Audit Clauses in IT Agreements 
Richard Austin 
Ken Silverman 
June 17, 2014
Table of Contents 
I. The Auditing Context 
II. Audit Rights in IT Agreements 
III. Control Audits
I. The Auditing Context
IT Outsourcing Industry:
• Growth of Services Industry
• Increasing number of players
• Maturity
• Globalization
Increasing emphasis on Privacy and Security
Well-publicized breakdowns of internal controls
I. Increasing Regulatory Requirements
“h) Audit Rights
‘The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes, March 2009
I. Consequences for Service Providers
Audit requests pose challenges for service providers:
• Impact on provision of services
• The audit expense
• Servicing multiple audit requests
II. Audit Rights in IT Agreements - General
General Audit Right:
Audit the service provider’s facilities, systems and records in order to verify:
• compliance with the obligations under the agreement;
• that the services are being provided in accordance with the service levels;
• compliance with the security requirements;
• compliance with law; and
• amounts charged under the agreement.
II. Additional Audit Rights in IT Agreements
Additional audit rights may include:
• security audits – compliance with the service provider’s internal policies, penetration testing, third-party security audits
• self-assessment of internal controls
• business continuity and disaster recovery audits
• certification against applicable industry standards (e.g., ISO, PCI)
Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.
II. Parameters & Accompanying Provisions
• Frequency & Notice
  - Limitation on the number of audits (e.g., per contract year)
  - Prior notice to the service provider
  - Must be performed during regular business hours
  - Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
• Auditors
  - Cannot be competitors of the service provider
  - Not compensated on a contingency basis
  - Required to sign an NDA
II. Parameters cont’d
• Service Levels
  - Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)
• Record Retention
  - Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
• Limitations on Auditable Records and Information
  - Internal policies
  - Internal audits
  - Privileged information
II. Parameters cont’d
• Remediation
  - Time period for remediation
  - Verification or re-audit to confirm remediation
• Costs / Reimbursement
  - Which party is liable for the cost of the audit?
  - What costs are covered – internal vs. external costs?
  - Do the cost implications shift if the audit was performed due to the service provider’s breach or based on the outcome of the audit?
II. Implications for the Cloud
• Limited audit rights will be available in a shared services environment:
  - Limited or no access to the physical data center
  - No access to the shared cloud environment
  - Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
• Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or 2 Report (in the case of SOC 2, covering some of the SOC 2 principles)
II. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
III. Regulatory Audits: The Old Standards
1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
  - Issued in 1992
  - Provides a report on a service organization’s internal controls related to financial statement assertions of users
  - Following Sarbanes-Oxley and growth of global solutions, became the standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
  - Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
  - Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
  - Reflected a decision to make reporting similar to U.S. SAS 70
III. Regulatory Audits: The New Standards
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
• Effective for periods ending on or after June 15, 2011
• Global standard for engagements to report on controls in a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
• Effective for periods ending on or after June 15, 2011
• Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
• Effective for periods ending on or after December 15, 2011
• Reflects intention to closely mirror U.S. requirements
III. Old and New Standards: The Differences
Section 5970 Audits versus CSAE 3416:
Under CSAE 3416:
• Management is required to provide a “written assertion” relating to:
  - Fair presentation and design of controls (Type 1 Report)
  - Fair presentation, design and operating effectiveness of controls (Type 2 Report)
• “Subservice organizations” must also provide a written assertion where the inclusive method is used
• With a Type 2 Report, the service auditor provides an opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
• Service auditor required to disclose reliance on internal audit within the report
• Format of the service auditor’s opinion will change
• Standard requires follow-up by the service auditor in the event of deviations resulting from intentional acts
III. The Old and New: What Hasn’t Changed
CSAE 3416:
• Does not apply to examinations of controls over subject matter other than financial reporting
• Cannot be provided to a service provider’s potential customers
• Does not result in service providers being “certified” under CSAE 3416
Questions? 
Richard Austin 
Deeth Williams Wall LLP 
raustin@dww.com 
416 941 8210 
Ken Silverman 
IBM Canada Ltd. 
ksilver@ca.ibm.com 
905-316-0289

More Related Content

What's hot

ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3Tanmay Shinde
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services OverviewCasey Lucas
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
1 understanding cyber threats
1   understanding cyber threats 1   understanding cyber threats
1 understanding cyber threats mohamad Hamizi
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureUppala Anand
 
