Advise businesses on external IT resources: help clients and employers find the best IT vendors - when needed.

Companies can't compete effectively if their information technology (IT) systems don't have the power or flexibility to perform essential business functions. But many organizations find it difficult to set up or maintain the IT resources necessary to do these jobs in-house. This article will show CPAs how to help their clients or employers find the most effective and economical way to obtain the network administration, computerized billing, payroll, customer service, human resources or other electronic logistical services they need to support mission-critical business processes. (For brevity's sake, the article will use the term client in contexts applicable to both clients and employers.)

The first and most important decision a company must make is whether to outsource one or more of its technology-dependent functions. To help make that decision, the CPA should become familiar with the most common reasons companies consider farming out IT functions (see "Deciding Whether to Seek Outside IT Help," page 56). If a client chooses to outsource, the CPA can help evaluate vendors, work with legal counsel to document service terms in a clear and accurate contract and provide tools for measuring vendor performance once a written agreement takes effect.
If going outside for IT help doesn't appear to make economic or business sense for the company, the CPA instead can provide a reasoned analysis showing the advantages of improving in-house systems.

IMPORTANT BECOMES URGENT
Many factors influence companies to outsource IT, but few are as pressing as the financial reporting requirements of the Sarbanes-Oxley Act of 2002. Compliance with these provisions requires computing resources that a growing number of company executives feel are best obtained from vendors with superior systems and skilled personnel.

Some managers worry that the risks of outsourcing IT functions may be too high--approaching financial and organizational catastrophe. It's not uncommon, for example, for organizations to incur fees higher than originally estimated or for vendors suddenly to be unable to deliver services for protracted periods, putting their client companies at great competitive disadvantage. According to Yigal Rechtman, CPA/CITP, partner at Person & Co. LLP, a five-person New York City firm, "Many vendors focus on the IT functions they can provide and ignore others that are equally important to their customers. That's why it's important for clients to have business continuation strategies that reduce their exposure to the risk of vendor service delivery problems."

The following shows how a CPA who understands both business and technology risks can lead a client through each aspect of the outsourcing decision process.

IS IT NECESSARY?
When internal systems fail to perform as required, company management may consider outsourcing a way to acquire what seems unobtainable in house. For example, a manufacturer that needs its local area network to be nearly always available instead may have to contend with recurrent periods of downtime that confound the help desk, interrupt customer transactions and decrease revenue. In such cases a skilled CPA can use cost-benefit analysis to help management decide whether and how the organization can solve its IT problems by making internal improvements such as buying new equipment, hiring more staff and paying for systems training.

If the cost of rehabilitating in-house systems appears to be prohibitive, the CPA can assist the organization in issuing a request for proposal (RFP) to provide the required IT support and evaluate vendors' responses to it. The Financial Services
Roundtable, a banking industry trade group, provides a helpful guide to RFP preparation in its BITS Framework for managing IT-service-provider technology risk (see "Other Resources," page 62). The CPA can use the RFP to help his or her client better communicate its service expectations and needs to vendors. He or she then can help the client evaluate whether a vendor's proposal responds effectively to the various aspects of the RFP. CPAs can raise awareness of, for example, needs not sufficiently addressed by the vendor's proposal.

EVALUATE THE OFFERING
Many managers do not fully understand the technology services they're considering outsourcing. They also may have difficulty effectively reviewing proposals from competing vendors and evaluating their service contracts. The client's attorney, too, may not be aware of certain risks peculiar to outsourcing agreements; but the CPA, whose professional strength includes quantitative analysis, could alert the client to any unacceptable aspects of the vendor's proposal. For example, a promised service level may be less than the description implies: If a vendor's proposal guarantees the client access to its system at least 99% of the time, this means the vendor would be in compliance with the contract even if its system was unavailable for nearly a half hour during each 40-hour workweek.

"Another opportunity for the CPA," says Maria Michaelson, CPA and senior vice-president and auditor at Suffolk County, "is to maximize the client's knowledge of the technology function being outsourced. This will enable it to manage the vendor relationship effectively and maintain customer service at levels that distinguish the organization from its competitors."

