Readings
- What different kinds of IT outsourcing are there?
- What is business process outsourcing and how is it related to IT?
- If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
- What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
- What are the different reasons a firm may wish to outsource a particular function or process?
Crafting and Executing an Offshore IT Sourcing Strategy: GlobShop’s Experience
Think about these questions as you prepare for next week’s Webex.
- If you were auditing GlobShop’s move to offshoring how would you evaluate their decision? Did they do the right thing? Why or why not? What evidence do you see?
- Briefly list the critical challenges that GlobShop faced in executing its offshore strategy? What would you look for if you were auditing the implementation of this outsourcing deal?
- Suppose GlobShop moved its more mission-critical activities offshore. How would your audit of the relationship change?
Rich
Donald Hoxhaj says
1. What different kinds of IT outsourcing are there?
Information Technology outsourcing works in many ways and depends on the needs of the company and the nature of outsourcing deals to be managed with an external vendor. Outsourcing for companies has always proved to be not only beneficial in terms of cost, but also in terms of time and operational effectiveness. The different IT outsourcing models are mentioned below:
– Nearshore Outsourcing:
Nearshore Outsourcing focuses on outsourcing IT work to countries that are near to geographical boundaries so that the communication and effectiveness of managing the work becomes easier.
– Offshore Outsourcing:
Offshore outsourcing is the most traditional work of IT outsourcing where a company exports its IT work to companies that are located in a different country. Most such outsourcing happens to developing economies where the cost of labour is low, manpower availability is in abundance, and where skilled workers are highly available. Apart from these benefits, outsourced countries also act as tax havens offering tax incentives, political stability, and a stabilized economy.
– Onshore Outsourcing:
Onshore Outsourcing is a form of IT outsourcing that is usually done with companies that are located in the same country and the management is either done remotely or from the vendor site. This type is usually preferred by companies to have more control on the outsourcing deal.
– Managed Services:
Managed Services are a type of contracting arrangement in IT Outsourcing that involves Network related management functions such as Call Centres and IP Telephony, Firewall management, and Router configurations.
Vince Kelly says
Interesting perspectives on outsourcing venues Donald – I agree. We are probably saying the same thing here but one definition that I’d wonder about though is the last one, Managed Services. Do you think that MSP’s only limit themselves to ‘infrastructure-like’ management or would the major ones include pretty much any service that a traditional IT organization also offers as well? (e.g., in addition to the services you mention a LOT of them are leveraging offshore applications development and support as well as RIM). Many customers that have not chosen this approach (that I’m aware of anyway), are frequently forced to compare their internal service offerings against one or more MSPs in order to justify their value. If they fail to do this adequately (obviously over a couple of quarters) the business starts to evaluate MSP alternatives for that service. I just took it as the first three definitions, (nearshore, offshore, offshore) are dictated by *where* the managed service offering takes place whereas ‘Managed Services’ refers to *what* service offering can be sold to a prospective customer.
Richard Flanagan says
Guys – anyone have any examples outside of infrastructure and network? The examples I know of all fit within those categories.
Vince Kelly says
Plenty. You’re basically correct, at one time pretty much the only services that you could get was IaaS but even then they were offering a LOT more than simple networking services – BMaaS, Access Control, Data Integrity, Logical security services, and obviously Physical security for example.
Service providers soon realized however that offering only those services could actually be unprofitable if they didn’t have the scale to compete with ‘WalMart-like’ business entities like AWS.
So today, *ANY* viable outsourcer offers much, MUCH more than just ‘infrastructure and networking’.
Here’s a couple of examples:
I know of several MSPs that provided Analytic service offerings as far back as 2009/2010. But here are a couple of other (non-network, IaaS) service offerings that have been around – basically forever 🙂
– Cloud Labs: Cloud enabled virtual simulation and lab automation
– Cloud offerings for Microsoft Exchange and SharePoint as a service
– UCaaS: Unified communications services
– TaaS: Telepresence as a service
– Application Platform Services: These are just PaaS services like application transformation, migration, rationalization and testing offerings. This also includes PaaS run/maintain services as well
– Automated Applications testing services
– MANY BPaaS and BI offerings – like SFDC for example
– I love this one 🙂 An Analytics-aaS offering. The MSP provided an API which allowed the customer to write queries or pay the MSP to write queries. The queries ran against a customer owned or MSP owned Data Lake.
This architecture basically consisted of:
– Packaged Apps and custom apps that could query either customer owned or MSP created Data Lake.
– A Cloudera HADOOP, Kafka based message bus service that provided an Apache Storm based Complex Event Processing (CEP) streaming service to the customer – for a fee of course ;) Another related ‘premium’ offering was an Ad-hoc query service that was based on Hbase, Accumulo, Elastic Search, and Splunk.
– ALL of this was offered over pretty much any type of infrastructure that the customer wanted; including Public cloud (AWS ECS, OpenStack, etc), Private (vSphere, etc.) or Hybrid environments (a combination of the customer DC and one or more cloud environments)
I love this one too, but it’s so old (2014) that I had to pull out the old architecture diagrams 😉
– A Risk management engine service that provided data aggregation, CEP and analytic services that spanned critical financial industry risk functions. The offering was specifically developed by a well-known MSP and targeted for seven very, very, very, V E R Y large financial institutions 🙂
– The engine was based on a three tier data architecture that integrated cold, (HADOOP based data), warm, (SAP IQ) and hot, (SAP HANA) data to provide a single composite risk analysis service.
– The service basically aggregated and provided real time dashboard services and visualization for major financial institution risk exposure areas including:
– Risk functions like Trade monitoring
– Risk Measures like; Stress testing, Regulatory Margining, Funding, P&L Distribution and Arbitration, Disclosures and Interday P&L
– Applied against four ‘risk pillars’: Credit Risk (Banking and Trading Book), Market Risk (Trading Book), Liquidity Risk (Group & LoB) and Operational Risk
– It included asset classes like Credit, Interest Rate, Equity, Commodity, Foreign Exchange and Cash classes.
Don’t ask me what all that financial stuff means, we just helped build it ;);)
GO EAGLES !!!!!!
Richard Flanagan says
Vince – great examples, I am surprised particularly about the analytics examples. I can see firms outsourcing the creation and use of high end analytics but are you saying that the MSP’s are taking on the firm’s internal analysts the way MSP’s used to take over everyone in the datacenter?
Vince Kelly says
Absolutely! In fact, analytics is radically shifting every aspect of more than just the service provider industry – it’s also being used as a competitive advantage/market differentiator by hardware and software vendors (versus competitors who built their platforms on cheap, generic, ‘commodity’ chipsets like Broadcom).
For example, hardware vendors can create recommendation engines that an engineer can query to find out if that firmware upgrade that they were considering in order to support some new device will really work or crash the entire system. A lot of Malware is being encrypted today. Analytics is allowing security software to actually identify malware even if it is encrypted (there is a patent pending on this).
Here’s two other MSP examples:
From the MSP perspective, use case number 1:
The Northwestern part of Australia has huge strip mining operations. Ore and raw materials are brought out of these mines by ENORMOUS, autonomous, multi-million dollar ‘dump trucks’ over narrow roads that are carved out of the mine. The trucks line up, one behind the other to get filled with ore and then they make their way out of the mine to the offload facility. There is literally only one way into the mine and one way out of the mine – the dump trucks just make a continuous circuit from the bucket loader in the mine, then out of the mine, then over to the offload facility where they dump their loads onto (automated) freight trains that then move the ore away. The trucks in the meantime trundle back down into the mine to get their next load – it’s like a big conveyor belt.
Now imagine what would happen if just one of those trucks broke down or had a flat tire? The *entire* operation would come to a complete halt – hundreds of thousands of dollars wasted every hour as an entire logistical system – trucks backing up behind the dead unit, empty trains that have nothing to ferry down to the ships that are scheduled to carry the ore to other ports around the world. Everything comes to a screeching halt.
In walks an MSP that sells a predictive analytics service (that they developed) to the mining company. Each truck has sensors placed on key locations of the vehicle as well as a WiFi Access Point. These sensors feed a constant stream of telemetry back to the MSP’s operations center in Perth. The information is stored in *gigantic* “data lakes”. These lakes are constantly scoured by unsupervised machine learning algorithms that can predict when a given part on any given dump truck is about to fail, sometimes days in advance of the event, and then schedule that truck to be taken out of service and repaired.
From the MSP perspective, use case number 2:
If you were a large retail chain – let’s say Sears for example – the names have been changed to protect the innocent here, Sears doesn’t do this, (probably one of the reasons they are in financial trouble;).
If you were Sears, wouldn’t you like to know things that could have an immediate, real time impact on your business? Or to be able to tangibly prove whether your Marketing organization really was able to drive revenue in the ways that many of them claim that they do? Of course you would!
Wouldn’t it be even better if the majority of the computational hardware needed to do this was (almost) free? And wouldn’t it be even BETTER if you could get a look at all of the data that’s vacuumed into the system in an easy to understand, digestible, GLOBAL business perspective? All for only an extremely small monthly subscription service? Of course you would!
In walks *yet another* MSP who provides, installs, and then manages a complete WiFi hardware system (access points, controllers, security, and network connectivity), for all 1,000 of your stores along with a software application that they developed – let’s just call it the, “Sears Engagement Analytic System” software for basically next to nothing.
For brevity, we’ll only look at the non-opt-in customer walking in off the street use case (many other permutations for this use case exist though). If you’re ‘Sears’ there’s no need to buy equipment or waste money on tech support or space needed to store backups, no need to hire additional IT staff to do the work, etc., etc., etc. The MSP does it all.
