SOURCING PRACTICES
Relates to the way in which the organization will obtain the IS functions required to support the business Delivery of IS functions can include: Insourcing, Outsourcing and Hybrid.
FACTORS TO CONSIDER Is this a core function of the organization? Does this function have specific knowledge, processes and staff that are critical to meeting its goals and objectives, and that cannot be replicated externally or in another location?
FACTORS TO CONSIDER Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk? Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions?
ROLE OF IS STEERING COMMITTEE Upon completion of the IS steering committee should review and approve the strategy. The following steps should be taken: Define the IS function to be outsourced Describe the service levels required and minimum metrics to be met Know the expected service provider knowledge, skills and quality desired Know the current in-house cost information to compare with third-party bids
OUTSOURCING PRACTICES
WHICH DO YOU CHOOSE? Enjoy a Successful Outsourcing Endeavour. OR Endure a Recurring Corporate Nightmares.
IT OUTSOURCING Definition of Outsourcing Reasons for Outsourcing Third Party Services Possible Advantages of Outsourcing Possible Disadvantages of Outsourcing Business Risks of Outsourcing Audit / Security Concerns of Outsourcing Strategies in Audit of Outsourcing
DEFINITION OF OUTSOURCING It is a contractual agreements under which an organization hands over control of part, or all, of the functions of the IS department to an external party. It also means an IS organization goes “outside” for the knowledge and experience required to do a specific job. (Vallabhaneni)
POINTS TO NOTE In an outsourcing relationship, the organization pays a fee and the contractor delivers a level of service that is defined in a contractually binding Service Level Agreement (SLA) The contractor provides the resources and expertise needed to perform the agreed service.
POINTS TO NOTE Specific objectives of outsourcing vary from organization to organization but the general objective is to achieve a lasting improvement in IS to take advantage of a vendor’s core competencies. As with the decision to downsize or right size, management must revisit the control framework when they outsource.
REASONS FOR OUTSOURCING A desire to focus on core activities Pressure on profit margins Increasing competition that demands cost savings Flexibility with respect to both organization and structure
THIRD PARTY SERVICES Providing all IT-related functions Providing connectivity of internal networks to the Internet Website hosting, development, maintenance, management, security and monitoring services Application hosting, development, maintenance and hosting (such as ERP and e-commerce systems) Call center services Data entry
THIRD PARTY SERVICES (contd) Design and development of new systems Maintenance of existing applications to free in-house staff to develop new applications Conversion of legacy applications to new platforms. e. t. c
POSSIBLE ADVANTAGES OF OUTSOURCING Commercial outsourcing companies can achieve economies of scale through the deployment of reusable component software. Outsourcing vendors are likely to be able to devote more time and focus more effectively and efficiently on a given project than in- house staff.
POSSIBLE ADVANTAGES OF OUTSOURCING (contd) Outsourcing vendors are likely to have more experience with a wide array of problems, issues and techniques than in-house staff. The act of developing specifications and contractual agreements using outsourcing services is likely to result in better specifications than if developed by in-house staff.
POSSIBLE ADVANTAGES OF OUTSOURCING (contd) As vendors are highly sensitive to time-consuming diversions and changes, feature creep is substantially less with outsourcing vendors.
POSSIBLE DISADVANTAGES OF OUTSOURCING Costs exceeding customer expectations Loss of internal IS experience Loss of control over IS Vendor failure Limited product access Difficulty in reversing or changing outsourced arrangements Deficient compliance with legal requirements
BUSINESS RISKS FROM OUTSOURCING Financial viability of the vendor Hidden costs Contract term not been met Lack of loyalty of contractor personnel toward the customer Disgruntled customers/employees as a result of the outsource arrangement Obsolescence of Vendor IT systems Service costs not been competitive over the period of the entire contract
BUSINESS RISKS FROM OUTSOURCING (contd) Failure of either company to receive the anticipated benefits of the outsourcing arrangement Damage to either, or both, company’s reputations due to project failures Lengthy, expensive litigation
WAYS OF MANAGING OUTSOURCING RISKS Establishing measurable, partnership-enacted shared goals and rewards Utilizing multiple suppliers or withholding a piece of business as an incentive. Developing contract performance metrics
WAYS OF MANAGING OUTSOURCING RISKS (contd) Performing period competitive reviews and benchmarking / bench- trending Implement short term contracts Addressing data ownership in the contract Requiring confidentiality agreements Requiring security-level measures and legal compliance.
