20 Questions Directors Should Ask about Information Technology Outsourcing 2005
How to use this publication

Each 20 Questions briefing is designed to be a concise, easy-to-read introduction to an issue of importance to directors. The question format reflects the oversight role of directors, which includes asking management and themselves tough questions. The questions are not intended to be a precise checklist, but rather a way to provide insight and stimulate discussion on important topics. The comments that accompany the questions summarize current thinking on the issues of leading organizations and provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. Thus, although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

The Information Technology Advisory Committee
Library and Archives Canada Cataloguing in Publication
20 questions directors should ask about information technology outsourcing.
ISBN 1-55385-146-3
1. Information technology - Management. 2. Information resources management. 3. Contracting out. I. Canadian Institute of Chartered Accountants. II. Title: Twenty questions directors should ask about information technology outsourcing.
HD2365.T84 2005 004.068 4 C2005-900070-8

Copyright 2005 Canadian Institute of Chartered Accountants
277 Wellington Street West, Toronto, ON M5V 3H2
Printed in Canada
Available in French
www.icca.ca/ccti
Preface

The CICA's Information Technology Advisory Committee developed this brochure to guide the members of boards of directors in evaluating information technology outsourcing issues that might arise while they discharge their board responsibilities. This document might also be of interest and use to members of other governance bodies, in particular audit committees and strategic bodies such as IT steering committees.

The CICA would like to express its gratitude to the principal author of this brochure, Ray Henrickson, CA CISA, CA IT, a member of the Information Technology Advisory Committee, and to the other members of this Committee for providing advice and comments.

Directors of organizations are expected to satisfy themselves that the information technology function is effective, whether it is outsourced or not. This briefing provides suggested questions for boards to ask the Chief Information Officers and others. For each question there is a brief explanatory background. We hope that directors, CEOs and CIOs will find it useful in assessing their approach to the management of risk and internal control.

CICA Information Technology Advisory Committee

Chair
Donald E. Sheehy, CA CISA, Deloitte & Touche LLP, Toronto

Committee
Gary S. Baker, CA, Deloitte & Touche LLP, Toronto
David Chan, CA CISA, Ontario Government Information Protection Centre, Toronto
Allan W.K. Cheung, CA IT, CA CISA, The Canadian Depository for Securities Limited, Toronto
Henry Grunberg, CA IT, Ernst & Young LLP, Toronto
Ray Henrickson, CA CISA, CA IT, Scotiabank, Toronto
Carole Le Néal, CISA, CISM, Mouvement des caisses Desjardins, Montreal
James R. Murray, CA, CISA, CIA, Grant Thornton LLP, Halifax
Erlinda L. Olalia-Carin, CISA, KPMG LLP, Toronto
Robert G. Parker, FCA, CA CISA, Deloitte & Touche LLP, Toronto
Robert J. Reimer, CA CISA, CA IT, CISM, PricewaterhouseCoopers LLP, Winnipeg
Douglas G. Timmins, CA, Office of the Auditor General of Canada, Ottawa
Gerald D. Trites, FCA, CA CISA, CA IT, St. Francis Xavier University, Antigonish (also technical consultant for the Committee)
Bryan C. Walker, CA, The Canadian Institute of Chartered Accountants, Toronto

CICA Staff
William J.L. Swirsky, FCA, Vice President, Knowledge Development
Andrée Lavigne, CA, Principal, Research Studies
Board Responsibilities for Information Technology Outsourcing

The Board of Directors oversees an organization's overall strategic direction and management. As part of this responsibility, it must keep abreast of issues pertaining to the management and control systems in place to keep the risk of loss arising from fraud and error to an acceptable level. In addition, the Canadian Securities Administrators (CSA), in January 2004, passed new Investor Confidence rules [1] that contain requirements similar to those that flowed from the Sarbanes-Oxley Act in the United States and establish new and important responsibilities for internal control. Of greatest interest from an Information Technology (IT) perspective is rule 52-109, which requires the CEO and CFO to certify, among other things, that:
- they have designed disclosure controls and procedures and internal control over financial reporting (or caused them to be designed under their supervision);
- they have evaluated the effectiveness of such disclosure controls and procedures and caused their issuers to disclose their conclusions regarding their evaluation; and
- they have caused their issuers to disclose certain changes in internal control over financial reporting.

By inference, there would be a responsibility for Board members to monitor the control systems and ask the right questions to ensure that the systems are designed and operating as they should and that there are processes in place to ensure that management's legal requirements are met.

IT outsourcing is increasingly used by business as a means of reducing costs and for achieving strategic technical and operational objectives. IT outsourcing changes the risk profile of an organization by transferring some of the responsibility for operational management to a third party while simultaneously introducing new risks and responsibilities to management. The issues related to the transfer of risk and management, sometimes on a cross-border basis, challenge the confidence of management that it remains in control of its business risks.

