Assuring Compliance in IT Subcontracting and Cloud Computing

Companies and their business processes are subject to many regulations. Today's business processes are widely supported by IT systems. Therefore these systems play an important role in assuring compliance. The need to assure compliance can influence IT outsourcing decisions. We summarize some frameworks that give recommendations on assuring compliance of outsourced activities. For a service provider with many globally acting customers similar audit activities of many auditors would be time-consuming and expensive. To avoid these costs, the American Institute of Certified Public Accountants (AICPA) suggested that an auditor may provide a SAS 70 Audit Report Type II which confirms the existence and effectiveness of internal controls. Recently, the AICPA replaced the SAS 70 with the attestation standard SSAE 16. Based on frameworks and guidelines we discuss compliance issues in special cases of outsourcing relationships such as Subcontracting and Cloud Computing.