CHAPTER 2: IT ENABLED SERVICES AND EMERGING TECHNOLOGIES... 2 PART 1: IT ASSURANCE SERVICES AND ROLE OF CAs IN BPO-KPO... 2 Learning Objectives...

Transcription

1 CHAPTER 2: IT ENABLED SERVICES AND EMERGING TECHNOLOGIES... 2 PART 1: IT ASSURANCE SERVICES AND ROLE OF CAs IN BPO-KPO... 2 Learning Objectives Introduction Opportunities for CAs IT Consulting and Assurance Services by CAs Using COBIT for providing IT-enabled services Set and maintain the IT Governance Framework Define IT Strategy Planning Manage Risk Review IT Security Management Compliance with external requirements Manage Continuity Business Process Outsourcing Knowledge Processing Outsourcing Medical Transcription Legal Transcription Data Entry and data processing IT Help-desk support Application development Risks and Controls of outsourced services... 9 Risks... 9 Controls Using global best practices Compliance with external requirements: Managing Business Continuity Summary References Questions Answers

2 CHAPTER 2: IT ENABLED SERVICES AND EMERGING TECHNOLOGIES PART 1: IT ASSURANCE SERVICES AND ROLE OF CAS IN BPO-KPO Learning Objectives To understand the need for CAs to embrace IT To understand opportunities for CAs in IT enabled services To gain an understanding of using best practice frameworks To gain an overview of IT enabled services like BPO To understand how to use best practices for providing assurance and consulting services 1.1 Introduction Information Technology has pervaded most of the aspects of every organisations be it an SME (Small and Medium Enterprises) or a huge organisation. Adoption of Information Technology carries its own threats, but the nature of threats could be different for SMEs or Large Enterprises. The threats to SME relate more to size and limited manpower. Some of the threats could be in the form of: Breakdown/failure of IT infrastructure: Hardware, network, system software, application software, etc. Loss or theft of IT resources including data impacting business due to lack of awareness of the need for IT security and low level of controls. Lack of adequate security affecting the confidentiality, integrity and availability of IT resources. Dependence on few personnel on managing IT, dependency on IT vendors and lack of skilled manpower due to lack of processes, policies, procedures, standards and guidelines. Lack of independent assurance of the status of IT security and controls In case of large enterprises they could be more in the nature of: Breach of security due to hacking resulting in non-availability of IT resources Breakdown of IT infrastructure due to inadequate business continuity plans 2

3 Lack of adequate risk management strategy and remedial measures Over dependency on key personnel Lack of appropriate clauses in SLA resulting in enterprises being at mercy of IT vendors Chartered Accountants have to embrace IT as IT is a key enabler in enterprises of all sizes and this is so even in enterprises providing services. CA firms are impacted by IT in two ways: By automation of their client s operations resulting in client s data being digital; and CA firms have to use IT in their own offices to provide services. 1.2 Opportunities for CAs For Chartered Accountants there exist opportunities in Auditing and Assurance as well as consulting areas. Chartered Accountants with their expertise in data and in depth understanding of systems and process functions are uniquely suited for providing consulting in control implementation of IT enabled services as well as review of the same. IT by default rather than by design has become critically relevant for CA firms. Technology deployment by design from a strategic perspective by CA firms could act as catalyst of growth and key differentiator to not only provide current service offerings to existing clients but also develop innovative delivery capabilities for new service offerings to existing /new clients. This can empower CA firms to stay ahead of the curve by enhancing capabilities to not only transform the way current services are provided but also provide IT enabled services in the areas of IT governance, risk, compliance assurance, consulting and implementation. For this transition to happen, it is important to determine how IT would be used by the enterprise and to invest in IT from a long-term perspective and after a well thought out assessment of the firm s needs. This will ensure that right technology and tools are available for use by the firm s staff. However, to develop their capabilities and technological infrastructure, the CA firms will have to do an assessment of the following: Identifying areas of specialization: It is important that the gaps between the current situation and the future needs are assessed and areas of specialisation planned. IT skills and competencies: The firm should inventorise its IT assets both in terms of skill levels and resources and plan on path required to reach its requirements. Assessing the existing and future applications: The evaluation of existing service delivery mechanism and other related procedures has to be carried out from the automation perspective. The firm should assess whether its processes and the software applications being used, are in tune with the future IT strategy or not. Determining type of technology infrastructure required: Identification of development areas of IT to ensure its appropriateness for future, is essential. Considering the technological changes, a firm should carefully assess its budgets and resource plans to serve both the present and future clients. 3