As a customer enters a store, the WiFi access point (AP) picks up the device address of the customer’s phone (either WiFi or Bluetooth) the minute they walk in the door. The AP also has a special antenna (called HALO) that can judge where that customer is at any time to within 1 meter resolution based on the signal strength of their phone. This information is collected and streamed back to the MSP data center, then parsed and sent back to “Sears” headquarters where it provides a GLOBAL, real time dashboard of every single store that displays local, regional and company aggregate information like:
– Is the customer being serviced by store staff at an appropriate rate?
– How much time is the staff spending with each customer?
– Any customer ‘hot spots’/aggregation points that the local store supervisor can be made aware of, and send staff over to?
– How long did each customer dwell at a particular display?
– How long did they dwell within a particular department?
– Is there a correlation between customer dwell time and conversion ratio? (i.e., do we have a product quality or price problem, etc).
– Is the store layout conducive to generating additional revenue like the marketing department recommended – like impulse purchases for example.
– How many visitors have visited the store over the last 10 years? Should we keep it open?
– When will we have a stock out condition based on the unusually high customer traffic this Christmas?
– Was the store employee on time this morning?
– Are they taking their breaks for the appropriate length of time?
– Did they really hurt their back carrying a television set out to the customer’s car?
…lots, and lots and lots more information as well – all provided by the MSP back to “Sears” in real time anywhere around the world and all for a modest monthly subscription fee.
The system can be purchased with optional facial recognition software that connects the WiFi HALO telemetry stream with in store cameras. This in turn provides real time information about:
– How long a customer spent in front of a particular store shelf, what they were looking at and most importantly, how long they held their gaze on the product. Marketing can now tell if the red display is more appealing to most customers over the green display.
– Is product ‘shrinkage’ the result of poor customer controls by the store or by the store staff itself?
– etc., etc.
Again, lots of good stuff, but this is only half of the story. One additional ripple effect for the MSP (and where the MSP *really* makes its money). ‘Sears’ not only benefits from all this telemetry data, the MSP benefits as well. The data is stored in MSP data lakes. But the MSP also subscribes to other ‘Hoover-like’ services itself and is able to pull down and ‘marry’/correlate HUGE amounts of identifiable customer shopping data (from Sears) with petabytes of other demographic data from various public and semi-public institutions (who sell their information to the MSP).
Just collecting this data on its own is not as valuable as when the MSP turns its machine learning algorithms loose within the lake to spot patterns of almost every aspect of every ‘data point’ within that lake – basically it just becomes one big regression analytics problem that allows you to find out (and then resell) a LOT of valuable information.
In effect, the MSP performs the ‘standard Capitalist function’ of taking raw material (the data), in (from “Sears” and other data retailers), creating its own unique, proprietary value on top of that and then reselling that as its own ‘product offering’.
But what if ‘Sears’ finds out that its MSP is basically ‘repackaging’ its customer information? One of several things can happen (total supposition on my part here):
1. “Sears” should have read the fine print of the MSP outsourcing contract. Which they probably did but may not have realized what the data was being used for – possibly some ambiguous terms were put in the contract like “all collected information will be maintained, backed up and managed in keeping with MSP X’s standard data practices.”
2. “Sears” figures out that MSP X is making money on the data and muscles their way into a revenue split or joint venture – the market for the level of demographic data that they jointly possess is so lucrative that both parties still win.
3. “Sears” decides to cancel the contract. In which case it has to return everything AND MSP X then just takes their business down the street to “Sears” number one competitor – giving them a competitive advantage that puts them way ahead of “Sears”.
Richard Flanagan says
Vince – very interesting, who would you say the top four or five MSP’s are in this area?
Donald Hoxhaj says
2. What is business process outsourcing and how is it related to IT?
Business Process Outsourcing (BPO) is a form of outsourcing that focuses largely on exporting non-primary business activities such as Payroll, Human Resource, Customer Support, and a bit of Operations to a 3rd party service provider either in the same location or in a different geography. BPO setting is usually preferred by many companies because it is cost effective, more efficient, and reduces man-hours at the client site, without compromising primary business operations.
BPO is also referred to as ITES (Information Technology Enabled Services) because most non-primary functions, especially in the IT sector, are outsourced to countries such as India and China. In fact, India and China are the largest BPO centres for many global companies throughout the world. For example, a call centre is a typical example of a BPO outsourcing operation and involves the 3rd party to offer services with respect to customer support, back office operations, data entry, and telephonic calls.
Richard Flanagan says
Donald – do you see a call center as a BPO? What kind of call center are you speaking of?
Anthony Quitugua says
I would consider a call center a BPO as it deals with a non-primary business activity so that you can focus on your primary business activities. A great example within IT would be outsourcing your customer help desk to an off-shore call center. This is done by pretty much every large IT firm today when they outsource to call centers in India and Manila.
Richard Flanagan says
Anthony – the reason I ask is that BPO usually refers to a major chunk of a business operation like HR, accounts payable, customer service, where the vendor has the responsibility for running the whole function. An IT helpdesk doesn’t seem to fit this definition but is more likely just a normal outsourcing deal. These definitions are not hard and fast, but generally BPO is more business in nature, less IT.
Richard Flanagan says
Anthony – our difference is semantic but it is important. Is hiring a janitorial service business process outsourcing? I think most people in the industry would say no. It’s a matter of where you draw the line and different opinions are viable. What do the rest of you think?
Anthony Quitugua says
I didn’t explain the call center definition well enough. A majority of the call center vendors are full-service customer service centers, not just help desks. A large chunk of US based firms will outsource their entire Customer Service arm to these call centers, to include functions such as troubleshooting, accounts resolutions etc. If there is anything outside of their SOW/responsibility, the calls are directed to US based support to handle.
Smaller firms, in particular, commonly use this outsourcing to take care of their customer service needs. It is much cheaper for them to contract the duties out than to retain their own customer service arm.
Patrick DeStefano (tuc50677) says
I see what you’re getting at here, Anthony. Instead of just being a call center, it’s more along the lines of a customer relations department. Some companies in this sense can outsource these types of departments, however other larger companies just offshore the jobs. For these larger companies, it creates a similar benefit to outsourcing, where you are able to gain specialized and cheaper labor in an offshore location, however still keeping the employees under the umbrella of the company.
Donald Hoxhaj says
By call centre here I refer to support centres. Most fortune companies today have outsourced or either exported customer support and telesales activities to countries such as India and China. While for many companies they are primary activities, for many they are non-primary functions and these activities are outsourced to Support (Call) centres in different parts of the world. For example, Salesforce Inc.’s most support centre activities happen from India where the resources are hired to answer customer issues and queries.
Donald Hoxhaj says
3. If you were the manager of a major outsourcing service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
If I was the manager of a major outsourcing service, I would be taking care of business continuity, quality standards in outsourcing, review of company’s plans in unexpected contract termination, etc. Firstly, as a manager of an outsourced service, I would want to know compliance with the standard SLA defined in the terms of arrangement and this would include Response time to requests, Performance as per agreed upon SLAs with the client teams, Security of operations, and KPI’s performance over a period of time.
With respect to BCP (Business Continuity Plan), I would like to have adequate disaster recovery mechanisms in place during an event of a business discontinuity. For this I would need to standardize operations and have work centres across all offices in the particular country so that in the event of any disaster, the same operation can be done from a different office location too. This ensures that the business is running smoothly and without interruption.
Moreover, in the event of a discontinuation of contract with the client, I would like to ensure smooth transition steps and measures implemented within the team. The need to easily cross transition or switch operations with another vendor is the main step that needs to be taken care of.
Donald Hoxhaj says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The difference in outsourcing contract and statement of work (SOW) lies primarily in the level of control that a company has over the business processes. A typical outsourcing contract requires a company to export some of its business operations to an external 3rd party service provider and the scope of operations is not specific but rather a broad area of tasks that are required to be performed on an ongoing basis, whereas an SOW (Statement of Work) requires a service provider to perform a specific set of tasks under the contract. These agreements require legal bindings and a document detailing the different tasks a service provider is required to perform in the specific set of time, cost, and resources.
Richard Flanagan says
Donald – most outsourcing arrangements have both an MSA and an SOW, why?
Donald Hoxhaj says
MSA is another umbrella contractual agreement that comprises of high-level agreements such as IP Rights, Payment terms and conditions, Financial Liabilities, Product or Service warranties etc. Most of the legal settings are undertaken in this document and this serves as a master document for sub-agreements in a project. On the other hand, SOW defines detailed project related stuff including Scope of work, Resources, Type of agreements, etc. Both these documents are just an arrangement between the client and the service provider. Many organizations have their SOW as part of the MSA itself. If the contract agreement is long-term, let’s say for 10 years, and every year there is a change in project scope, then the MSA still remains same, just that the SOW changes.
Donald Hoxhaj says
5. What are the different reasons a firm may wish to outsource a particular function or process?
There are many reasons why a firm wishes to outsource a particular function or process. It is mainly a strategic objective where a particular company exports its non-primary functions or operations to an external 3rd party vendor. The below are the reasons for outsourcing:
1. Controlling costs and Reducing operating costs in Primary locations
2. Improving efficiency of work by having access to global skilled resources
3. Streamlining focus of company on primary activities such as Research and Development, Sales, and Marketing. This allows company to focus on core business operations and get rid of redundant tasks
4. Sharing risks with the 3rd party vendor company
5. Gain access to new markets and opportunities for trade
6. Mobilizing resources effectively so that internal resources can be put in core operations and major business functions, rather than mundane tasks
Patrick DeStefano (tuc50677) says
Very nicely put. To add on to your responses:
1. Controlling costs and Reducing operating costs in Primary locations
– While we always hear about outsourcing and offshoring due to high labor costs, keep in mind that this doesn’t only include labor costs. Some companies decide to outsource due to the high cost of real estate when not outsourcing would require expanding the real estate footprint of the company. Some use this type of outsourcing to control these types of costs as well.
