Posted on 21-Dec-2015
Making Your IT Contract Work: Benchmarking & Audit Clauses in Technology Agreements
Andrew Alleyne
Richard Austin
Ken Silverman
May 4, 2015
Table of Contents
I. Benchmarking
II. Information Technology Audits
III. Audit Rights in IT Agreements
IV. Control Audits
I. Benchmarking
“An objective measure of performance that can be used to compare operations across organizations”
IAOP, Outsourcing Body of Knowledge, Volume 10
Overview
Context and Scope
Roles and Process
To Benchmark or not to Benchmark
Factors to Consider When Benchmarking
Alternatives to Benchmarking
Sample Benchmarking Provision
Benchmarking
Context: remain competitive in terms of pricing and service levels without the benefit of a competitive bid process.
Scope: compare the existing pricing and service levels in the agreement against a third-party survey of the “relevant” outsourcing market, and adjust pricing and service level agreements accordingly.
Roles and Process
Parties: Customer, Supplier, Benchmarker
Process:
Include the concept in any procurement document/RFP
Require release of relevant data to the Benchmarker
Agree on the size and nature of the peer group
Allow for normalization of the data collected by the Benchmarker
Decide who bears the costs
Implement the findings from the Benchmarking process
To Benchmark or Not to Benchmark
Customer: the Customer is interested in maintaining the competitiveness of the contract over its term (with respect to what it could obtain by going to market).
Supplier: the Supplier may prefer not to benchmark, as it potentially decreases the service delivery efficiencies anticipated over the life of the contract. The Supplier will argue that it put its best foot forward at contract formation and that the deal should not be renegotiated mid-stream.
When to benchmark: Benchmarking is expensive and time consuming, and its advantages take effort to realize. It may be triggered at a fixed point in time or on the Customer’s request (i.e. based on the realization of changed industry standards). Some contracts prohibit benchmarking for the first n years of the contract. Consider whether to cap the frequency of benchmarking over the life of the contract.
Factors to Consider When Benchmarking
Factors:
Size of the Supplier and its applicable industry
Complexity of the services performed under the contract
Relationship between Customer and Supplier and the effects of a potentially combative benchmarking exercise
Related agreements between the parties that influence the fees or services under the contract
Alternatives to Benchmarking
Alternatives:
Most Favoured Customer clause
Shorter term agreements
Incorporate informal pricing and service level review into the contract
Building incentives into the contract for the Supplier to seek cost-saving measures where the savings may be shared with the Customer
Experienced and engaged Customer sourcing department and effective contract governance
Sample Benchmark Provision
1. Benchmarking
Customer may exercise its option to have a benchmarking performed on or after the second anniversary of this Agreement. Service Provider shall, as a part of the Services, co-ordinate the benchmarking study that shall enable Customer to compare the Fees and Service Levels for the Services with those of a Peer Group (as defined below) to ensure that they are competitive (collectively “Benchmarking”). Benchmarking shall be conducted no more than twice during the Term of the Agreement at least twenty-four (24) months apart.
2. Benchmarker
The Benchmarking will be conducted by a mutually acceptable, independent industry-recognized provider of benchmarking services (the “Third Party Benchmarker”). The Parties shall agree upon the required qualifications but at a minimum the Third Party Benchmarker must (i) be independent, (ii) have demonstrated competence in performing information technology benchmarks and (iii) agree to maintain the confidentiality of all data, including Customer Data.
3. Peer Group
The Parties shall agree on the number of comparison organizations (not less than six (6)) to be considered the “Peer Group.” The Peer Group shall have significant [banking/insurance/manufacturing etc.] operations in North America and shall be recipients of services that are (i) substantially similar to those of the Customer (ii) at similar volumes and service levels (iii) using similar architecture (iv) from a single top service provider in Canada or the US. Each entity nominated as a peer shall be reviewed by and accepted by Service Provider and Customer.
4. Data
The Third Party Benchmarker will use data that is no more than 18 months old. The Third Party Benchmarker will adjust the data to ensure relevant comparisons for purposes of the Benchmarking. Factors to be taken into consideration by the Third Party Benchmarker shall include: (i) geographic location of the peer companies; (ii) industry differences affecting information technology costs; (iii) economies of scale; (iv) workload and complexity factors (including operating environment). In addition, the Third Party Benchmarker should take into account factors related to outsourced services generally such as: (i) the service levels offered; (ii) duration and nature of the contractual commitment; (iii) volume of services being provided; (iv) contractual terms, conditions and allocation of risk; (v) amount of investment made by Service Provider in Customer’ equipment and personnel (vi) appropriate overhead; and (vii) any other unique factors in connection with this Agreement. Service Provider shall have no obligation to provide any proprietary data or data with respect to any particular customer in connection with the Benchmarking.
Benchmarking Provision from C. Ian Kyer & John Beardwood, Outsourcing Transactions A Practical Guide, loose-leaf (consulted on 31 December 2012), (Toronto, ON: Thomson Reuters, 2012), ch 10.
Sample Benchmark Provision (cont’d)
5. Costs
The Parties will share equally the costs incurred in connection with the Benchmarking.
6. Benchmarking Procedure
