Making Your IT Contract Work: Benchmarking & Audit Clauses in Technology Agreements Andrew Alleyne Richard Austin Ken Silverman May 4, 2015


Table of Contents

I. Benchmarking
II. Information Technology Audits
III. Audit Rights in IT Agreements
IV. Control Audits

I. Benchmarking

“An objective measure of performance that can be used to compare operations across organizations”

IAOP, Outsourcing Body of Knowledge, Volume 10

Overview

• Context and Scope
• Roles and Process
• To Benchmark or Not to Benchmark
• Factors to Consider When Benchmarking
• Alternatives to Benchmarking
• Sample Benchmarking Provision

Benchmarking

Context:

• Remain competitive in terms of pricing and service levels without the benefit of a competitive bid process.

Scope:

• Compare the existing pricing and service levels in the agreement against a third-party survey of the "relevant" outsourcing market, and adjust pricing and service level agreements accordingly.

Roles and Process

Parties:

• Customer
• Supplier
• Benchmarker

Process:

• Include the concept in any procurement document/RFP
• Require release of relevant data to the Benchmarker
• Agree on the size and nature of the peer group
• Allow for normalization of the data collected by the Benchmarker
• Decide who bears the costs
• Implement the findings of the Benchmarking process

To Benchmark or Not to Benchmark

Customer:

• The Customer is interested in maintaining the competitiveness of the contract (relative to what it could obtain by going to market) over its term.

Supplier:

• The Supplier may prefer not to benchmark, as it potentially decreases the service delivery efficiencies anticipated over the life of the contract. The Supplier will argue that it put its best foot forward at contract formation and that the deal should not be renegotiated mid-stream.

When to benchmark:

• Benchmarking is expensive and time consuming; its advantages take effort to realize.
• At a fixed point in time, or on the Customer's request (i.e., based on the realization of changed industry standards).
• Some contracts prohibit benchmarking for the first n years of the contract.
• Is there a maximum frequency of benchmarking over the life of the contract?

Factors to Consider When Benchmarking

Factors:

• Size of the Supplier and its applicable industry
• Complexity of the services performed under the contract
• Relationship between Customer and Supplier, and the effects of a potentially combative benchmarking exercise
• Related agreements between the parties that influence the fees or services under the contract

Alternatives to Benchmarking

Alternatives:

• Most Favoured Customer clause
• Shorter-term agreements
• Incorporate an informal pricing and service level review into the contract
• Build incentives into the contract for the Supplier to seek cost-saving measures, where the savings may be shared with the Customer
• An experienced and engaged Customer sourcing department and effective contract governance

Sample Benchmark Provision

1. Benchmarking

Customer may exercise its option to have a benchmarking performed on or after the second anniversary of this Agreement. Service Provider shall, as a part of the Services, co-ordinate the benchmarking study that shall enable Customer to compare the Fees and Service Levels for the Services with those of a Peer Group (as defined below) to ensure that they are competitive (collectively, "Benchmarking"). Benchmarking shall be conducted no more than twice during the Term of the Agreement and at least twenty-four (24) months apart.

2. Benchmarker

The Benchmarking will be conducted by a mutually acceptable, independent, industry-recognized provider of benchmarking services (the "Third Party Benchmarker"). The Parties shall agree upon the required qualifications, but at a minimum the Third Party Benchmarker must (i) be independent, (ii) have demonstrated competence in performing information technology benchmarks and (iii) agree to maintain the confidentiality of all data, including Customer Data.

3. Peer Group

The Parties shall agree on the number of comparison organizations (not less than six (6)) to be considered the "Peer Group." The Peer Group shall have significant [banking/insurance/manufacturing etc.] operations in North America and shall be recipients of services that are (i) substantially similar to those of the Customer, (ii) at similar volumes and service levels, (iii) using similar architecture and (iv) from a single top service provider in Canada or the US. Each entity nominated as a peer shall be reviewed by and accepted by Service Provider and Customer.

4. Data

The Third Party Benchmarker will use data that is no more than 18 months old. The Third Party Benchmarker will adjust the data to ensure relevant comparisons for purposes of the Benchmarking. Factors to be taken into consideration by the Third Party Benchmarker shall include: (i) geographic location of the peer companies; (ii) industry differences affecting information technology costs; (iii) economies of scale; and (iv) workload and complexity factors (including operating environment). In addition, the Third Party Benchmarker should take into account factors related to outsourced services generally, such as: (i) the service levels offered; (ii) duration and nature of the contractual commitment; (iii) volume of services being provided; (iv) contractual terms, conditions and allocation of risk; (v) amount of investment made by Service Provider in Customer's equipment and personnel; (vi) appropriate overhead; and (vii) any other unique factors in connection with this Agreement. Service Provider shall have no obligation to provide any proprietary data or data with respect to any particular customer in connection with the Benchmarking.

Benchmarking Provision from C. Ian Kyer & John Beardwood, Outsourcing Transactions: A Practical Guide, loose-leaf (consulted on 31 December 2012), (Toronto, ON: Thomson Reuters, 2012), ch 10.

