Audit Clauses in IT Agreements
Richard Austin
Ken Silverman
June 17, 2014
Table of Contents
I. The Auditing Context
II. Audit Rights in IT Agreements
III. Control Audits
I. The Auditing Context
IT Outsourcing Industry: Growth of Services Industry
Increasing number of players
Maturity
Globalization
Increasing emphasis on Privacy and Security
Well-publicized breakdowns of internal controls
I. Increasing Regulatory Requirements
“h) Audit Rights
The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI B-10 Guideline Outsourcing of Business Activities, Functions and Processes, March 2009
I. Consequences for Service Providers
Audit requests pose challenges for service providers:
Impact on provision of services
The audit expense
Servicing multiple audit requests
II. Audit Rights in IT Agreements - General
General Audit Right:
Audit the service provider’s facilities, systems and records in order to verify:
compliance with the obligations under the agreement;
that the services are being provided in accordance with the service levels;
compliance with the security requirements;
compliance with law; and
amounts charged under the agreement.
II. Additional Audit Rights in IT Agreements
Additional Audit Rights: May include:
security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
self-assessment of internal controls
business continuity and disaster recovery audits
certification with applicable industry standards (e.g., ISO, PCI)
Regulators: Right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: Agreements typically require that audit rights flow down to any subcontractors.
II. Parameters & Accompanying Provisions
Frequency & Notice
Limitation on the number of audits (e.g., per contract year)
Prior notice to the service provider
Must be performed during regular business hours
Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
Auditors
Cannot be competitors of the service provider
Not compensated on a contingency basis
Required to sign an NDA
II. Parameters cont’d
Service Levels
Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from such obligation)
Record Retention
Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
Limitations on Auditable Records and Information
Internal policies
Internal audits
Privileged information
II. Parameters cont’d
Remediation
Time period for remediation
Verification or re-audit to confirm remediation
Costs / Reimbursement
Which party is liable for the cost of the audit?
What costs are covered – internal vs. external costs?
Do the cost implications shift if the audit was performed due to the service provider’s breach or based on the outcome of the audit?
II. Implications for the Cloud
Limited audit rights will be available in a shared services environment:
Limited or no access to the physical data center
No access to the shared cloud environment
Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or 2 Report (in the case of SOC 2, covering some of the SOC 2 principles)
II. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
III. Regulatory Audits: The Old Standards
1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
Issued in 1992
Provides a report on service organization’s internal controls related to financial statement assertions of users
Following Sarbanes-Oxley and growth of global solutions, became standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
Reflected a decision to make reporting similar to U.S. SAS 70
III. Regulatory Audits: The New Standards
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
Effective for periods ending on or after June 15, 2011
Global standard for engagements to report on controls in a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
Effective for periods ending on or after June 15, 2011
Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
Effective for periods ending on or after December 15, 2011
Reflects intention to closely mirror U.S. requirements
III. Old and New Standards: The Differences
Section 5970 Audits versus CSAE 3416:
Under the CSAE 3416:
Management is required to provide a “written assertion” relating to:
Fair presentation and design of controls (Type 1 Report)
Fair presentation, design and operating effectiveness of controls (Type 2 Report)
“Subservice organizations” must also provide a written assertion where the inclusive method is used
With Type 2 Report, the service auditor provides opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
Service auditor required to disclose reliance on internal audit within the report
Format of service auditor’s opinion will change
Standard requires follow-up by service auditor in the event of deviations resulting from intentional acts
III. The Old and New: What Hasn’t Changed
CSAE 3416:
Does not apply to examinations of controls over other subject matter than Financial Reporting
Cannot be provided to a service provider’s potential customers
Does not result in service providers being “certified” under CSAE 3416
Questions?
Richard Austin
Deeth Williams Wall [email protected]
416 941 8210
Ken Silverman
IBM Canada [email protected]
905-316-0289