If the Customer wishes to exercise its right to require a Benchmarking, it shall send written notice to the Service Provider. The notice shall identify when the Benchmarking will occur (the “Benchmarking Notice”) and identify one or more third party benchmarkers who would be acceptable to the Customer. The Parties shall meet to agree upon the Third Party Benchmarker within 5 Business Days of the Benchmarking Notice. Once selected, the Parties shall meet with the Third Party Benchmarker within 10 Business Days for the purpose of agreeing upon a detailed plan (including time deadlines for provision of data by Service Provider) for the implementation of the Benchmarking. The Service Provider shall provide data, and otherwise comply in a timely manner with the agreed plan. The plan shall require delivery by the Third Party Benchmarker of its initial report to the Parties within the time period agreed by the Parties. Within a reasonable time after delivery of the initial report (not to exceed 30 days) the Parties shall jointly review the report and submit comments and identify areas of concern (challenges) to the Third Party Benchmarker. The Third Party Benchmarker shall promptly consider any comments and address all challenges in a manner acceptable to each Party, acting reasonably, and deliver to the Parties a revised report. After the Third Party Benchmarker provides its final report to the Parties, Customer and Service Provider will promptly meet to jointly review the Benchmarking results.
7. Adjusting Fees and Service Levels
If the Third Party Benchmarker’s final report states that:
i. the average aggregate fees for Customer are less than 4% greater than the Peer Group average aggregate fees, then no adjustment shall be made by Service Provider;
ii. the average aggregate fees for Customer are 4% or more greater than the Peer Group average aggregate fees, then Service Provider in consultation with Customer shall prepare a plan setting out the activities and investments, if any, as may be required to bring the average aggregate fees for the Customer to within 4%.
If the Parties fail to reach agreement on the adjustments to be made as set out above, or if a final report has not been issued within 90 days of the initial report because Service Provider is continuing to challenge the proposed final report, Customer shall have the right to terminate the Agreement, provided that Customer will be obligated to pay (i) 50% of the Early Termination Fee if such termination is within 48 months of the Effective Date or (ii) 25% of the Early Termination Fee if such termination is more than 48 months after the Effective Date.
II. Information Technology Audits: Context
IT Outsourcing Industry: growth of the services industry; increasing number of players; maturity; globalization
Increasing emphasis on: security; availability; confidentiality and privacy
Well-publicized breakdowns of internal controls
II. Increasing Regulatory Requirements
“h) Audit Rights
The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider’s internal control environment as it relates to the service being provided. …
Accordingly, an undertaking from the service provider or a provision in the outsourcing contract should give OSFI or the Superintendent’s representative the right to:
• Exercise the contractual rights of the FRE relating to audit”
OSFI B-10 Guideline Outsourcing of Business Activities, Functions and Processes, March 2009
II. Consequences for Service Providers
Increasing demands for: access to internal (first party) audit reports; external (second and third party) audits
Audit requests pose challenges for service providers: impact on provision of the services; the audit expense; servicing multiple audit requests
III. Audit Rights in IT Agreements - General
General Audit Right: audit the service provider’s facilities, systems and records in order to verify:
compliance with the obligations under the agreement;
that the services are being provided in accordance with the service levels;
compliance with the security requirements;
compliance with law; and
amounts charged under the agreement.
III. Additional Audit Rights in IT Agreements
Additional Audit Rights may include:
security audits – compliance with the service provider’s internal policies, penetration testing, third party security audits
self-assessment of internal controls
business continuity and disaster recovery audits
certification against applicable industry standards (e.g., ISO, PCI)
Regulators: the right for the customer’s regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).
Subcontractors: agreements typically require that audit rights flow down to any subcontractors.
III. Parameters & Accompanying Provisions
Frequency & Notice:
Limitation on the number of audits (e.g., per contract year)
Prior notice to the service provider
Must be performed during regular business hours
Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
Auditors:
Cannot be competitors of the service provider
Not compensated on a contingency basis
Required to sign an NDA
III. Parameters cont’d
Service Levels: the audit cannot interfere with the service provider’s ability to perform the services in accordance with the service levels (or the service provider should be relieved from that obligation for the duration of the interference)
Record Retention: records retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
Limitations on Auditable Records and Information: internal policies; internal audits; privileged information
III. Parameters cont’d
Remediation: time period for remediation; verification or re-audit to confirm remediation
Costs / Reimbursement: Which party is liable for the cost of the audit? What costs are covered – internal vs. external costs? Do the cost implications shift if the audit was performed due to the service provider’s breach, or based on the outcome of the audit?
III. Implications for the Cloud
Limited audit rights will be available in a shared services environment:
Limited or no access to the physical data center
No access to the shared cloud environment
Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or SOC 2 Report (in the case of SOC 2, often covering only some of the Trust Services principles, so the customer should check which principles are in scope and whether the report is Type 1 or Type 2)
III. Implications for the Cloud cont’d
OSFI Memorandum titled “New technology-based outsourcing arrangements”, issued on February 29, 2012:
“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”
IV. Control Audits
International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):
Global standard for engagements to report on controls at a service organization, effective for periods ending on or after June 15, 2011
AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):
Replaces AICPA, Statement on Auditing Standards No. 70 (SAS 70) for periods ending on or after June 15, 2011
Differences between ISAE 3402 and SSAE 16 are minimal as a result of efforts to converge U.S. standard with international one
IV. Canadian Control Audits
Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):
Effective for periods ending on or after December 15, 2011
Reflects intention to closely mirror U.S. requirements
CSAE 3416 Audits: SOC 1, SOC 2 and SOC 3 compared