4 Module 1: Facilitating e-learning Service delivery: The CA firm has to assess the way it provides and delivers its services and the internal processes adopted by it, to develop new methodologies and ways to deliver services, to tune up with the capabilities of the implemented IT. IT culture and training: To develop and implement an IT solution, the firm not only requires investment in the technology but also has to ensure the automation of key processes and provide training to all the staff as per requirements, to imbibe the right IT culture. Right Migration Plan: Investing in the right technology solution is the most critical decision to make. Reviewing the current technology and application infrastructure and then identifying the gaps for future requirements and then implementing the migration plan makes it a very critical decision. Apart from adopting IT for their own office, CAs will have myriad challenges and opportunities in the area of Information Technology. Once CA has a good understanding of IT and related processes, they can provide assurance and consulting services to clients as well as other enterprises in many different sectors and industries. CAs can also help their clients in various areas such as: Meet the challenges in adoption of emerging technologies and computing models, like, cloud computing, BYOD, Social Media Usage, Big Data etc. Mitigation of risks in BPO-KPO and related areas. Use of BI using Data Warehouses, Data Mining, Data Marts, DSS, ESS, AI, etc. Adoption of ERP, E-Commerce etc. 1.3 IT Consulting and Assurance Services by CAs CAs could use global best practices for Consulting and Assurance in IT enabled services. COBIT 5 is one such framework which could be used to provide standardised approach to enable auditors to provide different types of IT enabled services. These processes have detailed management practices, input-output matrix, RACI (Responsible, Accountable, Consulted and Informed) chart and activities which can be used as a benchmark and customised for scoping assignments as required. The contents from each of these processes or a combination of selected processes as relevant can be referred and adapted for preparing the proposal. This could then become the starting point for discussing the scope and objectives of assurance/consulting assignment. Once the scope is agreed upon, the extracted contents from these processes can be customised and used as a benchmark for providing the required services. CAs using their cross functional and in depth knowledge can help an organisation implement Governance framework or help an organisation develop IT strategy for itself or provide assurance services in these areas Using COBIT for providing IT-enabled services CAs can use and adopt the best practices framework such as COBIT to provide various IT-enabled services. Some of the services in terms of scope and objectives derived from COBIT are given with sample scope, objectives and areas of review. These can be updated and expanded as per requirements of the assignment. 4

5 1. Set and maintain the IT Governance Framework Scope: Analyse and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise's mission, goals and objectives. Objective: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT---related decisions are made in line with the enterprise's strategies and objectives, IT---related processes are overseen effectively and transparently, compliance with legal and regulatory requirements are confirmed, and the governance requirements for board members are met. Areas of Review Evaluate design of enterprise governance of IT. Direct the Governance System. Monitor the Governance System. 2. Define IT Strategy Planning Scope: Provide a holistic view of the current IT environment, the future direction, and the initiatives required to migrate to the desired future environment, leveraging upon enterprise architecture building blocks and components to enable nimble, reliable and efficient response to strategic objectives. Objective: Align strategic IT plans with business objectives and clearly communicate the objectives and associated accountabilities so that these are understood by all, with the strategic options identified, structured and integrated with the business plans. Areas of review Understand enterprise direction. Assess the current environment, capabilities and performance. Define the target IT capabilities. Conduct a gap analysis. Define the strategic plan and road map. Communicate the IT strategy and direction. 3. Manage Risk Scope: Continually identify, assess and reduce IT related risks within levels of tolerance set by enterprise executive management. Objective: Integrate the management of IT related enterprise risk with overall enterprise risk management, and balance the costs and benefits of managing IT related enterprise risks. Areas of review 5

