Use of audit clauses in information technology and outsourcing agreements including implications for the Cloud, OSFI Memorandum of February 29, 2012, control audits and CSAE 3416 Audits (Richard Austin and Ken Silverman)
1. Audit Clauses in IT Agreements
Richard Austin
Ken Silverman
June 17, 2014
2. Table of Contents
I. The Auditing Context
II. Audit Rights in IT Agreements
III. Control Audits
3. I. The Auditing Context
IT Outsourcing Industry:
Growth of Services Industry
Increasing number of players
Maturity
Globalization
Increasing emphasis on Privacy and Security
Well-publicized breakdowns of internal controls
4. I. Increasing Regulatory Requirements
“h) Audit Rights
‘The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI B-10 Guideline Outsourcing of Business Activities, Functions and Processes, March 2009
5. I. Consequences for Service Providers
Audit requests pose challenges for service providers:
Impact on provision of services
The audit expense
Servicing multiple audit requests
6. II. Audit Rights in IT Agreements - General
General Audit Right:
Audit the service provider’s facilities, systems and records in order to verify:
compliance with the obligations under the agreement;
that the services are being provided in accordance with the service levels;
compliance with the security requirements;
compliance with law; and
amounts charged under the agreement.
7. II. Additional Audit Rights in IT Agreements
Additional Audit Rights: May include:
security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
self-assessment of internal controls
business continuity and disaster recovery audits
certification with applicable industry standards (e.g., ISO, PCI)
Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.
8. II. Parameters & Accompanying Provisions
Frequency & Notice
Limitation on the number of audits (e.g., per contract year)
Prior notice to the service provider
Must be performed during regular business hours
Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
Auditors
Cannot be competitors of the service provider
Not compensated on a contingency basis
Required to sign an NDA
9. II. Parameters cont’d
Service Levels
Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)
Record Retention
Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
Limitations on Auditable Records and Information
Internal policies
Internal audits
Privileged information
10. II. Parameters cont’d
Remediation
Time period for remediation
Verification or re-audit to confirm remediation
Costs / Reimbursement
Which party is liable for the cost of the audit?
What costs are covered – internal vs. external costs?
Do the cost implications shift if the audit was performed due to the service provider’s breach or based on the outcome of the audit?
11. II. Implications for the Cloud
Limited audit rights will be available in a shared services environment:
Limited or no access to the physical data center
No access to the shared cloud environment
Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 report, or a SOC 2 report (issued under the AICPA Trust Services Principles rather than SSAE 16; a SOC 2 report may cover only some of the five principles, so check which are in scope)
Note that a SOC 1 report addresses controls relevant to the customer’s financial reporting (see Part III); it is not a security audit of the cloud service
12. II. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
13. III. Regulatory Audits: The Old Standards
1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
Issued in 1992
Provides a report on service organization’s internal controls related to financial statement assertions of users
Following Sarbanes-Oxley and growth of global solutions, became standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
Reflected a decision to make reporting similar to U.S. SAS 70
14. III. Regulatory Audits: The New Standards
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
Effective for periods ending on or after June 15, 2011
Global standard for engagements to report on controls in a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
Effective for periods ending on or after June 15, 2011
Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
Effective for periods ending on or after December 15, 2011
Reflects intention to closely mirror U.S. requirements
15. III. Old and New Standards: The Differences
Section 5970 Audits versus CSAE 3416:
Under the CSAE 3416:
Management is required to provide a “written assertion” relating to:
Fair presentation and design of controls (Type 1 Report)
Fair presentation, design and operating effectiveness of controls (Type 2 Report)
“Subservice organizations” must also provide a written assertion where the inclusive method is used
With a Type 2 Report, the service auditor provides an opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
Service auditor required to disclose reliance on internal audit within the report
Format of service auditor’s opinion will change
Standard requires follow-up by service auditor in the event of deviations resulting from intentional acts
16. III. The Old and New: What Hasn’t Changed
CSAE 3416:
Does not apply to examinations of controls over subject matter other than financial reporting
Cannot be provided to a service provider’s potential customers
Does not result in service providers being “certified” under CSAE 3416
17. Questions?
Richard Austin
Deeth Williams Wall LLP
raustin@dww.com
416 941 8210
Ken Silverman
IBM Canada Ltd.
ksilver@ca.ibm.com
905-316-0289