1 / 28

Outsourcing or Third Party Service Management Karen Sharpe kasharpe @deloitte.co.uk

Outsourcing or Third Party Service Management Karen Sharpe kasharpe @deloitte.co.uk Deloitte & Touche Enterprise Risk Services October 25, 2001 Presentation to ISACA. Agenda. Introduction Areas of risk to consider before outsourcing The outsourcing project Managing the relationship

duy
Télécharger la présentation

Outsourcing or Third Party Service Management Karen Sharpe kasharpe @deloitte.co.uk

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Outsourcing or Third Party Service Management Karen Sharpe kasharpe@deloitte.co.uk Deloitte & Touche Enterprise Risk Services October 25, 2001 Presentation to ISACA

  2. Agenda • Introduction • Areas of risk to consider before outsourcing • The outsourcing project • Managing the relationship • Audit considerations • Why do outsourcing arrangements often fail? • Conclusions

  3. Introduction • A HIGH LEVEL DEFINITION OF OUTSOURCING: • When the management of a company decides for strategic, economic, technological or other reasons to cease managing a business function itself and to delegate the responsibility to a third party. • “Outsourcing” generally associated with IT management, but it could be any service • “Third Party Service Management” is a more accurate description

  4. Dominant Type of Outsourcing • Information and Communications Technology (ICT) • Business Process Outsourcing (BPO) Source - www.cw360.com/outsourcing report

  5. Who are the big suppliers? Source - www.cw360.com/outsourcing report

  6. Who are the big purchasers? Source - www.cw360.com/outsourcing report

  7. Areas of risk to consider before outsourcing • The Business Case • Human Resources Risks • Legal Risks • Avoiding Disaster before you start

  8. The Business Case - why outsource? • Business Re-engineering • Cost Reduction • Access to new skills and technology • Delegation of “difficult” functions • Optimal use of scarce management resources • A sound business case is very important to the future success of the arrangement • Management must understand why they want to outsource and what the consequences will be

  9. Common Pros and Cons of Outsourcing Pros: • increased focus on strategic issues and core competencies • improved use of management resources • predictable, reduced (?) and controllable costs • access to improved services because of supplier size and functional focus • access to improved technology and staff resources

  10. Common Pros and Cons of Outsourcing Cons: • loss of control/influence coupled with increased management time re disputes • poorer service quality • higher than expected costs • poorer relationships with staff and customers • lack of integration with corporate infrastructure and culture • loss of skills

  11. Human Resources Risks • What are the current and future staffing numbers and skills? • What concerns will existing staff have? - Communication is important. • Who will carry out the function after outsourcing? • Staff currently employed by the contractor; or • Staff currently employed by the company. • Will the contract be subject to the 1981 Transfer of Undertakings Regulations (TUPE)? • The contract must include appropriate warranties and indemnities in relation to the parties liability for the transferred staff. • Management and the third party must be aware of the potential cost.

  12. Legal Risks • Confidentiality agreements • Structure of contracts and schedules • Financial considerations (e.g. flexibility, VAT issues) • Property & Assets • Defining respective responsibilities • Exit plan - expiry and termination • Regulatory requirements (e.g. FSA) • Legal requirements (e.g. Data Protection Act)

  13. Avoiding disaster before you start • Companies need to be prepared to do plenty of pre-work • Technically - know and understand existing processes and what services the third party is expected to provide • Commercially - know and understand your cost base and the understand the pricing model proposed by the service provider • Legally - be prepared to negotiate the finer details of the deal

  14. The Outsourcing Project • The outsourcing project is subject to the same risks as any other major project • Failure to deliver and cost overruns could arise from a number of directions, including: • lack of commitment from senior staff • failure to engage all parts of the business in the process • poor project governance • lack of detailed plans • failure to monitor and manage adequately

  15. Proposed Methodology for Outsourcing USER ORGANISATIONTransition of CONTRACTOR Responsibility Phase 5 Manage & Review Phase 0 Initiate Phase 1 Assess Phase 2 Plan Phase 3 Contract Phase 4 Transition Key Documents Feasibility Study Service Definition Service Level Agreement Transition Plan Review Procedures Source: Oracle Corporation

  16. The Outsourcing Project • Ensure that there is full commitment at the most senior level • Appoint the appropriate Project Manager • Devise and agree the project methodology that is going to be applied • Draft the project plan • Implement the assessment study • Report findings / proposal for specific projects • Select and plan specific projects • Migration of control

