Audit Clauses in IT Agreements

Posted: 07-Feb-2015 (uploaded by richard-austin)

Description: Use of audit clauses in information technology and outsourcing agreements, including implications for the Cloud, the OSFI Memorandum of February 29, 2012, control audits and CSAE 3416 audits (Richard Austin and Ken Silverman). 17 slides, presented June 17, 2014.

Transcript
Page 1: Audit clauses in IT agreements

Audit Clauses in IT Agreements

Richard Austin

Ken Silverman

June 17, 2014

Page 2: Audit clauses in IT agreements

Table of Contents

I. The Auditing Context

II. Audit Rights in IT Agreements

III. Control Audits

Page 3: Audit clauses in IT agreements

I. The Auditing Context

IT Outsourcing Industry:
Growth of the services industry
Increasing number of players
Maturity
Globalization

Increasing emphasis on Privacy and Security

Well-publicized breakdowns of internal controls

Page 4: Audit clauses in IT agreements

I. Increasing Regulatory Requirements

“h) Audit Rights

The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …

Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent’s representative the right to:

• Exercise the contractual rights of the FRE relating to audit”

OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes, March 2009

Page 5: Audit clauses in IT agreements

I. Consequences for Service Providers

Audit requests pose challenges for service providers:

Impact on provision of services

The audit expense

Servicing multiple audit requests

Page 6: Audit clauses in IT agreements

II. Audit Rights in IT Agreements - General

General Audit Right:

Audit the service provider’s facilities, systems and records in order to verify:
compliance with the obligations under the agreement;
that the services are being provided in accordance with the service levels;
compliance with the security requirements;
compliance with law; and
amounts charged under the agreement.

Page 7: Audit clauses in IT agreements

II. Additional Audit Rights in IT Agreements

Additional Audit Rights may include:

security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
self-assessment of internal controls
business continuity and disaster recovery audits
certification with applicable industry standards (e.g., ISO, PCI)

Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).

Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.

Page 8: Audit clauses in IT agreements

II. Parameters & Accompanying Provisions

Frequency & Notice
Limitation on the number of audits (e.g., per contract year)
Prior notice to the service provider
Must be performed during regular business hours
Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches

Auditors
Cannot be competitors of the service provider
Not compensated on a contingency basis
Required to sign an NDA

Page 9: Audit clauses in IT agreements

II. Parameters cont’d

Service Levels
Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)

Record Retention
Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)

Limitations on Auditable Records and Information
Internal policies
Internal audits
Privileged information

Page 10: Audit clauses in IT agreements

II. Parameters cont’d

Remediation
Time period for remediation
Verification or re-audit to confirm remediation

Costs / Reimbursement
Which party is liable for the cost of the audit?
What costs are covered – internal vs. external costs?
Do the cost implications shift if the audit was performed due to the service provider’s breach, or based on the outcome of the audit?

Page 11: Audit clauses in IT agreements

II. Implications for the Cloud

Limited audit rights will be available in a shared services environment:
Limited or no access to the physical data center
No access to the shared cloud environment
Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)

Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 Report, or a SOC 2 Report (in the case of SOC 2, often covering only some of the SOC 2 principles)

Page 12: Audit clauses in IT agreements

II. Implications for the Cloud cont’d

OSFI Memorandum titled “New technology-based outsourcing arrangements”, issued on February 29, 2012:

“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”

Page 13: Audit clauses in IT agreements

III. Regulatory Audits: The Old Standards

1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
Issued in 1992
Provides a report on a service organization’s internal controls related to financial statement assertions of users
Following Sarbanes-Oxley and the growth of global solutions, became the standard of choice for organizations with a base of international clients

2. Canadian Institute of Chartered Accountants (CICA), Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
Preceded by CICA Handbook, Section 5900, Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
Section 5900 replaced by CICA Section 5970, effective for periods commencing after January 1, 2006
Reflected a decision to make reporting similar to U.S. SAS 70

Page 14: Audit clauses in IT agreements

III. Regulatory Audits: The New Standards

International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
Effective for periods ending on or after June 15, 2011
Global standard for engagements to report on controls at a service organization

AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
Effective for periods ending on or after June 15, 2011
Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one

Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements 3416, Reporting on Controls at a Service Organization (CSAE 3416):
Effective for periods ending on or after December 15, 2011
Reflects an intention to closely mirror U.S. requirements

Page 15: Audit clauses in IT agreements

III. Old and New Standards: The Differences

Section 5970 Audits versus CSAE 3416:

Under CSAE 3416:
Management is required to provide a “written assertion” relating to:
Fair presentation and design of controls (Type 1 Report)
Fair presentation, design and operating effectiveness of controls (Type 2 Report)
“Subservice organizations” must also provide a written assertion where the inclusive method is used
With a Type 2 Report, the service auditor provides an opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
Service auditor is required to disclose reliance on internal audit within the report
Format of the service auditor’s opinion will change
Standard requires follow-up by the service auditor in the event of deviations resulting from intentional acts

Page 16: Audit clauses in IT agreements

III. The Old and New: What Hasn’t Changed

CSAE 3416:

Applies only to controls relevant to user entities’ financial reporting; it does not extend to examinations of controls over other subject matter

Reports cannot be provided to a service provider’s potential customers

Does not result in service providers being “certified” under CSAE 3416

Page 17: Audit clauses in IT agreements

Questions?

Richard Austin

Deeth Williams Wall [email protected]

416 941 8210

Ken Silverman

IBM Canada [email protected]

905-316-0289
