Relying on the Third Party

We will look at what outsourcing is and what considerations organizations must take into account when looking at the option to outsource. Moreover, we will take a deeper look into the standards behind audits of services provided by third-party companies, which include SAS 70, SSAE 16, CICA 5970 and ISAE 3402.


Relying on the Third Party Presentation Transcript

  • 1. Relying on the Third Party
    Sabrina Maeng
  • 2. Agenda
    What is Outsourcing?
    What to Outsource?
    Types of Outsourcing
    Criticisms and Support
    Why to Outsource?
    Risks
    Mitigating Risks: Audit
    Audit Focus
    Specific Standards
    Recommendations
  • 3. What is Outsourcing?
    “the outsourcing process can be perceived as the activity transferred to be carried out by another company”1
    1 Source: Andone, Ioan I and Pavaloaia, Vasile-Daniel. “Outsourcing the Business Services.” Informatica Economica. 14.1 (2010): 163-172. EBSCOhost. Web. 28 May 2011.
  • 4. What to Outsource?
    Business Process Outsourcing (BPO)
      Accounting
      Customer Support
      Marketing
      Analysis (Financial and Economic)
    Information Technology Outsourcing (ITO)
      Software development
      Application support and maintenance
      Infrastructure management
  • 5. Types of Outsourcing
    Offshoring: transfer of business activity to another country
    Domestic outsourcing: transfer of business activity to a non-affiliated company within the same country
  • 6. What is Outsourcing?
    Support
      Cost savings for the company – up to 50-60%
      “Transformational Outsourcing” 2
      Price reductions for consumers
    Criticisms
      Reputation at stake
      Loss of product quality
      Loss of intellectual capital (i.e., data security)
    2 Source: Engardio, Peter. “The Future of Outsourcing.” Bloomberg Business Week. (2006). Web. 28 May 2011. <http://www.businessweek.com/magazine/content/06_05/b3969401.htm>
  • 7. Why to Outsource?
    Current financial situation of the company
    Actual outsourcing costs
    Control of business functions
    Access to documents
    Cultural differences
    Organizational differences
    Hiring practices
    Management attitude
    Competencies required
  • 8. Risks
    Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” Informatica Economica. 14.1. (2010): 113-118. 163-172. EBSCOhost. Web. 28 May 2011.
  • 9. Risks
    Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” Informatica Economica. 14.1. (2010): 113-118. 163-172. EBSCOhost. Web. 28 May 2011.
  • 10. Risks
    The Agreement
    Roles and responsibilities
    Expertise and experience of supplier
    System capabilities
    Staffing requirements
  • 11. Risks
    Data Security
    Reputation
    System functions and capabilities
    “You can delegate accountability, but not responsibility.”4
    Service providers are accountable
    User organizations are responsible
    4 Source: Van Dyk, Peter. “Cloud Computing: Validating accountability and responsibility.” NZ Business. 24.10 (2010). EBSCOhost. Web. 28 May 2011.
  • 12. Mitigating Risk: Audit
    Why Audit?
    SOX requires that publicly traded companies with outsourced processes obtain audits
    Many companies won’t use a service provider that doesn’t have an audit
  • 13. Audit: Focus
    Security
    Data
    Network
    Connectivity
    Contract
    Country-specific regulatory requirements
  • 14. Audit: SAS 70 and CICA 5970
    SAS 70 and CICA 5970: similar in nature
    Type I: evaluation of control design at a point in time
    Type II: evaluation of control design and operating effectiveness of controls over a period of time
  • 15. Audit: SAS 70 and CICA 5970
    Service organizations choose the controls
    Management can circumvent the process
    Too much reliance on management with no assertion
  • 16. Audit: SSAE 16 and ISAE 3402
    Assertion-based engagements
    Type I/Type II and Type A/B
    Reliance on internal audit processes
  • 17. Audit: SSAE 16
    New U.S. standard issued June 15, 2011 to replace SAS 70
    Better aligns with international standards (ISAE 3402 discussed later)
  • 18. Audit: SSAE 16
    Management assertion requirement
    Expanded descriptions (inclusive of internal controls, systems and processes)
    Identification of risk points or weaknesses
    Addresses use of subservice organization
      Inclusive
      Carve-out
    Assumptions on user role
    Reliance on internal audit processes
  • 19. Audit: ISAE 3402
    Current acting international standard
    Used as a basis to update existing standards
    Source: “An International Assurance Standard for Third Party Reporting: Benefits and Implications for Service Organizations.” PricewaterhouseCoopers. 2009. Web. 10 June 2011. <http://www.pwc.com/en_CA/ca/controls/business-process-controls/publications/international-assurance-standard-0409-en.pdf>
  • 20. Audit: ISAE 3402
    Management assertion requirement
    Specifies criteria (preparing and presenting system description, control design and operating effectiveness)
    Disclosure of reliance on internal audit processes, and/or external experts used with regard to controls
    Extending the scope beyond financial reporting matters
    Regulatory, compliance, operational, business recovery matters
  • 21. Recommendations
    Use of service organizations is not beneficial to every company
    Cost-benefit analysis
    Risk analysis and mitigation
    Audit or Attest