Use of audit clauses in information technology and outsourcing agreements including implications for the Cloud, OSFI Memorandum of February 29, 2012, control audits and CSAE 3416 Audits (Richard Austin and Ken Silverman)

1. Audit Clauses in IT Agreements
Richard Austin
Ken Silverman
June 17, 2014

2. Table of Contents
I. The Auditing Context
II. Audit Rights in IT Agreements
III. Control Audits

3. I. The Auditing Context
IT Outsourcing Industry:
 Growth of Services Industry
 Increasing number of players
 Maturity
 Globalization
Increasing emphasis on Privacy and
Security
Well-publicized breakdowns of internal
controls

4. I. Increasing Regulatory Requirements
“h) Audit Rights
‘The contract or outsourcing agreement is expected to clearly stipulate the
audit requirements and rights of both the service provider and the FRE.
As a minimum, it should give the FRE the right to evaluate the service
provided or, alternatively to cause an independent auditory to evaluate, on
its behalf, the service provided. This includes a review of the service
provider’s internal control environment as it relates to the service being
provided. …
Accordingly, an undertaking from the service provider or a provision in
the outsourcing contract, should give OSFI or the Superintendent’s
representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI B-10 Guideline Outsourcing of Business Activities, Functions and
Processes, March 2009

5. I. Consequences for Service Providers
Audit requests pose challenges for service providers:
 Impact on provision of services
 The audit expense
 Servicing multiple audit requests

6. II. Audit Rights in IT Agreements - General
General Audit Right:
Audit the service provider’s facilities, systems
and records in order to verify:
 compliance with the obligations under the agreement;
 that the services are being provided in accordance with the
service levels;
 compliance with the security requirements;
 compliance with law; and
 amounts charged under the agreement.

7. II. Additional Audit Rights in IT Agreements
Additional Audit Rights: May include:
 security audits – compliance with the service provider’s internal policies,
penetration testing, third party security audits
 self-assessment of internal controls
 business continuity and disaster recovery audits
 certification with applicable industry standards (e.g., ISO, PCI)
Regulators: Right for the customer’s regulators to exercise
audit rights on behalf of the customer (for FREs, see OSFI
Guideline B-10, Section 7.2.1(h)).
Subcontractors: Agreements typically require that audit rights
flow down to any subcontractors.

8. II. Parameters & Accompanying Provisions
 Frequency & Notice
 Limitation on the number of audits (e.g., per contract year)
 Prior notice to the service provider
 Must be performed during regular business hours
 Exceptions: regulatory audits, claims of fraud or criminal activity,
privacy or security breaches
 Auditors
 Cannot be competitors of the service provider
 Not compensated on a contingency basis
 Required to sign an NDA

9. II. Parameters cont’d
 Service Levels
 Audit cannot interfere with the service provider’s ability to perform the
services in accordance with the service levels (or the service provider
should be relieved from such obligation)
 Record Retention
 Retained for a certain period of time, in certain locations and in a
prescribed format/standard (e.g., GAAP, IFRS)
 Limitations on Auditable Records and Information
 Internal policies
 Internal audits
 Privileged information

10. II. Parameters cont’d
 Remediation
 Time period for remediation
 Verification or re-audit to confirm remediation
 Costs / Reimbursement
 Which party is liable for the cost of the audit?
 What costs are covered – internal vs. external costs?
 Do the cost implications shift if the audit was performed due to the
service provider’s breach or based on the outcome of the audit?

11. II. Implications for the Cloud
 Limited audit rights will be available in a shared services
environment:
 Limited or no access to the physical data center
 No access to the shared cloud environment
 Customers must typically rely on reports made available by the
cloud provider through the customer portal (e.g., usage and
invoicing data, physical attributes of the servers)
 Some cloud providers may provide an SSAE 16 / CSAE
3416 SOC 1 or 2 Report (in the case of SOC 2, covering
some of the SOC 2 principles)

12. II. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based
outsourcing arrangements” issued on February 29, 2012:
“Information technology plays a very important role in the financial
services business and OSFI recognizes the opportunities and benefits that
new technology-based services such as Cloud Computing can bring;
however, FRFIs should also recognize the unique features of such services
and duly consider the associated risks. As such, and in light of the
proliferation of new technology-based outsourcing services, OSFI is
reminding all FRFIs that the expectations contained in Guideline B-10
remain current and continue to apply in respect of such services. In
particular, FRFIs should consider their ability to meet the expectations
contained in Guideline B-10 in respect of a material arrangement, with an
emphasis on … iv) access and audit rights … .”

13. III. Regulatory Audits: The Old Standards
1. American Institute of Certified Public Accountants (AICPA), Statement on
Auditing Standards No. 70 (SAS 70)
 Issued in 1992
 Provides a report on service organization’s internal controls related to
financial statement assertions of users
 Following Sarbanes-Oxley and growth of global solutions, became
standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on
Controls at a Service Organization (Section 5970 Audit)
 Preceded by Canadian Institute of Chartered Accountants, Handbook,
Section 5900 Opinions on Controls at a Service Organization, Revision
No. 52 (November 1986)
 Replaced by CICA, Section 5970, effective for periods commencing after
January 1, 2006
 Reflected a decision to make reporting similar to U.S. SAS 70

14. III. Regulatory Audits: The New Standards
International Auditing and Assurance Standards Board (IASB), International
Standard on Assurance Engagements 3402 (ISAE 3402):
 Effective for periods ending on or after June 15, 2011
 Global standard for engagements to report on controls in a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation
Engagements No. 16, Reporting on Controls at a Service Organization (SSAE
16):
 Effective for periods ending on or after June 15, 2011
 Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to
converge U.S. standard with international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards
Board, Canadian Standard on Assurance Engagements, Reporting on Controls at
a Service Organization (CSAE 3416):
 Effective for periods ending on or after December 15, 2011
 Reflects intention to closely mirror U.S. requirements

15. III. Old and New Standards: The Differences
Section 5970 Audits versus CSAE 3416:
Under the CSAE 3416:
 Management is required to provide a “written assertion” relating to:
 Fair presentation and design of controls (Type 1 Report)
 Fair presentation, design and operating effectiveness of controls (Type 2
Report)
 “Subservice organizations” must also provide a written assertion where inclusive
method used
 With Type 2 Report, the service auditor provides opinion on the description of controls
and the suitability of their design in respect of the control objectives for the entire period
(as opposed to a specific date)
 Service auditor required to disclose reliance on internal audit within the report
 Format of service auditor’s opinion will change
 Standard requires follow-up by service auditor in the event of deviations resulting from
intentional acts

16. III. The Old and New: What Hasn’t Changed
CSAE 3416:
 Does not apply to examinations of controls over other
subject matter than Financial Reporting
 Cannot be provided to a service provider’s potential
customers
 Does not result in service providers being “certified” under
CSAE 3416

17. Questions?
Richard Austin
Deeth Williams Wall LLP
raustin@dww.com
416 941 8210
Ken Silverman
IBM Canada Ltd.
ksilver@ca.ibm.com
905-316-0289