Welcome! Control Over External and Internal Outsourcing ISACA London Chapter Meeting London November 28th 2002 Charles Mansour, CISA ©Charles Mansour 2002

Upload: susan-quinn

Post on 21-Jan-2016

TRANSCRIPT

Page 1: Welcome! Control Over External and Internal Outsourcing ISACA London Chapter Meeting London November 28th 2002 Charles Mansour, CISA ©Charles Mansour 2002

Welcome!

Control Over External and Internal Outsourcing

ISACA London Chapter Meeting, London

November 28th 2002

Charles Mansour, CISA

©Charles Mansour 2002

Page 2

Objectives

• To look at the control issues surrounding outsourcing
– From an auditing and control point of view
– From an audit planning perspective

• From the point of view of the outsourcer


Page 3

Presentation Outline

• Life Cycle of an Outsource Deal
• Key Risks
• Initial Stages
• Contract Items
• Touch Points
• Audit Planning Issues
• Internal Outsourcing

TPSP = ‘Third Party Service Provider’

‘Outsourcing Organisation’ = the company using the services of the TPSP


Page 4

What is Outsourcing (or Privatisation in Government)?

Many definitions:

• Outsourcing: work done for a company by people other than the company's full-time employees.

• Outsourcing is the practice of contracting job responsibilities or project work out to professionals who can focus on the work and get it done quickly, efficiently and accurately.

• Outsourcing is an arrangement in which one company provides services for another company that could also be, or usually have been, provided in-house. Outsourcing is a trend that is becoming more common in information technology and other industries for services that have usually been regarded as intrinsic to managing a business. In some cases, the entire information management of a company is outsourced, including planning and business analysis as well as the installation, management, and servicing of the network and workstations. Outsourcing can range from the large contract in which a company like IBM manages IT services for a company like Xerox to the practice of hiring contractors and temporary office workers on an individual basis.


Page 5

Impact of Outsourcing on Control

[Chart: ‘Degree of Hands-on Control Over Business Activities’ (Low to High) plotted against ‘Amount of Activity Outsourced’ (Low to High)]


Page 6

Scope of an IT Outsource / Privatisation Deal

To Everything!


Page 7

Life Cycle of an Outsource Deal

• Advance Notification to Regulator (if UK Bank and outsource is ‘material’)

• Initial Agreement
• Due Diligence
• Negotiation
• Risk Assessment
• Formal Agreement
• Implementation
• Operation and Maintenance (incl. Governance)
• Terminations


Page 8

Key Risks

• Dogmatic approach to outsourcing blinds senior management to weaknesses

• Projected Savings not Achieved
• Excessive focus on cost containment blurs control issues (both TPSP and outsourcing organisation)
• Poor communication between TPSP and Outsourcing Organisation
– ‘We thought they were doing that’
• Process Ownership and Responsibilities not clear
• Outsourcing organisation / TPSP issues not addressed in development / change
• Unauthorised access to data / systems


Page 9

Initial Stages

• It’s going well if…
– Audit gets involved early (preferably during Due Diligence)
– There’s a meaningful risk assessment
– Business appreciates the ‘new’ risks inherent in outsourcing
– Controls are designed to address significant risks
– There’s a distinct ‘Project’ feel rather than a series of loosely connected initiatives
– Process ownership is aggressively sought within the outsourcing company


Page 10

Contract Items

– RIGHT OF AUDIT! (external and internal) in contract / agreement.

– TPSP systems examination issues are covered in contract.

– Access to systems / documentation specified in contract.

– Use of CAATs by auditors.

– Access to TPSP internal audit reports.

– Confidentiality.

– Financial / Data Reconciliation – responsibilities.


Page 11

Contract Items

– Fixing problems

– Guarantees re system recovery / business resumption

– Detailed requirements as attachments to Contract


Page 12

Touch Points

• Interfaces
– Control of data passed to / received from TPSP
• Business Resumption
• Day to day control over operations
– Data
– Financial operations
• Security of data / processes
– Especially when TPSP holds main data sets
• Supervisory / Quality Controls


Page 13

Control of data passed to / Received from TPSP

• Interfaces
• Day to day control over operations
– Data
  • Usually transmitted in batch run
  • Comms links
– Financial operations
  • Need for a Service Level Agreement
    – What needs to be done and when files have to be available and balanced
  • G/L Accounts can be posted by TPSP but should be reconciled by the outsourcing organisation
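One way the outsourcing organisation can perform the balancing this slide calls for, checking a TPSP batch file's own trailer and then reconciling its G/L postings against the organisation's independent figures. This is an added example, not from the presentation; the pipe-delimited D/T record layout, account numbers and amounts are constructed for illustration.

```python
# Reconciling a TPSP batch file against the organisation's own G/L figures (constructed example; layout and amounts hypothetical).
from collections import defaultdict
from decimal import Decimal
# Constructed overnight batch as the TPSP might transmit it. Layout assumed here:
#   D|<G/L account>|<D or C>|<amount>   and   T|<record count>|<net total>
TPSP_BATCH = """\
D|4100|C|1250.00
D|4100|C|310.50
D|5200|D|980.25
D|6300|D|75.00
T|4|505.25
"""
# Constructed: the organisation's own expected net movement per account, from
# its source systems (credits positive, debits negative).
EXPECTED_BY_ACCOUNT = {"4100": Decimal("1560.50"),
                       "5200": Decimal("-980.25"),
                       "6300": Decimal("-50.00")}

def parse_batch(text):
    """Return (signed detail rows, trailer) from the pipe-delimited file."""
    details, trailer = [], None
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "D":
            amount = Decimal(fields[3])
            details.append((fields[1], amount if fields[2] == "C" else -amount))
        elif fields[0] == "T":
            trailer = (int(fields[1]), Decimal(fields[2]))
    return details, trailer

def reconcile(text, expected):
    """Return exceptions for the reviewer; an empty list means balanced."""
    details, trailer = parse_batch(text)
    if trailer is None:
        return ["file incomplete: trailer record missing"]
    exceptions = []
    count, total = trailer  # 1. integrity: trailer must agree with the detail
    if count != len(details):
        exceptions.append(f"record count {len(details)} != trailer {count}")
    net = sum((amount for _, amount in details), Decimal(0))
    if net != total:
        exceptions.append(f"net total {net} != trailer {total}")
    posted = defaultdict(Decimal)  # 2. balancing: TPSP postings per account
    for account, amount in details:
        posted[account] += amount
    for account in sorted(set(posted) | set(expected)):
        got, want = posted.get(account, Decimal(0)), expected.get(account, Decimal(0))
        if got != want:
            exceptions.append(f"account {account}: TPSP {got} vs expected {want}")
    return exceptions
```

The file here balances to its own trailer but account 6300 disagrees with the organisation's figure, which is exactly the case the slide warns about: a file the TPSP considers complete still has to be reconciled on the outsourcing organisation's side.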


Page 14

Business Resumption

• Business Resumption if TPSP needs to recover
– What priority do you have for recovery
– Business and audit attend D.R. / Business Resumption tests
– Need to co-ordinate your side with the TPSP’s test
• Business Resumption if TPSP goes out of business
– Copies of data files / program files in escrow
  • Refreshed regularly
– Alternative site


Page 15

Day to day control over operations

• Data
– Are all interfaces identified
– Responsibility for correcting errors
• Financial operations
– How are errors / imbalances treated and corrected
– Responsibility clearly identified
• Testing of data controls / reconciliations prior to implementation
– Both outsourcing organisation and TPSP
• Ensure that all changes incorporate data integrity / reconciliation control aspects


Page 16

Security of Data and Processes

• Especially when TPSP holds main data sets and programs
• Segregation from other clients’ programs / data
• Change Control
– What does the outsourcing organisation have to approve?
• Journals / Console Logs
– Has the outsourcing organisation stipulated what events it wants journalling?
• Important parameter changes such as interest rates
– How often reviewed?
– Who by?
– What for?
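A review of stipulated journal events in practice: the outsourcing organisation asks the TPSP to journal every parameter change, then checks each change to a parameter it has declared sensitive (interest rates here) against its own register of approved changes. This is an added example, not from the presentation; the journal format, user ids, parameter names and change references are constructed for illustration.

```python
# Reviewing a TPSP journal extract for the events the outsourcing organisation
# stipulated it wants logged, here parameter changes. Constructed example: the
# log format, user ids and change references are hypothetical.
import re
from datetime import datetime

# Constructed journal lines. Format assumed for this example:
#   <ISO timestamp> PARAM_CHANGE user=<id> param=<name> old=<v> new=<v> ref=<change ref>
JOURNAL = """\
2002-11-27T22:05:11 PARAM_CHANGE user=tpsp_ops1 param=base_rate old=4.00 new=4.25 ref=CHG-0912
2002-11-27T22:07:40 LOGON user=tpsp_ops1
2002-11-27T23:40:02 PARAM_CHANGE user=tpsp_ops2 param=overdraft_rate old=14.5 new=19.5 ref=
2002-11-28T01:15:33 PARAM_CHANGE user=tpsp_ops1 param=batch_window old=22:00 new=23:00 ref=CHG-0913
"""
# Constructed: the organisation's register of changes it approved (ref -> parameter)
# and the parameters it stipulated must not change without its approval.
APPROVED_CHANGES = {"CHG-0912": "base_rate"}
SENSITIVE_PARAMS = {"base_rate", "overdraft_rate"}

LINE_RE = re.compile(
    r"^(\S+) PARAM_CHANGE user=(\S+) param=(\S+) old=(\S+) new=(\S+) ref=(\S*)$")

def parameter_changes(journal):
    """Yield (timestamp, user, param, old, new, ref) for each parameter change."""
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, param, old, new, ref = m.groups()
            yield datetime.fromisoformat(ts), user, param, old, new, ref

def review(journal, approved, sensitive):
    """Return the exceptions a reviewer in the outsourcing organisation follows up."""
    exceptions = []
    for ts, user, param, old, new, ref in parameter_changes(journal):
        if param not in sensitive:
            continue  # journalled, but not a change the organisation must approve
        what = f"{ts.isoformat()} {param} {old}->{new} by {user}"
        if not ref:
            exceptions.append(f"{what}: no change reference")
        elif approved.get(ref) != param:
            exceptions.append(f"{what}: ref {ref} not approved for this parameter")
    return exceptions
```

Answering the slide's three questions for this control: the review runs on each journal extract (how often), is performed by the outsourcing organisation rather than the TPSP (who by), and exists to catch sensitive parameter changes without a matching approval (what for).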


Page 17

Supervisory / Quality Controls

• Checks by TPSP
– Risk based
– Periodic review by outsourcing organisation
• Checks by outsourcing organisation
– Quality checking team


Page 18

External Outsourcing - Planning

• Problem: the operation is away from your firm’s direct control, but you have to comment on internal controls
– over the business operation that you have outsourced
– over the outsourcing arrangements themselves
• Options
– Audit using own resources
– Audit with joint outsourcing organisation / TPSP audit teams
– Place reliance on TPSP auditors
• Audit Forum
– Outsourcing organisations set scope for annual audit plan
– Service Audits
  • External audit firms provide assurance about TPSP operations


Page 19

Ownership and Responsibilities

• Who is responsible for outsourced operations?
• Who in the outsourcing organisation can understand and accept business risks?
– Especially IT risks
• If only IT functions have been outsourced
– Who is responsible for running the relationship with the TPSP?
– Is there anyone left in the outsourcing organisation’s IT area to advise?


Page 20

IT Governance

• Same considerations apply
– Does IT support the strategic direction of the organisation?
• Management Information must be supplied to outsourcing organisation senior management
– Key Goal Indicators
– Key Performance Indicators
– Balanced Scorecard
• Not only over operations but also over the outsource arrangement itself


Page 21

Internal Outsourcing

• Usually in large companies / groups
• Internal company and profit centre
• Business Units become clients
• Main Issues
– Process Ownership
  • May appear convenient to make it the internal outsource company (especially IT related)
  • Process ownership should always be within the business area
– Control
– Risk Management
– Communication and account management


Page 22

Other Issues

• Personnel issues
– TUPE rights
– Regulatory Issues


Page 23

Sources of Information

• CObIT
– Section DS2: Manage Third Party Resources
• K-Net
– http://www.isaca.org/@member/auditprograms.htm
• http://www.firmbuilder.com
– 140 page report "Best Practices for Managing the Outsourcing Relationship", on offer if you register
• FSA Prudential Guidebook (400+ pages)
– http://www.fsa.gov.uk/pubs/cp/cp97a.pdf


Page 24

Reprise

• We’ve looked at
– Life Cycle of an Outsource Deal
– Key Risks
– Initial Stages
– Contract Items
– Touch Points
– Audit Planning Issues
– Internal Outsourcing


Page 25

Conclusions

• To exercise the pre-outsource level of control over an outsourced operation will always be more costly – risk acceptance?

• Control costs need to be taken on board as an additional cost at the outset – most aren’t

• Process Ownership and Responsibilities in the outsourcing organisation need to be clearly and unambiguously allocated

• Cut through the euphoria, and take a reality check


Page 26

Questions???
