Audit Clauses in IT Agreements 
Richard Austin 
Ken Silverman 
June 17, 2014
Table of Contents 
I. The Auditing Context 
II. Audit Rights in IT Agreements 
III. Control Audits
I. The Auditing Context
IT Outsourcing Industry:
• Growth of Services Industry
• Increasing number of players
• Maturity
• Globalization
Increasing emphasis on Privacy and Security
Well-publicized breakdowns of internal controls
I. Increasing Regulatory Requirements
“h) Audit Rights
‘The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI B-10 Guideline, Outsourcing of Business Activities, Functions and Processes, March 2009
I. Consequences for Service Providers
Audit requests pose challenges for service providers:
• Impact on provision of services
• The audit expense
• Servicing multiple audit requests
II. Audit Rights in IT Agreements - General
General Audit Right:
Audit the service provider’s facilities, systems and records in order to verify:
• compliance with the obligations under the agreement;
• that the services are being provided in accordance with the service levels;
• compliance with the security requirements;
• compliance with law; and
• amounts charged under the agreement.
II. Additional Audit Rights in IT Agreements
Additional Audit Rights: May include:
• security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
• self-assessment of internal controls
• business continuity and disaster recovery audits
• certification with applicable industry standards (e.g., ISO, PCI)
Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.
II. Parameters & Accompanying Provisions
• Frequency & Notice
  • Limitation on the number of audits (e.g., per contract year)
  • Prior notice to the service provider
  • Must be performed during regular business hours
  • Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
• Auditors
  • Cannot be competitors of the service provider
  • Not compensated on a contingency basis
  • Required to sign an NDA
II. Parameters cont’d
• Service Levels
  • Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)
• Record Retention
  • Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
• Limitations on Auditable Records and Information
  • Internal policies
  • Internal audits
  • Privileged information
II. Parameters cont’d
• Remediation
  • Time period for remediation
  • Verification or re-audit to confirm remediation
• Costs / Reimbursement
  • Which party is liable for the cost of the audit?
  • What costs are covered – internal vs. external costs?
  • Do the cost implications shift if the audit was performed due to the service provider’s breach or based on the outcome of the audit?
II. Implications for the Cloud
• Limited audit rights will be available in a shared services environment:
  • Limited or no access to the physical data center
  • No access to the shared cloud environment
  • Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
• Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or 2 Report (in the case of SOC 2, covering some of the SOC 2 principles)
II. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
III. Regulatory Audits: The Old Standards
1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
  • Issued in 1992
  • Provides a report on service organization’s internal controls related to financial statement assertions of users
  • Following Sarbanes-Oxley and growth of global solutions, became standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
  • Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
  • Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
  • Reflected a decision to make reporting similar to U.S. SAS 70
III. Regulatory Audits: The New Standards
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
• Effective for periods ending on or after June 15, 2011
• Global standard for engagements to report on controls in a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
• Effective for periods ending on or after June 15, 2011
• Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
• Effective for periods ending on or after December 15, 2011
• Reflects intention to closely mirror U.S. requirements
III. Old and New Standards: The Differences
Section 5970 Audits versus CSAE 3416:
Under the CSAE 3416:
• Management is required to provide a “written assertion” relating to:
  • Fair presentation and design of controls (Type 1 Report)
  • Fair presentation, design and operating effectiveness of controls (Type 2 Report)
• “Subservice organizations” must also provide a written assertion where the inclusive method is used
• With a Type 2 Report, the service auditor provides an opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
• Service auditor required to disclose reliance on internal audit within the report
• Format of service auditor’s opinion will change
• Standard requires follow-up by service auditor in the event of deviations resulting from intentional acts
III. The Old and New: What Hasn’t Changed
CSAE 3416:
• Does not apply to examinations of controls over subject matter other than Financial Reporting
• Cannot be provided to a service provider’s potential customers
• Does not result in service providers being “certified” under CSAE 3416
Questions? 
Richard Austin 
Deeth Williams Wall LLP 
raustin@dww.com 
416 941 8210 
Ken Silverman 
IBM Canada Ltd. 
ksilver@ca.ibm.com 
905-316-0289