canonical working-paper template plus a worked example for merchant boarding.
  • A control-universe map with the four-reader expectation overlay.
  • A follow-up-request register template for closing the prior cycle's loop.
  • A walkthrough rehearsal script per reader (QSA, scheme, prudential, external).
  • The hand-built implementation playbook tailored to your acquirer-processor scope, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Weeks 1 to 2: build the canonical working-paper template and run the control-universe map for your in-scope set.

Weeks 3 to 6: rewrite the merchant-boarding, settlement-recon, and chargeback papers against the template and rehearse the walkthroughs.

Weeks 7 to 10: complete key-custody, third-party, ITGC, and operational-resilience papers and stand up the continuous-audit pack.

Weeks 11 to 12: rehearse the four-reader walkthroughs against the new file and close the prior-cycle follow-up register.

Before and after

Before

Your working-paper file is built one control at a time, in Word, with pasted screenshots and free-text narratives. Each cycle generates twenty to forty follow-up requests across the four assurance readers and three weeks of chase work per quarter.

After

Your working-paper file is built from one canonical template that names population, sampling, evidence, exceptions, and cross-references in the order each reader reads. Follow-up requests drop to a handful per cycle, walkthroughs end with sign-off, and the quarterly continuous-audit pack feeds the annual file rather than competing with it.

What happens if you do not address this

Another cycle of follow-up chases, another QSA negotiation on sample sizes, another prudential request for a resilience artefact that should have been in the file, and another set of merchant-services calls asking why you need the same export again. The audit function reads as reactive rather than as the assurance backbone of the payments business.

Who it is for

You run or work inside Audit and Assurance at a payments business, most likely an acquirer-processor, payment-facilitator, or schemes-licensed PSP. You sit between the QSA, the card-scheme auditor, the prudential examiner, and the external auditor. You write the working papers, you negotiate the sample sizes, you defend the exception dispositions, and you carry the cycle calendar in your head. You have inherited a file structure that does not scale to the assurance load you actually face.

Who this is NOT for. Not for general IT auditors with no payments exposure. Not for QSAs writing ROC files for clients (different deliverable). Not for fintech founders looking for a compliance overview. Not for people who want a PCI DSS theory course; this is an internal-audit working-paper course set in the acquirer-processor world.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About 30 to 40 hours of learner time over twelve weeks, sequenced so the working-paper template lands in week one and is in use by week three.

Why $199 is the right number

PCI DSS theory courses cover the standard but not the working-paper file your QSA actually reads. Internal-audit qualifications cover sampling theory but not the acquirer-processor control universe. Scheme operating-rule references explain what is required but not how the assurance file evidences it. This course sits in the gap: the acquirer-processor working-paper file that satisfies all four assurance readers at once.

FAQ

Is this aimed at the QSA or at internal audit?
Internal audit. The output is your working-paper file. The QSA is one of four readers the file has to satisfy.
Does it cover PCI DSS v4 specifically?
Yes, every relevant control names the v4 requirement against the artefact, but the file is not a ROC; it is the internal-audit working paper that pre-answers the QSA's questions.
We are a payment facilitator, not a full acquirer. Does it still apply?
Yes. The control universe scales down cleanly; merchant boarding, settlement, chargeback, third-party monitoring, key custody, and ITGC all apply to a PayFac in modified form, and the templates name the variation.
Will the implementation playbook be tailored to our scope?
Yes. The playbook is hand-built per buyer against your stated scope (acquirer, processor, PayFac, scheme licence held) and delivered alongside course access.
Is there a refund window?
Yes, 30-day money-back if the playbook and course do not match your scope as described at purchase.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.