Relying on the Third Party


We look at what outsourcing is and what organizations must consider when weighing the option to outsource. We then take a deeper look at the standards behind audits of services provided by third-party companies, including SAS 70, SSAE 16, CICA 5970 and ISAE 3402.

Published in: Business, Technology

  1. Relying on the Third Party
     Sabrina Maeng

  2. Agenda
     • What is Outsourcing?
     • What to Outsource?
     • Types of Outsourcing
     • Criticisms and Support
     • Why to Outsource?
     • Risks
     • Mitigating Risks: Audit
     • Audit Focus
     • Specific Standards
     • Recommendations

  3. What is Outsourcing?
     “the outsourcing process can be perceived as the activity transferred to be carried out by another company” [1]
     [1] Source: Andone, Ioan I and Pavaloaia, Vasile-Daniel. “Outsourcing the Business Services.” Informatica Economica. 14.1 (2010): 163-172. EBSCO Host. Web. 28 May 2011.

  4. What to Outsource?
     • Business Process Outsourcing (BPO)
       • Accounting
       • Customer Support
       • Marketing
       • Analysis (Financial and Economic)
     • Information Technology Outsourcing (ITO)
       • Software development
       • Application support and maintenance
       • Infrastructure management

  5. Types of Outsourcing
     • Offshoring: transfer of business activity to another country
     • Domestic outsourcing: transfer of business activity to a non-affiliated company within the same country

  6. What is Outsourcing?
     • Support
       • Cost savings for the company – up to 50-60%
       • “Transformational Outsourcing” [2]
       • Price reductions for consumers
     • Criticisms
       • Reputation at stake
       • Loss of product quality
       • Loss of intellectual capital (i.e. data security)
     [2] Engardio, Peter. “The Future of Outsourcing.” Bloomberg Business Week. (2006). Web. 28 May 2011.

  7. Why to Outsource?
     • Current financial situation of the company
     • Actual outsourcing costs
     • Control of business functions
     • Access to documents
     • Cultural differences
     • Organizational differences
     • Hiring practices
     • Management attitude
     • Competencies required

  8. Risks
     Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” Informatica Economica. 14.1. (2010): 113-118. 163-172. EBSCO Host. Web. 28 May 2011.

  9. Risks
     Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” Informatica Economica. 14.1. (2010): 113-118. 163-172. EBSCO Host. Web. 28 May 2011.

  10. Risks
     • The Agreement
     • Roles and responsibilities
     • Expertise and experience of supplier
     • System capabilities
     • Staffing requirements

  11. Risks
     • Data Security
     • Reputation
     • System functions and capabilities
     • “You can delegate accountability, but not responsibility.” [4]
     • Service providers are accountable
     • User organizations are responsible
     [4] Source: Van Dyk, Peter. “Cloud Computing: Validating accountability and responsibility.” NZ Business. 24.10 (2010). EBSCO Host. Web. 28 May 2011.

  12. Mitigating Risk: Audit
     • Why Audit?
     • SOX requires that publicly traded companies with outsourced processes obtain audits
     • Many companies won’t use a service provider that doesn’t have an audit

  13. Audit: Focus
     • Security
     • Data
     • Network
     • Connectivity
     • Contract
     • Country-specific regulatory requirements

  14. Audit: SAS 70 and CICA 5970
     • SAS 70 and CICA 5970 are similar in nature
     • Type I: evaluation of control design at a point in time
     • Type II: evaluation of control design and operating effectiveness of controls over a period of time

  15. Audit: SAS 70 and CICA 5970
     • Service organizations choose the controls
     • Management can circumvent the process
     • Too much reliance on management with no assertion

  16. Audit: SSAE 16 and ISAE 3402
     • Assertion-based engagements
     • Type I/Type II and Type A/B
     • Reliance on internal audit processes

  17. Audit: SSAE 16
     • New U.S. standard issued June 15, 2011 to replace SAS 70
     • Better aligns with international standards (ISAE 3402 discussed later)

  18. Audit: SSAE 16
     • Management assertion requirement
     • Expanded descriptions (inclusive of internal controls, systems and processes)
     • Identification of risk points or weaknesses
     • Addresses use of subservice organization
       • Inclusive
       • Carve-out
     • Assumptions on user role
     • Reliance on internal audit processes

  19. Audit: ISAE 3402
     • Current acting international standard
     • Used as a basis to update existing standards
     “An International Assurance Standard for Third Party Reporting: Benefits and Implications for Service Organizations.” PricewaterhouseCoopers. 2009. Web. 10 June 2011.

  20. Audit: ISAE 3402
     • Management assertion requirement
     • Specifies criteria (preparing and presenting system description, control design and operating effectiveness)
     • Disclosure of reliance on internal audit processes, and/or external experts used with regard to controls
     • Extending the scope beyond financial reporting matters
     • Regulatory, compliance, operational, business recovery matters

  21. Recommendations
     • Use of service organizations is not beneficial to every company
     • Cost-benefit analysis
     • Risk analysis and mitigation
     • Audit or Attest