Many organizations are pursuing sustainable cost reductions via a shared services model. A shared service is a centralized service that was once found in more than one department of the organization such as accounts payable, supply chain, accounts receivable, human resources, and IT. Auditors are increasingly expected to expand their traditional audit services to include consulting expertise around a shared service implementation.
While the benefits of shared services are many, the implementation of a shared services model has potential pitfalls. Though organizations may want to achieve the cost reductions associated with a shared services model, this may be a high-risk decision unless there is a well-thought-out strategy. Internal auditors can play a key role in that strategy during the implementation phases of a shared services model.
Internal auditors can add value to the organization by providing consulting services before implementation of a shared services model. During the pre-implementation phase, decisions include determination of the business functions best suited for a shared service, technology platforms to improve efficiency of the shared service, and personnel decisions that will align employees with the shared services model. During this phase, management also should be developing the project charter and metrics for the shared service center. Internal audit can provide insight on various operational, financial, and regulatory risks, and evaluate management internal control design during this stage.
A primary goal for internal audit during this phase is to consult with the business to ensure an effective internal control structure is designed during the implementation. To accomplish this goal, coordination with management should focus on areas management has determined to be best suited for shared services implementation and the various risk factors that can negatively impact a successful implementation. Internal auditors with backgrounds in IT, human resources, or accounts payable may be considered particularly helpful in these discussions. IT auditors can be used to ensure IT system decisions are given appropriate due diligence.
Another consideration during the pre-implementation phase is identifying operational redundancies that can be eliminated within the processes. Current industry practices or trends regarding shared service centers also should be considered. For example, traditional financial shared service centers (e.g., accounts payable) versus nontraditional (e.g., corporate communication and legal) can present different challenges. The internal auditor’s knowledge of operational processes can provide insight to management in the decision-making process. Auditors also can help ensure the right stakeholders are identified and decisions are approved correctly during product charter development.
Scorecards can alert management of a process or control breakdown and help determine which reports should be used to gather performance metrics. Scorecards can include a variety of key performance indicators, and can be developed in these categories.
- Cost savings achieved.
- Year-over-year unit-cost targets and trends since implementation.
- Budget vs. actual vs. historical reviews.
- Fixed vs. variable expenses.
- Activity-based costing to evaluate the cost effectiveness of specific activities within the shared service center.
Customer or Stakeholder Satisfaction
- Tracking of information received from customer satisfaction surveys.
- Number of customer complaints.
- Feedback from internal stakeholders.
- Productivity measures.
- Quality metrics.
- Turnaround trends (e.g., the number of invoices processed per day and per employee).
- Number of transactions processed in a day, reviewed for trends.
- Cases touched or issues raised multiple times.
- Number of transactions in a hold or pending status.
- Employee engagement survey results.
- Employee retention and attrition rates.
The challenges management may encounter during a shared services implementation include coordinating various geographic locations, maintaining a good transaction turnaround time, and ensuring quality customer service. Internal audit should focus its efforts on helping management address these challenges. As part of its consulting services, internal audit can work with management to ensure these questions have been addressed adequately or anticipated by management before implementation:
- Are the decision rights well defined, communicated, and understood?
- Have policies and procedures been established?
- Has a project management plan, aligned with the goals of the shared service center, been submitted and approved?
- Are appropriate internal controls being planned?
- Will the shared service use the existing system/technology platform, a new system, or both?
- Have IT solutions such as e-procurement or imaging tools been considered to improve process efficiency?
- Do employees have the appropriate system access with attention given to segregation of duty concerns?
- Is the right staff in place with the skills and desire to deliver quality services to customers, drive cost efficiencies, and initiate improvements?
- Do employees have appropriate training?
- Has management considered how to ensure a control environment is maintained after the transition?
- Have regulatory considerations in different states or countries been evaluated and addressed?
- Have key performance indicators (KPIs) been determined to evaluate performance and make adjustments accordingly?
- Have KPIs been organized into effective scorecards? (See “Scorecard Metrics” on this page.)
While providing consulting services, internal auditors should maintain objectivity and independence. Most independence concerns can be removed by ensuring the auditors do not assume management decisions and do not process transactions. However, careful consideration should be given to safeguard compliance with professional standards.
Once the shared service center is in operation, auditors can test transactions, monitor service levels, and recommend process improvements through objective reviews of operations. Auditors should review the monitoring and testing of shared service controls as part of continuous monitoring, or compliance, operational, or process-driven audits. Because the shared service is now functioning for the entire organization and the impact can be greater if there is a process breakdown, audits should be conducted promptly. After implementation of the shared services model, auditors should consider these audit procedures:
- Test IT access to ensure appropriate access and segregation of duties.
- Test reports (KPIs) to determine data accuracy and completeness.
- Identify transactions outside established parameters using data analytic tools and techniques.
- Determine specific regulations by geographic location or industry.
- Test controls to verify regulatory compliance.
- Review the reporting process management has established to ensure performance is in line with expectations. Gain an understanding of the actions taken when actual metrics are outside of expectations. Review the scorecards in place to assess and manage performance.
- Verify the application of policies and procedures to the process, review known control breakdowns and ongoing challenges, and verify that appropriate approval controls have been embedded in the process.
Refer to Standard 1130.A3 regarding the internal audit activity providing assurance services where it previously performed consulting services to ensure independence and objectivity.
In addition to cost savings, a successful shared services implementation can result in important benefits for organizations, including consistent processes and quality standards across the organization and enhanced business process integration following mergers or acquisitions, which can result in improved quality and productivity. The alignment of business services in a global operating structure often results in better information for management decision-making. A shared services model also allows local business managers to focus more on items of strategic importance, such as business development and improved customer service. On the technology side, system enhancements typically involved in a shared services environment serve to improve the effectiveness of the shared service operation.
There also are human resource benefits to a shared services model, as the expertise of shared service employees benefit the entire organization, and in-house expertise is developed versus outsourcing for that skill. Challenges with attracting and retaining employees have decreased as companies find innovative ways to make shared services a specific career path.
Because of their knowledge of the business and its related processes, auditors should work with management during the planning and implementation phases of a shared services model. When wearing their consultant hats, internal auditors can add value during the post-implementation phase of the shared service to ensure the service is functioning as intended and significant problems are quickly identified and corrected. Performing consulting activities is part of the Definition of Internal Auditing, and it can be a significant benefit to organizations in the rapidly changing global business environment.