Welcome!
Control Over External and Internal Outsourcing
ISACA London Chapter Meeting, London
November 28th 2002
Charles Mansour, CISA
©Charles Mansour 2002
Objectives
• To look at the control issues surrounding outsourcing
  – From an auditing and control point of view
  – From an audit planning perspective
• From the point of view of the outsourcer
Presentation Outline
• Life Cycle of an Outsource Deal
• Key Risks
• Initial Stages
• Contract Items
• Touch Points
• Audit Planning Issues
• Internal Outsourcing

Terminology used throughout:
– TPSP = ‘Third Party Service Provider’
– ‘Outsourcing Organisation’ = the company using the services of the TPSP
What is Outsourcing (or Privatisation in Government)?
Many definitions:
• Work done for a company by people other than the company's full-time employees.
• The practice of contracting job responsibilities or project work out to professionals who can focus on the work and get it done quickly, efficiently and accurately.
• An arrangement in which one company provides services for another company that could also be, or usually have been, provided in-house.
• A trend that is becoming more common in information technology and other industries for services that have usually been regarded as intrinsic to managing a business. In some cases the entire information management of a company is outsourced, including planning and business analysis as well as the installation, management and servicing of the network and workstations.
Outsourcing can range from the large contract in which a company like IBM manages IT services for a company like Xerox, down to the practice of hiring contractors and temporary office workers on an individual basis.
Impact of Outsourcing on Control
[Chart: vertical axis ‘Degree of “hands on” control over business activities’ (High to Low); horizontal axis ‘Amount of activity outsourced’ (Low to High)]
Scope of an IT Outsource / Privatisation Deal
… to Everything!
Life Cycle of an Outsource Deal
• Advance notification to regulator (if a UK bank and the outsource is ‘material’)
• Initial agreement
• Due diligence
• Negotiation
• Risk assessment
• Formal agreement
• Implementation
• Operation and maintenance (including governance)
• Termination
Key Risks
• Dogmatic approach to outsourcing blinds senior management to weaknesses
• Projected savings not achieved
• Excessive focus on cost containment blurs control issues (both TPSP and outsourcing organisation)
• Poor communication between TPSP and outsourcing organisation
  – ‘We thought they were doing that’
• Process ownership and responsibilities not clear
• Outsourcing organisation / TPSP issues not addressed in development / change
• Unauthorised access to data / systems
Initial Stages
• It’s going well if…
  – Audit gets involved early (preferably during due diligence)
  – There’s a meaningful risk assessment
  – The business appreciates the ‘new’ risks inherent in outsourcing
  – Controls are designed to address significant risks
  – There’s a distinct ‘project’ feel rather than a series of loosely connected initiatives
  – Process ownership is aggressively sought within the outsourcing company
Contract Items
– RIGHT OF AUDIT! (external and internal) written into the contract / agreement.
– TPSP systems examination issues are covered in the contract.
– Access to systems / documentation specified in the contract.
– Use of CAATs (Computer Assisted Audit Techniques) by auditors.
– Access to TPSP internal audit reports.
– Confidentiality.
– Financial / data reconciliation: who is responsible for what.
Contract Items (continued)
– Fixing problems
– Guarantees regarding system recovery / business resumption
– Detailed requirements as attachments to the contract
Touch Points
• Interfaces
  – Control of data passed to / received from the TPSP
• Business resumption
• Day to day control over operations
  – Data
  – Financial operations
• Security of data / processes
  – Especially when the TPSP holds the main data sets
• Supervisory / quality controls
Control of data passed to / Received from TPSP
• Interfaces
• Day to day control over operations
  – Data
    • Usually transmitted in a batch run
    • Comms links
  – Financial operations
    • Need for a Service Level Agreement
      – What needs to be done, and when files have to be available and balanced
    • G/L accounts can be posted by the TPSP but should be reconciled by the outsourcing organisation
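As an added example (not part of the presentation), here is what the outsourcing organisation's side of that batch interface control can look like in code: the TPSP file carries header and trailer control totals, and the receiving organisation checks those totals and then reconciles every posting against what its own G/L expected before accepting the run. The file layout, account codes, amounts and the expected-postings register are all constructed for illustration and are not any real TPSP's format.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed TPSP batch file; the layout is assumed for this example:
#   H|<run date>|<run id>|<detail record count>|<net control total>
#   D|<account>|<DR or CR>|<amount>
#   T|<detail record count>
TPSP_BATCH = (
    "H|20021128|RUN0042|3|1250.00\n"
    "D|ACC001|CR|500.00\n"
    "D|ACC002|DR|250.00\n"
    "D|ACC003|CR|1000.00\n"
    "T|3\n"
)

# Constructed: the postings the outsourcing organisation's own G/L expects
# for this run, signed (credits positive, debits negative).
EXPECTED_POSTINGS = {
    "ACC001": Decimal("500.00"),
    "ACC002": Decimal("-250.00"),
    "ACC003": Decimal("1000.00"),
}


@dataclass
class ReconciliationResult:
    run_id: str
    record_count_ok: bool   # header, trailer and actual detail count agree
    control_total_ok: bool  # header net total equals the sum of detail records
    # account -> (amount we expected, amount received); None = absent on that side
    breaks: dict = field(default_factory=dict)

    @property
    def balanced(self) -> bool:
        return self.record_count_ok and self.control_total_ok and not self.breaks


def signed_amount(dr_cr: str, amount: str) -> Decimal:
    """Credits positive, debits negative; any other indicator is rejected."""
    if dr_cr not in ("DR", "CR"):
        raise ValueError(f"bad DR/CR indicator: {dr_cr!r}")
    value = Decimal(amount)
    return value if dr_cr == "CR" else -value


def parse_batch(text: str) -> dict:
    header = trailer = None
    postings: dict = {}
    detail_count = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if fields[0] == "H":
            header = fields
        elif fields[0] == "D":
            _, account, dr_cr, amount = fields
            # An account may appear in several records; net them.
            postings[account] = postings.get(account, Decimal("0")) + signed_amount(dr_cr, amount)
            detail_count += 1
        elif fields[0] == "T":
            trailer = fields
        else:
            raise ValueError(f"unknown record type: {fields[0]!r}")
    if header is None or trailer is None:
        raise ValueError("batch file is missing its header or trailer")
    return {"header": header, "trailer": trailer, "postings": postings, "detail_count": detail_count}


def reconcile(batch_text: str, expected: dict) -> ReconciliationResult:
    """Check the TPSP's own control totals, then reconcile account by account."""
    batch = parse_batch(batch_text)
    header, trailer = batch["header"], batch["trailer"]
    received = batch["postings"]

    record_count_ok = int(header[3]) == int(trailer[1]) == batch["detail_count"]
    control_total_ok = sum(received.values(), Decimal("0")) == Decimal(header[4])

    breaks = {}
    for account in sorted(set(expected) | set(received)):
        ours, theirs = expected.get(account), received.get(account)
        if ours != theirs:
            breaks[account] = (ours, theirs)
    return ReconciliationResult(header[2], record_count_ok, control_total_ok, breaks)


if __name__ == "__main__":
    result = reconcile(TPSP_BATCH, EXPECTED_POSTINGS)
    print("balanced" if result.balanced else f"breaks: {result.breaks}")
```

The two checks are deliberately separate: a control total that matches its own detail records tells you the file arrived intact, but only the account-by-account comparison against the outsourcing organisation's own expected postings tells you the TPSP posted what it was authorised to post. A run with any break is held, not posted, until the responsible party (agreed in the contract) has explained it.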
Business Resumption
• Business resumption if the TPSP needs to recover
  – What priority do you have for recovery?
  – Business and audit attend DR / business resumption tests
  – Need to co-ordinate your side with the TPSP’s test
• Business resumption if the TPSP goes out of business
  – Copies of data files / program files in escrow
    • Refreshed regularly
  – Alternative site
Day to day control over operations
• Data
  – Are all interfaces identified?
  – Responsibility for correcting errors
• Financial operations
  – How are errors / imbalances treated and corrected?
  – Responsibility clearly identified
• Testing of data controls / reconciliations prior to implementation
  – Both outsourcing organisation and TPSP
• Ensure that all changes incorporate data integrity / reconciliation control aspects
Security of Data and Processes
• Especially when the TPSP holds the main data sets and programs
• Segregation from other clients’ programs / data
• Change control
  – What does the outsourcing organisation have to approve?
• Journals / console logs
  – Has the outsourcing organisation stipulated what events it wants journalled?
  – Important parameter changes such as interest rates
    – How often reviewed?
    – Who by?
    – What for?
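An added example (not from the presentation) of the journal review the slide asks for. A constructed journal extract, in an assumed line format, is scanned for changes to parameters the outsourcing organisation has stipulated as controlled (interest rates here). Each change is checked against the organisation's own register of approved change references, for reuse of a reference, and for changes made outside business hours. The format, parameter names, user IDs, change references and business-hours window are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed journal extract; the line format is assumed for this example:
#   <timestamp>|<event type>|key=value|key=value|...
JOURNAL = (
    "2002-11-25 09:14:02|PARAM_CHANGE|user=tpsp.ops1|key=SAVINGS_RATE|old=3.25|new=3.50|approval=CHG-1042\n"
    "2002-11-26 17:40:11|PARAM_CHANGE|user=tpsp.ops2|key=OVERDRAFT_RATE|old=14.90|new=15.90|approval=\n"
    "2002-11-26 18:02:30|LOGON|user=tpsp.ops2\n"
    "2002-11-27 02:15:00|PARAM_CHANGE|user=tpsp.batch|key=SAVINGS_RATE|old=3.50|new=3.75|approval=CHG-1042\n"
    "2002-11-27 10:00:00|PARAM_CHANGE|user=tpsp.ops1|key=BANNER_TEXT|old=Welcome|new=Hello|approval=\n"
)

# Constructed: parameters the outsourcing organisation has stipulated may only
# be changed against one of its own approved change references.
CONTROLLED_PARAMETERS = {"SAVINGS_RATE", "OVERDRAFT_RATE"}
# Constructed: change references the outsourcing organisation has issued,
# each authorising exactly one change of the named parameter.
APPROVED_CHANGES = {"CHG-1042": "SAVINGS_RATE"}
# Assumed window; a rate change outside it is unexpected and gets flagged.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_journal(text: str) -> list:
    """Turn each journal line into a dict of its fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        event = {"ts": datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), "type": fields[1]}
        for kv in fields[2:]:
            key, _, value = kv.partition("=")
            event[key] = value
        events.append(event)
    return events


def review_parameter_changes(journal_text, controlled, approved, business_hours=BUSINESS_HOURS):
    """Return (timestamp, parameter, reason) for every controlled change that fails a check."""
    findings = []
    used_refs = set()
    for ev in parse_journal(journal_text):
        if ev["type"] != "PARAM_CHANGE" or ev.get("key") not in controlled:
            continue
        when = ev["ts"].strftime("%Y-%m-%d %H:%M")
        ref = ev.get("approval", "")
        if not ref:
            findings.append((when, ev["key"], "no approval reference"))
        elif approved.get(ref) != ev["key"]:
            findings.append((when, ev["key"], f"approval {ref} not issued for this parameter"))
        elif ref in used_refs:
            # A reference authorises one change; a second change under it is unapproved.
            findings.append((when, ev["key"], f"approval {ref} already used"))
        else:
            used_refs.add(ref)
        if not (business_hours[0] <= ev["ts"].time() <= business_hours[1]):
            findings.append((when, ev["key"], "changed outside business hours"))
    return findings


if __name__ == "__main__":
    for when, key, reason in review_parameter_changes(JOURNAL, CONTROLLED_PARAMETERS, APPROVED_CHANGES):
        print(when, key, reason)
```

The point of keeping the approved-change register on the outsourcing organisation's side is that the TPSP cannot make its own journal look approved; the review compares what the TPSP's systems recorded against what the client actually authorised. Which events must be journalled, and in what format, is something to stipulate in the contract, otherwise a review like this has nothing reliable to read.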
Supervisory / Quality Controls
• Checks by the TPSP
  – Risk based
  – Periodic review by the outsourcing organisation
• Checks by the outsourcing organisation
  – Quality checking team
External Outsourcing - Planning
• Problem: the operation is away from your firm’s direct control, but you still have to comment on internal controls
  – over the business operation that you have outsourced
  – over the outsourcing arrangements themselves
• Options
  – Audit using own resources
  – Audit with joint outsourcing organisation / TPSP audit teams
  – Place reliance on the TPSP’s auditors
• Audit forum
  – Outsourcing organisations set the scope for the annual audit plan
• Service audits
  – External audit firms provide assurance about TPSP operations
Ownership and Responsibilities
• Who is responsible for outsourced operations?
• Who in the outsourcing organisation can understand and accept business risks?
  – Especially IT risks
• If only IT functions have been outsourced
  – Who is responsible for running the relationship with the TPSP?
  – Is there anyone left in the outsourcing organisation’s IT area to advise?
IT Governance
• The same considerations apply
  – Does IT support the strategic direction of the organisation?
• Management information must be supplied to the outsourcing organisation’s senior management
  – Key Goal Indicators
  – Key Performance Indicators
  – Balanced Scorecard
• Not only over operations but also over the outsource arrangement itself
Internal Outsourcing
• Usually in large companies / groups
• An internal company and profit centre
• Business units become clients
• Main issues
  – Process ownership
    • It may appear convenient to make the internal outsource company the process owner (especially for IT related processes)
    • Process ownership should always be within the business area
  – Control
  – Risk management
  – Communication and account management
Other Issues
• Personnel issues
  – TUPE rights (Transfer of Undertakings (Protection of Employment) Regulations)
  – Regulatory issues
Sources of Information
• COBIT
  – Section DS2: Manage Third Party Resources
• K-Net
  – http://www.isaca.org/@member/auditprograms.htm
• http://www.firmbuilder.com
  – 140 page report "Best Practices for Managing the Outsourcing Relationship", on offer if you register
• FSA Prudential Guidebook (400+ pages)
  – http://www.fsa.gov.uk/pubs/cp/cp97a.pdf
Reprise
• We’ve looked at
  – Life Cycle of an Outsource Deal
  – Key Risks
  – Initial Stages
  – Contract Items
  – Touch Points
  – Audit Planning Issues
  – Internal Outsourcing
Conclusions
• Exercising the pre-outsource level of control over an outsourced operation will always be more costly: is the alternative risk acceptance?
• Control costs need to be taken on board as an additional cost at the outset; most aren’t
• Process ownership and responsibilities in the outsourcing organisation need to be clearly and unambiguously allocated
• Cut through the euphoria and take a reality check
Questions?