Auditing Outsourcing Arrangements Eileen Healy Enterprise Risk Services Director 16 April 2015 Contact Details: - Email: - ehealy@deloitte.ie Mobile: - 086 164 3082
Session Objectives To provide an understanding of the types of arrangements that may be in place in the modern organisation, and the range of risks associated with these To understand the source of risk and the importance of managing partner risks To assist Internal Auditors in thinking about how they can audit the risks associated with outsourcing 1
Enterprise Risk Services Over 100 risk, governance, and control professionals across 3 offices in Dublin, Cork and Limerick Breadth of skills to support multi faceted client requirements Support clients with special projects and outsource arrangements 2
Setting the Scene In todays fast, interconnected business environment, companies are outsourcing activities more than ever before. Outsourcing may occur for a variety of reasons: Increased rate of global expansion Access to skills and expertise Flexibility in serving customers Cost savings Allows the company to focus on core competencies and free up internal resources 3
Setting the Scene In a Global Outsourcing survey conducted by Deloitte in 2014, the following trends were identified: 53% of respondents currently outsource elements of their IT function, with 26% of those who do not currently outsource, planning to. 25% of respondents currently outsource real estate and facilities management, with 19% of those who do not currently outsource, planning to. 16% of respondents currently outsourcing HR functions, with 22% of those who do not currently outsource, planning to. 89% of respondents believe that offshoring will continue unless legislation is enacted to limit it. 40% of respondents believe increased data privacy regulation will likely lead to a decrease in outsourcing 4
Outsourced Activities The activities outsourced are as varied as the reason to outsource Non Value Adding Non-core services Logistics, Facilities Management Back Office Services Payroll, HR, Data Storage IT Services Cloud based software and data storage Value Adding Customer facing roles Customer support, online and phone sales and retention Manufacturing Component manufacturing, assembly 5
The Extended Enterprise Macro Economic and Industry Players Governments (Regulators) Industry and market leaders Sponsorships/Marketing Suppliers, Distributors, Consumers and Resellers The Value Chain Outsourced Due Diligence Service Traceability and Sustainability Providers The Company Internal Processes Core Competencies Value Adding Activities Source of competitive advantage Non-core, essential processes Back office, IT, legal, property maintenance 6
Outsourcing Arrangements Traditionally, High Complexity and Low Strategic Importance were the ideal activities to be outsourced Typical outsourced arrangements include: Logistics IT Outsourcing Back Office Processes However today, more strategically important, and customer facing items are outsourced For example Component - manufacture and assembly The key to a successful outsourcing arrangement is hinged on a number of factors: Ability to work with the provider Regular, swift communication Establishment and achievement of agreed service levels A mutually beneficial relationship Seamless transition to service provider Trust, transparency and collaboration 7
How do you identify the risks? Organisations need to understand the associated risks before deciding to outsource. Knowing the risks is the first step in managing the risks What process is considered being outsourced? Is this a key value adding activity? What would be the worst scenario in an badly run/managed outsourced arrangement? Strategic damage in terms of new markets or company direction? Operational disruption? Financial loss in either the short or long term? Reputational damage to the brand? What is the driver behind the outsourcing? 8
The impact on the customer! The customer is a key factor in the decision to outsource Would a decision to outsource be accepted by customers? Would outsourcing affect the customers perception of the company / brand and the value provided to them? Has the customer given permission for their data to be transferred to a third party, if required? Remember that all outsourcing partners actions that affect the customer are a reflection on the company in the eyes of the customer? 9
The risk of outsourcing In 2012, Deloitte undertook a Global Outsourcing and Insourcing survey. Upon completion, Dave Zechnich, a retired partner from Deloitte & Touche, who previously served as the global leader for its Contract Risk and Compliance practice noted: These risks (associated with Business Process Outsourcing), if not managed effectively, can lead to value leakage and adversely impact an organization s financial performance, operating model integrity and reputation, In addition to complexities and risks, improperly planned and managed initiatives typically fail to deliver the anticipated benefits. The 2012 Global Outsourcing and Insourcing Survey, conducted by Deloitte, found that 48% of companies had previously terminated an outsourcing contract, primarily due to concerns with service quality. In addition, 24% indicated a less-than-satisfactory rating for their most recent outsourcing initiative. The survey reflected the views of 111 executives from companies with median revenue between $1 billion and $5 billion, spanning 23 different countries. 10
The risk of outsourcing Risk is usually categorised into four key areas which aid in identifying and assessing the level of risk posed by an action or outcome. In identifying and assessing these risks, a company can put in place the appropriate mitigating actions and controls Strategic - Failure to achieve strategic goals - Requirement to deviate from strategic plan - Inability to grow the business at a desired rate - Inability to capitalise and capture key markets or customers Operational - Requirement to cease or alter production - Requirement to change the business processes - Inability to meet customer expectations Financial - Loss of customer revenue - Unexpected liabilities in the form of settlements or legal costs - Failed outsourcing contracts - Cost of outsourcing greater than cost of servicing the requirement in house Reputational - Reputational damage based on poor quality service from outsourcing partner - Inferior quality products or service reaching the customer - Media coverage based on outsourced partners actions or inactions 11