2. Improving efficiency of work by having access to global skilled resources
– We’ve all learned about globalization and specialization where a nation limits the diversity of what it produces in order to focus its resources on becoming the best in the business at one or two products. Same thing at play here. Instead of your company trying to be the “handyman/woman” and trying to have a little bit of experience in a lot of different things, sometimes it is better to outsource to a company that specializes in doing one thing, whether it’s HR, Accounting, or even some form of IT.
Paul Needle says
1. What different kinds of IT outsourcing are there?
This question can be answered in two ways. We can address what can be outsourced and what types of outsourcing are available for IT. Things that can be outsourced from an IT perspective would be email, help desk, software and application development, website hosting, data back up, data centers, various infrastructure in the form of hardware, software, and network installation/set up, as well as many others. The types of outsourcing would include offshore outsourcing, nearshore outsourcing, onshore or domestic outsourcing, cloud computing, and managed services. The first three are fairly self-explanatory. Cloud computing could involve a third party involving software as a service, platform as a service, infrastructure as a service, etc. Managed services would include network management services such as VPN’s, firewalls, monitoring and reporting, and network activity. I found this website helpful along with the readings: http://www.itmanagerdaily.com/it-outsourcing/
Donald Hoxhaj says
Paul – I liked your perspective in answering this question. While there could be many ways of IT outsourcing, the bottom line depends on the needs of the company and the services that can be outsourced. Cloud Computing is an interesting point that you brought up. Yes, Cloud is definitely a form of Outsourcing to 3rd party companies and is quite relevant for businesses today that want to cut down fixed costs and focus largely on pay per use models. In fact, many companies have started to realize the potential of Cloud based models rather than acquire fixed IT assets as this is more cost effective and efficient for them. Thanks for sharing your thoughts on this.
Michelangelo C. Collura says
Very detailed response. I’d also add that a firm relying on cloud should not simply use free services to save costs. An outsourcing contract is necessary no matter how small the firm because of the potential risks inherent in the method. I know that smaller companies jump at the chance to go to the cloud for basic stuff like email, but this is potentially dangerous without adequate safeguards.
Michael Gibbons says
I agree Michelangelo. I think the outsourcing contract gets skimmed over when the people signing the contracts believe they are getting a great deal and do not take into consideration that the vendor they selected is outsourcing the majority of their services as well so the risk is amplified and number of people with access to your data if you even know where it is has increased significantly.
Michelangelo C. Collura says
That’s a funny point. Outsourcing to people who are outsourcing to people who… may be outsourcing? This is the sort of rabbit hole that leads to simplistic contracts promising “great service” and “what you need when you need it” and firms just crossing their fingers, because the alternative is a nearly impossible analysis of one or more external firms.
Patrick DeStefano (tuc50677) says
This can be a very dangerous situation and can happen far too easily if you’re not careful. I’m not trying to say that they are con-artists, but there are a lot of sketchy businesses out there and people who will try to see how far they can bend the rules or get away with in order to squeeze out some more profits for themselves. This is why a strong and very detailed contract/Service Level Agreement should be hammered out and looked over by good contract lawyers to ensure that your company doesn’t end up in a situation where you have some systems compromised and end up having to spend hours trying to track down the right person only to be passed around from subcontractor to subcontractor.
Paul Needle says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing (BPO) is a type of outsourcing that involves a specific business process being outsourced to a third party. The operations and responsibilities of running a business process fall to the third party. It’s typically utilized when a company does not consider it to be a core business function of the company. In relation to IT this would be a help desk, email, software development, internet hosting, application or system design, data back up, and infrastructure. These services are referred to as Information Technology Enabled Services. These services are commonly outsourced and need the same attention that any other vendor risk management would require. The vendor will likely have access to the vast majority of the infrastructure as well as sensitive information. It is important to have a master service agreement with all BPO’s being utilized.
Donald Hoxhaj says
Paul – You nailed it down. In fact, I liked one of your points in this answer that says that BPO focuses on outsourcing one of the specific business functions i.e. when an organization outsources a non-core business function. Well, this sort of model definitely makes sense because organizations benefit from a larger skilled pool of resources that are not only cheaper, but also efficient. This allows the company to share risks too. One very interesting point that you made in the end and that opens up possibilities of further research is that the vendor will have access to Infrastructure and Critical business Information. What is important here is to know the level of information possessed by the vendor and the safety measures incorporated in this deal.
Richard Flanagan says
Guys – remember, to outsource a business process it must be organized and run well (high quality). If it isn’t, then the outsourcer is apt to get bad inputs, require rework and work arounds, and generally start adding up the out-of-scope charges, resulting in increasing costs. If a company has high quality business and IT processes, then unbolting part of it is much easier than if everything is done on an ad hoc basis.
Michael Gibbons says
Professor – have you seen examples where the service provider has exercised the right to terminate clause because of customer causing these types of issues?
I have not seen it from an IT side but more from the external accounting firm side where ethics and interpretations of accounting rules/principles come into play.
Richard Flanagan says
Michael – I’ve not seen anyone terminate an existing contract but I have seen them not want to renew at expiration. I’ve also heard of vendors not bidding on a piece of work because their due diligence warned them that it would be a disaster.
Paul Needle says
This was a nice chain. Greatly appreciate the feedback and thoughts.
Paul Needle says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
There are several areas that are extremely important to audit when entering an outsourcing agreement. The article addressing the 19 articles in a master service agreement sums it up best.
1. Guiding Principles. I would want to make sure that guiding principles provide an overall objective for both sides of the agreement
2. Services. A clear documentation of the services provided in a service level requirement should be incorporated
3. Personnel. Key personnel should be addressed along with training requirement, supervision, and proficiency levels should be documented
4. Assessment of third party contracts. A definition of the ownership and process for service recipient retained equipment and software should be incorporated
5. Retained authorities. Rights and authorities retained by the service recipient should be defined
6. Fees and payments. Clearly defined.
7. Record keeping and audit rights. Compliance with SOX should be addressed and documented.
8. Representations, warranties and covenants. Protection that the servicer can perform the services outlined
9. Term and termination. Terms at renewal should be addressed so that the servicer can’t drastically increase the price once they are contracted
10. Disentanglement. Clear documentation when the contract ends.
11. Limits of liability. Financial liability caps should be determined.
12. Proprietary rights. IP should be protected.
13. Security and confidentiality. Documentation of how this is achieved should be spelled out and confirmed.
14. Legal compliance. Any unique laws or regulatory bodies should be addressed
15. Indemnification. Hold harmless and indemnification for financial reimbursement
16. Insurance. They should carry limits equal to or greater than their own E&O, D&O, and cyber liability
17. Dispute Resolution. Clearly defined process.
18. Miscellaneous.
While these are all important I would spend a lot of time on the guiding principles so that everyone is clear on the overall intent of the MSA.
Donald Hoxhaj says
Paul – You covered most of the points that are required in any business engagement practice and things that need to be taken care of during audit. Three points that caught my attention were IP Proprietary Rights, Limits of Liability, and Dispute Resolution. While other details in the business engagement right from contract arrangement, terms and termination, etc. are always taken care of by legal experts, these 3 points are usually not given enough importance. Financial Liability is definitely the most important because outsourcing engagements rely on heavy financial obligations from both vendor and client’s end. Similarly, IP protection is very important too. Companies in America, especially Apple and Microsoft, have in the last 6 years seen many IP violations and companies lose billions of dollars in fighting for IP rights. Moreover, in an Outsourcing arrangement, the conflict of IP is critical and is of vital importance for organizations to ponder over this.
Vince Kelly says
Wow, nice job – very complete answer Paul! Donald also good observation on the IP aspects as well. It really jogged my memory on two somewhat nefarious aspects of the outsourcing business. Although I believe that the Gartner article calls it out, two things that really strike me about *SOME – not all* MSP business practices are how they capitalize on customer requests and how they can be extremely reluctant to innovate or introduce new technologies for the customer.
It typically goes something like this:
– Senior management at a company realizes at some point that they have fallen behind in maintaining their infrastructure and internal service offerings, so they decide to ‘take a strategic approach’ by leveraging the ‘cost efficiencies’ of outsourcing – i.e., they fall behind the innovation S-curve and then realize that ‘it’ll cost us a fortune to upgrade this stuff so let’s get rid of it’.
– In strolls an MSP who needs to show that they are winning business in an EXTREMELY competitive market (to analysts, investors, etc). The outsourcing industry is undergoing huge shifts in business models – at one time, a service provider could count on a multi-year exclusive, lucrative agreement with each of their customers. Today though, they are facing a greater number of global competitors and shorter, less profitable, multi-vendor ‘transactions’.
– The MSP basically buys the customer’s business by taking all of their assets and people – ‘lock, stock and barrel’ onto their own books, initially at a loss – this is often referred to as a ‘your mess for less’ approach by the MSP. It’s really more like an M&A transaction than it is true outsourcing.
