New standards for service organisation controls reporting allow companies to manage outsourcing risks confidently.
While many economies are on the road to recovery from the global financial crisis, companies continue to face challenges in today's volatile operating environment. In such uncertain times, companies are identifying strategies and opportunities to grow their business and distinguish themselves from the competition. Yet, these expansionary efforts are sometimes undermined by the immense pressure to demonstrate profitability through cost reduction.
To rein in cost, some companies look to outsourcing non-core operations to service organisations so that they can focus their energy on core activities that provide the most business value. Cloud services are one of the latest incarnations of IT outsourcing that is gaining prevalence among companies.
Cloud services provided by third-party service providers cover infrastructure (e.g., data processing and storage), development platforms (e.g., open source, service-oriented architecture) and software (e.g., enterprise applications, office productivity, Web-based e-mail). Cloud services are attractive for a variety of reasons. In addition to minimal upfront costs, they offer shorter contract durations, on-demand scaling of resources, and a way to deliver leading IT services that would otherwise have cost more if done internally.
Over the years, cloud awareness has gained momentum, with more companies building their own private clouds and public cloud offerings maturing as more established vendors enter the market. However, it remains arguable whether cloud sourcing has truly taken off. Companies remain concerned over accountability issues. While they outsource operational responsibilities and may not have direct control over all aspects of the outsourced processes, they remain fully accountable to stakeholders such as customers, shareholders and regulators. This puts them in a "catch-22" situation.
Managing Outsourcing Risks
One way to mitigate this is for companies to include a "right to audit" clause in the outsourcing contract with the service organisation. Unfortunately, this is not a perfect solution. Service organisations achieve economies of scale and keep costs low by having multiple customers. If all their customers were to exercise the "right to audit", this could lead to operational disruptions, inefficiencies and increased costs that would likely be passed back to the customer.
A better solution is the use of service organisation control reports. Hence, in 1993, the American Institute of Certified Public Accountants (AICPA) introduced Statement of Auditing Standards No. 70 (SAS 70). SAS 70 reports provide customers of service organisations with independent assurance over the processes and controls that are managed by the service organisations. These reports are meant to be shared only with the service organisation's customers and their auditors, and allow customers to evaluate the effectiveness of the controls over their outsourced functions and the impact on their financial reporting.