Dangerous Liaisons: Drafting Outsourcing Contracts

Internal control policies are undermined when an external contractor ignores the control objectives behind them. Draft an IT outsourcing contract that lets you monitor specific aspects of your service provider's compliance efforts, or risk being found guilty by association.

By Linda L. Briggs

IT outsourcing contracts are often complex documents involving a lot of give-and-take, negotiated over time with a service provider. Crafting the agreement can take months of work and the assistance of specialized attorneys. But experts suggest there are key compliance issues to keep in mind when negotiating an IT outsourcing contract.

1. Mind the devilish details

“The most important thing is to approach this subject with a paring knife rather than a meat cleaver,” according to Debra Alligood White, an attorney with the strategic sourcing and technology group at law firm Milbank, Tweed, Hadley & McCloy. White cautions against falling back on “the alluringly simple contractual requirement that ‘vendor will comply with regulatory requirements that apply to it in its capacity as a service provider.’” That sort of simple statement, she warns, may not offer adequate protection.
Instead, it is vital to verify that the contract explicitly includes compliance language addressing specific requirements, such as SAS 70 reporting.

2. Watch your SAS 70 language

According to Philadelphia attorney Barbara Melby with Morgan, Lewis & Bockius, Sarbanes-Oxley (SOX) has had a significant effect on SAS 70-type reporting. (A SAS 70 audit, conducted under Statement on Auditing Standards No. 70, produces an independent auditor's report on the controls a service organization such as an outsourcing vendor has in place, typically including controls over IT and related processes that affect its clients' financial reporting and data; SAS 70 has since been superseded by SSAE 16, and later SSAE 18, and the corresponding SOC 1 report.) Most outsourcing vendors, particularly bigger vendors at bigger sites, already produce multi-client SAS 70 reports, she says, but from a customer's perspective that is often not enough. In addition, a customer's auditors may require that the company produce specific reports, or pay the outsourcing vendor to produce them on its behalf. Melby specializes in structuring and negotiating outsourcing contracts with a focus on IT and BPO, and she has co-authored a number of books on those topics.

White points out that the SAS 70 audit language included in outsourcing contracts has gradually become much more precise as customers and vendors gain experience with the capabilities and limitations of the audit process and reports. The language now tends to address compliance specifics, although customers should verify this in each contract rather than assume it.

3. Spell out audit rights

According to Nipun Sehgal, CEO of Enlighta, customers negotiating outsourcing contracts should retain the ability to audit "not only the operations, but also the effectiveness of internal controls of key service providers." Enlighta provides outsourcing management solutions to companies and service providers globally.

Also, Sehgal says, the contract should specify the right to audit the effectiveness of the service provider's security over systems, locations, and data. "These should be supported by a well-defined process that allows tracking of gaps or defects," he suggests, "and implementation of corrective action within a reasonable time." White also recommends retaining extensive audit rights over the service provider. While the contract can specify reasonable limits on frequency, duration, cost, and intrusiveness, it shouldn't erect artificial barriers that hinder the customer's ability to determine whether the service provider is complying with the agreement.

“The one area that is understandably sacrosanct is vendor's costs,” White says, which the service provider generally balks at providing.

4. Specify event notification

Sehgal also advises that an outsourcing contract should require the service provider to divulge any significant event that may affect the company's financial performance or reporting. "Too often," he says, "the services provider is not contractually required to notify the client in a specified [timeframe], and when the client is informed, the damage is greater than it could have been."

Finally, Sehgal says, the contract should explicitly state that the provider is bound not only by the requirements of current law and regulation, but also by changes in law or regulation that occur during the life of the contract.

During negotiations, keep in mind that the biggest challenge for large service providers, Sehgal says, is labor attrition and the resulting large-scale infusion of new recruits. "With this constant churning of people," he says, it is difficult or impossible for the vendor to maintain tight control over compliance-related operational processes and security. He recommends choosing a service provider that uses tools to automate change-control and governance processes, to capture who has access to which client information or applications and for how long, and to proactively maintain breach logs that are visible to clients. "Transparency is a critical requirement," Sehgal says, "that must be supported by processes and tools."

5. Retain responsibility

Because SOX compliance can’t legally be outsourced—the customer retains ultimate legal responsibility for compliance—Melby says most companies choose to retain ultimate control, although the vendor still needs to participate. “At the end of the day,” she says, “the customer is on the hook from a liability and a risk perspective,” although customers can and do outsource such compliance elements as testing and documentation requirements.

“Only the mechanics of compliance can be shifted,” White confirms. With financial controls compliance issues, you can retain some oversight function through your internal audit staff, in combination with your external auditors, she says.

Melby says she often involves the customer’s outside auditor toward the end of the negotiations, as they’re determining who’s responsible for what and the different points of handover. That helps ensure that the outside auditor will certify for SOX compliance based on documentation from both the customer and the service provider, and it helps to “make sure they’re comfortable with the allocation of responsibilities, [since] they’re going to have to certify that too.”

About the Author

Linda Briggs is the founding editor of Microsoft Certified Professional Magazine and a former senior editorial director at 101communications. Based in San Diego, she writes about technology in corporate, education, and government markets. You can contact her about this and other articles at lbriggs(at)lindabriggs.com.


This article originally appeared at itcinstitute.com. Copyright 2008, 1105 Media Inc. Used by permission.