– The MSP really doesn’t care about due diligence activities like baselining or developing an appropriate transition plan because many customers literally don’t even know what is running in their network anyway. It is not uncommon for an MSP to call in the customer’s *vendors* instead of the customer in order to have them provide the insights and information they need about the customer’s environment. This puts the vendor in an extremely awkward position because they get caught between the MSP demands for information and respecting the privacy of people who may be losing their jobs as a result of the process. It also ultimately provides a ‘lock-in’ effect for the MSP because once *they* understand the customer’s IT infrastructure, the switching costs become prohibitive for the customer if they are unhappy.
As a result, *SOME – not all* MSPs initially end up with unprofitable and obsolete technology but an EXCELLENT understanding of what is running in that environment. So the MSP counts on getting their margins back by ‘creating operational efficiencies’ like:
1. “Sweating the assets”, i.e., never upgrading anything that was moved over from the customer.
2. Cutting the people and other associated costs that were part of the transition by at least 2 to 4% every year.
3. Increasing what is considered to be ‘out of scope’- i.e., chargeable services to the customer every year.
With all of this in mind, *SOME – not all* MSPs refuse to innovate or entertain any thoughts of capital or operating expenditures for the customer until well after they have recouped their money and even then some MSPs will only do it if they need to. One clear example of this is when the industry switched to VoIP. This technology created HUGE cost efficiencies that many customers desperately wanted but could not take advantage of because the MSP owned everything.
The other practice that *SOME* MSPs frequently take advantage of is how they capitalize on customer requests for changes or innovation. The customer has a great idea or wants to innovate in some way, and asks the MSP to do it. The MSP charges them a HUGE ‘out of scope’ fee to do the work and then monetizes the customer’s idea across the rest of their install base – in effect they get paid multiple times for a single idea – nice ;)
The point here is that even though Gartner alludes to it in the article, it is almost impossible to take into consideration or include all of the things that should be considered before going down the path.
Richard Flanagan says
Vince – a depressing overall view of the industry, but I believe an accurate one. I’m glad you added the paragraph about changes and innovations. In my experience, charging a lot to implement such enhancements is a key way to increase pocket share (i.e., the amount of the company’s money you get out of their pocket). The original deal is kind of a loss leader to get you in the door with a now captive customer.
Everyone – the governance issue here is that you need to go into such an arrangement with a clear view of what your goals are and understanding the risks of what might happen.
Vince Kelly says
…at the risk of pontificating here – you’re right, but like everything else professor, I think it’s only depressing when/if you have to deal with unethical ‘bottom feeders’. I think that none of the articles point out the one thing that’s more important than any MSA or SoW – which is the reputation and ethical behavior (or lack of ethical behavior) by the MSP.
Michelangelo C. Collura says
This was a very insightful analysis, and I appreciate it. The point the prof made about risks is, I believe, the main problem here. A firm may see the supplier, perhaps in the example of provider for VoIP, and see nothing but bright future ahead. Auditors and analysts in-house may do the research and determine some risks with the supplier, but they may be sidelined in the pursuit of that bright future. The moral would then be that risk assessment is useless if decision-makers ignore it to pursue a pipe dream, and the result is the firm suffering. I would think this is where the board of directors would need to come in and provide some meaningful pushback to avoid such. Not sure if this is a common occurrence.
Paul Needle says
Thank you for the comments Vince. It’s nice getting a real world view. I particularly like how you address reputation. This can be a real determining factor in doing business.
Vince Kelly says
1. What different kinds of IT outsourcing are there?
A better question might be: What kinds of IT outsourcing are *NOT* available? 🙂 Pretty much anything that is an IT process can be outsourced. These services include anything related to activities and services like: on-prem and/or off-prem IaaS, PaaS and SaaS services, deployment services, end user computing, hosted collaboration services, customer experience and help desk, employee management and compensation services, migration services, facilities management and/or operation, BC & DR services, etc., etc., etc.
Patrick DeStefano (tuc50677) says
Your first line made me laugh. It’s so true though. Today, if you have some money to pay and a job to be done, someone is willing to do it somewhere in the world. You can outsource anything your heart desires from IT Security services to data warehousing to application development. We can outsource to a different company located right down the street because they are better at something than we are. We can outsource to a different country to lower our expenses. Any process we have, we can find someone to outsource it to. We just have to be conscious of what we should outsource as well as the repercussions for doing so.
Vince Kelly says
2. What is business process outsourcing and how is it related to IT?
Business Process Outsourcing (BPO) is a contractual agreement whereby one party assigns (typically non-core) elements of their business management and/or operations to another party for a fee. BPO has a significant impact on IT in terms of what services IT needs to offer to the business. For example, if the business decides to outsource the management and operations of the company payroll, then IT would not be required to provide the compute, storage or networking personnel or infrastructure needed to run that process – just the secure connectivity required to do the data ETL (extract, transfer and load).
Richard Flanagan says
Vince – correct, but payroll is a very simple example. What if you outsourced all of the transactional parts of HR? The hiring, firing, benefits, compliance, etc. Doesn’t the integration become a much bigger IT issue?
Vince Kelly says
Agreed, professor, but it was an example so the intent was to be simple. Yes, of course anything becomes more complex when more variables are factored in. But one thing that I’d point out here is that it’s not an ‘all or nothing’ choice by the customer – i.e., all MSPs not only provide a ‘complete stack’ of services (like HR in this case), they also offer various *levels* of service – in other words, you can ‘purchase’ elements/components of a particular service (like HR) as well.
Vince Kelly says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
This would probably depend upon what services had been outsourced and the level of management involved in the audit. Generally speaking, strategically focused managers would obviously want all aspects of the audit to be strong, but would probably be most cognizant of the ‘bigger picture’; business and technical aspects of the arrangement as well as the outsourcing contract details and if they were being executed correctly. In addition, these managers would also want to ensure that the company was financially stable and was reputable in terms of the industry and customer service. Managers focused at the operational level would probably be most interested in making sure of the technical details of the arrangement as well as anything that was called out in the terms of the SoW.
Vince Kelly says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is an overall contractual agreement between two parties – a service provider and a service receiver. An SoW is the detailed description of exactly what work will be delivered. The SoW is part of the overall MSA.
Vince Kelly says
5. What are the different reasons a firm may wish to outsource a particular function or process?
The article “Audit of Outsourcing” states that many companies outsource “for a variety of reasons including to reduce costs, to enable the organization to focus on its core activities, to overcome the nonavailability of skilled personnel and to improve the quality of service.”
Tamekia P. says
What different kinds of IT outsourcing are there?
IT outsourcing includes software development, application support and maintenance, and infrastructure management services.
Tamekia P. says
What is business process outsourcing and how is it related to IT?
Business process outsourcing is the outsourcing of non-IT business related processes. These could include Human Resources, back office functions, etc. This is related to IT because when you outsource a business process, you need to determine how the third party will access internal systems. This could include VPN, bulk uploads of data, or application access depending on the business process.
Vince Kelly says
Agreed Tamekia. In addition to what you’ve already pointed out and at the risk of stating the obvious, each service that a company outsources is also one less service that IT needs to focus on as well, right? I.e., if you outsource HR for example then it frees up the hardware, software, and technical skill resources that would otherwise be needed in order for IT to support the HR function (the upside).
That being said though, in many cases the company still has liability & fiduciary responsibility for what happens – so in effect, you ‘transfer the risk’ and responsibility from the domain of purely IT back over to the business owners and to some extent the MSP if it is negligent.
Richard Flanagan says
Tamekia and Vince – quite right about compliance and other legal liabilities remaining with the company that outsourced the service. So if you outsource HR, you are still responsible for ensuring that your employees’ health data is stored in a US data center. How do you know? It can become a problem.
IT issues don’t go away entirely. When outsourcing a function like HR you need to integrate your system(s) with the outsource company’s systems. Such integrations can be troublesome and you still have role access and authentication issues.
Michael Gibbons says
Great examples Tamekia and Vince. To the professor’s point, an example I lived through involved an organization with a very decentralized approach to IT functions. HR did not want to work with IT anymore so they selected a SaaS vendor. Because it longer was in house, many other departments had worked directly with IT to get access to the HR database without HR knowledge/approval. The day the SaaS HR solution went live, several critical processes broke throughout the organization because the data no longer resided in house and there was not a formal process for documenting system dependencies.
Tamekia P. says
If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
I would want to make sure there was real-time monitoring of the KPIs. This would ensure that actions could be taken where necessary if there is significant deviation from agreement. The company’s data including the network should be secure to prevent security issues or data breaches. Additionally, the availability of data, how does the vendor ensure there is no downtime or quickly address incidents.
Tamekia P. says
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is a legal document that details expectations of the arrangement. A statement of work details the work that will be done. I would be more interested in the SOW because it contains the detail of what will be performed and that information is important for monitoring adherence to contract terms.
Tamekia P. says
What are the different reasons a firm may wish to outsource a particular function or process?
There are several reasons for outsourcing a function. The company may want to free up capacity to work on core competencies. Outsourcing work costs less than retaining the function in house. The process is time intensive and does not add much value to the organization.
Richard Flanagan says
Tamekia – outsourcing may not cost less, it may be more of a question of quality or having a fee for service model rather than tying up corporate assets in employees. If you see an employee group performing inadequately in-house and benchmarks tell you that you can get a much better service for a little more money, then you might be tempted to outsource. Also, remember, there are lots of hidden costs to employees so you need to do a very good job of comparing costs.
