Recent Scandal Shines Light on Need for Improved Outsourcing Oversight

When news broke in January about the billion-dollar fraud committed by one of India’s biggest outsourcing firms, it sent shockwaves through the developing country’s business community and left its U.S. clients with more questions than answers.

B. Ramalinga Raju, founder and chairman of software and systems integration outsourcer Satyam Computer, admitted that the firm had falsified accounts and assets and inflated its profits over several years, including overstating its cash and bank balances by more than $1 billion in its September 2008 balance sheet.

Now, the firm’s clients in 65 countries, including Nestle, General Motors and General Electric, are demanding answers, including how Satyam’s auditor, PricewaterhouseCoopers, could endorse the firm’s accounts.  It is also raising questions about how clients missed signs that something was going terribly wrong, including:

• The World Bank’s decision in September to ban Satyam from doing any of its work after discovering that the firm’s employees had hacked its system
• The December announcement by Satyam of its plans to buy two infrastructure companies run by Raju’s sons for $1.6 billion, a decision that was immediately reversed under pressure from its shareholders and was later confirmed by Raju to be a last-ditch effort to replace its fictitious assets with real ones
• A lawsuit filed against Satyam by a former client claiming intellectual fraud and forgery

The Critical Need for Oversight

The magnitude of the Satyam scandal and the failure of clients to recognize the warning signs that trouble was brewing has renewed focus on the critical role oversight must play in any outsourcing relationship.  It also made clear that oversight must extend beyond performance to include mitigation of the risks and liabilities associated with outsourcing key business functions.

Oversight is “extremely important,” said David S. Schafran, president, Transformation Strategies, Inc. (www.transstrat.com), a consulting firm that works with outsourced IT services providers.  “There are a variety of areas to be monitored, including timely delivery of services, SLA compliance, as well as security and regulatory compliance.”

Upping the ante for improved oversight is the reality that the global economic recession is accelerating outsourcing of business processes, general and administrative (G&A) in particular.  That was the finding of a December 2008 report from The Hackett Group (www.thehackettgroup.com), a global strategic advisory firm.

The Hackett Group estimates that globalized positions at Global 1000 companies will reach 826,000 by the end of 2010, a net increase of approximately 359,000 full-time positions.  Across finance, human resources, procurement and IT, the two-year projected number of positions that will be moved represents approximately 9.6 percent of all transactional full-time employees across the four functions.

The report notes that the rationale behind the projected acceleration of G&A business process globalizations can be explained through the perspective of economic risk. 

“Certainly, mitigating the risk of being uncompetitive from a cost-structure perspective now requires virtually all large companies to globalize at least some G&A work,” states the report.  “But, on the other hand, there is also risk associated with the globalization of G&A services; geopolitical risk, execution risk, supplier risk (in a BPO model), exchange-rate risk and so on.  However, as G&A globalization matures and best practices are better understood, this risk will diminish.”

The Role of Internal Audit

One aspect of outsourcing oversight that is often overlooked in broader discussions is the need to involve internal audit.  Outsourcing requires management of the complexities, risks and challenges that come along with the benefits, which is where internal auditors come into play.

“The role of internal auditing in an organization is to ensure that risks are mitigated by determining whether the appropriate controls, policies and procedures are in place, and that things are working as expected by management and the board of directors,” said Scott McCallum, manager of communications, The Institute of Internal Auditors (www.theiia.org).  “If an organization is outsourcing various functions, the internal audit activity may review those contracts and outsourcing arrangements to ensure that laws and regulations are adhered to, and that the goals of the organization can still be sufficiently and efficiently met.”

For example, when a company outsources a portion of its IT systems management, it is critical to ensure that the service provider is adequately protecting the client’s data and providing secure, well-maintained systems. 

“If any outsourcing arrangement carries with it any significant risk – and inherently, it probably would – an internal audit function would most likely rank this a priority and would consider making this area of the organization a part of the annual or ongoing audit plan,” said McCallum.

In its Global Technology Audit Guide for IT outsourcing, the IIA notes that internal auditors are well-positioned to help their organizations with a comprehensive review of outsourcing operations, identity risks and evaluation of the outsourcing activity’s compliance with applicable laws and regulations.  For IT outsourcing, key questions to ask during audits include:

• Are internal auditors appropriately involved during key stages of the outsourcing lifecycle?
• Do internal auditors have sufficient outsourcing knowledge and experience to provide the right input?
• Do internal auditors understand the roles and expectations of stakeholders within the context of the organization’s outsourcing initiative?
• If IT audit plans are outsourced, are created plans based on a complete, top-down and risk-based scope of work?
• Are internal auditors able to present outsourcing recommendations in a way that managers understand to facilitate their implementation?
• Are internal auditors able to communicate outsourced IT audit findings in a way that is understood and taken seriously by the organization’s board of directors?

Among the risks identified by the IIA are an outsourcing strategy that is not aligned with corporate objectives, which can lead to an improperly set-up and managed contract.  Also, incorrect assumptions regarding the feasibility of outsourcing, such as payback periods, customer and supply chain impacts and cost savings, can result in inefficient and ineffective management of supplier issues and the inability to derive full benefits from the arrangements.

