© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.

Outsourcing or Third Party Service Management

Karen Sharpe [email protected]

Deloitte & Touche Enterprise Risk Services

October 25, 2001

Presentation to ISACA


Agenda

Introduction

Areas of risk to consider before outsourcing

The outsourcing project

Managing the relationship

Audit considerations

Why do outsourcing arrangements often fail?

Conclusions


Introduction

A HIGH LEVEL DEFINITION OF OUTSOURCING:

When the management of a company decides for strategic, economic, technological or other reasons to cease managing a business function itself and to delegate the responsibility to a third party.

“Outsourcing” generally associated with IT management, but it could be any service

“Third Party Service Management” is a more accurate description


Dominant Type of Outsourcing

[Chart: ICT - BPO Split by Total Market Value (%), comparing ICT and BPO]

Source - www.cw360.com/outsourcing report

Information and Communications Technology (ICT)

Business Process Outsourcing (BPO)


Who are the big suppliers?

[Chart: FTSE 100 Top Six Suppliers, Total Market Values (£m), ICT and BPO]

Source - www.cw360.com/outsourcing report


Who are the big purchasers?

Source - www.cw360.com/outsourcing report

[Chart: Distribution by Market Sector (BPO and ICT). Sectors shown: Banks; Aerospace & Defence; Telecommunications Services; Oil & Gas; Food & Drug Retailers; Pharmaceuticals; Life Assurance; Electricity; Beverages; Insurance; Water; Transport; Chemicals; Others]


Areas of risk to consider before outsourcing

The Business Case

Human Resources Risks

Legal Risks

Avoiding Disaster before you start


The Business Case - why outsource?

Business Re-engineering

Cost Reduction

Access to new skills and technology

Delegation of “difficult” functions

Optimal use of scarce management resources

A sound business case is very important to the future success of the arrangement

Management must understand why they want to outsource and what the consequences will be


Common Pros and Cons of Outsourcing

Pros:

increased focus on strategic issues and core competencies

improved use of management resources

predictable, reduced (?) and controllable costs

access to improved services because of supplier size and functional focus

access to improved technology and staff resources


Common Pros and Cons of Outsourcing

Cons:

loss of control/influence coupled with increased management time re disputes

poorer service quality

higher than expected costs

poorer relationships with staff and customers

lack of integration with corporate infrastructure and culture

loss of skills


Human Resources Risks

What are the current and future staffing numbers and skills?

What concerns will existing staff have? - Communication is important.

Who will carry out the function after outsourcing?

Staff currently employed by the contractor; or

Staff currently employed by the company.

Will the contract be subject to the 1981 Transfer of Undertakings Regulations (TUPE)?

The contract must include appropriate warranties and indemnities in relation to the parties' liability for the transferred staff.

Management and the third party must be aware of the potential cost.


Legal Risks

Confidentiality agreements

Structure of contracts and schedules

Financial considerations (e.g. flexibility, VAT issues)

Property & Assets

Defining respective responsibilities

Exit plan - expiry and termination

Regulatory requirements (e.g. FSA)

Legal requirements (e.g. Data Protection Act)


Avoiding disaster before you start

Companies need to be prepared to do plenty of pre-work

Technically - know and understand existing processes and what services the third party is expected to provide

Commercially - know and understand your cost base and understand the pricing model proposed by the service provider

Legally - be prepared to negotiate the finer details of the deal


The Outsourcing Project

The outsourcing project is subject to the same risks as any other major project

Failure to deliver and cost overruns could arise from a number of directions, including:

lack of commitment from senior staff

failure to engage all parts of the business in the process

poor project governance

lack of detailed plans

failure to monitor and manage adequately


Proposed Methodology for Outsourcing

Phase 0 - Initiate

Phase 1 - Assess

Phase 2 - Plan

Phase 3 - Contract

Phase 4 - Transition

Phase 5 - Manage & Review

USER ORGANISATION - Transition of Responsibility - CONTRACTOR

Key Documents:

Feasibility Study

Service Definition

Service Level Agreement

Transition Plan

Review Procedures

Source: Oracle Corporation


The Outsourcing Project

Ensure that there is full commitment at the most senior level

Appoint the appropriate Project Manager

Devise and agree the project methodology that is going to be applied

Draft the project plan

Implement the assessment study

Report findings / proposal for specific projects

Select and plan specific projects

Migration of control


Managing the Relationship

The SLA is the key to success in the ongoing relationship

It should be considered as a “living document”, to be changed when supplier or customer circumstances change

The SLA should clarify the expectations of both sides but should not be overly prescriptive or used as something to wave at the other party

Possible Service Level parameters:

Availability

System specific metrics (engineer response times, mean time between failures etc.)

