Category: Other

Managing the risks of outsourcing

By Richard Kleiner & Carl Lundberg

11 Mar 2019

Business models have evolved enormously over the last 20 years or so...

...as firms have sought competitive advantages over their rivals through utilising their resources more efficiently and offering their clients extra services. A key question which businesses should consider when trying to develop business models is, if someone else can do it better and cheaper, why do it in-house?

One area that has seen significant change is the integration of outsourced service providers (OSPs) into the value chain. This has enabled organisations to concentrate on the parts of their operating models that they are good at, whilst benefiting from the expertise of third-parties to assist with the rest.

Outsourcing is not without its risks. Questions that organisations who are looking to outsource their activities to third-party service providers need to ask themselves include:

  • What are the key risks of the outsourcing arrangement?

  • Are these key risks acceptable to them?

  • What mitigating actions need to be implemented to manage the risks?

  • Does the OSP have the necessary governance and oversight arrangements in place to deliver the service within the parameters of the organisation’s risk appetite?

  • How effective are the internal controls implemented by the OSP? 

Outsourcing key elements of an organisation’s processes to third parties exposes it to risks that are outside its ‘immediate’ governance and oversight perimeter. When all of an organisation’s activities are contained within its usual boundaries, the organisation can design and implement processes and activities to mitigate key risks, but this may not be possible when these activities are carried out by third parties.

Historically, organisations that have outsourced some of their activities have attempted to mitigate this risk by inserting ‘right of audit’ clauses in contracts. These clauses allow the parties to send their staff, typically risk, compliance or audit teams, to undertake periodic reviews of relevant third-party processes. These reviews usually involve examining generic corporate governance documentation including operational manuals, meetings with representatives of relevant functions, perfunctory reviews of the occasional business-specific document and limited testing of the OSP’s processing activity. In most cases, significant restrictions are placed on what these teams can review by the service providers, due to data protection issues, as the service provider will also hold sensitive data on other clients.

In response to the requirement for more robust assurance on outsourced operations, the two most prominent professional accounting bodies – American Institute of Certified Public Accountants (AICPA) and the International Federation of Accountants (IFAC) – both issued standards providing a framework for the issuance of independent assurance to customers of third-party service providers. These standards are the Statement on Standards for Attestation Engagements no. 18 (SSAE 18) issued by AICPA, and the International Standard on Assurance Engagements (ISAE) No. 3402 issued by IFAC.

Although the standards are similar in many respects, there are differences between the two which should be considered when determining which report (SSAE 18, ISAE 3402 or both) to commission when acting as an OSP:

  • Is the assurance required to provide assurance over the internal controls of a process affecting the financial statements of the customers e.g. payroll bureaus and procurement support?
  • Is the assurance required to provide assurance over non-financial internal controls e.g. software as a service (SaaS) and cloud computing services?
  • Is the assurance required at a point in time or over a period? 
  • Where are the customers located? Although acceptable globally, customers may prefer one over the other due to market requirements.

These reports provide numerous advantages to both the outsourced service providers and their customers, including:

  • The independence of the relationship between the outsourced service provider reduces probable conflicts e.g. those arising from having to maintain working relationships or negotiate commercial terms;
  • The independence of the auditors also means that they can review all the relevant details, documents and records without the data protection restrictions that inhibit customer teams;
  • The detailed nature of the audit reports enables customers to scrutinise the robustness of the tests performed and the outcomes of the testing;
  • The testing is generally undertaken by specialists who bring wider market understanding (including knowledge of best practice) to the audit process;
  • The higher quality evidence results in increased acceptance of the reports in the market;
  • Organisations can deploy their resources to other areas of the business that require attention;
  • OSP’s do not need to accommodate multiple customer assurance teams throughout the year, all looking to achieve the same objectives. One report meets all their requirements.   

Undertaking an independent controls assurance report requires initial investment in time and resources to ensure key objectives are met and this effort should not be under-estimated. To ensure that the process is successful, a considered approach needs to be undertaken by a team that understands the standards and the requirements of both the outsourced service providers and their customers. The starting point for each organisation is different and therefore so is their route to a successful audit. If you would like further information on outsourcing and what you should consider before engaging with an OSP, then please get in touch.

Back to top

To download this report, please provide the following information.