Other risks come into play when procurement policies are not met, proper service-level agreements are not implemented, operational HR and regulatory implications are not considered and contingency arrangements are not planned.  A lack of formal transition planning, failure to plan for retention of appropriate skills, and an ineffective escalation and resolution of operational IT issues can also present significant risks.

McCallum also notes that while management is typically responsible for compliance with Sarbanes-Oxley, many organizations tap those working in internal auditing to help fill this need when it comes to outsourcing oversight.  Most internal audit activities will also ensure that compliance is complete and accurate.

“It’s important, though, that the same individuals who are responsible for designing or consulting on internal controls over financial reporting are not those that are responsible for conducting the audit that assures whether those controls are effective.  When it comes to obtaining external assistance in this area, just like any other co-sourced function, internal auditing would review that relationship and the related issues to ensure risks are minimized,” he said.

Performance Oversight

When it comes to monitoring the actual performance of outsourced service providers, many agree that it is a two-way street.  Expectations should be clearly defined in service and service level agreements (SLAs), and the client and outsourced providers should share management responsibilities.

“It is important to have monitoring in place for outsourced services so that the client can have insight as to if their return-on-investment is being achieved by moving the service to an outsourced provider.  It is also equally important to have the right reporting and analytical processes in place to analyze if the outsourced provider is improving the businesses need of IT or impeding the business from increasing revenue and decreasing costs associated with IT,” said Jon Unger, president, SmallCart Systems LLC (www.smallcart.com), which specializes in helping businesses improve the productivity and cost efficiency of their IT infrastructure.

He notes that one of the primary challenges clients and vendors face is defining a service catalog that truly represents the client’s needs.  When services are defined in a silo or without the complete input of the business, it leads to prioritization problems and internal political issues.

Unger cites as an example of what can happen with proper oversight is not in place a situation that arose with a SmallCart client that worked with two managed services providers.  One was responsible for managing the database environment and the other was responsible for the application servers that ran a help desk software suites.  There were proper procedures in place to manage the transition of patches or projects into the production environment that was used by the help desk, but not for moving updates and patches from a development system to a test environment.  When the SmallCart team was ready to move its changes to the test environment, they discovered it did not match the development environment.

“Furthermore, dealing with two different managed services vendors meant that we had two different sets of service level agreements and time frames to establish modifications to the environment.  The resolution involved resynchronizing all of the environments while development and testing were placed on hold,” he said.  “Had the client originally set up a process and service level agreements that matched with both vendors, the problem and lost project time could have been avoided.”

Larry Hefling, senior vice president of operations for Sitel (www.sitel.com), a global outsourcing provider for customer care and back-office business processes, breaks oversight into two critical areas:  strategic governance and delivery performance management. 

On the strategic side, the Sitel team meets monthly and quarterly with the client management team to ensure strategic alignment, track progress and plan and resolve and critical issues that may arise.  On the delivery side, they hold weekly and monthly operational management reviews to track staff performance and customer satisfaction, as well as conduct transition and implementation reviews to track program performance and key performance indicator reviews of financials and SLA performance.

“Governance activities should occur at multiple levels and stages to reflect the varied points of interaction and interests between [provider] and client,” said Hefling.  “This approach allows for planned escalation and control points across all key areas of the contact center business and throughout the life cycle of the relationship in a dynamic and responsive way.”

Clear, Proactive Communication is Key

At the heart of effective governance of outsourcing relationships is clear and proactive communications between clients and providers.

“Effective governance is to a large extent defined by taking care of the basics – ensuring communication between the two parties.  The key is to implement and manage a process to ensure that communication takes place,” said Bob Mather, a senior consultant with Compass, a management consultant to Fortune 1000 organizations on business performance improvement and IT.

For example, it is important to mandate periodic meetings between the respective executive teams to review strategic goals.  Too often, deals are negotiated at the executive level and handed off to operational teams.

“Without the high-level oversight, the relationship devolves into micro-managing and nitpicking, losing sight of the larger goals,” he said, adding that is it also important to have a documented escalation process in place if either party doesn’t fulfill a commitment, which helps ensure that problems are resolved and do not recur. 

Mather also notes that, when managing business process sourcing, it is essential to apply competitive industry standards and best practices to optimize the operation.  For example, if a bank’s loan processing operation is outsourced, the vendor should be striving for world-class levels of performance in terms of cost efficiency, quality, etc.  The vendor should also be applying best practices to drive improvements.

Finally, while oversight is shared responsibility, it is important for the vendor to take the lead to ensure the client is receiving – and understanding – the information they need to fully evaluate how well the relationship is achieving expectations.  This includes meeting regularly with clients to review performance and to proactively identify any areas where the client is unhappy.

“A service provider who is committed to continually raising the level of their services will not shy away from these conversations, but seek them out to address issues while they remain small,” said Transformation Strategies’ Schafran.  “Another important element of reviewing performance with clients is admitting to mistakes and SLA violations.  The honest dialog of ‘we messed up, here is how, here is what we are doing/have done to make sure it does not happen again’ will build tremendous credibility, while trying to gloss over problems will quickly chip away at it.”
 

ALSO IN THIS MONTH'S ISSUE:

SEC:  First Phase of XBRL Filings to Launch in Second Quarter

Social Networking and Web 2.0 in the Workplace