Grc governance, risk management & compliance
Grc  governance, risk management & complianceGrc  governance, risk management & compliance
Grc governance, risk management & complianceHR Globe Consulting
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELEugene Lee
 
ISO 27001:2013 IS audit plan - by software outsourcing company in india
 ISO 27001:2013  IS audit plan - by software outsourcing company in india ISO 27001:2013  IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in indiaiFour Consultancy
 
dischargeofcontract-170721054842 (1).pdf
dischargeofcontract-170721054842 (1).pdfdischargeofcontract-170721054842 (1).pdf
dischargeofcontract-170721054842 (1).pdfYashSingh20796
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Michael Kaishar, MSIA | CISSP
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 

What's hot (20)

ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services Overview
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
1 understanding cyber threats
1   understanding cyber threats 1   understanding cyber threats
1 understanding cyber threats
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 
Grc governance, risk management & compliance
Grc  governance, risk management & complianceGrc  governance, risk management & compliance
Grc governance, risk management & compliance
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
 
ISO 27001:2013 IS audit plan - by software outsourcing company in india
 ISO 27001:2013  IS audit plan - by software outsourcing company in india ISO 27001:2013  IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in india
 
Corporate compliance
Corporate complianceCorporate compliance
Corporate compliance
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
dischargeofcontract-170721054842 (1).pdf
dischargeofcontract-170721054842 (1).pdfdischargeofcontract-170721054842 (1).pdf
dischargeofcontract-170721054842 (1).pdf
 
Guarantee
GuaranteeGuarantee
Guarantee
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
Secure Electronic Transaction
Secure Electronic TransactionSecure Electronic Transaction
Secure Electronic Transaction
 
3c 2 Information Systems Audit
3c   2   Information Systems Audit3c   2   Information Systems Audit
3c 2 Information Systems Audit
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 

Similar to Audit clauses in IT agreements

Auditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service OrganizationsAuditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service OrganizationsUniversity of Waterloo
 
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsLecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsSazzad Hossain, ITP, MBA, CSCA™
 
Sas 70 Readiness
Sas 70 ReadinessSas 70 Readiness
Sas 70 Readinessmpotorti
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
Psae 3402-final
Psae 3402-finalPsae 3402-final
Psae 3402-finalRS NAVARRO
 
Planning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportPlanning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportJay Crossland
 
BKMSH Basics of SOC II
BKMSH Basics of SOC IIBKMSH Basics of SOC II
BKMSH Basics of SOC IIMojoFinancial
 
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...Sazzad Hossain, ITP, MBA, CSCA™
 
Audit prsentation
Audit prsentationAudit prsentation
Audit prsentationlogyonetimi
 
Guide for audit, report writing etc.doc
Guide for audit, report writing etc.docGuide for audit, report writing etc.doc
Guide for audit, report writing etc.docNeerajOjha17
 
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdf
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdfIATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdf
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdfmartinusteddy
 
Lecture slide ,chapter 6, Overview of the audit of financial reports
Lecture slide ,chapter 6, Overview of the audit of financial reportsLecture slide ,chapter 6, Overview of the audit of financial reports
Lecture slide ,chapter 6, Overview of the audit of financial reportsSazzad Hossain, ITP, MBA, CSCA™
 
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1  En InglesNicc 1 Normas Internacionales Sobre Control De Calidad 1  En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Inglesguest4a971d
 
Unintended Discrimination Case
Unintended Discrimination CaseUnintended Discrimination Case
Unintended Discrimination CaseTammy Mitchell
 
XBRL US Filing Update 10212209
XBRL US Filing Update 10212209XBRL US Filing Update 10212209
XBRL US Filing Update 10212209Conor O'Kelly
 
SMOs Presentation.pptx Dec 2018.pptx
SMOs Presentation.pptx Dec 2018.pptxSMOs Presentation.pptx Dec 2018.pptx
SMOs Presentation.pptx Dec 2018.pptxRansfordArmahACCAMSc
 
An Examination of the Mechanism and Legal Regulation Assuring Audit Independence
An Examination of the Mechanism and Legal Regulation Assuring Audit IndependenceAn Examination of the Mechanism and Legal Regulation Assuring Audit Independence
An Examination of the Mechanism and Legal Regulation Assuring Audit IndependenceRenzo Del Giudice
 
Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1seidIbrahim2
 

Similar to Audit clauses in IT agreements (20)

Auditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service OrganizationsAuditor Reporting on Controls at Service Organizations
Auditor Reporting on Controls at Service Organizations
 
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsLecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
 
Sas 70 Readiness
Sas 70 ReadinessSas 70 Readiness
Sas 70 Readiness
 
Isae 3402 Abstract
Isae 3402   AbstractIsae 3402   Abstract
Isae 3402 Abstract
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
Psae 3402-final
Psae 3402-finalPsae 3402-final
Psae 3402-final
 
Planning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) reportPlanning for a new Service Organization Control (SOC) report
Planning for a new Service Organization Control (SOC) report
 
BKMSH Basics of SOC II
BKMSH Basics of SOC IIBKMSH Basics of SOC II
BKMSH Basics of SOC II
 
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...
ISA 250 (Revised) Section B – The Auditor’s Statutory Right and Duty to Repor...
 
Audit prsentation
Audit prsentationAudit prsentation
Audit prsentation
 
Guide for audit, report writing etc.doc
Guide for audit, report writing etc.docGuide for audit, report writing etc.doc
Guide for audit, report writing etc.doc
 
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdf
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdfIATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdf
IATF-Rules-5th-Edition_Sanctioned-Interpretations-Dec-2020.pdf
 
11070_AP_NA
11070_AP_NA11070_AP_NA
11070_AP_NA
 
Lecture slide ,chapter 6, Overview of the audit of financial reports
Lecture slide ,chapter 6, Overview of the audit of financial reportsLecture slide ,chapter 6, Overview of the audit of financial reports
Lecture slide ,chapter 6, Overview of the audit of financial reports
 
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1  En InglesNicc 1 Normas Internacionales Sobre Control De Calidad 1  En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
 
Unintended Discrimination Case
Unintended Discrimination CaseUnintended Discrimination Case
Unintended Discrimination Case
 
XBRL US Filing Update 10212209
XBRL US Filing Update 10212209XBRL US Filing Update 10212209
XBRL US Filing Update 10212209
 
SMOs Presentation.pptx Dec 2018.pptx
SMOs Presentation.pptx Dec 2018.pptxSMOs Presentation.pptx Dec 2018.pptx
SMOs Presentation.pptx Dec 2018.pptx
 
An Examination of the Mechanism and Legal Regulation Assuring Audit Independence
An Examination of the Mechanism and Legal Regulation Assuring Audit IndependenceAn Examination of the Mechanism and Legal Regulation Assuring Audit Independence
An Examination of the Mechanism and Legal Regulation Assuring Audit Independence
 
Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1
 

More from Richard Austin

The Artificial Intelligence World: Responding to Legal and Ethical Issues
The Artificial Intelligence World:  Responding to Legal and Ethical IssuesThe Artificial Intelligence World:  Responding to Legal and Ethical Issues
The Artificial Intelligence World: Responding to Legal and Ethical IssuesRichard Austin
 
AI on the Case: Legal and Ethical Issues
AI on the Case:  Legal and Ethical IssuesAI on the Case:  Legal and Ethical Issues
AI on the Case: Legal and Ethical IssuesRichard Austin
 
Intermediary Accountability in the Digital Age
Intermediary Accountability in the Digital AgeIntermediary Accountability in the Digital Age
Intermediary Accountability in the Digital AgeRichard Austin
 
Ai on the case legal and ethical issues (may 17 2019)
Ai on the case   legal and ethical issues (may 17 2019)Ai on the case   legal and ethical issues (may 17 2019)
Ai on the case legal and ethical issues (may 17 2019)Richard Austin
 
Records Retention and Destruction Policies 2015
Records Retention and Destruction Policies 2015Records Retention and Destruction Policies 2015
Records Retention and Destruction Policies 2015Richard Austin
 
Knowing and managing what's been agreed the case for contract management
Knowing and managing what's been agreed   the case for contract managementKnowing and managing what's been agreed   the case for contract management
Knowing and managing what's been agreed the case for contract managementRichard Austin
 
Records Retention And Destruction Policies
Records Retention And Destruction PoliciesRecords Retention And Destruction Policies
Records Retention And Destruction PoliciesRichard Austin
 
