Compliance audits of outsourcing service provider arrangements have become increasingly common over the past few years, especially for service scope affecting public companies’ financial reporting. In 2011, changes will take effect that may cause outsourcing customers to amend their approaches auditing of service provision arrangements.

Over the last 20 years, organisations that outsource functions (“user organisations”) have become comfortable using the AICPA Statement on Auditing Standards No. 70 (“SAS 70”) as a means to audit a service provider’s controls that affect the internal controls of the user organisation. One effect of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) was that companies which publicly traded their securities in the U.S. markets were required to comply with significantly more stringent audit requirements. As a result, reliance by user organisations on SAS 70 reports provided by service providers was of even greater importance and, over the past 8 years, user organisations and service providers worked out reasonable methods of allocating risks associated with internal controls.