WAYS OF MANAGING OUTSOURCING RISKS (contd) Incorporating service quality expectations, including usage of capability maturity models (CMMs) or ISO methodologies. Ensuring adequate contractual consideration of access control/security administration, whether vendor or owner- controlled.
WAYS OF MANAGING OUTSOURCING RISKS (contd) Ensuring violation reporting and follow-up are required by the contract, and any requirements for owner notification and cooperation with any investigations. Ensuring that change/version control and testing requirements are contractually required for the implementation and production phases Ensuring that the parties responsible and the requirements for network controls are adequately defined, and any necessary delineation of these responsibilities established.
WAYS OF MANAGING OUTSOURCING RISKS (contd) Stating specific, defined performance parameters that must be met, for example, minimum processing times for transactions or minimum hold times for contractors Incorporating capacity management criteria Providing contractual provisions for making changes to the contract. Providing a clearly defined dispute resolution process
WAYS OF MANAGING OUTSOURCING RISKS (contd) Ensuring that the contract indemnifies the company from damages caused by the organization responsible for the outsourced services Incorporating clear, unambiguous “right to audit” provisions, providing the right to audit vendor operations (e.g. access to records, right to make copies, access to personnel, provision of computerized files) as they relate to the contracted services.
WAYS OF MANAGING OUTSOURCING RISKS (contd) Ensuring the contract adequately addresses business continuity and disaster recovery provisions and appropriate testing. Requiring that the vendor comply with all relevant legal and regulatory requirements, including those enacted after contract initiation
WAYS OF MANAGING OUTSOURCING RISKS (contd) Establishing ownership of intellectual property developed by the vendor on behalf of the customer Establish clear warranty and maintenance periods Providing software escrow provisions
GLOBALIZATION PRACTICES AND STRATEGIES Globalization involves moving IS functions offsite or Offshore. The IS Auditor must ensure that the following risks and audit concerns are addressed: Legal, regulatory and tax issues, Continuity of operations, Personnel, Telecommunication issues and Cross-border and cross-cultural issues.
GOVERNANCE IN OUTSOURCING Organizations must recognize that while service delivery is transferred, accountability remains firmly with the management of the client organization The decision to outsource and subsequently successfully manage that relationship demands effective governance
Responsibilities of both parties: Ensuring contractual viability through continuous review, improvement and benefit gain to both parties Inclusion of an explicit governance schedule to the contract Management of the relationship to ensure that contractual obligations are met through SLAs and OLAs Identification and management of all stakeholders, their relationship and expectations GOVERNANCE IN OUTSOURCING (contd)
Establishment of clear roles and responsibilities for decision making, issue escalation, dispute management, demand management and service delivery Allocation of resources, expenditure and service consumption in response to prioritized needs Continuous evaluation of performance, cost, user satisfaction and effectiveness On-going communication across all stakeholders GOVERNANCE IN OUTSOURCING (contd)
CAPACITY AND GROWTH PLANNING This is essential because of the strategic importance of IT and the constant change in technology. In large organizations, some system programmers are designated capacity planners. They identify the most significant recurring peak processing period on a daily basis and the most significant workload and resources consumed. They also build historical information in estimating future workloads. Capacity and growth planning must be reflective of the long and short-range business plans and must be considered within the budgeting process.
USER SATISFACTION Users and IT should agree on a level of service (Internal SLA) Compliance with the service level agreement should be periodically audited.
INDUSTRY STANDARDS/BENCHMARKING It provides a means of determining the level of performance provided by similar IPF. These standards or bench-marking statistics can be obtained from vendor user groups, industry publications and professional associations.
THANK YOU