This brochure suggests the questions that Board members should ask in exercising their governance responsibilities as they relate to outsourcing. The questions are grouped in five main areas: strategic considerations, risk mitigation, contract management, issues resolution, and performance monitoring.

[1] The Investor Confidence rules include Multilateral Instruments 52-108 (Auditor Oversight), 52-109 (Certification of Disclosure in Issuers' Annual and Interim Filings) and 52-110 (Audit Committees).
Strategic Considerations

Just as there are many variations to what is outsourced, there are many reasons why an organization would opt for outsourcing. Chief among them are the operational, technological and financial benefits to be gained. Regardless of the motives, it is important to acknowledge that outsourcing is more than a simple purchase decision based upon economic or financial criteria. It is a strategic decision that can have significant, long-lasting influence on the reputation and the performance of an organization. It is a decision that results in management relinquishing ownership and control of the outsourced processes to a third party service provider. In exchange, management takes on added responsibility for defining, in advance, the results of the process and for holding the service provider accountable for the provision of those results. Key, therefore, to the understanding of outsourcing is that while service delivery has been transferred, accountability has not.

Accordingly, from the outset, an IT outsourcing strategy should be developed as an integral part of the overall business strategy. An organization seeking to outsource activities or to continue in an outsourcing relationship should define specific criteria for making decisions about outsourcing that will ensure the continued alignment with the overall business strategy. These should include a risk-based due diligence evaluation of the extent to which processes are, or remain, appropriate for outsourcing as well as an assessment of the service provider's ability to supply the desired results. This analysis requires a thorough assessment of the organization's strategies, its core competencies, managerial strengths and weaknesses, and impact on its customers and other stakeholders.

The organization's Board of Directors has overall responsibility for ensuring that all outsourcing decisions taken by management are in keeping with the organization's policies and risk management practices. To execute this responsibility, the Board should seek answers to the following questions:

1. Has management clearly defined its operational, technical and financial objectives, the service levels and the desired outcomes to be achieved for processes that are to be outsourced?
2. Has management considered how the organization will be affected by the loss of skills or intellectual capital that the company is giving up by outsourcing?
3. Does management monitor the service provider's expertise, size, financial health, culture, operational capability and experience levels to ensure the service provider can meet the organization's service requirements over the duration of the contract?
4. Does the organization have the core competency, capacity, tools and policies to evaluate and manage the quality of service delivered by the service provider, to keep abreast of changing business needs and new technology and to ensure changing business needs, regulations, policies, standards, and priorities are effectively communicated to the service provider?
Risk Mitigation

A key component of an organization's governance framework is the establishment of effective management practices and internal controls to mitigate outsourcing risk. There is a wide range of risks that need to be managed, which include strategic risk, reputation risk, operational risk, country risk, and contractual risk. The assessment of outsourcing risk at an organization will depend on several factors including:
- the impact outsourcing may have on the satisfaction of strategic goals, objectives, and business needs of the organization;
- the importance of the IT service to the organization and the financial, reputational and operational consequences of failure of the service provider to adequately perform the activity;
- the complexity, size, and interdependence of the activities to be outsourced;
- the legal and regulatory requirements;
- the political, legal and societal implications of the specific geographical location of an outsourcing service provider;
- the service provider's reputation and credentials, its experience, expertise, size, financial health, and its own use of downstream partners to support the delivery of the outsourced services;
- the availability of alternative service providers; and
- the implications of terminating the agreement by changing service providers or reverting to an in-house solution.

The organization should establish governance policies and relevant risk management practices that guide the outsourcing decisions. These risk management practices should be embedded in the ongoing monitoring and controlling of all relevant aspects of the outsourcing arrangements as well as being used to decide the corrective actions to be taken when unintended or undesirable events occur. Equally important, the organization requires ongoing assurance that its own internal control framework and that of the service provider operate continuously and effectively to protect its reputation and IT assets. This assurance needs to extend beyond the routine processes to include special risk situations such as material changes in the structure or management of the service provider or to deal with foreign-based service delivery.