Source Code Escrow Agreements 2010.02.12
Source Code Escrow Agreements   2010.02.12Source Code Escrow Agreements   2010.02.12
Source Code Escrow Agreements 2010.02.12Richard Austin
 
Protecting Third Party Information under FOI Legislation
Protecting Third Party Information  under FOI LegislationProtecting Third Party Information  under FOI Legislation
Protecting Third Party Information under FOI LegislationRichard Austin
 
Outsourcing Trends 2009
Outsourcing Trends 2009Outsourcing Trends 2009
Outsourcing Trends 2009Richard Austin
 
International Market Selection Strategies for Softwarte Companies
International Market Selection Strategies for Softwarte CompaniesInternational Market Selection Strategies for Softwarte Companies
International Market Selection Strategies for Softwarte CompaniesRichard Austin
 

More from Richard Austin (12)

The Artificial Intelligence World: Responding to Legal and Ethical Issues
The Artificial Intelligence World:  Responding to Legal and Ethical IssuesThe Artificial Intelligence World:  Responding to Legal and Ethical Issues
The Artificial Intelligence World: Responding to Legal and Ethical Issues
 
AI on the Case: Legal and Ethical Issues
AI on the Case:  Legal and Ethical IssuesAI on the Case:  Legal and Ethical Issues
AI on the Case: Legal and Ethical Issues
 
Intermediary Accountability in the Digital Age
Intermediary Accountability in the Digital AgeIntermediary Accountability in the Digital Age
Intermediary Accountability in the Digital Age
 
Ai on the case legal and ethical issues (may 17 2019)
Ai on the case   legal and ethical issues (may 17 2019)Ai on the case   legal and ethical issues (may 17 2019)
Ai on the case legal and ethical issues (may 17 2019)
 
RRDP - 2015.02.26
RRDP - 2015.02.26RRDP - 2015.02.26
RRDP - 2015.02.26
 
Records Retention and Destruction Policies 2015
Records Retention and Destruction Policies 2015Records Retention and Destruction Policies 2015
Records Retention and Destruction Policies 2015
 
Knowing and managing what's been agreed the case for contract management
Knowing and managing what's been agreed   the case for contract managementKnowing and managing what's been agreed   the case for contract management
Knowing and managing what's been agreed the case for contract management
 
Records Retention And Destruction Policies
Records Retention And Destruction PoliciesRecords Retention And Destruction Policies
Records Retention And Destruction Policies
 
Source Code Escrow Agreements 2010.02.12
Source Code Escrow Agreements   2010.02.12Source Code Escrow Agreements   2010.02.12
Source Code Escrow Agreements 2010.02.12
 
Protecting Third Party Information under FOI Legislation
Protecting Third Party Information  under FOI LegislationProtecting Third Party Information  under FOI Legislation
Protecting Third Party Information under FOI Legislation
 
Outsourcing Trends 2009
Outsourcing Trends 2009Outsourcing Trends 2009
Outsourcing Trends 2009
 
International Market Selection Strategies for Softwarte Companies
International Market Selection Strategies for Softwarte CompaniesInternational Market Selection Strategies for Softwarte Companies
International Market Selection Strategies for Softwarte Companies
 

Recently uploaded

Patents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsPatents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsAurora Consulting
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...Anadi Tewari
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditSHRADDHA PANDIT
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsSyedaAyeshaTabassum1
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateBTL Law P.C.
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfNo One
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...SHRADDHA PANDIT
 
xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.mike689707
 

Recently uploaded (10)

Patents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsPatents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future Solutions
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business Regulations
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a Template
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
 
Criminalizing Disabilities & False Confessions
Criminalizing Disabilities & False ConfessionsCriminalizing Disabilities & False Confessions
Criminalizing Disabilities & False Confessions
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
 
xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.
 