6 Module 1: Facilitating e-learning Collect data Analyse risk. Maintain a risk profile. Articulate risk. Define a risk management action portfolio Respond to risk. 4. Review IT Security Management Scope: Define, operate and monitor a system for information security management Objectives: Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels. Areas of review Establish and maintain ISMS (Information Security Management System). Define and manage an information security risk treatment plan. Maintain and review the ISMS. 5. Compliance with external requirements Scope: Evaluate that IT processes and IT- supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with and that the IT compliance integrates with overall enterprise compliance. Objectives: Ensure that the enterprise is compliant with all applicable external requirements. Areas to review Identify external compliance requirements Optimise response to external requirements Confirm external compliance Obtain assurance to external compliance 6. Manage Continuity Scope: Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operations of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise. Objectives: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption. Areas to review 6

7 Define the business continuity policy, objectives and scope. Maintain a continuity strategy. Develop and implement a business continuity response. Exercise, test and review the business continuity plan Review, maintain and improve the continuity plan. Conduct continuity plan training Manage backup arrangements Conduct post resumption review. 1.4 Business Process Outsourcing A Chartered Accountant could play a significant role in areas like outsourcing, cloud services, mobile computing, BPO/KPO, SLA, report validations etc. Let us understand the relevance of these in areas of BPO/KPO. Every modern organisation is dependent upon various operations that would enhance the productivity of the organisation. Outsourcing of various activities/services by an organisation takes advantage of core competences of service providers in these areas, so that the organisation can concentrate on its core business. Many of the IT enabled companies, a big chunk of which are Indian companies today provide a lot of outsourcing solutions/services. BPOs usually deal with fringe business activities such as customer care, finance and HR. The basic purpose is to cut on costs, and the functions outsourced do not have much value add to the organisation. Some of the activities which are outsourced are cheque clearing, ATM cash replenishment, account opening forms and Adhaar Card enrolment. Some of the IT Enabled business processes could be: Knowledge Processing Outsourcing Knowledge Process Outsourcing (KPO) is a subset of BPO. KPO involves outsourcing of core functions which may or may not give cost benefit to the organisation but helps in value addition. These processes are usually more specialized and knowledge based as compared to BPOs, and includes services related to R&D, Capital and insurance market services, legal services, biotechnology, animation and design, etc. KPO is application of specialized domain pertinent knowledge of a high level and is the high end of BPO. This may include, o Risk Management: The process includes services like monitoring the risk factor of various investments, looking after the returns, looking after at the viability of projects a company undertakes. It also includes making quarterly reports of investments and sending it to the company. o Claims Processing: The process includes checking of documents supporting the claim and storing online data of claims. o Consultation on accounting and tax implications of significant agreements and transactions helping in SEC Reporting, Mergers and Acquisitions, Private Placement Memorandum. 7

