1 © 2001 deloitte & touche. this presentation contains proprietary information and materials...
TRANSCRIPT
1
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Outsourcing orThird Party Service
Management
Karen [email protected]
Deloitte & Touche Enterprise Risk Services
October 25, 2001Presentation to ISACA
2
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Agenda
Introduction
Areas of risk to consider before outsourcing
The outsourcing project
Managing the relationship
Audit considerations
Why do outsourcing arrangements often fail?
Conclusions
3
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Introduction
A HIGH LEVEL DEFINITION OF OUTSOURCING:
When the management of a company decides for
strategic, economic, technological or other reasons to
cease managing a business function itself and to
delegate the responsibility to a third party.
“Outsourcing” generally associated with IT management,
but it could be any service
“Third Party Service Management” is a more accurate
description
4
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Dominant Type of Outsourcing
0
20
40
60
80
%
ICT BPO
ICT- BPO Split by Total Market Value
Source - www.cw360.com/outsourcing report
Information and Communications Technology (ICT)
Business Process Outsourcing (BPO)
5
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Who are the big suppliers?
FTSE 100 Top Six Suppliers Total Market Values ICT and BPO
0100020003000400050006000
£m
BPO
ICT
Source - www.cw360.com/outsourcing report
6
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Who are the big purchasers?
Source - www.cw360.com/outsourcing report
Distribution by Market Sector (BPO and ICT)
Banks
Aerospace & Defence
Telecommunications Services
Oil & Gas
Food & Drug Retailers
Pharmaceuticals
Life Assurance
Electricity
Beverages
Insurance
Water
Transport
Chemicals
Others
7
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Areas of risk to consider before outsourcing
The Business Case
Human Resources Risks
Legal Risks
Avoiding Disaster before you start
8
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
The Business Case - why outsource?
Business Re-engineering
Cost Reduction
Access to new skills and technology
Delegation of “difficult” functions
Optimal use of scarce management resources
A sound business case is very important to the future success of the arrangement Management must understand why they want to
outsource and what the consequences will be
9
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Common Pros and Cons of Outsourcing
Pros:
increased focus on strategic issues and core competencies
improved use of management resources
predictable, reduced (?) and controllable costs
access to improved services because of supplier size and functional focus
access to improved technology and staff resources
10
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Common Pros and Cons of Outsourcing
Cons:
loss of control/influence coupled with increased management time re disputes
poorer service quality
higher than expected costs
poorer relationships with staff and customers
lack of integration with corporate infrastructure and culture
loss of skills
11
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Human Resources Risks
What are the current and future staffing numbers and skills?
What concerns will existing staff have? - Communication is important.
Who will carry out the function after outsourcing?
Staff currently employed by the contractor; or
Staff currently employed by the company.
Will the contract be subject to the 1981 Transfer of Undertakings Regulations (TUPE)?
The contract must include appropriate warranties and indemnities in relation to the parties liability for the transferred staff.
Management and the third party must be aware of the potential cost.
12
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Legal Risks
Confidentiality agreements
Structure of contracts and schedules
Financial considerations (e.g. flexibility, VAT issues)
Property & Assets
Defining respective responsibilities
Exit plan - expiry and termination
Regulatory requirements (e.g. FSA)
Legal requirements (e.g. Data Protection Act)
13
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Avoiding disaster before you start
Companies need to be prepared to do plenty of pre-work
Technically - know and understand existing processes and what services the third party is expected to provide
Commercially - know and understand your cost base and the understand the pricing model proposed by the service provider
Legally - be prepared to negotiate the finer details of the deal
14
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
The Outsourcing Project
The outsourcing project is subject to the same risks as any other major project
Failure to deliver and cost overruns could arise from a number of directions, including:
lack of commitment from senior staff
failure to engage all parts of the business in the process
poor project governance
lack of detailed plans
failure to monitor and manage adequately
15
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Proposed Methodology for Outsourcing
Phase 0Initiate
Phase 1Assess
Phase 2Plan
Phase 3Contract
Phase 4Transition
Phase 5Manage &
Review
USER ORGANISATION Transition of CONTRACTOR Responsibility
KeyDocuments
FeasibilityStudy
ServiceDefinition
ServiceLevelAgreement
TransitionPlan
ReviewProcedures
Source: Oracle Corporation
16
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
The Outsourcing Project
Ensure that there is full commitment at the most senior level
Appoint the appropriate Project Manager
Devise and agree the project methodology that is going to be applied
Draft the project plan
Implement the assessment study
Report findings / proposal for specific projects
Select and plan specific projects
Migration of control
17
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Managing the Relationship
The SLA is the key to success in the ongoing relationship
It should be considered as a “living document”, to be changed when supplier or customer circumstances change
The SLA should clarify the expectations of both sides but should not be overly prescriptive or used as something to wave at the other party
Possible Service Level parameters:
Availability
System specific metrics (engineer response times, mean time between failures etc.)