Audit clauses in IT agreements

  • 1. Audit Clauses in IT Agreements
    Richard Austin
    Ken Silverman
    June 17, 2014
  • 2. Table of Contents
    I. The Auditing Context
    II. Audit Rights in IT Agreements
    III. Control Audits
  • 3. I. The Auditing Context
    IT Outsourcing Industry:
    - Growth of Services Industry
    - Increasing number of players
    - Maturity
    - Globalization
    Increasing emphasis on Privacy and Security
    Well-publicized breakdowns of internal controls
  • 4. I. Increasing Regulatory Requirements
    “h) Audit Rights
    ‘The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
    Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent’s representative the right to:
    • Exercise the contractual rights of the FRE relating to audit”
    OSFI B-10 Guideline Outsourcing of Business Activities, Functions and Processes, March 2009
  • 5. I. Consequences for Service Providers
    Audit requests pose challenges for service providers:
    - Impact on provision of services
    - The audit expense
    - Servicing multiple audit requests
  • 6. II. Audit Rights in IT Agreements - General
    General Audit Right: Audit the service provider’s facilities, systems and records in order to verify:
    - compliance with the obligations under the agreement;
    - that the services are being provided in accordance with the service levels;
    - compliance with the security requirements;
    - compliance with law; and
    - amounts charged under the agreement.
  • 7. II. Additional Audit Rights in IT Agreements
    Additional Audit Rights: May include:
    - security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
    - self-assessment of internal controls
    - business continuity and disaster recovery audits
    - certification with applicable industry standards (e.g., ISO, PCI)
    Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
    Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.
  • 8. II. Parameters & Accompanying Provisions
    - Frequency & Notice
      - Limitation on the number of audits (e.g., per contract year)
      - Prior notice to the service provider
      - Must be performed during regular business hours
      - Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
    - Auditors
      - Cannot be competitors of the service provider
      - Not compensated on a contingency basis
      - Required to sign an NDA
  • 9. II. Parameters cont’d
    - Service Levels
      - Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)
    - Record Retention
      - Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
    - Limitations on Auditable Records and Information
      - Internal policies
      - Internal audits
      - Privileged information
  • 10. II. Parameters cont’d
    - Remediation
      - Time period for remediation
      - Verification or re-audit to confirm remediation
    - Costs / Reimbursement
      - Which party is liable for the cost of the audit?
      - What costs are covered – internal vs. external costs?
      - Do the cost implications shift if the audit was performed due to the service provider’s breach or based on the outcome of the audit?
  • 11. II. Implications for the Cloud
    - Limited audit rights will be available in a shared services environment:
      - Limited or no access to the physical data center
      - No access to the shared cloud environment
    - Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
    - Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or 2 Report (in the case of SOC 2, covering some of the SOC 2 principles)
  • 12. II. Implications for the Cloud cont’d
    OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012:
    “Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
  • 13. III. Regulatory Audits: The Old Standards
    1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
      - Issued in 1992
      - Provides a report on service organization’s internal controls related to financial statement assertions of users
      - Following Sarbanes-Oxley and growth of global solutions, became standard of choice for organizations with a base of international clients
    2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
      - Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
      - Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
      - Reflected a decision to make reporting similar to U.S. SAS 70
  • 14. III. Regulatory Audits: The New Standards
    International Auditing and Assurance Standards Board (IASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
    - Effective for periods ending on or after June 15, 2011
    - Global standard for engagements to report on controls in a service organization
    AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
    - Effective for periods ending on or after June 15, 2011
    - Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge U.S. standard with international one
    Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
    - Effective for periods ending on or after December 15, 2011
    - Reflects intention to closely mirror U.S. requirements
  • 15. III. Old and New Standards: The Differences
    Section 5970 Audits versus CSAE 3416: Under the CSAE 3416:
    - Management is required to provide a “written assertion” relating to:
      - Fair presentation and design of controls (Type 1 Report)
      - Fair presentation, design and operating effectiveness of controls (Type 2 Report)
    - “Subservice organizations” must also provide a written assertion where inclusive method used
    - With Type 2 Report, the service auditor provides opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
    - Service auditor required to disclose reliance on internal audit within the report
    - Format of service auditor’s opinion will change
    - Standard requires follow-up by service auditor in the event of deviations resulting from intentional acts
  • 16. III. The Old and New: What Hasn’t Changed
    CSAE 3416:
    - Does not apply to examinations of controls over other subject matter than Financial Reporting
    - Cannot be provided to a service provider’s potential customers
    - Does not result in service providers being “certified” under CSAE 3416
  • 17. Questions?
    Richard Austin, Deeth Williams Wall LLP, raustin@dww.com, 416 941 8210
    Ken Silverman, IBM Canada Ltd., ksilver@ca.ibm.com, 905-316-0289