The following questions should be asked:

5. Is management confident in the effectiveness of the service provider's internal controls over the systems, data and software to ensure their integrity, security and availability as well as compliance with laws and regulations?
6. Is management satisfied that effective risk mitigation mechanisms related to information protection, business continuity, change control and regulatory compliance exist to govern the processes and controls that have been relinquished or transferred to the service provider?
7. If the outsourcing services are provided by a supplier that is located in or subject to the laws of a foreign jurisdiction, has management effectively mitigated the risks related to the economic, cultural and political backdrop, the technological sophistication, and the legal and regulatory profile of the foreign jurisdiction?
8. Are actual and attempted security violations, operations problems and control breakdowns promptly recorded and reported to the organization by the service provider?
9. Does the service provider maintain adequate business continuity and disaster recovery plans to mitigate the effects of a processing interruption?
10. Do effective contingency plans exist should the service provider fail temporarily or permanently to continue providing service?
Contract Management

Through outsourcing, an organization replaces operational responsibilities for the day-to-day management of a process with strategic responsibilities for managing a business relationship with a third party service provider. The competencies required for managing the new responsibilities are not always readily available. Problems can occur in the new relationship if the organization continues to try to manage the outsourced processes or be involved in the detailed process events rather than focusing on the achievement of overall service results that drive the outsourcing decision. To effectively govern an outsourced IT process requires a significant change in management activity and skill. In managing the contractual relationship it is important to note that some service requirements cannot be defined until after the contract is implemented and others should be improved over the life of the contract.

Underpinning successful management of an outsourced IT process is the requirement that the respective roles and responsibilities for both parties to the outsourcing be defined and understood. Responsibility should be formally assigned for the management of all aspects of the outsourcing arrangement, from service level monitoring, to problem resolution, to executive level steering committees. For clarity, these should be documented in the outsourcing contract that defines all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.

The following questions should be addressed:

11. Does the outsourcing contract describe the significant terms of the outsourcing arrangement including the level of service to be provided by the service provider, all regulatory obligations, the rights and responsibilities of both parties, and the provisions for terminating the contract should the need arise?
12. Are the respective roles and responsibilities defined and understood by both the organization and the service provider?
13. Does the organization have rights to audit the service provider's internal controls, records and audit trails or to obtain independent audit reports on the existence and the effectiveness of the service provider's internal controls?
14. Is management able to impose control requirements in the event that the service provider offers services to a competitor, changes key personnel, or engages third party subcontractors to help deliver the services?
Issues Resolution

An outsourcing arrangement brings two separate organizations together in a relationship that acts for their mutual benefit. It is important to realize that while the parties to the arrangement share many common interests, as separate and distinct enterprises they have different strategic motives, different corporate cultures, and different ideas of how common objectives can be achieved. It is inevitable that the differences that exist between parties to the outsourcing will, from time to time, result in tension or, if not effectively resolved, dispute. An organization's failure to recognize and respond to these differences can undermine the value of the outsourcing.

A balance must be achieved that enables both parties to meet common service level objectives while, at the same time, satisfying their unique business objectives. The organization needs to establish a framework that facilitates the business relationship between the outsourcing partners and ensures effective communication of priorities and service requirements as well as resolving any issues that may arise.

The questions to address are:

15. Do effective accountabilities and processes exist to monitor and manage the relationship with the service provider, to maintain good communication between the parties, to ensure mutual understanding of business needs and service quality, and to resolve issues that may arise from time to time?
16. Has management considered the issues or disputes that remain unresolved with the service provider and the impediments to their resolution?
Performance Monitoring

A commonly held business sentiment is that you cannot manage what you do not measure. In outsourcing, the ownership and the execution of the process belong to the service provider. Performance metrics that were formerly used to manage and control the process prior to outsourcing may no longer be appropriate or sufficient. It is important, therefore, to define relevant performance and control measures that enable the organization to benchmark the service provider's performance and to assess the quality of the service delivered. The agreement should provide for the continuous monitoring and assessment by the organization of the service provider so that any necessary corrective measures can be taken immediately.

The development of useful performance metrics is not a simple task. Effective reporting of performance results should be a mix of point-in-time and period-of-time metrics that demonstrate task performance and strategic achievement. Care should be taken not to introduce an excessive number and type of measures that consume a large amount of management and service provider resources to collect and analyse. However, not having sufficient appropriate measures of performance can leave the organization in doubt as to whether or not it is receiving the value it expects from the arrangement.

The definition of relevant service level metrics can be further complicated by the need to monitor multiple performance characteristics in order to develop an end-to-end perspective of performance. For example, in a call centre operation, service adequacy may be based upon a composite measurement of specific performance criteria such as the length of time it takes to answer calls, the number of calls that hang up before being satisfactorily dealt with, the call duration, and the number of transfers before the call is completed. Metrics should also be defined to address the qualitative or intangible aspects of the service, for example accuracy of information provided and customer satisfaction.

The frequency at which the metrics will be applied depends on the nature and the significance of the process that is outsourced and the consequences to the organization of performance failure. Some aspects of IT service are more important to business reputation and customer service than others and will require more frequent measurements of performance, for example data security or Internet availability. Each organization has unique service priorities that must be reflected in the nature, timing and extent of its performance measures.

