IT Controls Part I,Sarbanes-Oxley and IT Governance:Outsourcing the IT Function

By -

Outsourcing the IT Function

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services such as data entry, data center operations, applications development, applications maintenance, and net- work management. Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. The resulting cost savings are then passed to the client organization. Furthermore, many IT out- sourcing arrangements involve the sale of the client firm’s IT assets, both human and machine, to the vendor which the client firm then leases back. This transaction results in a significant one-time cash infusion to the firm.

The logic underlying IT outsourcing follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non–core areas such as the IT functions. This premise, however, ignores an important distinction between commodity and specific IT assets.

Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.

Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non–core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to return to its pre-outsource state. On the other hand, TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.

Naturally, a CEO’s perception of what constitutes a commodity IT asset plays an important role in IT outsourcing decisions. Often this comes down to a matter of definition and interpretation. For exam- ple, most CEOs would define their IT function as a non–core commodity, unless they are in the business of developing and selling IT applications. Consequently, a belief that all IT can, and should, be managed by large service organizations tends to prevail. Such misperception reflects, in part, both lack of executive education and dissemination of faulty information regarding the virtues and limitations of IT outsourcing.4

RISKS INHERENT TO IT OUTSOURCING

Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature. The level of risk is related to the degree of asset specificity of the outsourced function. The following sections outline some well-documented issues.

Failure to Perform

Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an 11-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.

Vendor Exploitation

Large-scale IT outsourcing involves transferring to a vendor ‘‘specific assets’’ such as the design, development, and maintenance of unique business applications that are critical to an organization’s survival. Specific assets, while valuable to the client, are of little value to the vendor beyond the immediate con- tract with the client. Indeed, they may well be valueless should the client organization go out of business. Because the vendor assumes risk by acquiring the assets and can achieve no economies of scale by employing them elsewhere, the client organization will pay a premium to transfer such functions to a third party. Further, once the client firm has divested itself of such specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.

Outsourcing Costs Exceed Benefits

IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits are not realized. One survey revealed that 47 percent of 66 firms surveyed reported that the costs of IT outsourcing exceeded outsourcing benefits. One reason for this is that outsourcing clients often fail to anticipate the costs of vendor selection, contracting, and the transitioning of IT operations to the vendors.

Reduced Security

Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company’s network, corporations are at risk of losing control of their information. To a large degree U.S. firms are reliant on the outsourcing vendor’s security measures, data-access policies, and the privacy laws of the host country. For example, a woman in Pakistan obtained patient-sensitive medical data from the University of California Medical Center in San Francisco. She gained access to the data from a medical transcription vendor for whom she worked. The woman threatened to publish the records on the Internet if she did not get a raise in pay. Terrorism in Asia and the Middle East raises additional security concerns for companies outsourcing technology offshore. For example, on March 5, 2005, police in Delhi, India, arrested a cell of suspected terrorists who were planning to attack outsourcing firms in Bangalore, India.

Loss of Strategic Advantage

IT outsourcing may affect incongruence between a firm’s IT strategic planning and its business planning functions. Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance. To promote such alignment, firms need IT managers and chief information officers (CIOs) who have a strong working knowledge of the organization’s business. A survey of 213 IT managers in the financial services industry confirmed that a firm’s IT leadership needs to be closely aligned with the firm’s competitive strategy. Indeed, some argue that the business competence of CIOs is more important than their IT competence in facilitating strategic congruence.

To accomplish such alignment necessitates a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed offshore or even domestically. Further, because the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven to toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace.

AUDIT IMPLICATIONS OF IT OUTSOURCING

Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, ‘‘The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting.’’ Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization’s controls, or alternatively obtain a SAS No. 70 auditor’s report from the vendor organization.

Statement on Auditing Standard No. 70 (SAS 70) is the definitive standard by which client organiza- tions’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements. The SAS 70 report, which is prepared by the vendor’s auditor, attests to the adequacy of the vendor’s internal controls. This is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients’ auditors and thus preclude the need for each client firm auditor to conduct its own audit of the vendor organization’s internal controls.