8 Module 1: Facilitating e-learning Medical Transcription Medical transcription is the process of converting voice-recorded reports into text. A medical transcriptionist listens to a recorded medical report. While listening, they type out the report. The medical reports are dictated (into Dictaphones) by physicians and other medical personnel. Clinical health systems and hospitals often reduce costs and increase efficiency by outsourcing tasks such as transcription and billing rather than assigning to doctors or physician who are overqualified for these duties. Outsourcing medical transcription gives the responsibility to more dedicated professionals (transcribers) in countries like India and other Asian countries, which leaves doctors to focus on core medical practice and procedures leading to better patient care. India incidentally has been a big beneficiary in this outsourced work, Medical transcribers and solution providers in India allow global healthcare practitioners, clinics and hospital deliver best results in medicine by performing transcription, editing / QA support through IT enabled processes Legal Transcription Legal transcription Similar to medical transcription but involves converting audio dictation by legal professionals and other recordings from legal cases into the printed word. Solicitors, attorneys and legal professionals use the services of legal transcriptionists to assist them in transcribing meetings memorandums, correspondence and court documents. Legal transcription is also used for recording court proceeding and interviews of witnesses. At a higher end, even preparation of legal cases are also outsourced which come in category of knowledge process outsourcing Data Entry and data processing Data entry in the area of accounting and many other business processes is increasingly being outsourced because of cost effectiveness. India is again a big data entry outsourcing hub, since we have a comprehensive range of quality of manpower with professionals in their desirable fields. This enables low cost data entry services with timeliness and high volume of data-entry operations possible along with data processing and analytics. Example of some these areas are outlined here. Taxation / Financial Accounting Outsourcing: India is known for having both cost as well as technical advantages when it comes to outsourcing IT services and processes. India has emerged as one of the most preferred country for outsourcing various services globally. These include supply chain management, sales, marketing, customer care, human resource besides financial services and E-Accounting services such as: o Accounts Payable: The process helps client to track payments originating across different locations and in different currencies. It helps to efficiently settle payment issues with vendors. o Accounts Receivable Management: The process includes managing as well as tracking the client's receivables in different locations. It also helps to manage the limit of credit extended by the client. 8

9 o Tax Processing: The process includes keeping proper tax data and auditing it and also maintenance of various documents and forms relating to taxation. o Cash Management: The process includes checking the cash flow statement of the company. It also includes checking the liquidity of the company, managing current assets like cash, inventories, bills payable and receivables etc IT Help-desk support IT help desk is a resource which provides a kind of single point of contact service to end users for all kinds of IT support. Their purpose is to trouble shoot problems and provide guidance on the technologies powering the business. For End User there are endless IT challenges to deal with on a daily basis. IT help desk facilitates all these challenges and provide a one point support for all of these. These days a help desk generally manages its requests for support through the use of software such as issue tracking systems. This software allows helpdesk to keep a track of users requests, sort user requests with the help of a unique number, and can frequently classify problems by user, computer program, or similar categories Application development Outsourcing Application Development allows the organisation to focus on its core competencies and at the same time take the benefit of core competency of vendor. Application Development services are also being catered by a large number of Indian companies, who are developing applications and solutions for a large number of overseas clients Risks and Controls of outsourced services Risks If we consider all the above areas of BPO, there are some common risks or security concerns: Privacy and Confidentiality- Disclosure of information related to overseas customer could lead to privacy and confidentiality issues which could create a liability. Attrition of staff-a high turnover rate has an indirect impact on the client organisation because it forces it to increase time spent on knowledge transfer and training new individuals. Legal Compliances- Vendors are liable for lot of compliances under several laws of India as well as of outsourcing country. For example medical transcription vendor liability has become important in light of HIPAA privacy and security regulations, which place an obligation on covered healthcare providers to ensure that their vendors safeguard confidentiality. Timeliness-In most of outsourcing Time is of essence and the service level agreements normally provide for Turn Around Time (TAT) which has to be adhered to. 9

10 Module 1: Facilitating e-learning Providing service in disaster- Most of SLAs also provide for clauses relating to provision of services in disaster also. Complying with SLAs-SLAs could provide for imposition of fee claw back in case of poor service. SLAs also provide for organisations to have in place a risk management program. Controls The security concerns can be mitigated by implemented appropriate controls. CAs as IS Auditors can understand the relevant security concerns and confirm whether appropriate controls have been implemented to address these risks, identify areas of control weaknesses and provide recommendations for risk mitigation. Access Controls- Have Information security management systems in place with secure practices like each employee required to have a secure password; Voice files and data files maintained in a secure data safe; Security during transmission using VPNs etc. HR Controls- Proper background checks, employee bonding Good Processes-Have documented processes and quality management systems Quality Assurance-Have quality assurance processes in place. Compliance Management- Have a system of legal compliances in place and regular review of the same. Contingency and Backup Plans- Have contingency and BCP in place 1.5 Using global best practices Compliance with external requirements: An Indian BPO service provider, located in India, is duty bound to comply with the various provisions of Indian laws which impact the outsourcing industry. There are numerous Indian legislations which Indian BPOs have to comply with apart from International legislations of the outsourcing country. For example: SOX or HIPAA of USA and PCI DSS or Basel Framework applicable to banking companies. CA can use the best guidance practice available in COBIT relating to: Process MEA03 Compliance with External requirements discussed earlier to ensure such regulatory compliances. COBIT also provides step by step approach for providing assurance of such areas. For example, in case of regulatory compliances, the steps could be: Identify external compliance requirements. Optimise response to external requirements. Confirm external compliance. Obtain assurance external compliance. 10

