Microsoft Supplier Compliance Attestation (SSPA)

Australian businesses are navigating complex data security and privacy requirements, sometimes in multiple jurisdictions.

To truly protect consumer data and comply with complex regulations, companies doing business with Microsoft need to ensure they comply with Microsoft’s mandated (and recently updated since Europe’s GDPR requirements) Supplier Security and Privacy Assurance (SSPA) framework, involving an annual independent compliance assessment.

Add to that the need for Australian businesses to report data breaches, legislated under the Australian Privacy Act 1988 – businesses can receive hefty fines from our corporate and international regulators if their data protection is not up to standard. Now more than ever, businesses dealing with sensitive, personal or confidential information need to be completely confident of their data handling practices and processes.

Is your data handling Microsoft compliant?

When you first engage a third party assessor, you’ll need to answer these questions:

• Is the data that you hold personal, confidential or both?
• How many locations in your organisation do you possess Microsoft personal or confidential data?
• What is the average number of processes per location associated with Microsoft personal or confidential data?
• Do you have an ISO27001 or SOC2 report covering the locations and departments handling the Microsoft data you hold?
• What is your deadline for the assessment?

Choosing an assessor: The Grant Thornton advantage

If you are a Microsoft supplier, you must adhere to Microsoft’s SSPA requirements and submit a letter from an approved independent assessor within 90 days of the contract being signed, and then annually thereafter. Approved assessors are either a member in good standing with the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC), and qualified to conduct a Generally Accepted Privacy Principles (GAPP) assessment. Grant Thornton is one of a select few firms approved by Microsoft to conduct SSPA assessments globally.

We understand that complying with Microsoft’s SSPA program is not a one-size-fits-all approach. Grant Thornton has the qualifications, capability and experience to conduct tailored attestations specific to your business needs, to confirm compliance with Microsoft SSPA. Work with us to ensure your business has the peace of mind that your data handling practices are aligned with one of the world’s largest IT providers and that you can continue providing products and services to Microsoft.