CPAs also can help a client evaluate whether the vendor's performance satisfies expectations. Unless there is a financial incentive to do otherwise, IT vendors generally meet but do not exceed performance goals specified in the service contract, often referred to as a service level agreement. For example, a client may contract for hardware replacement within a 24-hour period without specifying the quality of the components.

Mark Fajfar, special counsel at Fried, Frank, Harris, Shriver & Jacobson LLP, a law firm that advises on outsourcing matters, says attorneys and CPAs can work closely together to determine whether
* Systems and procedures specified in the contract are robust enough to meet the company's needs.
* The client has a pertinent, relevant and concise description of the functions being outsourced.
* The cost of risks that are inherent in the contract--such as limitations of the vendor's liability--are clear to the client, which thus can make more informed decisions during contract negotiations.
* Based on their dialogue with the client, it is fully aware of the risk of fraud and other improprieties.

The CPA can help the client identify cost-effective service levels and, working with legal counsel, can help ensure relevant descriptions of such levels are specified in a contract that protects the client's interests.
Although they can't render legal advice, CPAs can use questionnaires, checklists and other traditional audit tools to ensure the client and its attorney adequately consider all significant contract issues. Examples include
* Right-to-audit clauses that enable the client to examine aspects of the vendor's operations, such as the nature and method of delivering services and the computation and submission of bills.
* Prohibiting the unreasonable use of clauses that automatically renew the contract if no action is taken by the client to end it.

HELP CLIENTS MANAGE IT VENDOR RISKS
The client's ability to do business may rely heavily on a vendor's capacity to deliver contracted services. CPAs can help clients identify risks not previously considered during contract negotiations. Some of the more valuable ways they can do this include
* Examining independent-auditor-prepared assessments and reviewing reports such as those prepared by CPAs in a SysTrust or WebTrust engagement or those performed in accordance with SAS no. 70, Service Organizations, as amended. The CPA should focus not only on the controls included in the report but also on relevant controls or risks not addressed. The CPA can use the AICPA and Canadian Institute of Chartered Accountants trust services principles and criteria as a checklist of issues that should be addressed.
Missing controls should be discussed with the vendor and an assessment of the impact of the relationship determined. Additional information about assurance services is available at the AICPA Web page (www.aicpa.org/assurance/trust services/index.asp), which describes such services for any defined electronic system or for electronic commerce and discusses related online privacy, security, confidentiality, availability and processing integrity issues.
* Evaluating a vendor's financial stability. The CPA can help the client analyze the vendor's financial statements to determine whether it has the financial resources and strength to deliver on the contract terms. The CPA can make sense of footnote disclosures and information contained in public filings--such as a Form 10K disclosure of pending litigation or evidence that the contracted services constitute only a very small share of the vendor's business--that can compromise the vendor's ability to deliver contracted services.
* Assessing whether a vendor's products and services will facilitate compliance with legal and other regulatory requirements.
Although certain industries are subject to numerous regulations, not all vendors will be able to comply with, for example, the security and privacy regulations currently mandated in the banking and health care industries.
* Identifying additional risks related to the vendor's subcontracting activities. CPAs can help clients identify vendors' reliance on third parties--especially foreign organizations--to process critical or confidential data that, if mishandled, could significantly increase business risk for the client.

CPAs are particularly suited to helping clients manage the risk of IT outsourcing. Bruce Sussman, CPA, general auditor at NYCE Corp., an electronic-payment-services company serving banking and other industries, says: "Increased reliance on outside technology providers is a business reality. CPAs are uniquely qualified to help their clients with related due diligence and monitoring outsourced services. The CPA can leverage experience in auditing vendor-related activities such as performance management, accounts payable and service quality control to help develop and implement IT outsourcer risk-management strategies."