Turnaround or delivery times
Levels of customer satisfaction
Minimum security standards
18
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Suggested structure of an SLA
There is no standard format - the SLA should be tailored to the particular circumstances of the arrangements to be made. A suggested structure could be:
Introduction
Service Definition and Responsibilities
Service Expectations and Future Targets
Reporting arrangements
Customer Responsibilities
Procedures for Customer / Service Provider Liaison
Cost of services
Exit arrangements
Appendices - Services and Service Levels / Definitions
19
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Why SLAs fail
Document not sufficiently business oriented
Document too brief
Document too detailed
Lack of commitment to the outsourcing process, which may include:
resources
finance
monitoring tools
support tools
management
control
20
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Customer/Supplier versus Partnership
Research from Compass suggests that while less than 5% of outsourcing contracts are taken back in house, another 50% of contracts fail to deliver initial expectations.
Average length of a contract is between 5 and 10 years - this is a long term business commitment!
Choosing the right partner is essential - look for cultural and business fit before you start
Outsourcing does not involve a shift of power from the organisation to the outsourcer - management is still responsible for the outsourced functions and assets More than 80% of contracts fail because of poor governance Governance resource costs should be around 5 - 10 % of the total
contract value (source: Compass) A balance must be created between micromanagement and
abdication of responsibility
The arrangement must be beneficial to BOTH parties - in general, low costs will mean reduced service
21
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Audit considerations
Statement of auditing standard, SAS 480 “Service Organisations” states:
“Auditors should identify whether a reporting entity uses service organisations and assess the effect of any such use on the procedures necessary to obtain sufficient appropriate audit evidence to determine with reasonable assurance whether the user entity’s financial statements are free of material misstatement (SAS 480.1)”
22
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Audit considerations
On obtaining audit evidence, the standard is clear:
“Based on their understanding of the aspects of the user entity’s accounting system and control environment relating to relevant activities, user entity auditors should:
a) assess whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and if not,
b) determine effective procedures to obtain evidence necessary for the audit, either by direct access to records kept by service organisations or through information obtained from the service organisations or their auditors. (SAS 480.6)”
23
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Audit considerations
Percentage of operations outsourced
Core
Outsourced
Internal and external auditors cannot ignore the outsourced operations when providing assurances to management and shareholders
24
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Auditing considerations
Effectively, auditors have 3 alternatives:
1) Rely on a Service Auditor’s report from the outsourcer;
2) Carry out audit procedures directly with the outsourcer as if the processes were still in-house; or
3) Consider whether evidence from the user entity, together with independent confirmations from the service organisation, amount to sufficient evidence. Not always feasible if the evidence is not independent, e.g. where
the service organisation can initiate transactions on the user entity’s behalf without prior agreement or approval.
If the external auditors cannot obtain adequate evidence, they must qualify or issue a disclaimer of the audit opinion on the basis of scope limitation (SAS 480.8)
25
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
Service Auditor’s reports
Reports carried out by the service organisation’s auditors which can be provided to the auditors of customers;
Subject to separate terms of engagement from the external audit opinion (if carried out by the external auditors);
Must be independent;
Customers’ external auditors must verify that the scope of the audit is sufficient and appropriate for its intended use (SAS 480.7).
There are 2 standards in place which define the work to be carried out: SAS 70 (a US standard); and FIT 1/94 (an ICAEW standard).
Both standards cover IT audit work only, but provide a good benchmark for the extent of work and the opinion required.
26
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
What are the most common reasons for Outsourcing arrangements to fail?
Unrealistic or politically motivated business case
Inadequate matching of requirements against supplier capabilities
Poor management and governance
Personnel motivational issues
Inadequately drafted service level agreement(s)
Lack of partnership / trust in relationship
27
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.
High Level Conclusions
Remember that the reason for outsourcing is to benefit the Business
Look forward, not backwards - retrospection is negative
The supplier has to make a profit a partnership works, a basic commercial
arrangement doesn’t
The outsourcing arrangement is “living” and must be constantly reviewed and refined
An outsourcing arrangement makes little or no difference to the auditors’ responsibility
28
© 2001 Deloitte & Touche. This presentation contains proprietary information and materials which are the property of Deloitte & Touche. All rights reserved.