Patrick DeStefano (tuc50677) says
I completely agree Professor. Several years ago, the company I was working for needed a specialized application built to assist with ensuring the quality of the code we were delivering. After analyzing all the factors and variables needed to build the application, we decided that, rather than taking our resources away from our critical functions to work on it, we would outsource the job to a vendor who had already built similar products. In times like this, where RTE operations remain critical to the company and resources are limited, outsourcing may make the most sense, even if it isn’t any less expensive.
Heiang Cheung says
5. What are the different reasons a firm may wish to outsource a particular function or process?
There are many reasons to outsource particular function or processes because that function might not be worth your time in maintaining. The function might cost less to maintain if you outsource. The company might not have enough know-how or resources to do particular functions. This actually gave me a better perspective on outsourcing because when people hear about outsourcing people just think it’s about cost only. I think there was an article talking about Apple can’t even move their factories to the US if they wanted to because the US doesn’t have the workers able to make the phone.
Richard Flanagan says
Heiang – not sure that there are not enough skilled workers for Apple but I do believe that many companies enter into outsourcing looking to reduce cost. This often turns out not to be true and you see articles about companies bringing work back. I don’t have any numbers but I believe such failed outsourcing attempts are due to the company not really defining their goals beforehand and doing their due diligence.
Michelangelo C. Collura says
I find your point about failed outsourcing cost-savings to be fascinating. It shows the truly deplorable state of governance in the firm if the entire purpose for outsourcing is missed, much less than any fringe benefits, such as increased reach perhaps. A notable example I found is #3 on this list, and it hits home because I know just how terrible governance and communication can be in the military.
https://www.itproportal.com/2015/12/19/five-of-the-biggest-outsourcing-failures/
Richard Flanagan says
Michelangelo – great article, thanks for posting it.
Patrick DeStefano (tuc50677) says
I read a similar article on Apple and why they can’t move manufacturing to the U.S. It didn’t mention anything about skilled labor, but it did paint the picture of how Guangzhou, a city in southeast China, is where a huge majority of the world’s electronics manufacturing takes place. Suppliers and manufacturers can literally be found right down the street from one another. Even if Apple tried to move all its manufacturing to the US, the suppliers would still all be in China. In order for Apple to “Outsource” their manufacturing back to the US, there would have to be some major cost savings or other factor making it worth it, and that’s simply not there currently. I have seen articles floating around that China’s economy may surpass the US in a few dozen years. If Apple is still around then, maybe labor in the US might be cheaper and manufacturing will move back.
Pascal Allison says
What different kinds of IT outsourcing are there?
IT outsourcing is when an organization contracts an external service provider to work a specific IT function or knowledge-related work. The service provider can be:
Onsite – contracting a service provider locally. Service provider located in same country as the company.
Near site – contracting a service provider near or adjacent company country. Most time the culture, languages, environmental circumstances are similar.
Offshore – contracting a service provider located in a different company. Most time the culture, language, environmental circumstance are different.
There are lots of services that can be outsourced:
• Application development and maintenance;
• Infrastructure Management;
• Testing and validation;
• Data Center Management;
• Managed security;
• Cloud computing; etc.
These services can be placed under one of the three IT areas:
Software Development – a service provider performing some or all the activities in the software development life cycle.
Application support and maintenance – problems, bugs, and all other requests pertaining to a software or application are handled by a service provider.
Infrastructure management service – enterprise collection of hardware, software, network, data center, facilities related equipment. A service provider plays the role of a system administrator, network and security manager, backup and restoring, availability, etc.
Pascal Allison says
What is business process outsourcing and how is it related to IT?
Business process outsourcing (BPO) is contracting a service provider to handle a specific business task. IT refers to business process outsourcing as information technology enabled services (ITES), which is the delegation of IT intensive business process to a service provider. Most times this function is non-primary.
Pascal Allison says
If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
As the manager of a major outsourced service hearing of audit I would review the contract and statement of work for all expectations and ensure they are met. Some areas I will look at closely are:
• Financials and Going concern (business continuity);
• Connectivity, application, network, data, personnel, physical, and environmental security;
• Project monitoring and governance;
• Compliance with regulatory requirements and laws (local and international);
• Customer satisfaction review (sheet or report);
On the overall, I would want to ensure all risks are covered, the contract and statement of work (SOW) executed accordingly, and have all undiscussed risks highlighted with controls and or contingency plan in place.
Pascal Allison says
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The difference between an outsourcing contract and statement of work is that an outsourcing contract is a legal agreement between a business and a service provider (external) in which the service provider commits to providing a partial or complete service(s). In the IT environment, a service provider could agree to application, infrastructural, or business process management. That legal agreement signed by both the business and the service provider is the outsourced contract while a statement of work is the specification of service to be performed or provided (level, quality, time, etc.) by the service provider. A statement of work is a part of the contract. The statement of work defines liability, responsibility, and work consensus.
Since the statement of work is a part of the outsourcing contract, the auditor should be interested in the contract. That way, every aspect of outsourcing and jobs will be viewed.
The section of the contract the auditor will focus on during an audit will be the statement of work.
Michelangelo C. Collura says
I’d be interested in hearing from auditors how thoroughly they dissect the SoW in an OC, as it likely gets into a lot of detail beyond the mere framework of the contract, but rather more into the technical. I imagine the SoW may be prone to scope creep, with the supplier switching gears as the client’s needs change. This increases chances for disruption or miscommunication, but also increases the risks of security concerns popping up.
Pascal Allison says
What are the different reasons a firm may wish to outsource a particular function or process?
There are many reasons a firm may wish to outsource a function or process. Some of those reasons are:
• Managing and or controlling the entity resources (cost, time, material, etc.) with the intent of saving;
• Refining or redefining the entity focus on core values and Redirecting the entity resources;
• Accessing external resources and gaining access to proficient services; and
• Transferring or sharing business risks.
Duy Nguyen says
1. What different kinds of IT outsourcing are there?
• Software development: the organization can provide requirements and possibly design and specs to a provider. The service provider would be contracted to analyze, design, code, test, and integrate. The service provider is contracted to do pretty much most of SDLC.
• Application support: application could be previous implementation or in-house development, but the service provider is contracted to pretty much provide system support. Anything from maintenance to assisting with helpdesk tickets.
• Infrastructure management services: Service provider is to provide support pertaining to IT technology. Anything from support and maintenance of servers, databases, networks and data center management.
Duy Nguyen says
2. What is business process outsourcing and how is it related to IT?
• Business process outsourcing refers to the outsourcing of non-primary business function to a third-party service provider. With this process, any organization can outsource much or all their IT needs. Virtually all function of IT can be outsourced with the more efficient allocation of in-house resources to focus on core business activities. Many of the benefits of outsourcing are increased efficiency, controlled costs and reducing risks associated with having effective in-house IT.
Duy Nguyen says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
• The most important aspect would have to be a strong Contract. The Contract should have a detailed process of evaluation of the service provider, and all terms and conditions are legally enforceable. All agreements and expectations from the organization and service provided must be documented.
Duy Nguyen says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
• The contract would be a higher-level agreement and the statement of work is a finer detail of work. The Contract, which should contain a SOW, is the legally binding agreement between an organization and a service provider. The SOW is the details of the agreement, what the organization is expecting and all deliverables. Auditors should focus on the SOW; within the statement of work are all the fine details of what the organization is essentially paying for.
Duy Nguyen says
5. What are the different reasons a firm may wish to outsource a function or process?
• As in process outsourcing, there are many advantages in outsourcing of a process. Outsourcing done right can enable an organization to be more efficient allocating roles and responsibilities, reduce risks associated with running the process effectively, control costs, obtain a service that otherwise would be not affordable for the organization to conduct in-house, and the ability to focus on core business function among other things.
Michael Gibbons says
Great examples Duy. Another one I thought of after posting my answer was regulatory/compliance. Most companies but specifically publicly traded companies are required to have external audits of their financial statements performed by an independent third party. Most companies already have accounting/finance departments along with internal audit but as a necessary evil, the company must contract with a third party to perform the financial statement review which usually leads to other services being contracted by that firm.
Richard Flanagan says
Guys – another take on compliance is that you may not currently be compliant and not want to invest in the service in question. Instead you may outsource it to a provider who does run a compliant service.
Anthony Quitugua says
Wouldn’t an external compliance agency just be another name for an external auditor? Personally, compliance is something that I would be hesitant to outsource. If you are dealing with anything that could be the target of an external audit, it is best to have an in house compliance staff to keep you in line and CYA. Compliance is an ongoing process and keeping it in house is the best way to make sure your programs, processes and agreements remain “audit proof”.
Jonathan Duani says
1. What different kinds of IT outsourcing are there?
I think during this day and age almost anything in IT can be outsourced. When I first started working in IT I worked for a MSP or a Mass Service Provider. We took care of everything the company needed IT wise from networking to device administrator to computer work. We were the boots on the ground and the admins. The company fully outsourced their IT to be taken care of by an outside company so it was not done in house. I think as we move farther into the 21st century we are going to be seeing that more and more especially with cloud services where you can now stand up all the essential services like AD, DHCP, DNS and everything else that falls under that umbrella somewhere in a cloud and then just have your systems talk to it. In my current job we outsource a lot of work to contractors especially when there is a big project and we will need extra hands. All of this will fall under outsourcing.
Jonathan Duani says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing is when you take non-essential services on the business side of the company and outsource to a 3rd party company who specializes in that specific service. The way this relates to IT is that a lot of the services that the business sides of the organization would outsource have a decent amount of integration with IT. For example, a lot of the minimal tasks in payroll could be outsourced like payroll, and hiring of new employees. They could outsource the hiring process to 3rd party recruiters and then also have a different company take care of all the payroll; however, they will need to have IT be invested in this outsourcing because IT will have to give access or control to specific systems to the 3rd party company and explain how the flow of information works within the specific system so that the 3rd party company can do their job.
