IT Controls Part I,Sarbanes-Oxley and IT Governance:Outsourcing the IT Function

Outsourcing the IT Function

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services such as data entry, data center operations, applications development, applications maintenance, and net- work management. Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. The resulting cost savings are then passed to the client organization. Furthermore, many IT out- sourcing arrangements involve the sale of the client firm’s IT assets, both human and machine, to the vendor which the client firm then leases back. This transaction results in a significant one-time cash infusion to the firm.

The logic underlying IT outsourcing follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non–core areas such as the IT functions. This premise, however, ignores an important distinction between commodity and specific IT assets.

Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.

Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non–core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to return to its pre-outsource state. On the other hand, TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.

Naturally, a CEO’s perception of what constitutes a commodity IT asset plays an important role in IT outsourcing decisions. Often this comes down to a matter of definition and interpretation. For exam- ple, most CEOs would define their IT function as a non–core commodity, unless they are in the business of developing and selling IT applications. Consequently, a belief that all IT can, and should, be managed by large service organizations tends to prevail. Such misperception reflects, in part, both lack of executive education and dissemination of faulty information regarding the virtues and limitations of IT outsourcing.4

RISKS INHERENT TO IT OUTSOURCING

Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature. The level of risk is related to the degree of asset specificity of the outsourced function. The following sections outline some well-documented issues.

Failure to Perform

Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an 11-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.

Vendor Exploitation

Large-scale IT outsourcing involves transferring to a vendor ‘‘specific assets’’ such as the design, development, and maintenance of unique business applications that are critical to an organization’s survival. Specific assets, while valuable to the client, are of little value to the vendor beyond the immediate con- tract with the client. Indeed, they may well be valueless should the client organization go out of business. Because the vendor assumes risk by acquiring the assets and can achieve no economies of scale by employing them elsewhere, the client organization will pay a premium to transfer such functions to a third party. Further, once the client firm has divested itself of such specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.

Outsourcing Costs Exceed Benefits

IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits are not realized. One survey revealed that 47 percent of 66 firms surveyed reported that the costs of IT outsourcing exceeded outsourcing benefits. One reason for this is that outsourcing clients often fail to anticipate the costs of vendor selection, contracting, and the transitioning of IT operations to the vendors.

Reduced Security

Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company’s network, corporations are at risk of losing control of their information. To a large degree U.S. firms are reliant on the outsourcing vendor’s security measures, data-access policies, and the privacy laws of the host country. For example, a woman in Pakistan obtained patient-sensitive medical data from the University of California Medical Center in San Francisco. She gained access to the data from a medical transcription vendor for whom she worked. The woman threatened to publish the records on the Internet if she did not get a raise in pay. Terrorism in Asia and the Middle East raises additional security concerns for companies outsourcing technology offshore. For example, on March 5, 2005, police in Delhi, India, arrested a cell of suspected terrorists who were planning to attack outsourcing firms in Bangalore, India.

Loss of Strategic Advantage

IT outsourcing may affect incongruence between a firm’s IT strategic planning and its business planning functions. Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance. To promote such alignment, firms need IT managers and chief information officers (CIOs) who have a strong working knowledge of the organization’s business. A survey of 213 IT managers in the financial services industry confirmed that a firm’s IT leadership needs to be closely aligned with the firm’s competitive strategy. Indeed, some argue that the business competence of CIOs is more important than their IT competence in facilitating strategic congruence.

To accomplish such alignment necessitates a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed offshore or even domestically. Further, because the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven to toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace.

AUDIT IMPLICATIONS OF IT OUTSOURCING

Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, ‘‘The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting.’’ Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization’s controls, or alternatively obtain a SAS No. 70 auditor’s report from the vendor organization.

Statement on Auditing Standard No. 70 (SAS 70) is the definitive standard by which client organiza- tions’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements. The SAS 70 report, which is prepared by the vendor’s auditor, attests to the adequacy of the vendor’s internal controls. This is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients’ auditors and thus preclude the need for each client firm auditor to conduct its own audit of the vendor organization’s internal controls.

Figure 15-7 illustrates how a SAS 70 report works in relation to the vendor, the client firms, and their respective auditors. The outsourcing vendor serves clients 1, 2, 3, and 4 with various IT services. The in- ternal controls over the outsourced services reside at the vendor location. They are audited by the ven- dor’s auditor, who expresses an opinion and issues a SAS 70 report on the control adequacy. Each of the client firms is audited by different auditors A, B, C, and D, respectively, who as part of their respective audits rely on the vendor’s SAS 70 report and are thus not compelled to individually test the vendor’s controls. Given that a vendor may have hundreds or even thousands of clients, individual testing under SOX would be highly disruptive to the vendor’s operations, costly to the client, and impractical.

Service provider auditors issue two types of SAS 70 reports. An SAS 70 Type I report is the less rigorous of the two and comments only on the suitability of the controls’ design. An SAS 70 Type II report goes further and assesses whether the controls are operating effectively based on tests conducted by the vendor organization’s auditor. The vast majority of SAS 70 reports issued are Type II. Because Section 404 requires the explicit testing of controls, SAS 70 Type I reports are of little value in a post-SOX world.

IT Controls Part I,Sarbanes-Oxley and IT Governance-0078

F I G U R E

15-7

SAS 70 OVERVIEW

Vendor Auditor

Outsourcing Vendor

Client 1

Client 4

SAS 70 Report Client

Client Client

2 SAS 70 Report Auditor B

Client

Auditor C

Client

Comments

Popular posts from this blog

The Conversion Cycle:The Traditional Manufacturing Environment

The Revenue Cycle:Manual Systems

Nassi-Shneiderman charts