...

Effective contract monitoring requires a process or methodology that defines the approach to take based on the risk of the contract or engagement. Activities should be more stringent, and closer to the high end of the spectrum, as risk increases or when exceptional situations warrant them. Institutional policy may refer to instances in which the sharing of sensitive data will result in a significant risk. Again, "significant" can mean a number of things but ultimately depends on the institution's risk management practices and risk tolerance (i.e., what is acceptable risk). Only in cases of very high risk, or when exceptional situations warrant it, should contract monitoring include a requirement to perform a site audit, or a requirement for the results of a Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70) audit or of an audit performed by an independent auditor.

...