The outsourcing of IT services to external service providers (e.g. IT outsourcing, BPO outsourcing and ASP) has become an everyday occurrence for a large number of companies. The provisions of the Sarbanes-Oxley Act of 2002 (“SOX”) have had direct implications for the drafting of IT agreements. For German companies that are listed on a US stock exchange, the IT service providers they use must demonstrate their compliance with SOX requirements by means of appropriate certification.
It is therefore recommended that the principal impose a contractual obligation on the external IT service provider to comply with SOX requirements when providing its services. To prove such compliance, the IT service provider may rely on the US auditing standard “Statement on Auditing Standards No. 70: Service Organizations” (“SAS 70”) of the American Institute of Certified Public Accountants (AICPA), which was developed with IT outsourcing arrangements in mind, and appoint an independent auditor to certify, in accordance with SAS 70, that effective internal controls exist within its company. The auditor then issues an “SAS 70 Report Type II” for the IT service provider. This SAS 70 Report Type II describes the effectiveness of the company's control procedures, and only this type of report adequately supports the assessment of internal controls that Section 404 of SOX requires of the principal.
The new SSAE 16 & ISAE 3402 Standards
After SAS 70 had served its purpose for almost twenty years, the AICPA recognised the need to review it both within the USA and internationally, and in April 2010 published the “Statement on Standards for Attestation Engagements (SSAE) No. 16: Reporting on Controls at a Service Organization” (“SSAE 16”), which completely replaced the old SAS 70 Standard. To promote the internationalisation of this previously US-centric but globally applied Standard, the AICPA at the same time published an entirely new international version, the “International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization” (“ISAE 3402”).
From the viewpoint of companies that wish to implement large, business-critical IT outsourcing schemes, it is currently still recommended that they work with an IT service provider that holds an appropriate SAS 70 Report Type II certification. For reports relating to periods ending on 15 July 2011 or later, the clause in existing agreements requiring evidence of certification under SAS 70 should be updated, and all new contracts should require the appropriate certification under the new Standards.
Peter Huppertz, LL.M.
Specialist Lawyer for Information Technology Law (Fachanwalt für Informationstechnologierecht)
Hoffmann Liebs Fritsch & Partner
Kaiserswerther Straße 119
Telephone: +49 (0) 211 51882 – 197
Fax: +49 (0) 211 51882 – 220