  17. Managing the Relationship • The SLA is the key to success in the ongoing relationship • It should be considered as a “living document”, to be changed when supplier or customer circumstances change • The SLA should clarify the expectations of both sides but should not be overly prescriptive or used as something to wave at the other party • Possible Service Level parameters: • Availability • System specific metrics (engineer response times, mean time between failures etc.) • Turnaround or delivery times • Levels of customer satisfaction • Minimum security standards

  18. Suggested structure of an SLA • There is no standard format - the SLA should be tailored to the particular circumstances of the arrangements to be made. A suggested structure could be: • Introduction • Service Definition and Responsibilities • Service Expectations and Future Targets • Reporting arrangements • Customer Responsibilities • Procedures for Customer / Service Provider Liaison • Cost of services • Exit arrangements • Appendices - Services and Service Levels / Definitions

  19. Why SLAs fail • Document not sufficiently business oriented • Document too brief • Document too detailed • Lack of commitment to the outsourcing process, which may include: • resources • finance • monitoring tools • support tools • management • control

  20. Customer/Supplier versus Partnership • Research from Compass suggests that while less than 5% of outsourcing contracts are taken back in house, another 50% of contracts fail to deliver initial expectations. • Average length of a contract is between 5 and 10 years - this is a long term business commitment! • Choosing the right partner is essential - look for cultural and business fit before you start • Outsourcing does not involve a shift of power from the organisation to the outsourcer - management is still responsible for the outsourced functions and assets • More than 80% of contracts fail because of poor governance • Governance resource costs should be around 5 - 10 % of the total contract value (source: Compass) • A balance must be created between micromanagement and abdication of responsibility • The arrangement must be beneficial to BOTH parties - in general, low costs will mean reduced service

  21. Audit considerations Statement of auditing standard, SAS 480 “Service Organisations” states: • “Auditors should identify whether a reporting entity uses service organisations and assess the effect of any such use on the procedures necessary to obtain sufficient appropriate audit evidence to determine with reasonable assurance whether the user entity’s financial statements are free of material misstatement (SAS 480.1)”

  22. Audit considerations On obtaining audit evidence, the standard is clear: “Based on their understanding of the aspects of the user entity’s accounting system and control environment relating to relevant activities, user entity auditors should: a) assess whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and if not, b) determine effective procedures to obtain evidence necessary for the audit, either by direct access to records kept by service organisations or through information obtained from the service organisations or their auditors. (SAS 480.6)”

  23. Audit considerations Internal and external auditors cannot ignore the outsourced operations when providing assurances to management and shareholders

  24. Auditing considerations Effectively, auditors have 3 alternatives: • 1) Rely on a Service Auditor’s report from the outsourcer; • 2) Carry out audit procedures directly with the outsourcer as if the processes were still in-house; or • 3) Consider whether evidence from the user entity, together with independent confirmations from the service organisation, amount to sufficient evidence. • Not always feasible if the evidence is not independent, e.g. where the service organisation can initiate transactions on the user entity’s behalf without prior agreement or approval. • If the external auditors cannot obtain adequate evidence, they must qualify or issue a disclaimer of the audit opinion on the basis of scope limitation (SAS 480.8)

  25. Service Auditor’s reports • Reports carried out by the service organisation’s auditors which can be provided to the auditors of customers; • Subject to separate terms of engagement from the external audit opinion (if carried out by the external auditors); • Must be independent; • Customers’ external auditors must verify that the scope of the audit is sufficient and appropriate for its intended use (SAS 480.7). • There are 2 standards in place which define the work to be carried out: • SAS 70 (a US standard); and • FIT 1/94 (an ICAEW standard). • Both standards cover IT audit work only, but provide a good benchmark for the extent of work and the opinion required.

  26. What are the most common reasons for Outsourcing arrangements to fail? • Unrealistic or politically motivated business case • Inadequate matching of requirements against supplier capabilities • Poor management and governance • Personnel motivational issues • Inadequately drafted service level agreement(s) • Lack of partnership / trust in relationship

  27. High Level Conclusions • Remember that the reason for outsourcing is to benefit the Business • Look forward, not backwards - retrospection is negative • The supplier has to make a profit • a partnership works, a basic commercial arrangement doesn’t • The outsourcing arrangement is “living” and must be constantly reviewed and refined • An outsourcing arrangement makes little or no difference to the auditors’ responsibility

  28. Questions ?

More Related