This document discusses outsourcing and the risks and audits involved. It defines outsourcing as transferring business activities to another company. The main types are business process outsourcing and IT outsourcing. While outsourcing can provide cost savings, there are also risks like loss of quality, security, and intellectual property. Audits of service providers help mitigate these risks by focusing on security, contracts, and regulatory compliance. The document examines audit standards like SAS 70, SSAE 16, and ISAE 3402 which require management assertions and evaluate control design and effectiveness. It recommends companies carefully assess costs and risks before outsourcing.

1. Relying on the Third Party Sabrina Maeng

2. Agenda What is Outsourcing? What to Outsource? Types of Outsourcing Criticisms and Support Why to Outsource? Risks Mitigating Risks: Audit Audit Focus Specific Standards Recommendations

3. What is Outsourcing? “the outsourcing process can be perceived as the activity transferred to be carried out by another company”1 1Source: Andone, Ioan I and Pavaloaia, Vasile-Daniel. “Outsourcing the Business Services.”InformaticaEconomica. 14.1 (2010) : 163-172. ESCO Host. Web. 28 May 2011.

4. What to Outsource? Business Process Outsourcing (BPO) Accounting Customer Support Marketing Analysis (Financial and Economic) Information Technology Outsourcing (ITO) Software development Application support and maintenance Infrastructure management

5. Types of Outsourcing Offshoring: transfer of business activity to another country Domestic outsourcing: transfer of business activity to a non-affiliated company within the same country

6. What is Outsourcing? Support Cost savings for the company – up to 50-60% “Transformational Outsourcing” 2 Price reductions for consumers Criticisms Reputation at stake Loss of product quality Loss of intellectual capital (ie. data security) 2Engardio, Peter. “The Future of Outsourcing.”Bloomberg Business Week.(2006). Web. 28 May 2011. <http://www.businessweek.com/magazine/content/06_05/b3969401.htm>

7. Why to Outsource? Current financial situation of the company Actual outsourcing costs Control of business functions Access to documents Cultural differences Organizational differences Hiring practices Management attitude Competencies required

8. Risks Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” InformaticaEconomica. 14.1. (2010): 113-118. 163-172. ESCO Host. Web. 28 May 2011.

9. Risks Source: Brandas, Claudiu. “Risks and Audit Objectives for IT Outsourcing.” InformaticaEconomica. 14.1. (2010): 113-118. 163-172. ESCO Host. Web. 28 May 2011.

10. Risks The Agreement Roles and responsibilities Expertise and experience of supplier System capabilities Staffing requirements

11. Risks Data Security Reputation System functions and capabilities “You can delegate accountability, but not responsibility.”4 Service providers are accountable User organizations are responsible 4Source: Van Dyk, Peter. “Cloud Computing: Validating accountability and responsibility.” NZ Business.24.10 (2010). ESCO Host. Web. 28 May 2011.

12. Mitigating Risk: Audit Why Audit? SOX requires that publicly traded companies with outsourced processes obtain audits Many companies won’t use a service provider that doesn’t have an audit

13. Audit: Focus Security Data Network Connectivity Contract Country-specific regulatory requirements

14. Audit: SAS 70 and CICA 5970 SAS 70 and CICA 5970 - similar in nature Type I- evaluation of control design at point in time Type II- evaluation of control design and operating effectiveness of controls over a period of time

15. Audit: SAS 70 and CICA 5970 Service organization choose the controls Management can circumvent the process Too much reliance on management with no assertion

16. Audit: SSAE 16 and ISAE 3402 Assertion–based engagements Type I/Type II and Type A/B Reliance on internal audit processes

17. Audit: SSAE 16 New U.S. standard issued June 15, 2011 issued to replace SAS 70 Better aligns with international standards (ISAE 3402 discussed later)

18. Audit: SSAE 16 Management assertion requirement Expanded descriptions (inclusive of internal controls, systems and processes) Identification of risk points or weaknesses Addresses use of subservice organization Inclusive Carve-out Assumptions on user role Reliance on internal audit processes

19. Audit: ISAE 3402 Current acting international standard Used as a basis to update existing standards “An International Assurance Standard for Third Party Reporting: Benefits and Implications for Service Organizations.” PricewaterHouseCoopers. 2009. Web. 10 June 2011. <http://www.pwc.com/en_CA/ca/controls/business-process-controls/publications/international-assurance-standard-0409-en.pdf>

20. Audit: ISAE 3402 Management assertion requirement Specifies criteria (preparing and presenting system description, control design and operating effectiveness) Disclosure of reliance on internal audit processes, and/or external experts used with regard to controls Extending the scope beyond financial reporting matters Regulatory, compliance, operational, business recovery matters

21. Recommendations Use of service organizations is not beneficial to every company Cost-benefit analysis Risk analysis and mitigation Audit or Attest