The Role of Internal Audit Management are responsible for establishing, managing and monitoring contract performance for all outsourcing arrangements. As with all risks, Internal Audit have a key role to play in providing re-assurance to the Audit Committee that risks are monitored and managed effectively by management, including those arising from relationships with external organisations. Risk Universe need to take account of the extended enterprise which includes all organisations interacting with the company in providing its product or service to the customer and ensuring operational continuity Review approach is dependent on activity Supplier Outsourced service provider Distributor Reseller Approach should always have two components: - 12 1. Review of contractual and service level agreements and compliance with these (audits of the arrangement) 2. Review of key activities to ensure they are conducted in an appropriate and controlled manner (audits of the activity)
How do we audit the outsourcing arrangements Two key areas Pre Appointment Identify project risks, key performance indicators (KPIs) and minimum acceptance criteria for outsourced provider Undertake appropriate due diligence Ensure adequate certification (ISO, NSAI, ISAE3402) is in place and is up to date Ensure that the appropriate resources and skills exist within the third party and processes are embedded Ensure third party management commitment to quality and independently seek customer testimonies Establish and agree acceptable and attainable Service Level Agreements (SLAs) and reporting requirements Post Appointment Monitor approach to third party service level management Review performance against targets (quality, quantity, customer satisfaction) and assess adequacy of action plans where targets are not met. Undertake independent contract compliance audits on a periodic basis With outsourcing no one size work programme fits all so work with management to identify and assess the risks that should be included in the work programme. 13
Pre-Appointment Detailed Considerations Pre Appointment Identifying risks, KPIs and minimum acceptance criteria Undertake a detailed risk analysis of the function which is proposed to be outsourced Determine any legal implications or requirements in outsourcing the function Identify the KPIs that measure the effectiveness of the service to be outsourced Identify the minimum acceptance criteria to qualify as a successful outsourcing arrangement Identify the key stakeholders and project manager in the outsourcing arrangement Pre Appointment Due Diligence Assess potential outsourcing partners based on their competencies and experience Seek references from customer organisations Assess their financial and operational stability, including their work practices to ensure that they are ethically sound Assess if they plan to subsequently outsource any other activities (sub-contracting) Pre Appointment Quality Certification Verify that they have quality certified work practices and processes Ensure that these have been recently certified and that management are committed to continuous improvement Assess if the potential partner is pursuing any further certification and if quality training is undertaken by employees on a regular basis 14
Pre-Appointment Detailed Considerations Pre Appointment Resourcing Verify that the skills and experience required to meet outsourcing requirements are already possessed by the outsourcing organisations existing employee base Ensure that a programme for up-skilling or attracting adequate talent is in place should additional resources be required or if the outsourcing firm has identified the potential requirement to scale up its operations Pre Appointment Management experience and commitment to quality Assess the management team to ensure that they possess the necessary experience and skills required to successfully implement the project Assess the commitment of management to the outsourcing firm (duration of service, past employment experience) Assess the background, qualifications and experience of management to ensure that they possess the capabilities to adapt and be flexible Pre Appointment Establishment of SLAs and project reporting Review formal agreement on minimum service requirements and performance standards, as well as the remediation terms should performance not meet the agreed levels Ensure level of reporting is sufficient based on associated risk Right to Audit Clause! 15
Post-Appointment Detailed Considerations Post Appointment Reporting Assess that the outsourcing partner is reporting on the predefined metrics in a timely manner Ensure reports are clear, understandable and are independently verified Ensure management are robustly challenging the reports in a timely manner Post Appointment Monitoring performance to target Assess the outsourcing partners performance based on previously agreed criteria e.g. production volume, quality, response time, customer satisfaction surveys, etc. Assess performance against KPIs Determine what quality enhancement plans have been implemented and are planned to increase the value of the service Post Appointment Independent contract risk & compliance (CRC) audits Third party assurance on the performance, reporting and compliance of the outsourcing partner with the agreed contract is appropriate Independently verify that reporting by the outsourcing partner is complete and accurate Independently verify that the third party has the required control environment to ensure that the company is protected from unacceptable risk Undertake independent assessment to ensure that the service being provided by the third party represents value for money - Benchmark services offered and cost against similar service providers 16
Summary and concluding Comments Maintaining close control of the outsourcing arrangement is the key to increased efficiency and capturing the benefits of an efficient outsourcing arrangement It is vital to validate that your vendors, service providers, and outsourcing partners do not succumb to pressures to control their costs at your expense. It is equally important to verify they are delivering on service levels with the quality of deliverables and qualified personnel that they committed to deliver. The third party selection process plays a pivotal role! Audit the pre-appointment processes as well as post appointment contract Regular third party audits aid in ensuring robust third party management and in identifying underperforming partners Contract Risk Compliance (CRC) services help companies optimize relationships with other businesses to maximize revenue, manage costs, address risks, strengthen relationships, and boost performance 17
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte s 1,300 people in Dublin, Cork and Limerick provide audit, tax, consulting, and corporate finance to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s approximately 200,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing s affiliates (collectively the Deloitte Network ) are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. 18