Scope:
SOC 1: the internal controls at a service provider relevant to the user organization’s internal control over financial reporting
SOC 2 and SOC 3: operational controls

Focus:
SOC 1: internal controls over / risks to financial reporting
SOC 2 and SOC 3: operational/non-financial controls supporting a system’s security, availability, confidentiality, processing integrity and privacy

Controls:
SOC 1: controls are specified by the service provider
SOC 2 and SOC 3: based on the Trust Services Principles and Criteria (specific requirements developed by the AICPA and CICA)

Report Types:
SOC 1: Type 1 and Type 2 Reports
SOC 2: Type 1 and Type 2 Reports
SOC 3: Type 2 Report only

Sub-service providers:
SOC 1: may be done on a carve-out or inclusive basis
SOC 2: may be done on a carve-out or inclusive basis
SOC 3: must be done on an inclusive basis

Report:
SOC 1: detailed report; use restricted to the service provider’s management, the user and the user’s auditors
SOC 2: detailed report; use restricted to the service provider’s management, the user, the user’s auditors and specified parties
SOC 3: shorter report, excluding the specific tests and test results; may be generally distributed; unqualified reports may use the SOC 3 seal
Type 1 Reports report on:
• Management’s description of the service provider’s system
• Suitability of the design of the controls to meet the control objectives, as of a specified date
Type 2 Reports report on:
• Management’s description of the service provider’s system
• Suitability of the design and operating effectiveness of the controls to meet the control objectives, throughout a specified period
ISO/IEC 27000 Series
Family of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
Address privacy, confidentiality and technical security issues
Guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization
More than 33 standards available today, with more under development: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306&published=on
Available standards in the ISO 27000 family include:
ISO 27000:2014 – ISMS – Overview and Vocabulary
ISO 27001:2013 – ISMS Requirement
ISO 27002:2013 – Code of practice for information security controls
ISO 27003:2010 – ISMS Implementation guidance
ISO 27005:2011 – Information security risk management
ISO 27006:2011 – Requirements for bodies providing audit and certification of the ISMS
ISO 27007:2011 – Guidelines for ISMS auditing
ISO 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO 27032:2012 – Guidelines for cybersecurity
ISO/IEC 27001 – ISMS Requirements
Sets out requirements for establishing, implementing, maintaining and continually improving an information security management system
ISO 27001:2013 Clauses:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
ISO 27001:2013 Annex A Controls:
5. Information security policies
6. Organization of information security
7. Human resources security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. Systems acquisition, development & maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
ISO/IEC 27001
ISO 27001:2013 establishes 114 controls in 14 security domains (Annex A)
ISO 27002:2013 provides guidance to organizations on implementing controls within an information security management system; it defines control objectives, controls and implementation guidance under the 14 security domains
ISO 27018:2014 provides security categories and controls that can be implemented by a public cloud computing service processing personally identifiable information
Organizations can be certified against ISO 27001:2013, and against ISO 27018:2014 as an extension of that ISMS certification (ISO 27018 is a code of practice, so a claimed “ISO 27018 certification” should be checked for the underlying ISO 27001 certificate and its scope)
Questions?
Andrew Alleyne
Fasken Martineau DuMoulin LLP
aalleyne@fasken.com
416.868.3338
Richard Austin
Deeth Williams Wall LLP
raustin@dww.com
416.941.8210
Ken Silverman
IBM Canada Ltd.
ksilver@ca.ibm.com
905.316.0289