Audit Clauses in IT Agreements 
Richard Austin 
Ken Silverman 
June 17, 2014
Table of Contents 
I. The Auditing Context 
II. Audit Rights in IT Agreements 
III. Control Audits
I. The Auditing Context 
IT Outsourcing Industry:
- Growth of services industry
- Increasing number of players
- Maturity
- Globalization
Increasing emphasis on privacy and security
Well-publicized breakdowns of internal controls
I. Increasing Regulatory Requirements 
“h) Audit Rights
‘The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes, March 2009
I. Consequences for Service Providers 
Audit requests pose challenges for service providers:
- Impact on provision of services
- The audit expense
- Servicing multiple audit requests
II. Audit Rights in IT Agreements - General 
General Audit Right: audit the service provider’s facilities, systems and records in order to verify:
- compliance with the obligations under the agreement;
- that the services are being provided in accordance with the service levels;
- compliance with the security requirements;
- compliance with law; and
- amounts charged under the agreement.
II. Additional Audit Rights in IT Agreements 
Additional Audit Rights may include:
- security audits – compliance with the service provider’s internal policies, penetration testing, third-party security audits
- self-assessment of internal controls
- business continuity and disaster recovery audits
- certification with applicable industry standards (e.g., ISO, PCI)
Regulators: right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: agreements typically require that audit rights flow down to any subcontractors.
II. Parameters & Accompanying Provisions 
- Frequency & Notice
  - Limitation on the number of audits (e.g., per contract year)
  - Prior notice to the service provider
  - Must be performed during regular business hours
  - Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
- Auditors
  - Cannot be competitors of the service provider
  - Not compensated on a contingency basis
  - Required to sign an NDA
II. Parameters cont’d 
- Service Levels
  - Audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from that obligation)
- Record Retention
  - Retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
- Limitations on Auditable Records and Information
  - Internal policies
  - Internal audits
  - Privileged information
II. Parameters cont’d 
- Remediation
  - Time period for remediation
  - Verification or re-audit to confirm remediation
- Costs / Reimbursement
  - Which party is liable for the cost of the audit?
  - What costs are covered – internal vs. external costs?
  - Do the cost implications shift if the audit was performed due to the service provider’s breach, or based on the outcome of the audit?
II. Implications for the Cloud 
- Limited audit rights will be available in a shared services environment:
  - Limited or no access to the physical data center
  - No access to the shared cloud environment
  - Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
- Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or SOC 2 Report (in the case of SOC 2, covering some of the SOC 2 principles)
II. Implications for the Cloud cont’d 
OSFI Memorandum titled “New technology-based outsourcing arrangements”, issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
III. Regulatory Audits: The Old Standards 
1. American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70)
  - Issued in 1992
  - Provides a report on a service organization’s internal controls related to the financial statement assertions of users
  - Following Sarbanes-Oxley and the growth of global solutions, became the standard of choice for organizations with a base of international clients
2. Canadian Institute of Chartered Accountants, Section 5970, Auditor’s Report on Controls at a Service Organization (Section 5970 Audit)
  - Preceded by Canadian Institute of Chartered Accountants, Handbook, Section 5900 Opinions on Controls at a Service Organization, Revision No. 52 (November 1986)
  - Replaced by CICA, Section 5970, effective for periods commencing after January 1, 2006
  - Reflected a decision to make reporting similar to U.S. SAS 70
III. Regulatory Audits: The New Standards 
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
- Effective for periods ending on or after June 15, 2011
- Global standard for engagements to report on controls at a service organization
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
- Effective for periods ending on or after June 15, 2011
- Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge the U.S. standard with the international one
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
- Effective for periods ending on or after December 15, 2011
- Reflects an intention to closely mirror U.S. requirements
III. Old and New Standards: The Differences 
Section 5970 Audits versus CSAE 3416. Under CSAE 3416:
- Management is required to provide a “written assertion” relating to:
  - Fair presentation and design of controls (Type 1 Report)
  - Fair presentation, design and operating effectiveness of controls (Type 2 Report)
- “Subservice organizations” must also provide a written assertion where the inclusive method is used
- With a Type 2 Report, the service auditor provides an opinion on the description of controls and the suitability of their design in respect of the control objectives for the entire period (as opposed to a specific date)
- The service auditor is required to disclose reliance on internal audit within the report
- The format of the service auditor’s opinion will change
- The standard requires follow-up by the service auditor in the event of deviations resulting from intentional acts
III. The Old and New: What Hasn’t Changed 
CSAE 3416:
- Does not apply to examinations of controls over subject matter other than Financial Reporting
- Cannot be provided to a service provider’s potential customers
- Does not result in service providers being “certified” under CSAE 3416
Questions? 
Richard Austin 
Deeth Williams Wall LLP 
raustin@dww.com 
416 941 8210 
Ken Silverman 
IBM Canada Ltd. 
ksilver@ca.ibm.com 
905-316-0289
