Abstract
Companies and their business processes are subject to many regulations. Today's business processes are widely supported by IT systems, so these systems play an important role in assuring compliance. The need to assure compliance can influence IT outsourcing decisions. We summarize some frameworks that give recommendations on assuring compliance of outsourced activities.
For a service provider with many globally acting customers, similar audit activities by many auditors would be time-consuming and expensive. To avoid these costs, the American Institute of Certified Public Accountants (AICPA) suggested that an auditor may provide a SAS 70 Audit Report Type II, which confirms the existence and effectiveness of internal controls. Recently, the AICPA replaced SAS 70 with the attestation standard SSAE 16. Based on frameworks and guidelines, we discuss compliance issues in special cases of outsourcing relationships such as subcontracting and cloud computing.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Knolmayer, G.F., Asprion, P. (2011). Assuring Compliance in IT Subcontracting and Cloud Computing. In: Kotlarsky, J., Willcocks, L.P., Oshri, I. (eds) New Studies in Global IT and Business Service Outsourcing. Global Sourcing 2011. Lecture Notes in Business Information Processing, vol 91. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24815-3_2
DOI: https://doi.org/10.1007/978-3-642-24815-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24814-6
Online ISBN: 978-3-642-24815-3
eBook Packages: Computer Science (R0)