Jonathan Duani says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
If I was a manager of a major outsourced service and I heard that we were going to be audited I would first want to look at my contract with the company that we outsourced the service to. I would check to make sure that all the i’s are dotted and t’s are crossed. I will make sure it is clearly written what the responsibilities are for the company and make sure that these responsibilities have been met. I would also make sure that any potential risk that might exist in the environment is looked at to make sure that the risk does not exist. I would spend a decent amount of time going through all the different layers of the services and make sure that we are within code for everything.
Richard Flanagan says
Jonathan – yes, but waiting to do all that once an audit is upon you is too late. You need to be on top of those things (or have someone who is) and be actively managing any issues.
Jonathan Duani says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is a legal document that is between the main company and the company that you will be outsourcing to. It will list out all the expectations of the agreement between the two parties including financial and legal. A statement of work is different because this is actually the document that outlines the work that will be done under that contract. As an auditor I would take a look at both documents to get a whole picture of the situation. First, I would look over the contract just to see the stipulations that are in the agreement between the two parties. However, I will be the most interested and focused on the statement of work because it will tell me exactly what the outsourced company was responsible for and it is important to check up on that to make sure that the contract terms are being followed.
Jonathan Duani says
5. What are the different reasons a firm may wish to outsource a particular function or process?
The biggest reason I can think of is the monetary aspect. Even though sometimes when you outsource services to a different company it is not always cheaper, there are a lot of other reasons that it winds up being more cost effective. First you do not need as many employees in order to run a specific service. If something goes wrong you call the company and they fix it. This will alleviate a need for a whole networking team or a whole server team and limit it to a couple key people to make sure operations are running smoothly. It will also cut down on costs. It may be more expensive to run the service on the cloud but you will no longer need to pay for the hardware, HVAC, power that goes along with it. Also, you will no longer need to worry about maintenance and the costs that are associated with that because a different company is responsible for upkeep. Finally, you will not have to worry about systems going down as much especially if you are outsourcing them to a cloud based solution. This is because you can easily incorporate redundancies which will allow the services to stay online even in the event of an outage.
Anonymous says
What different kinds of IT outsourcing are there?
A firm could outsource IT services in much the same way as any other services. One method is out-tasking – a process of breaking up delivery aspects of a process and tossing some to an external provider. This minimizes security risks a bit while still saving costs. Multi-sourcing is another method and of course means multiple suppliers handle the process. This is unlikely because it increases data theft risks, but it does help promote competition among suppliers, thereby potentially meaning greater cost-savings to the firm. Managed services is another method using specific detailed costs going in and the ability to change as the situation changes, a sort of real-time needs-based outsourcing. Finally, augmentation allows a firm to outsource hiring for seasonal or specific times, boosting their department numbers at given times.
Michelangelo C. Collura says
I forgot to sign in before I posted this.
Michelangelo C. Collura says
What is business process outsourcing and how is it related to IT?
A biz process is defined as a collection of tasks used to deliver a service to a client. Therefore, outsourcing would mean taking one or more of these tasks and handing them off to an external supplier, thereby reducing costs and being more competitive. In IT, concerns are often raised about PII and proprietary data – the lifeblood of the firm. Outsourcing creates unique risks for these two things, as well as applications and business planning. In IT audit, we’d concern ourselves with these aspects of outsourcing so as to minimize risks inherent in giving pieces of our firm to someone else – even with a strongly constructed master service agreement.
If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
What are the different reasons a firm may wish to outsource a particular function or process?
Michelangelo C. Collura says
If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
I’d say software development because our firm is providing the guidelines for the product. If our guidelines are flawed or miscommunicated, then the supplier is going to provide us a bad product, and only one firm will suffer the consequences from clients – our firm. Communication and requirements, from the beginning of the development life cycle to the end, must be strong. This transitions into maintenance and support, which would be equally concerning after the product has been delivered, but without an initially successful delivery, the second part is irrelevant.
Michelangelo C. Collura says
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The OC is the overarching structure for the outsourcing agreement, covering all aspects of it from objectives, communication plans, and even an innovation plan. Within these many components is a statement of work, describing how the supplier will deliver the service/product. Since the SoW is within the OC, I’d think that both are of interest to the auditor. The granularity of the SoW may go into detail unnecessary to complete an outsourcing audit, but then again there may be a conflict described in the SoW, perhaps compromising firm data and unnoticed in other areas of the OC. This would therefore be just as relevant to the auditor as any other attachment.
Michelangelo C. Collura says
What are the different reasons a firm may wish to outsource a particular function or process?
Reasons are as varied as there are firms. Most common reasons tend to be monetary – a firm can save money by outsourcing the specific process/function, so it does so. Sometimes, it’s also core competency; a firm strives to provide quality service, even in an area it does not consider a strength, such as delivery, so it outsources. Within the week’s readings, we’re told how efficiency is a strong incentive, and this ties into both cost savings and core competencies. Also added to the list are increased reach of a firm’s services and reduced risk. The last one is debatable as outsourcing will inevitably create some new risk. However, the new risk may outweigh the previous, so it may still be a net positive.
Michael Gibbons says
Michelangelo, I like how you put the emphasis on the reduced risk being debatable. I think it’s possible to reduce the risk but it definitely requires many other pieces to be working properly (vendor due diligence process, risk management function, good governance in general).
Richard Flanagan says
Guys – I would say that you are correct in wondering about reduced risk. It certainly changes your risk profile. The business relationship is a major risk that can be mitigated by a good MSA and SOW and good vendor management. Don’t make the mistake of thinking that you are just adding risk; companies also eliminate some risk by outsourcing, particularly if they are not doing it well. The real question is whether the residual risk is higher or lower in aggregate.
Michelangelo C. Collura says
Well stated, Professor. The question needs to be asked, and an answer should be calculated. In a scenario where a firm discovers the vendor has atrocious security after a contract to handle client PII is made, they would be kicking themselves for not assessing the risk beforehand. In aggregate, this may be less risky than keeping it in-house, but it should always be assessed.
Michael Gibbons says
1. What different kinds of IT outsourcing are there?
Software Development – you provide your requirements and money, the service provider delivers the code or application and should follow a formal SDLC process.
Application Support and Maintenance – the vendor takes on resolving problems with applications, upgrades to applications, bugs with applications and helping the company keep the applications running.
Infrastructure management services – Database administration, server administration, desktop administration, network administration, security services, data center management, and support for these respective functions.
Richard Flanagan says
Michael – don’t forget about Business Process Outsourcing and other IT services like Helpdesk, network, etc. BPO is especially important as it is often seen as non-IT outsourcing but it is very often IT dependent. I have seen an HR department outsource all of its back-end functions without investigating if the vendor’s systems could be interfaced to their own. The result was close to $1 million worth of a last minute integration problem.
Michael Gibbons says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing is a subset of outsourcing related to specific operations being outsourced to a third party (i.e. Payroll, Finance, Accounting, Legal, etc.). It is related to IT by needing to integrate this service into the organization (secure exchange of data between company and third party). IT will need to manage credentials, implement network access controls (principle of least privilege) to keep the third party out of areas they do not need to perform their function, and monitoring (may need to be performed by multiple business units due to the nature of a third party not being your company’s employees).
Michael Gibbons says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
IT General Controls – you want to make sure you are doing the basic things well and have documented repeatable processes in place for these items (Access Control, Change Management, System Development LifeCycle controls, backup and recovery, etc.). Any glaring weakness in these areas would lead an auditor to look deeper into other areas of the outsourcing arrangement. If IT General Controls are ignored or not implemented properly, it would be safe to say the risk would be higher that there could be significant control deficiencies in other areas as well.
Richard Flanagan says
Michael – excellent point
Michael Gibbons says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is an agreement between an organization and a third party describing all aspects of the business relationship. A statement of work is typically an attachment to a contract to specify certain items that the third party is being hired to perform (customize an application, implement a new module, perform a health check on an existing service, etc.) The Statement of work will detail time frames, deliverables and pricing.
As an auditor, I would be interested in looking at the master service agreement and any addendums to the master service agreement followed by a review of the statement of work. The master service agreement should be more detailed regarding the business relationship as a whole (more of a legal document). The statement of work would follow the terms of the master service agreement and then get into the details of the work to be done.
Michael Gibbons says
5. What are the different reasons a firm may wish to outsource a particular function or process?
Possible cost savings, expertise of third party over internal resources, difficulty obtaining or retaining employees for a particular function or process. Managed Security Services would be an example where it would save money to outsource this function because it is something that the vendors can do at scale vs. having a group of security professionals staffed 24×7. The MSSP can alert internal staff when they see an issue and work directly with the organization on how they wish to handle these events.
Anthony Quitugua says
1. What different kinds of IT outsourcing are there?
There are many different types of outsourcing; as mentioned in a previous post, it might be a better question to ask what can’t be outsourced. Outsourcing refers to the transfer of a business activity or function from a client/customer to a local or foreign third party service provider.
There are many different descriptions of the types of IT outsourcing, but they all pretty much fit into these (5) categories:
1. Offshore outsourcing – sending IT-related work to a company in a foreign country that offers political stability, lower labor costs and tax savings; India, China and the Philippines are popular offshore outsourcing countries.
2. Nearshore outsourcing – sending IT-related work to a company in a country that shares a border with your own; presumably, it is easier to travel between the two and for the company and the provider to communicate with one another.