Sample Benchmark Provision cont'd

5. Costs

The Parties will share equally the costs incurred in connection with the Benchmarking.

6. Benchmarking Procedure

If the Customer wishes to exercise its right to require a Benchmarking, it shall send written notice to the Service Provider. The notice shall identify when the Benchmarking will occur (the "Benchmarking Notice") and identify one or more third party benchmarkers who would be acceptable to the Customer. The Parties shall meet to agree upon the Third Party Benchmarker within 5 Business Days of the Benchmarking Notice. Once selected, the Parties shall meet with the Third Party Benchmarker within 10 Business Days for the purpose of agreeing upon a detailed plan (including time deadlines for provision of data by Service Provider) for the implementation of the Benchmarking. The Service Provider shall provide data, and otherwise comply in a timely manner with the agreed plan. The plan shall require delivery by the Third Party Benchmarker of its initial report to the Parties within the time period agreed by the Parties. Within a reasonable time after delivery of the initial report (not to exceed 30 days), the Parties shall jointly review the report, submit comments and identify areas of concern (challenges) to the Third Party Benchmarker. The Third Party Benchmarker shall promptly consider any comments, address all challenges in a manner acceptable to each Party, acting reasonably, and deliver to the Parties a revised report. After the Third Party Benchmarker provides its final report to the Parties, Customer and Service Provider will promptly meet to jointly review the Benchmarking results.

7. Adjusting Fees and Service Levels

If the Third Party Benchmarker's final report states that:

i. the average aggregate fees for Customer are less than 4% greater than the Peer Group average aggregate fees, then no adjustment shall be made by Service Provider;

ii. the average aggregate fees for Customer are 4% or more greater than the Peer Group average aggregate fees, then Service Provider, in consultation with Customer, shall prepare a plan setting out the activities and investments, if any, as may be required to bring the average aggregate fees for the Customer to within 4%.

If the Parties fail to reach agreement on the adjustments to be made as set out above, or if a final report has not been issued within 90 days of the initial report because Service Provider is continuing to challenge the proposed final report, Customer shall have the right to terminate the Agreement, provided that Customer will be obligated to pay (i) 50% of the Early Termination Fee if such termination is within 48 months of the Effective Date or (ii) 25% of the Early Termination Fee if such termination is more than 48 months after the Effective Date.

II. Information Technology Audits: Context

IT Outsourcing Industry:

• Growth of the services industry
• Increasing number of players
• Maturity
• Globalization

Increasing emphasis on:

• Security
• Availability
• Confidentiality and privacy

Well-publicized breakdowns of internal controls

II. Increasing Regulatory Requirements

"h) Audit Rights
The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. As a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider's internal control environment as it relates to the service being provided. …
• Accordingly, an undertaking from the service provider or a provision in the outsourcing contract, should give OSFI or the Superintendent's representative the right to: Exercise the contractual rights of the FRE relating to audit"

OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes, March 2009

II. Consequences for Service Providers

Increasing demands for:

• access to internal (first-party) audit reports
• external (second- and third-party) audits

Audit requests pose challenges for service providers:

• Impact on provision of the services
• The audit expense
• Servicing multiple audit requests

III. Audit Rights in IT Agreements - General

General Audit Right: audit the service provider's facilities, systems and records in order to verify:

• compliance with the obligations under the agreement;
• that the services are being provided in accordance with the service levels;
• compliance with the security requirements;
• compliance with law; and
• the amounts charged under the agreement.

III. Additional Audit Rights in IT Agreements

Additional Audit Rights may include:

• security audits: compliance with the service provider's internal policies, penetration testing, third-party security audits
• self-assessment of internal controls
• business continuity and disaster recovery audits
• certification against applicable industry standards (e.g., ISO, PCI)

Regulators: the right for the customer's regulators to exercise audit rights on behalf of the customer (for FREs, see OSFI Guideline B-10, Section 7.2.1(h)).

Subcontractors: agreements typically require that audit rights flow down to any subcontractors.

III. Parameters & Accompanying Provisions

• Frequency & Notice
  • Limitation on the number of audits (e.g., per contract year)
  • Prior notice to the service provider
  • Must be performed during regular business hours
  • Exceptions: regulatory audits, claims of fraud or criminal activity, privacy or security breaches
• Auditors
  • Cannot be competitors of the service provider
  • Not compensated on a contingency basis
  • Required to sign an NDA

III. Parameters cont'd

• Service Levels
  • The audit cannot interfere with the service provider's ability to perform the services in accordance with the service levels (or the service provider should be relieved from that obligation for the duration of the interference)
• Record Retention
  • Records retained for a certain period of time, in certain locations and in a prescribed format/standard (e.g., GAAP, IFRS)
• Limitations on Auditable Records and Information
  • Internal policies
  • Internal audits
  • Privileged information

III. Parameters cont'd

• Remediation
  • Time period for remediation
  • Verification or re-audit to confirm remediation
• Costs / Reimbursement
  • Which party is liable for the cost of the audit?
  • What costs are covered: internal vs. external costs?
  • Do the cost implications shift if the audit was performed due to the service provider's breach, or based on the outcome of the audit?

