
Assuring Compliance in IT Subcontracting and Cloud Computing

  • Conference paper
New Studies in Global IT and Business Service Outsourcing (Global Sourcing 2011)

Abstract

Companies and their business processes are subject to many regulations. Today's business processes are widely supported by IT systems, so these systems play an important role in assuring compliance. The need to assure compliance can influence IT outsourcing decisions. We summarize several frameworks that give recommendations on assuring compliance of outsourced activities.

For a service provider with many globally operating customers, similar audit activities performed separately by each customer's auditors would be time-consuming and expensive. To avoid these costs, the American Institute of Certified Public Accountants (AICPA) suggested that a service auditor may issue a SAS 70 Type II report, which attests to both the design and the operating effectiveness of the provider's internal controls over a review period. Recently, the AICPA replaced SAS 70 with the attestation standard SSAE 16. Based on these frameworks and guidelines, we discuss compliance issues in special cases of outsourcing relationships, namely subcontracting (where the provider itself relies on subservice organizations) and cloud computing.



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Knolmayer, G.F., Asprion, P. (2011). Assuring Compliance in IT Subcontracting and Cloud Computing. In: Kotlarsky, J., Willcocks, L.P., Oshri, I. (eds) New Studies in Global IT and Business Service Outsourcing. Global Sourcing 2011. Lecture Notes in Business Information Processing, vol 91. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24815-3_2

  • DOI: https://doi.org/10.1007/978-3-642-24815-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24814-6

  • Online ISBN: 978-3-642-24815-3
