Many organizations around the world are outsourcing business processes to specialized service providers. Important factors driving outsourcing decisions stem from the desire to reduce cost, increase customer satisfaction, and improve their ability to continuously deliver new and enhanced services to their customers.
IT is the most likely business function or process to be outsourced, notes Deloitte’s 2012 global survey, “Outsourcing, Today and Tomorrow,” which polled 111 service professionals from organizations on six continents and from 10 industry segments with annual revenues ranging from less than US $500 million to more than US $25 billion. More than three-fourths of participants say their organization is currently outsourcing its IT function.
These statistics are not surprising. With rapid development in IT, many organizations are seeking to gain or maintain a competitive edge over their competitors by deploying more modern IT solutions. For these organizations, outsourcing IT processes or the entire IT function to highly skilled and specialist IT service/product providers will allow them to gain this competitive advantage quickly and effectively.
Despite its benefits, outsourcing does create risks that should be managed adequately to ensure that these benefits are realized fully. A common risk is early termination of contracts; nearly half of respondent organizations in the Deloitte survey have ended a contract early, with concerns about service quality being the top reason. In the case of IT products/services, it will be difficult for organizations to develop in-house expertise to replace the outsourced service/product. That may explain why 66 percent of respondents to Deloitte’s survey moved to another vendor after terminating a contract, rather than bringing the function in-house.
Because risk assessment and management are key to fully realizing the greatest value from IT outsourcing relationships, this is an area where internal auditors can apply their expertise.
Assessing Management's Risk Assessment
As a first step in auditing an outsourced IT function or process, internal auditors should determine whether management has performed a formal and comprehensive risk assessment related to the outsourced service provider. Auditors should not be satisfied merely by the existence of such a document, but also should thoroughly analyze the adequacy of management’s assessment.
Key Risks of Outsourcing
While outsourcing certain activities can create many benefits for organizations, there are numerous risks that need to be managed effectively to bring out the best from such a relationship. A 2005 Basel Committee for Banking Supervision document, Outsourcing in Financial Services, provides guidance on which risks should be covered while performing a risk assessment of outsourced functions.
The guidance, although intended for financial service organizations, can be used across all organizations and for any function that has been outsourced. The document organizes risk areas into several broad categories: strategic risk, reputational risk, compliance risk, operational risk, exit strategy risk, counterparty risk, country risk, contractual risk, access risk, and concentration and systemic risk. It is available from the Bank of International Settlements’ website.
The Basel Committee for Banking Supervision’s Outsourcing in Financial Services document provides guidance for performing risk assessments of outsourced service providers. The document recommends risk areas that should be managed related to outsourced service providers (see “Key Risks of Outsourcing” at right). Internal auditors who are assessing their organization’s outsourced operations should read the guidance and recommend that management use it when performing its risk assessment related to outsourced service providers.
Often when organizations use the Basel guidance to assess their outsourcing-related risks, management may present or document that it has addressed all risk areas adequately — even if that is not the case. There are two reasons for such behavior:
- Management has built a comfort level with the outsourced service provider that results in management having blind faith in the provider.
- Management is aware that it has not adequately addressed risks related to outsourcing of IT but does not want to admit this in formal risk assessment documentation.
Internal auditors should investigate the details of management’s risk assessment, and if need be, challenge the outcomes and conclusions reached by management. "Risk Assessment Issues"shows some common shortcomings found in risk assessments related to outsourced service providers, along with justifications management will typically give to internal auditors and ways auditors can tackle such situations.
Ensuring Risks are Considered
It is important to understand that in many cases there may not be a single answer to adequately address a given risk or risk areas that can come up when an IT process is outsourced. However, it is important that each risk area is given reasonable consideration and such consideration is documented formally. Formal documentation can increase the effectiveness of the overall risk assessment process.
Internal auditors should assess whether management has implemented whatever controls are necessary. They also should ensure that the organization has not developed a culture of blind trust on a service provider based on its length of service or reputation. By bringing an independent view and developing a broad understanding of the outsourcing relationship, internal auditors can help their organization manage risks related to such arrangements.