Turnaround or delivery times

Levels of customer satisfaction

Minimum security standards


Suggested structure of an SLA

There is no standard format - the SLA should be tailored to the particular circumstances of the arrangements to be made. A suggested structure could be:

Introduction

Service Definition and Responsibilities

Service Expectations and Future Targets

Reporting arrangements

Customer Responsibilities

Procedures for Customer / Service Provider Liaison

Cost of services

Exit arrangements

Appendices - Services and Service Levels / Definitions


Why SLAs fail

Document not sufficiently business oriented

Document too brief

Document too detailed

Lack of commitment to the outsourcing process, which may include:

resources

finance

monitoring tools

support tools

management

control


Customer/Supplier versus Partnership

Research from Compass suggests that while less than 5% of outsourcing contracts are taken back in house, another 50% of contracts fail to deliver initial expectations.

Average length of a contract is between 5 and 10 years - this is a long term business commitment!

Choosing the right partner is essential - look for cultural and business fit before you start

Outsourcing does not involve a shift of power from the organisation to the outsourcer - management is still responsible for the outsourced functions and assets

More than 80% of contracts fail because of poor governance

Governance resource costs should be around 5 - 10 % of the total contract value (source: Compass)

A balance must be created between micromanagement and abdication of responsibility

The arrangement must be beneficial to BOTH parties - in general, low costs will mean reduced service


Audit considerations

Statement of auditing standard, SAS 480 “Service Organisations” states:

“Auditors should identify whether a reporting entity uses service organisations and assess the effect of any such use on the procedures necessary to obtain sufficient appropriate audit evidence to determine with reasonable assurance whether the user entity’s financial statements are free of material misstatement (SAS 480.1)”


Audit considerations

On obtaining audit evidence, the standard is clear:

“Based on their understanding of the aspects of the user entity’s accounting system and control environment relating to relevant activities, user entity auditors should:

a) assess whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and if not,

b) determine effective procedures to obtain evidence necessary for the audit, either by direct access to records kept by service organisations or through information obtained from the service organisations or their auditors. (SAS 480.6)”


Audit considerations

[Chart: Percentage of operations outsourced (Core vs Outsourced)]

Internal and external auditors cannot ignore the outsourced operations when providing assurances to management and shareholders


Auditing considerations

Effectively, auditors have 3 alternatives:

1) Rely on a Service Auditor’s report from the outsourcer;

2) Carry out audit procedures directly with the outsourcer as if the processes were still in-house; or

3) Consider whether evidence from the user entity, together with independent confirmations from the service organisation, amounts to sufficient evidence. Not always feasible if the evidence is not independent, e.g. where the service organisation can initiate transactions on the user entity’s behalf without prior agreement or approval.

If the external auditors cannot obtain adequate evidence, they must qualify or issue a disclaimer of the audit opinion on the basis of scope limitation (SAS 480.8)


Service Auditor’s reports

Reports carried out by the service organisation’s auditors which can be provided to the auditors of customers;

Subject to separate terms of engagement from the external audit opinion (if carried out by the external auditors);

Must be independent;

Customers’ external auditors must verify that the scope of the audit is sufficient and appropriate for its intended use (SAS 480.7).

There are 2 standards in place which define the work to be carried out: SAS 70 (a US standard); and FIT 1/94 (an ICAEW standard).

Both standards cover IT audit work only, but provide a good benchmark for the extent of work and the opinion required.


What are the most common reasons for Outsourcing arrangements to fail?

Unrealistic or politically motivated business case

Inadequate matching of requirements against supplier capabilities

Poor management and governance

Personnel motivational issues

Inadequately drafted service level agreement(s)

Lack of partnership / trust in relationship


High Level Conclusions

Remember that the reason for outsourcing is to benefit the Business

Look forward, not backwards - retrospection is negative

The supplier has to make a profit - a partnership works, a basic commercial arrangement doesn’t

The outsourcing arrangement is “living” and must be constantly reviewed and refined

An outsourcing arrangement makes little or no difference to the auditors’ responsibility