A final and vitally important aspect of performance measurement relates to the cost of the performance being provided by the service provider. Pricing of outsourcing services can be or become complex over time as changes are introduced into the outsourcing agreement. Existing services may be extended or curtailed, new services or processes may be implemented, and technology developments may improve productivity. An organization must understand what it is paying for in order to be able to ascertain the value it is receiving. Special processes may need to be enacted within the organization to satisfy management of the correctness of the service provider's billings.

These measures not only assure the organization it is getting the service that it is paying for, they also establish the rules of the game, so to speak, and reduce the need for managing through continual reference to the provisions of the outsourcing contract. They reinforce to the service provider the organization's priorities and, in doing so, enable the service provider to identify where process improvements are needed.

The Board should seek answers to the following questions:

17. Are clear, objective and reliable measures of performance defined and operating to benchmark the service provider's performance and assess the quality and cost of the service delivered?
18. Has the service provider been able to consistently meet or exceed service delivery expectations?
19. Is management able to respond to situations where the service provider fails to meet service delivery expectations?
20. Does management ensure the correctness of billings under the agreement?
Conclusion

IT outsourcing is a strategic component of many leading businesses and is increasingly becoming a pervasive management solution to the IT-related challenges of competing in today's marketplace. A failure to achieve the sought-after benefits of outsourcing can be expensive and highly disruptive to the operations of both the organization and the service provider. The oversight the Board of Directors provides and the responsibility it assumes for the success of the outsourcing arrangement is extensive and onerous. All Board members share this responsibility. This responsibility includes a duty to pursue the answers to these questions.
Appendix: Summary of Questions

Strategic Considerations
1. Has management clearly defined its operational, technical and financial objectives, the service levels and the desired outcomes to be achieved for processes that are to be outsourced?
2. Has management considered how the organization will be affected by the loss of skills or intellectual capital that the company is giving up by outsourcing?
3. Does management monitor the service provider's expertise, size, financial health, culture, operational capability and experience levels to ensure the service provider can meet the organization's service requirements over the duration of the contract?
4. Does the organization have the core competency, capacity, tools and policies to evaluate and manage the quality of service delivered by the service provider, to keep abreast of changing business needs and new technology and to ensure changing business needs, regulations, policies, standards, and priorities are effectively communicated to the service provider?

Risk Mitigation
5. Is management confident in the effectiveness of the service provider's internal controls over the systems, data and software to ensure their integrity, security and availability as well as compliance with laws and regulations?
6. Is management satisfied that effective risk mitigation mechanisms related to information protection, business continuity, change control and regulatory compliance exist to govern the processes and controls that have been relinquished or transferred to the service provider?
7. If the outsourcing services are provided by a supplier that is located in or subject to the laws of a foreign jurisdiction, has management effectively mitigated the risks related to the economic, cultural and political backdrop, the technological sophistication, and the legal and regulatory profile of the foreign jurisdiction?
8. Are actual and attempted security violations, operations problems and control breakdowns promptly recorded and reported to the organization by the service provider?
9. Does the service provider maintain adequate business continuity and disaster recovery plans to mitigate the effects of a processing interruption?
10. Do effective contingency plans exist should the service provider fail temporarily or permanently to continue providing service?

Contract Management
11. Does the outsourcing contract describe the significant terms of the outsourcing arrangement including the level of service to be provided by the service provider, all regulatory obligations, the rights and responsibilities of both parties, and the provisions for terminating the contract should the need arise?
12. Are the respective roles and responsibilities defined and understood by both the organization and the service provider?
13. Does the organization have rights to audit the service provider's internal controls, records and audit trails or to obtain independent audit reports on the existence and the effectiveness of the service provider's internal controls?
14. Is management able to impose control requirements in the event that the service provider offers services to a competitor, changes key personnel, or engages third party subcontractors to help deliver the services?

Issues Resolution
15. Do effective accountabilities and processes exist to monitor and manage the relationship with the service provider, to maintain good communication between the parties, to ensure mutual understanding of business needs and service quality, and to resolve issues that may arise from time to time?
16. Has management considered the issues or disputes that remain unresolved with the service provider and the impediments to their resolution?

Performance Monitoring
17. Are clear, objective and reliable measures of performance defined and operating to benchmark the service provider's performance and assess the quality and cost of the service delivered?
18. Has the service provider been able to consistently meet or exceed service delivery expectations?
19. Is management able to respond to situations where the service provider fails to meet service delivery expectations?
20. Does management ensure the correctness of billings under the agreement?
About the authors

The Information Technology Advisory Committee (ITAC) is part of the Knowledge Development Group at the CICA. Its role is to provide support and advice on IT matters to the CA profession and the business community. The Committee's members and CICA staff are listed in the Preface.
The Canadian Institute of Chartered Accountants
277 Wellington Street West
Toronto, ON Canada M5V 3H2
Tel: 416-977-0748 / 1-800-268-3793
Fax: 416-204-3416
www.cica.ca