Reviewing External Work
A chief audit executive considers how to make a case for including outsourced operations in the annual audit plan.
Jan was recently hired as the new chief audit executive at the Doless Manufacturing Corp. (DMC), a producer of oil-drilling equipment. One of his first priorities was to update the audit universe inventory while meeting with corporate executives and line managers to learn about the business. During one of these meetings, Jan learned that the company maintains onshore and offshore outsourcing arrangements for several areas of the business, including payroll, billing and claims, human resources, and IT.
Jan has experience with outsourcing arrangements, and he is familiar with the risks and rewards. However, when he suggested to DMC’s chief executive officer (CEO) that outsourced operations be included in the annual audit plan, the CEO responded, “Why would you squander your scarce internal audit resources on outsourced operations? We fixed those areas by outsourcing them!”
How should Jan make his case for including outsourced operations in DMC’s audit plan? What approaches should he consider including in such audits, and how can he highlight lessons learned from his previous experience? What potential business risks should he highlight to senior management and the audit committee?
MICHAEL S. KING
Director, IT Business Solutions
Jan should welcome the opportunity to help senior management and the audit committee understand the risks and rewards of outsourcing these important business functions. First, Jan should determine if DMC’s requirements for controls and risk management are included in the scope of the outsourcing contract. Also, just like internal operations, certain financial, regulatory, and operational risks remain with this type of relationship. Jan should inform the CEO that outsourcing does not necessarily fix broken processes.
In some cases, outsourcers will take over an organization’s functions and operate them with the same processes and controls used by in-house staff prior to outsourcing. However, if the processes and controls were “broken” before, then action must be taken to ensure improvements occur. DMC’s audit plan should consider this possibility.
New operational risks may emerge, particularly around service levels and delineation of operational responsibilities between DMC and the outsourcer. For example, contractual service levels may not use clear calculation methods or align with business objectives. Moreover, contracts may neglect to define service levels appropriately or fail to include financial provisions that require the outsourcer to pay back fees when service levels are not met.
Complex outsourcing arrangements should clearly delineate the roles of the outsourcer and the customer. The contract’s value may be diluted if DMC assumes work that is the responsibility of the outsourcer. This is especially true in organizations where skepticism exists as to whether the outsourcer can perform the same standard of work delivered internally by the organization.
Other risks may also exist. For example, many outsourcers use leveraged and off-site teams to perform technical tasks that were previously handled by one or two people. The increased number of employees on such teams could amplify logical security risks. Moreover, working with a higher number of employees generally leads to increased turnover.
Companies subject to the U.S. Sarbanes-Oxley Act of 2002 must maintain compliance with the act’s Sections 404 and 302. Compliance may be maintained via Statement on Auditing Standards No. 70 (SAS 70) audit reports. If provided by the outsourcer, previously issued SAS 70 audit reports should be evaluated to address risks relevant to DMC. If there are gaps, or if a SAS 70 report does not exist, internal audit resources may be required to identify and audit controls performed by the outsourcer. Furthermore, the timing of the SAS 70 report issuance must be considered to ensure that it coincides with DMC’s needs.
For Section 302 compliance, risks over quarterly compliance must be assessed. To gauge compliance, outsourcers should be required to communicate any changes that occurred to their controls and control environment that may need to be considered for disclosure.
PATRICK MCCAFFERTY, CIA, CPA
Chief Audit Executive
The most important point that Jan most likely learned from his previous experience is that when a company outsources its process activities, it retains overall responsibility for process results and the associated business risks. A key part of these retained responsibilities is the fiduciary responsibility for maintaining effective risk management programs, including an appropriate internal control structure. With this guiding principle in mind, Jan should be able to communicate effectively to the CEO that DMC should have strong governance processes in place, including internal audit review of the outsourced operations.
Jan also should stress to senior management and the audit committee that just because DMC has outsourced certain processes, the financial, operational, and compliance risks associated with those processes have not necessarily been reduced. If anything, their likelihood of occurring — at least in the short term — has most likely increased due to the significant changes in processes, systems, and reporting relationships.
In addition, Jan should realize that certain categories of risk, including public relations and strategic risks, have become more prominent in the outsourcing model. The increased public relations risk is driven by the potential change in the customer experience and the scrutiny typically applied by external parties — such as media and regulators — during such changes. Strategic risk becomes prominent as the achievement of the business case for outsourcing becomes critical to DMC’s profit goals.
Most likely, there are numerous service-level agreements (SLAs) and associated penalty clauses within the contract to protect DMC. Jan, while acknowledging that these SLAs help mitigate some of the financial risks, should point out that they do not fully address the myriad of other risks associated with an outsourcing initiative.
Finally, Jan should provide recommendations based on his previous lessons learned. If not already completed during the transition period, DMC’s policies and procedures should be updated to clearly reflect accountabilities for financial, operational, and compliance controls related to the outsourcing arrangement. DMC should establish a robust governance function to monitor key aspects of the outsourcing relationship, including SLA performance, quality assurance processes, invoice processing, contract changes, and business case tracking. Jan’s plan should include an audit of these governance processes, as well as individual on-site audits of those outsourced processes deemed to be high risk.
RANDALL J. LEWIS
Executive Vice President, Internal Audit, and Chief Compliance Officer
Consideration of outsourcing as part of DMC’s audit universe should start with identifying the impact of the outsourced areas on the organization’s ability to meet its strategic objectives. Could a lack of adequate controls in any of these areas impede DMC’s ability to achieve its goals? If so, this fact, supplemented by details such as the number of customers, transactions, employees, and expenditures involved, can help Jan make a strong case for including outsourced areas in the audit universe.
Although outsourcing can improve quality, efficiency, and costs, many of the risks inherent in processes considered for outsourcing will still exist regardless of whether or not they’re performed in-house. In fact, with outsourcing, the additional risk of managing outsourced vendors becomes another concern for the organization. Overall, the potential risk areas that Jan should highlight are vendor contract compliance, transition plans and execution, transaction and service quality assurance, regulatory compliance, data integrity, data privacy, currency translation exposure, disaster recovery, and human rights considerations.
Although many of these risk areas can be addressed through traditional approaches, vendor contract and human rights compliance may require more than traditional diligence. In managing the risks related to vendor contract compliance, it is important to understand the performance standards DMC expects from the vendor, how the standards are measured and monitored, and what the contractual consequences are if the standards are not met. Opining on such issues can help identify potential contracting issues while ensuring that DMC’s goals are being achieved.
Jan’s audit approach also should include on-site visits to the locations where the work is actually performed. The visits will allow auditing to assess working conditions and the treatment of employees, while also providing insights on local vendor management competency and the rigor followed in choosing and managing vendors.
Essentially, Jan needs to communicate several things to senior management and the audit committee. First, an effective outsourcing initiative requires rigorous inspection and monitoring to ensure the organization’s goals are being met in a manner consistent with its core values. Second, on-site visits are critical to assess risks posed by DMC’s vendors. Finally, an in-depth understanding of the contracts, performance metrics, and general control environments governing vendor operations enables auditors to opine effectively on these critical risk areas while also allowing them to add value by serving as knowledgeable and consultative resources for both vendors and company management.