Figure 15-7 illustrates how a SAS 70 report works in relation to the vendor, the client firms, and their respective auditors. The outsourcing vendor serves clients 1, 2, 3, and 4 with various IT services. The in- ternal controls over the outsourced services reside at the vendor location. They are audited by the ven- dor’s auditor, who expresses an opinion and issues a SAS 70 report on the control adequacy. Each of the client firms is audited by different auditors A, B, C, and D, respectively, who as part of their respective audits rely on the vendor’s SAS 70 report and are thus not compelled to individually test the vendor’s controls. Given that a vendor may have hundreds or even thousands of clients, individual testing under SOX would be highly disruptive to the vendor’s operations, costly to the client, and impractical.

Service provider auditors issue two types of SAS 70 reports. An SAS 70 Type I report is the less rigorous of the two and comments only on the suitability of the controls’ design. An SAS 70 Type II report goes further and assesses whether the controls are operating effectively based on tests conducted by the vendor organization’s auditor. The vast majority of SAS 70 reports issued are Type II. Because Section 404 requires the explicit testing of controls, SAS 70 Type I reports are of little value in a post-SOX world.

IT Controls Part I,Sarbanes-Oxley and IT Governance-0078

F I G U R E

15-7

SAS 70 OVERVIEW

Vendor Auditor

Outsourcing Vendor

Client 1

Client 4

SAS 70 Report Client

Client Client

2 SAS 70 Report Auditor B

Client

Auditor C

Client

Comments

Post a Comment

Popular posts from this blog

The Conversion Cycle:The Traditional Manufacturing Environment

By -
Image
The Traditional Manufacturing Environment The conversion cycle consists of both physical and information activities related to manufacturing products for sale. The context-level data flow diagram (DFD) in Figure 7-1 illustrates the central role of the conversion cycle and its interactions with other business cycles. Production is triggered by customer orders from the revenue cycle and/or by sales forecasts from marketing. These inputs are used to set a production target and prepare a production plan, which drives production activities. Purchase requisitions for the raw materials needed to meet production objectives are sent to the purchases procedures (expenditure cycle), which prepares purchase orders for vendors. Labor used in production is transmitted to the payroll system (expenditure cycle) for payroll processing. Manufacturing costs associated with intermediate work-in-process and finished goods (FG) are sent to the general ledger (GL) and financial reporting system. Dependin
Read more

The Revenue Cycle:Manual Systems

By -
Image
Manual Systems The purpose of this section is to support the system concepts presented in the previous section with models depicting people, organizational units, and physical documents and files. This section should help you envision the segregation of duties and independent verifications, which are essential to effective internal control regardless of the technology in place. In addition, we highlight inefficiencies intrinsic to manual systems, which gave rise to modern systems using improved technologies. SALES ORDER PROCESSING The system flowchart in Figure 4-12 shows the procedures and the documents typical to a manual sales order system. In manual systems, maintaining physical files of source documents is critical to the audit trail. As we walk through the flowchart, notice that in each department, after completion of the assigned task, one or more documents are filed as evidence that the task was completed. Sales Department The sales process begins with a customer cont
Read more

HIPO (hierarchy plus input-process-output)

By -
Image
HIPO (hierarchy plus input-process-output) 64.1 Purpose The HIPO (Hierarchy plus Input-Process-Output) technique is a tool for planning and/or documenting a computer program. A HIPO model consists of a hierarchy chart that graphically represents the program’s control structure and a set of IPO (Input-Process-Output) charts that describe the inputs to, the outputs from, and the functions (or processes) performed by each module on the hierarchy chart. 64.2 Strengths, weaknesses, and limitations Using the HIPO technique, designers can evaluate and refine a program’s design, and correct flaws prior to implementation. Given the graphic nature of HIPO, users and managers can easily follow a program’s structure. The hierarchy chart serves as a useful planning and visualization document for managing the program development process. The IPO charts define for the programmer each module’s inputs, outputs, and algorithms. In theory, HIPO provides valuable long-term documentation. However
Read more