3. Onshore or domestic outsourcing – contracting with a third party located in the same country to provide IT-related work, off-site or in-house.
4. Cloud Computing – contracting with a third party to provide IT-related functions over the Internet or a proprietary network. Examples include Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service.
5. Managed Services – contracting with a third party to provide network management functions including IP telephony, messaging and call centers, virtual private networks (VPNs), firewalls, and the monitoring of and reporting on network activity. In this type of outsourcing arrangement, a special emphasis is placed on the integration and certification of Internet security.
Anthony Quitugua says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing (BPO) is the contracting of non-primary business activities and functions to a third-party provider. BPO services can include payroll, human resources (HR), accounting and customer/call center relations.
Outsourcing these non-primary business activities will allow an IT organization to focus its effort and resources on its core business activities.
Anthony Quitugua says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
Above all else, I would ensure that the contract was the most “audit proof”. It is a legally binding, and enforceable, document that holds both parties accountable to the agreed upon expectations of the outsourcing arrangement. All other aspects of the outsourcing agreement are based on this document.
Richard Flanagan says
Anthony – that kind of begs the question. What are “the agreed upon expectations of the outsourcing arrangement?” And which ones do you think are most critical in general?
Anthony Quitugua says
The contract is supposed to reference the SOW that lists those expectations in detail. In general, I would include any requirement that has a legal or regulatory implication as most critical. Basically anything that could either cost me money in fines, or time in jail.
Anthony Quitugua says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
A contract is a voluntary, deliberate, and legally binding agreement between two or more competent parties. Within that contract is included the Statement of Work (SOW), which is a detailed description of the specific services or tasks a contractor is required to perform under a contract.
As an auditor I would be interested in both documents. The contract will give the overall expectations of the agreement and any general implications based on the SOW. The SOW will go deeper into the weeds about the specific expectation on the contractor.
It is important as an auditor to ensure that the work spelled out in the SOW matches what is expected within the contract.
Anthony Quitugua says
5. What are the different reasons a firm may wish to outsource a particular function or process?
– Cost savings: non-essential business costs will now be pushed to the contractor
– Third party expertise: you may not have the in house expertise for a particular function, so outsourcing would be a better option than trying to build up the capability
– Disaster Recovery: Cloud services would be a great example of outsourcing to facilitate disaster recovery.
Mohammed Syed says
1. What different kinds of IT outsourcing are there?
There are many different kinds of IT outsourcing services, for example e-commerce outsourcing and website design, to name a few. These outsourcing services are frequently gathered into some key categories like skilled process, engineering, process-specific, functioning and project outsourcing, and some of these can be found outside the country. Currently, many companies from the United States are outsourcing to organizations all over the world.
Mohammed Syed says
2. What is business process outsourcing and how is it related to IT?
The business process outsourcing involves contracting of the processes and tasks of a specific to a third-party service provider. The main benefit of any BPO is the method in which it helps grow a company’s flexibility.
Mohammed Syed says
3. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The difference between an outsourcing contract and statement of work is that outsourcing contract is composite businesses, and a good outsourcing contract will inspect service level agreements, penalties and rewards, timeframes and measurements, regular reviews, and exit strategies. The statement of work (SOW) is a document routinely employed in the field of project management. It defines project-specific activities, deliverables and timelines for a vendor providing services to the customer.
According to audit guideline: Contract—Most outsourcing arrangements are put in place after a detailed process of evaluations, due diligence and negotiations, with exchange of communications between the company and the service provider over a period. Notwithstanding all this, it is important for both parties to have a legally enforceable contract document that details the agreed expectations on all the various facets of the arrangement. For the IS auditor, a good starting point should be the outsourcing contract. The IS auditor should make a thorough scrutiny of the contract, as would be done for any major commercial contract, and evaluate all risks as done in any contract audit. Statement of work: the next important information from the contract should be the statement of work that lists the work to be done by the service provider. The work may fall into one or more of the categories described above. The auditor should ascertain from the activities at the company’s IT department what activities have been outsourced and what are being done in-house. The auditor should examine whether the work projects actually performed by the service provider and those mentioned in the contract are the same.
Mohammed Syed says
Question 4, not 3.
BIlaal Williams says
What different kinds of IT outsourcing are there?
The different kinds of IT outsourcing can be generally grouped into the following areas:
• Software development – The service provider does the analysis, design, coding, testing and integration of design specifications provided by the company.
• Application support and maintenance – The service provider attends to the problems and bugs and all requests from users related to the application software. The service provider also attends to any modifications or additional requests from users regarding the application. These services are typically provided via help desk and ticketing procedures.
• Infrastructure management services – The service provider delivers services relating to system administration, database administration, network management, desktop management, security management, data center management. These services also include handling help desk trouble tickets relating to these areas.
These services can be provided via one or a combination of the following:
• Onsite – The service provider delivers services in the same facility as the organization.
• Onshore (domestic) – The service provider delivers the services from a different site but in the same country as the organization.
• Offshore (foreign) – The service provider delivers services from a different site and in a different country than the organization.
Mohammed Syed says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The difference between an outsourcing contract and statement of work is that outsourcing contract is composite businesses, and a good outsourcing contract will inspect service level agreements, penalties and rewards, timeframes and measurements, regular reviews, and exit strategies. The statement of work (SOW) is a document routinely employed in the field of project management. It defines project-specific activities, deliverables and timelines for a vendor providing services to the customer.
According to audit guideline: Contract—Most outsourcing arrangements are put in place after a detailed process of evaluations, due diligence and negotiations, with exchange of communications between the company and the service provider over a period. Notwithstanding all this, it is important for both parties to have a legally enforceable contract document that details the agreed expectations on all the various facets of the arrangement. For the IS auditor, a good starting point should be the outsourcing contract. The IS auditor should make a thorough scrutiny of the contract, as would be done for any major commercial contract, and evaluate all risks as done in any contract audit. Statement of work: the next important information from the contract should be the statement of work that lists the work to be done by the service provider. The work may fall into one or more of the categories described above. The auditor should ascertain from the activities at the company’s IT department what activities have been outsourced and what are being done in-house. The auditor should examine whether the work projects actually performed by the service provider and those mentioned in the contract are the same.
Mohammed Syed says
5. What are the different reasons a firm may wish to outsource a particular function or process?
There are different reasons a firm may wish to outsource particular functions, and they are usually the most common reasons: reducing and controlling operating costs, improving company focus, gaining access to world-class capabilities, freeing internal resources, streamlining, sharing risk with a partner company. The company should ensure that they consider all the components are able to meet the requirements for successful outsourcing.
BIlaal Williams says
What is business process outsourcing and how is it related to IT?
Business process outsourcing is the contracting of a specific business task to a third-party service provider. BPO is typically implemented as a cost-saving measure for tasks that a company requires but does not depend upon to make profit and maintain their position in the market place. IT related tasks such as data entry, data management, payment processing and technical support are among the business processes that many organizations choose to outsource. BPO categories are front-office customer services such as tech support and back-office business functions such as billing. BPO is closely related to IT operations and is often used interchangeably with ITES (Information Technology Enabled Services), although BPO can be comprised of non-technical services as well.
Mohammed Syed says
1. What different kinds of IT outsourcing are there?
There are many different kinds of IT outsourcing services, for example e-commerce outsourcing and website design, to name a few. These outsourcing services are frequently gathered into some key categories like skilled process, engineering, process-specific, functioning and project outsourcing, and some of these can be found outside the country. Currently, many companies from the United States are outsourcing to organizations all over the world.
Mohammed Syed says
What is business process outsourcing and how is it related to IT?
The business process outsourcing involves contracting of the processes and tasks of a specific to a third-party service provider. The main benefit of any BPO is the method in which it helps grow a company’s flexibility.
Mohammed Syed says
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The difference between an outsourcing contract and statement of work is that outsourcing contract is composite businesses, and a good outsourcing contract will inspect service level agreements, penalties and rewards, timeframes and measurements, regular reviews, and exit strategies. The statement of work (SOW) is a document routinely employed in the field of project management. It defines project-specific activities, deliverables and timelines for a vendor providing services to the customer.
According to audit guideline: Contract—Most outsourcing arrangements are put in place after a detailed process of evaluations, due diligence and negotiations, with the exchange of communications between the company and the service provider over a period. Notwithstanding all this, it is important for both parties to have legally enforceable contract documents that detail the agreed expectations on all the various facets of the arrangement. For the IS auditor, a good starting point should be the outsourcing contract. The IS auditor should make a thorough scrutiny of the contract, as would be done for any major commercial contract, and evaluate all risks as done in any contract audit. Statement of work: the next important information from the contract should be the statement of work that lists the work to be done by the service provider. The work may fall into one or more of the categories described above. The auditor should ascertain from the activities at the company’s IT department what activities have been outsourced and what are being done in-house. The auditor should examine whether the work projects actually performed by the service provider and those mentioned in the contract are the same.
Mohammed Syed says
What are the different reasons a firm may wish to outsource a particular function or process?
There are different reasons a firm may wish to outsource particular functions, and they are usually the most common reasons: reducing and controlling operating costs, improving company focus, gaining access to world-class capabilities, freeing internal resources, streamlining, sharing risk with a partner company. The company should ensure that they consider all the components are able to meet the requirements for successful outsourcing.
BIlaal Williams says
If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
I would make sure the risks associated with outsourcing are properly mitigated with the appropriate security controls as outlined in the organization’s risk management strategy. This includes controls that affect the confidentiality, integrity, and availability of any information that is accessed by the service provider.