III. Implications for the Cloud

• Limited audit rights will be available in a shared services environment:
  • Limited or no access to the physical data center
  • No access to the shared cloud environment
  • Customers must typically rely on reports made available by the cloud provider through the customer portal (e.g., usage and invoicing data, physical attributes of the servers)
• Some cloud providers may provide an SSAE 16 / CSAE 3416 SOC 1 or SOC 2 report (in the case of SOC 2, covering some of the SOC 2 principles)

III. Implications for the Cloud cont’d

OSFI Memorandum titled “New technology-based outsourcing arrangements” issued on February 29, 2012: “Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks. As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on … iv) access and audit rights … .”

IV. Control Audits

International Auditing and Assurance Standards Board (IAASB), International Standard on Assurance Engagements 3402 (ISAE 3402):

• Global standard for engagements to report on controls at a service organization, for periods ending on or after June 15, 2011

AICPA Auditing Standards Board, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16):

• Replaces AICPA Statement on Auditing Standards No. 70 (SAS 70) for periods ending on or after June 15, 2011
• Differences between ISAE 3402 and SSAE 16 are minimal, as a result of efforts to converge the U.S. standard with the international one

IV. Canadian Control Audits

Canadian Institute of Chartered Accountants, Auditing and Assurance Standards Board, Canadian Standard on Assurance Engagements, Reporting on Controls at a Service Organization (CSAE 3416):

• Effective for periods ending on or after December 15, 2011
• Reflects an intention to closely mirror the U.S. requirements

CSAE 3416 Audits

Scope
  SOC 1: The internal controls at a service provider relevant to the user organization's controls over financial reporting
  SOC 2 / SOC 3: Operational controls

Focus
  SOC 1: Internal controls over, and risks to, financial reporting
  SOC 2 / SOC 3: Operational/non-financial controls supporting a system's:
    • Security
    • Availability
    • Confidentiality
    • Processing integrity
    • Privacy

Controls
  SOC 1: Controls are specified by the service provider
  SOC 2 / SOC 3: Based on the Trust Services Principles and Criteria (specific requirements developed by the AICPA and CICA)

CSAE 3416 Audits cont'd

Report Types
  SOC 1: Type 1 and Type 2 reports
  SOC 2: Type 1 and Type 2 reports
  SOC 3: Type 2 report only

Sub-service providers
  SOC 1: May be done on a carve-out or inclusive basis
  SOC 2: May be done on a carve-out or inclusive basis
  SOC 3: Must be done on an inclusive basis

Report
  SOC 1: Detailed report; use restricted to the service provider's management, the user and the user's auditors
  SOC 2: Detailed report; use restricted to the service provider's management, the user, the user's auditors and specified parties
  SOC 3: Shorter report, excluding the specific tests and test results; may be generally distributed; unqualified reports may use the SOC 3 seal

Type 1 reports report on:
• Management's description of the service provider's system
• Suitability of the design of the controls to meet the control objectives, as of a specified date

Type 2 reports report on:
• Management's description of the service provider's system
• Suitability of the design and operating effectiveness of the controls to meet the control objectives, throughout a specified period

ISO/IEC 27000 Series

• Family of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
• Addresses privacy, confidentiality and technical security issues
• Guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization
• More than 33 standards available today, with more under development: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306&published=on

Available standards in the ISO 27000 family include:

• ISO 27000:2014 – ISMS – Overview and vocabulary
• ISO 27001:2013 – ISMS – Requirements
• ISO 27002:2013 – Code of practice for information security controls
• ISO 27003:2010 – ISMS implementation guidance
• ISO 27005:2011 – Information security risk management
• ISO 27006:2011 – Requirements for bodies providing audit and certification of information security management systems
• ISO 27007:2011 – Guidelines for ISMS auditing
• ISO 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO 27032:2012 – Guidelines for cybersecurity

ISO/IEC 27001 – ISMS Requirements

• Sets out requirements for establishing, implementing, maintaining and continually improving an information security management system

ISO 27001:2013 Clauses

4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

ISO 27001:2013 Annex A Controls

5. Information security policies
6. Organization of information security
7. Human resources security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

ISO/IEC 27001

• ISO 27001:2013 establishes 114 controls in 14 security domains (Annex A)
• ISO 27002:2013:
  • provides guidance to organizations on implementing controls within an information security management system
  • defines control objectives, controls and implementation guidance under the 14 security domains
• ISO 27018:2014 provides security categories and controls that can be implemented by a public cloud computing service processing personally identifiable information
• Organizations can be certified against ISO 27001:2013; conformance with ISO 27018:2014 is typically assessed within the scope of an ISO 27001 certification

Questions?

Andrew Alleyne Fasken Martineau DuMoulin LLP [email protected]

416.868.3338

[email protected]

Richard Austin Deeth Williams Wall LLP [email protected]

416.941.8210

Ken Silverman IBM Canada Ltd.

[email protected]

905.316.0289