11 For Example, there are compliance requirements under the Information Technology Act which are applicable for any BPO-KPO. The specific areas of compliance which could be reviewed by the IS Auditor are: Section 43 A Section 67C Section 69B Section 70B Section 72A General Are various components of sensitive personal data or information vis-à-vis users/customers defined by the enterprise? Does the enterprise have a security policy? Is the security policy documented? Does the enterprise have an electronic record preservation and retention policy? Has the enterprise adopted/established appropriate policy, procedures and safeguards for monitoring and collecting traffic data or information? Are these documented? Does the enterprise have appropriate documented procedure to comply with the requests of CERT-IN regarding cyber security incidents? Does the enterprise have an adequate privacy policy? Whether the enterprise has provided for opt-in/opt-out clause in the privacy policy? Has the enterprise appointed designated officer/nodal officer/computer-in-charge to comply with the directions of competent authority/agency under various provisions of the Act? Whether details of such designated officer/nodal officer readily available online (at its website)? Managing Business Continuity Most of SLAs (Service Level Agreements) of BPOs provide for provision of services during disaster also. CAs as IS Auditors can use the best practices provided in the COBIT management process: DSS04 Manage Continuity to provide assurance in this area by assessing. Whether the organisation has a defined business continuity policy, with clear objectives and scope. Whether organisation maintains a continuity strategy. Whether the organisation has developed and implemented a business continuity response plan. 11

12 Module 1: Facilitating e-learning Whether the organisation exercises, tests and reviews the business continuity plan. Whether the organisation reviews, maintains and improves the continuity plan. Whether the organisation conducts continuity plan training. Whether the organisation manages backup arrangements. Whether the organisation conducts post resumption reviews. Apart from providing assurance services, a Chartered Accountant could also help a BOP KPO to manage continuity by providing consulting in the above areas. 1.6 Summary IT is a big enabler and a CA should understand IT for use in their own practice as well as for helping their clients implement and develop IT enables processes. CAs can use best practices framework such as COBIT for providing Assurance and Consulting services. IT has been a big enabling factor in BPO in medical transcription, legal transcription and data entry processing areas. There are, however, risks in these areas which have to be mitigated. CAs because of their understanding of IT risks, security and controls can provide assurance or consulting on mitigation of these risks and thus provide value addition to their clients. 1.7 References Questions 1. Why do Chartered Accountants need to embrace IT? A. IT is a trendy thing B. IT is a buzzword C. IT is a key enabler in Enterprises D. IT is interesting 2. Which of the following is an advantage of Outsourced services? A. Privacy and confidentiality B. Attrition of staff C. Cost cutting 12

13 D. Legal compliances 3. While auditing an Outsourced agreement, an IS auditor would be most concerned with: A. The commercial terms of outsourcing arrangement B. The continuity of operations in case of failure of service provider C. The location from which services are provided D. The loss of in-house IT competencies 4. Embracing IT will enable Auditors to provide Consulting and Assurance services in the areas of: A. IT Risk Management B. IT Strategic Planning C. IT Security Management D. All the above. 5. An IS Auditor auditing the on-line transaction processing system of an organization outsourced to a third party will be most concerned that A. Transactions are authorized by the outsourced agency. B. Transaction log is not printed on daily basis. C. Organization does not have adequate trained IT personnel. D. The third party is providing outsourced services to other clients also. 1.9 Answers 1 C 2 C 3 B 4 D 5 A 13