June 2011

The Outsourcing Relationship - pg. 2


Cost

One of the major reasons for off-shoring is to obtain cost savings from generally lower salaries of qualified individuals in other parts of the world. Human resource and infrastructure expenses in developing countries, for example, may be lower than those within more established technology regions. Many U.S. organizations contract these services overseas with the expectation of achieving significant cost savings. However, the situation seems to be changing slowly as conditions both in the United States and other countries change. Auditors should ensure that the relationship’s cost effectiveness is monitored continually.


Managing the Relationship

Evaluating the vendor relationship begins with verifying the steps taken by the organization during the vendor selection process. Internal auditors should ensure several items have been addressed in the selection process and recorded as part of the relationship terms:

  1. Relationship requirements are adequately defined and accurately reflect the needs of the organization.
  2. Service level agreements (SLAs) have been documented and agreed to by both parties that adequately define financial, business, ethical, legal, privacy, and security requirements. SLAs must include monitoring, reporting, escalation, and conflict resolution clauses to ensure that issues can be addressed appropriately.
  3. Business insurance has been arranged to adequately cover the risk associated with initiating the relationship.
  4. The organization has verified the vendor partner’s insurance coverage in areas that apply to the supported process, such as workers’ compensation (e.g., for time lost due to injury), professional indemnity, public liability, and motor vehicle use.
  5. The organization has confirmed that the vendor has a management program in place to ensure compliance on the part of its own subcontractors who help support the process.
  6. The organization has confirmed that no conflict of interest exists in initiating the outsourcing relationship.
  7. The agreement includes appropriate compensation for use of the organization’s intellectual property.
  8. The organization has performed due diligence in verifying the stability of the selected vendor.
  9. The organization has confirmed that the selected vendor has controls in place to ensure the privacy and security of the organization’s data, and that these controls protect the interest of the organization adequately.
  10. The organization has implemented internal structures and processes to support the relationship.

During the life of an outsourcing relationship, the organization must continually manage supported processes to ensure its requirements are being met. All organizations, and in particular those that are required to meet specific regulatory requirements, should develop and implement a mature vendor management program that includes several components:

  1. A defined vendor selection process and a definition of the data over which the vendor is to have control.
  2. Defined business objectives that the agreement is required to meet.
  3. Contractually defined responsibilities and SLAs, with regular management oversight ensuring compliance.
  4. A right-to-audit clause in the contract.
  5. A periodic risk assessment to update and respond to outsourcing risks the organization faces.
  6. Organizational support for on-site vendor audits.
  7. Periodic rating of services provided against defined objectives.
  8. Regular assessment of the adequacy and cost effectiveness of the service.
  9. Regular, proactive reporting to the company that ensures vendor compliance with defined requirements.

The key to successful vendor management lies in defining the relationship correctly before it begins, and in actively managing the relationship once it has been established.


Legal Considerations

Although off-shoring may be an excellent solution for some processes, organizations must seriously consider the compliance and security risks — the laws and regulations that apply to U.S. businesses, for example, may be enforced in foreign countries only through contractual arrangements. Requirements under HIPAA, the U.S. Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act of 1999, and other legal and regulatory provisions are applicable only within the United States. An overseas outsourcing firm can be required to comply with these provisions only via stated contractual terms. Auditors should ensure that compliance needs are included in all applicable contracts.


Regional Considerations

Cultural differences are a key factor in off-shoring arrangements, especially when regulatory requirements must be met. Specifically, local cultural practices may take precedence over formal procedures required by the organization’s legal agreements, and they can undermine compliance efforts.


From past experience, internal auditors know that employees do not always follow corporate policy. This situation is only made worse by cultural norms in some parts of the world that encourage informal procedures. Adherence to policies can be even more difficult to achieve when the requirements stem from a legal agreement that may not be widely known within the service provider firm and are based neither on corporate policy nor on local practice.


Temporal and language differences also must be factored into the outsourcing decision. Companies may use off-shoring, for example, to maintain customer support activities around the clock. However, choosing to operate within certain time zones can also introduce language difficulties that cause significant resentment or frustration among customers. Vendors sometimes offer near-shoring as an alternative, combining the desired time zones with an appropriate cultural fit.


A WELL-MANAGED RELATIONSHIP

Each organization is responsible for ensuring the adequacy of its own operations, security, and privacy, whether those services are provided through internal or outsourced functions. Managing external functions is more problematic because external service providers fully expect to manage their own processes and often restrict their clients’ ability to observe and assess controls. Nonetheless, regulatory and standards bodies do not relieve organizations of their responsibility to ensure outsourced services meet stated requirements. Nor do the organization’s customers and investors exempt it from financial reporting requirements or from protecting the privacy and security of their information, regardless of where that information is processed or the function is performed. Every organization needs to develop a mature vendor management program to ensure any outsourced services are provisioned effectively and securely; this includes specifying agreement requirements before the contract is finalized and monitoring the service during the contract period to ensure that the vendor remains compliant.


Regulatory and Corporate Policy Compliance

Many companies assume a potential service provider has a firm grasp on specific regulatory and compliance obligations and will proactively modify its procedures to meet their needs. This seldom occurs, however, because most service providers have numerous clients in various lines of business, each with different compliance requirements. Typically, service providers develop standard procedures that meet the basic needs of most of their clients, most of the time.

Many companies believe an annual Statement on Auditing Standards (SAS) 70 — or, as of June 15, the new Statement on Standards for Attestation Engagements 16 (SSAE 16) — review of their service provider is sufficient to manage the vendor relationship and verify compliance with applicable regulations and internal policy. However, SAS 70 and SSAE 16 reports do not constitute a compliance certification. Instead, they simply provide a review of specific services identified by the service provider as appropriate to provide validation of its internal controls. In practice, such internally defined controls seldom reflect the regulatory, security, or privacy requirements of the organization. The report does not reveal the provider’s ability to satisfy each of its client’s specific requirements. Moreover, the report is most often generic, provided to all of the vendor’s clients, and not necessarily a fulfillment of regulatory requirements. In short, it does not replace management’s responsibility to manage the vendor appropriately. Internal oversight and management of vendor control processes for areas such as access management are essential to ensure that the vendor meets the organization’s requirements and maintains its compliance status.

If the organization has specific regulatory or compliance requirements — such as HIPAA or PCI — it must define exactly how the third party is expected to provide services and how those services will be monitored and confirmed before executing a contract. The organization must clearly define this process with the outsourcing provider so that it can anticipate any impact on its normal operations. Attempting to negotiate specific requests after the contract is signed typically leads to resistance from the service provider, and it leaves the organization with little to no leverage to enhance the service provider’s responsiveness and compliance. Discussions pertaining to the contract’s regulatory provisions should involve the legal department as well as business operations, IT, internal auditing, and any internal compliance group.

Super Globals Articles
Your articles are excellent for knowledge seekers and others. Rating myself, I am only in the elementary stage of opening an outsourcing management company. Thank you for the info.
Posted By: VIKNESWARAN SEEVARATNAM
2012-04-18 4:06 AM