Assuring Compliance in IT Outsourcing Relationships: Frameworks and Selected Applications

Abstract

Companies and their business processes are subject to many regulations. Today’s business processes are widely supported by IT systems. Therefore these systems play an im portant role in assuring compliance. The need to assure compliance can influence IT out sourcing decisions. We summarize some frameworks that give recommendations on assuring compliance of outsourced activities.

For a service provider with many globally acting customers similar audit activities of many auditors would be time-consuming and expensive. To avoid these costs, the American Institute of Certified Public Accountants (AICPA) suggested that an auditor may provide a SAS 70 Audit Report Type II which confirms the existence and effectiveness of internal con trols. Recently, the AICPA replaced the SAS 70 with the attestation standard SSAE 16. Based on frameworks and guidelines we discuss compliance issues in special cases of outsourcing relationships such as Subcontracting and Cloud Computing.