Terry Treadwell, CPA, director of market strategies for credit-union-technology services provider Summit Information Systems, a division of Fiserv Inc. of Brookfield, Wisconsin, has had experience as a consultant and now as a vendor. "To protect customers' privacy, company executives must ensure their vendor has a detailed information security plan," she says. "This is clearly an area where executives should not simply accept the assurances of technical staff or vendors unless they're satisfied that processes are clearly laid out, documented and aligned with industry standards." To obtain that assurance, Treadwell says CPAs should educate the client on appropriate security practices. For added security, in addition to reviewing the vendor's WebTrust, SysTrust or SAS no. 70 report, Treadwell recommends that, on the client's behalf, the CPA conduct a security audit of the prospective vendor. (If the contract provides for such an audit, only the client would get the report; the vendor would not.) Information on the specific additional skills a CPA/CITP could apply to such an audit is available at the CITP Web site, www.aicpa.org/infotech/homepage.htm.

CONTINUOUSLY MONITOR VENDOR PERFORMANCE
Even with the best-laid plans, it's still necessary to oversee the vendor's work after the contract has been signed. CPAs can help clients establish a vendor performance-monitoring program, or they can perform periodic vendor compliance reviews on the client's behalf. CPAs in industry frequently perform such reviews for their companies.
For example, says Maria Michaelson, "internal audit departments can provide significant value to their organizations by using audit skills gained in due diligence exercises, business negotiations and fraud investigations, as well as general knowledge of industry best practices. The CPA's ability to perform a quick review can be an invaluable asset."

Critical issues such programs should address include
* Using a contract abstract (typically a document developed by the client's attorney that summarizes key contract provisions and responsibilities in laymen's terms) to develop audit programs or project checklists that can be used to verify compliance. The CPA can train the client's staff in using such tools or execute the program on behalf of the client.
* Reviewing reports produced by the vendor to demonstrate achievement of service-level-agreement objectives. The CPA can help determine the reasonableness and accuracy of information provided as well as recommend changes to the agreement as business events dictate.
* Analyzing invoices to ensure they reflect contract terms. The client should approve all unanticipated charges, including cost overruns, in advance of a vendor's incurring these costs.
* Ensuring the vendor includes unique client requirements as part of its overall information and security and business-continuity plans. For example, when the vendor tests its ability to provide ongoing support to its clients, it should confirm that capability for each service specified in the client's contract.

The CPA should help the client determine whether routine functions such as basic programming should be specified in the contract and subsequently monitored. According to Bruce Nearon, CPA, director of IT security audit at J.H.
Cohn LLP: "Contracts often do not require vendors' programmers to document their software code in accordance with minimum programming standards. Consequently, there often is no documentation of custom applications, which puts the client at risk if it terminates the vendor relationship. In the worst case, the undocumented programs may be supportable only by the vendor's programmer."

THE POINT OF IT ALL
Because there's no sign the IT services companies need will become any easier to choose, implement or manage, a wide span of professional opportunities beckons to knowledgeable CPAs. Practitioners interested in entering or expanding their involvement in this field should stay attuned not only to the latest technological developments but also to one of the primary reasons they're in practice--to help clients meet their evolving business needs.

Deciding Whether to Seek Outside IT Help
It isn't easy for a company's managers to determine whether to provide technology services internally or have a vendor supply them. The following are important considerations CPAs should discuss with clients when addressing this issue:
* The strength of the company's technical staff and managers.
* The need/cost for a large IT staff to support multiple technology platforms.
* The fact that companies often see technology as a cost center rather than as a potential competitive advantage.
* Management's dissatisfaction with internal IT services.
* Internal politics' interference with IT's role in achieving business objectives.
* Deficient customer service systems and support.
* Constant changes in technology.
* The countering of viruses and other threats to company systems.
* Company preference for just-in-time IT staffing.

EXECUTIVE SUMMARY
* CLIENTS WHO ARE DISSATISFIED with their internal IT functions do not always understand the remedial options available to them. So CPAs can provide a reasoned analysis to help them decide between internal system improvements and getting help from an outside source.
* A COMPANY MAY CONSIDER OUTSOURCING its IT functions simply because it doesn't know how to address problems with its own systems. The CPA can work with management to see that outsourcing lowers costs, increases control and improves performance.
* TO ASCERTAIN WHETHER A COMPANY REALLY NEEDS to outsource its IT functions, the CPA should identify any internal systems deficiencies and determine what management is willing to do and spend to resolve them--internally or by outsourcing.
* THE CPA CAN HELP THE CLIENT develop a request for proposal that details the services needed and also can assist in evaluating whether vendor proposals satisfy the client's business and technology needs cost effectively.
* CPAs MUST TAKE CARE not to inadvertently practice law by evaluating vendor contracts for their clients. Instead they can pool their business and technology skills with an attorney's legal skills to ensure the contract enables the client to effectively manage the risk of the vendor relationship.