Heiang Cheung says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is a legally enforceable contract document that details the agreed expectations on all the various facets of the arrangement; a statement of work states the work to be done by the provider. As an auditor you should be interested in both documents but first should be the contract to evaluate the risk of the contract. Second would be the statement of work to make sure the work that was outsourced is actually what the outsourcing company is performing.
Heiang Cheung says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing is outsourcing a business process that is non-core to the business, for example outsourcing accounts payable. This is related to IT because accounts payable uses IT, so in a way IT has to figure out how to integrate the outsourcing company’s software into their own.
Heiang Cheung says
1. What different kinds of IT outsourcing are there?
The different kinds of IT outsourcing are endless; you could basically get everything outsourced. But there are three different ways of doing it. Local outsourcing is choosing a company within your own. The second is nearshore outsourcing, which is outsourcing to a country not far from your own, like Mexico for the US, and the last would be offshore outsourcing; an example is outsourcing stuff to China.
BIlaal Williams says
What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract is the master service agreement (MSA) between the company and third-party service provider which is the overarching contractual terms and conditions for the outsourcing deal. The MSA specifies generic terms such as payment agreements, product warranties, intellectual property ownership and dispute resolution.
The Statement of Work (SOW) is a schedule attached to the MSA. It defines deliverables and timelines for the service provider. While the MSA is the conceptual contract providing the outline to the agreement between the company and the service provider, the SOW includes detailed requirements and pricing with standard controlling and governance terms and conditions.
Since the SOW is only an attachment to the MSA, I feel the auditor should focus on the MSA to ensure the audit is a complete analysis of the agreement between the two parties. Focusing only on the SOW can cause an auditor to miss key terms and conditions in the agreement.
BIlaal Williams says
What are the different reasons a firm may wish to outsource a particular function or process?
The main reason a firm will choose to outsource is to reduce costs. What processes an organization chooses to outsource depends on what processes it deems can be handled more efficiently by a third-party vendor. Specific reasons to outsource could be to increase efficiency in production, reduce risks by transference, BPO to focus on core business activities, or to increase its reach by utilizing superior third-party services.
Patrick DeStefano (tuc50677) says
Just keep in mind that although a lot of the time a major reason for outsourcing is to reduce cost, there are certainly cases in which a firm may decide to outsource even if costs remain the same or even increase a bit. They may do this to get a better quality of product or service if the vendor is more knowledgeable or is better equipped to handle the processes than your firm is. It can also be as simple as you would rather outsource in order to keep your resources focused on priority deliverables and not have them trying to support the other operations at the same time.
Brandan Mackowsky says
1. What different kinds of IT outsourcing are there?
IT outsourcing is widespread and can essentially be done to anything within the IT realm. A common example of an IT outsourced item would be something like a tech support or IT call center. Here, troubled customers can call in for technical support and rather than paying the high wages associated at home, a company is able to outsource this field to another area in the world where they can pay employees and services for a much lower rate. Since IT can have the majority of it outsourced, it is becoming more commonplace within the technological world. By outsourcing things, a company is able to save a lot of money to invest and reinvest it into future developments. Types of outsourcing for an organization to consider include onshore and offshore outsourcing, managed services, and nearshore outsourcing.
Brandan Mackowsky says
2. What is business process outsourcing and how is it related to IT?
Business Process Outsourcing is when an organization will gather together its non-primary business functions and activities and contract them together to a third party provider who can provide these services for a price that the company is willing to pay rather than create or maintain its own department. This is related to IT in that a big aspect of Business Process Outsourcing can include information technology services because rather than having employees focus on resolving IT related problems, using BPO the organization is able to ensure its speed and efficiency are greater than what it can provide and guarantees that employees are focused on core business strategies and objectives to keep the organization running smoothly and aiming for success.
Heiang Cheung says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
I would make sure the contract was intact and also make sure the statement of work is accurate, making sure the work being stated is the work actually being outsourced. I would want to make sure there is a high level of monitoring, making sure the provider is in good financial standing. Last but not least, I would want to make sure the connectivity and network security is robust.
Brandan Mackowsky says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
As the manager of a key outsourced service about to be under an audit, it is essential to ensure that the three key areas expected of the business were followed and that they are complying with the outsourcing contract. First, it is key to ensure that the business has provided connectivity and network security to the outsourced division and that it has access to the network itself that was expanded to them. Without this, the third party would not be able to provide quality service to the organization. It is also key to ensure that data security is available and enforced in order to keep all of the organization's information safe and secure. It is also key to ensure compliance because if an error occurs, the receiving organization is still liable but they will come back with heavy and complicated lawsuits, thus ruining the third party's reputation. The main goal is to ensure the contract is followed accordingly to keep all parties content.
Brandan Mackowsky says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract explains why a business is outsourcing a specific service or function to a third party and what specifically is being outsourced, while a statement of work explains what and how the third party will provide support for this service or function. As an auditor, it is nice to see both but the key focus should be on the outsourcing contract because it ensures that the business is getting out of the third party what it expects from this service. Without this, an auditor would have a hard time understanding the need for the outsource other than what they are told by the line of business.
Brandan Mackowsky says
5. What are the different reasons a firm may wish to outsource a particular function or process?
The best reason a firm would want to outsource a specific function or process is generally for them to either save money or avoid the hassle of its maintenance. If a firm is able to experience great long term cost saving benefits by outsourcing a business function, it would make the most sense for a firm to simply rid itself of the function and outsource it if it is not a key business focus because the cost savings can be used to help grow and expand the company and allow for greater success. However, sometimes it may cost more to outsource and in this case, the firm realizes that keeping the function around and maintaining it is too much of a hassle and they would see benefits from its removal. In this case, the business clears the minds of its employees to focus on more key objectives rather than tedious tasks that can be conducted elsewhere for a fee.
Lezlie Jiles says
1. What different kinds of IT outsourcing are there?
Outsourcing is the process in which an organization contracts with another company to provide services for several reasons such as it not being financially conducive for the organization to perform. In this case, IT outsourcing includes several functions, such as web hosting, email, help desk, data back-up, and infrastructure. The types of outsourcing are offshoring, onshore, cloud computing, managed services, and nearshoring.
An example of this would be USIS. This example is more of what not to do when contracting with another company or the importance of VRM. USIS was an organization that the US government contracted with to conduct their government employee background checks. Between 2013 and 2015 it was identified that USIS was not performing the outsourced work as they were hired to do. This eventually led to them losing their governmental contract and ultimately filing for bankruptcy. Also, there were other factors involved but for this comment, I gave a high overview of the issue.
Lezlie Jiles says
2. What is business process outsourcing and how is it related to IT?
Business process outsourcing (BPO) is the process in which an organization hires a third party service provider to perform a particular business process. Typically this could include functions such as HR, cashiering, help desk, and other processes. This relates to IT because at some point these functions are integrated with the company’s systems thereby opening the company’s proprietary data to the third party vendor.
An example of outsourcing would be an online payment portal. The company utilizes a credit card payment processor to receive all online payments for the particular organization. The third party vendor will need access to the company’s network to feed over revenues received on behalf of the organization. The vendor has to be authorized by our IT department in order to gain access to our network to upload the revenue.
Lezlie Jiles says
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
If I were the outsourcing manager I would want to make sure we were meeting all of the expectations within the contract. Things such as service level, terms, liability issues, etc. A company outsources some of their functions because they believe the vendor can do a better job, and/or is more equipped to handle the particular function. Therefore, making sure we are meeting the company’s expectations in their entirety is important. If not, we as the hired company could put our customers as well as ourselves at risk. Take for instance USIS: they chose to circumvent OPM’s processes, which ultimately lost them the government contract and their business.
Lezlie Jiles says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
An outsourcing contract provides the agreed upon level of service, the expected timeframe in which the services are to be completed, and the penalties if the agreement is not upheld, etc. Whereas a SOW lays out the specific activities and standards (regulation) the vendor has to complete the work. I would be interested in both, but I would be more interested in the SOW. The outsourcing contract provides the timeframe and level of services, whereas the SOW would identify if the work is being completed correctly and complying with any standards.
Lezlie Jiles says
5. What are the different reasons a firm may wish to outsource a particular function or process?
There are several reasons for an organization to choose to outsource over in-house processing. I know for my department we chose to use a call center to reduce front-end process and focus more on back-office processing. As for our cashiering system, we didn’t have a choice. The ERP system did not support cashiering, or it did but it was really bad. Therefore, the only other options were to build a new system, which wasn’t happening, or partner with a vendor who had a system that would successfully merge with our ERP system. To date, it has worked well and has even provided us with process options that we didn’t know we would need, such as Check 21.
Nevertheless, there are several reasons for a company to choose to outsource, such as cost reduction, unskilled employees, reduction of risk (in some cases), and simply the organization just can’t support the function.
Paul Needle says
4. What is the difference between an outsourcing contract and a statement of work? Which should you be interested in as an auditor? Why?
The contract is part of the MSA and includes several different areas ranging from guiding principles to key personnel as well as a statement of work. A statement of work is a list of functions that are to be provided by the service provider. It is within the contract. Both are to be reviewed as part of the MSA audit to confirm that the agreed upon services are completed to the expected level.
Paul Needle says
5. What are the different reasons a firm may wish to outsource a particular function or process?
A few of the reasons an organization may want to outsource are as follows:
1. Increased efficiency
2. Reduced risk associated with running effective IT departments
3. Increased reach by providing access to world class capabilities that might otherwise not be affordable
4. Better investments
5. Improved focus on core business activities.