Relying on the Third Party
Sabrina Maeng
Agenda
- What is Outsourcing?
- What to Outsource?
- Types of Outsourcing
- Criticisms and Support
- Why to Outsource?
- Risks
- Mitigating Risks: Audit
- Audit Focus
- Specific Standards
- Recommendations
What is Outsourcing?
“the outsourcing process can be perceived as the activity transferred to be carried out by another company”1

1 Source: Andone, Ioan I. and Pavaloaia, Vasile-Daniel. “Outsourcing the Business Services.” Informatica Economica 14.1 (2010): 163-172. EBSCOhost. Web. 28 May 2011.
What to Outsource?
Business Process Outsourcing (BPO)
- Accounting
- Customer Support
- Marketing
- Analysis (Financial and Economic)
Information Technology Outsourcing (ITO)
- Software development
- Application support and maintenance
- Infrastructure management
Types of Outsourcing
- Offshoring: transfer of business activity to another country
- Domestic outsourcing: transfer of business activity to a non-affiliated company within the same country
What is Outsourcing?
Support
- Cost savings for the company – up to 50-60%
- “Transformational Outsourcing”2
- Price reductions for consumers
Criticisms
- Reputation at stake
- Loss of product quality
- Loss of intellectual capital (i.e. data security)

2 Engardio, Peter. “The Future of Outsourcing.” Bloomberg BusinessWeek (2006). Web. 28 May 2011. <http://www.businessweek.com/magazine/content/06_05/b3969401.htm>
Why to Outsource?
- Current financial situation of the company
- Actual outsourcing costs
- Control of business functions
- Access to documents
- Cultural differences
- Organizational differences
- Hiring practices
- Management attitude
- Competencies required
Risks
Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” Informatica Economica 14.1 (2010): 113-118. EBSCOhost. Web. 28 May 2011.
Risks: The Agreement
- Roles and responsibilities
- Expertise and experience of supplier
- System capabilities
- Staffing requirements
Risks: Data Security
- Reputation
- System functions and capabilities
“You can delegate accountability, but not responsibility.”4
- Service providers are accountable
- User organizations are responsible

4 Source: Van Dyk, Peter. “Cloud Computing: Validating accountability and responsibility.” NZ Business 24.10 (2010). EBSCOhost. Web. 28 May 2011.
Mitigating Risk: Audit
Why Audit?
- SOX requires that publicly traded companies with outsourced processes obtain audits
- Many companies won’t use a service provider that doesn’t have an audit
Audit: Focus
- Security
  - Data
  - Network Connectivity
- Contract
- Country-specific regulatory requirements
Audit: SAS 70 and CICA 5970
- SAS 70 and CICA 5970 are similar in nature
- Type I: evaluation of control design at a point in time
- Type II: evaluation of control design and operating effectiveness of controls over a period of time
Audit: SAS 70 and CICA 5970
- Service organization chooses the controls
- Management can circumvent the process
- Too much reliance on management, with no assertion
Audit: SSAE 16 and ISAE 3402
- Assertion-based engagements
- Type I/Type II and Type A/B
- Reliance on internal audit processes
Audit: SSAE 16
- New U.S. standard, issued June 15, 2011, to replace SAS 70
- Better aligns with international standards (ISAE 3402, discussed later)
Audit: SSAE 16
- Management assertion requirement
- Expanded descriptions (inclusive of internal controls, systems and processes)
- Identification of risk points or weaknesses
- Addresses use of subservice organizations
  - Inclusive
  - Carve-out
- Assumptions on user role
- Reliance on internal audit processes
Audit: ISAE 3402
- Currently the acting international standard
- Used as a basis to update existing standards

Source: “An International Assurance Standard for Third Party Reporting: Benefits and Implications for Service Organizations.” PricewaterhouseCoopers. 2009. Web. 10 June 2011. <http://www.pwc.com/en_CA/ca/controls/business-process-controls/publications/international-assurance-standard-0409-en.pdf>
Audit: ISAE 3402
- Management assertion requirement
- Specifies criteria (preparing and presenting the system description, control design and operating effectiveness)
- Disclosure of reliance on internal audit processes and/or external experts used with regard to controls
- Extends the scope beyond financial reporting matters
  - Regulatory, compliance, operational, business recovery matters
Recommendations
- Use of service organizations is not beneficial to every company
- Cost-benefit analysis
- Risk analysis and mitigation
- Audit or Attest