JOEL LANZ, CPA/CITP, is founder and principal of a technology assurance and advisory practice and is the vice-chairman of the New York State Society of CPAs' technology assurance committee. He also is an adjunct professor at the School of Professional Accountancy at the C.W. Post campus of Long Island University. His e-mail address is jlanz@joellanzcpa.com. ROBERT TIE is a senior editor on the JofA. Mr. Tie is an employee of the AICPA and his views, as expressed in the article, do not necessarily reflect the views of the Institute.
Official positions are determined through certain specific committee procedures, due process and deliberation.

PRACTICAL TIPS TO REMEMBER
* CPAs should carefully explore their clients' or employers' views of how IT can address their corporate needs. By doing so they can ensure managers understand whether and how changing hardware or software or adding IT staff could resolve systems problems and help achieve business goals.
* If the CPA and the client or employer conclude that new or additional IT resources would resolve processing deficiencies or help attain corporate objectives, they can compare the cost and benefits of augmenting the organization's technological resources to those of outsourcing certain IT functions.
* In cases where the cost or difficulty of improving in-house systems is prohibitive, the CPA can help the company prepare and distribute to vendors a request for proposal (RFP) that clearly identifies the required IT support and specifies the time frames and other conditions under which they are required.
* When outsourcing vendors respond, the CPA should guide the organization in evaluating the offerings to determine how well they meet the RFP requirements in terms of scope, quality and timeliness. At the same time, the client's lawyer should evaluate the extent to which the provisions in each vendor's service contract protect the client's interests.
* Once a vendor is selected, the CPA should help the entity monitor its performance on an ongoing basis to ensure services are reliably delivered at appropriate levels.
AICPA RESOURCES
Credential
Certified Information Technology Professional (CITP) designation, www.aicpa.org/infotech/homepage.htm.
Conference
Controllers Workshop
July 22-23, 2004
Caesar's Palace, Las Vegas
CPE
CPE Direct: "Legal and Ethical Considerations Regarding Outsourcing," JofA, Mar.04, page 31, and www.aicpa.org/pubs/jofa/mar2004/miller.htm.
Publications
* AICPA Audit Guide, Service Organizations: Applying SAS No. 70, as Amended (# 012772JA).
* Business Process Outsourcing: Process, Strategies, and Contracts, John Wiley
* "The Pros and Cons of IT Outsourcing," JofA, Jun.98, page 26, and www.aicpa.org/pubs/jofa/jun98/antonuci.htm.
* Suitable Trust Services Criteria and Illustrations, AICPA/CICA, 2003, www.cpawebtrust.org/download/final-Trust-Services.pdf.

For more information about any of these resources, to place an order or to register, go to www.cpa2biz.com or call the Institute at 888-777-7077.

Other Resources
* Leading Commercial Practices for Outsourcing of Services, GAO, www.gao.gov/cgi-bin/getrpt?GAO-02-214, 2001.
* Information Technology Outsourcing, Canadian Institute of Chartered Accountants, www.cica.ca/multimedia/download_library/research_guidance/it_advisory_committee/English/eit outsourcing0204.pdf, 2003.
* BITS Framework for Managing Technology Risk for Information Technology (IT) Service Provider Relationships (version II), www.bitsinfo.org/bits2003framework.pdf, 2003.
* Special Publication 800-35, Guide to Information Technology Security Services: Recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf, 2003.
* Outsourced Managed Security Services, Carnegie Mellon Software Engineering Institute, www.cert.org/security-improvement/modules/omss, 2003.

Tasks Banks Love to Delegate

Provided externally               Percentage of banks
Transaction processing            25%
Account statement issuance        21
PC support                        20
Computer network management       15
Telecommunications management     13

Source: The Cornerstone Report: Benchmarks and Best Practices for Mid-Size Banks, Cornerstone Advisors, www.crnrstone.com