The financial services market is highly regulated and backed by a sophisticated legal framework. This has led many financial-services companies to outsource certain functions. At the same time, organisations in other sectors are outsourcing a large amount of their finance and accounting work. The challenge is to ensure that greater outsourcing does not lead to a loss of control.
The outsourcing of financial business functions is an established trend. A recent survey1 by business-process firm WNS found that 93% of organisations surveyed - 126 large enterprises in Australia, South Africa, the United Kingdom and the United States - were outsourcing 25-50% of their finance and accounting activities.
Outsourcing need not be a business risk. Indeed, it has numerous efficiency benefits. In the WNS survey1, 62% of respondents said that they preferred finance and accounting co-sourcing, or hybrid shared services.
However, regardless of which financial functions are being outsourced – be they asset administration, IT or accounting - having a sound internal control environment for the company and the service organisation is key. This indicates to stakeholders and potential investors that you are operating with adequate safeguards and controls to protect their investment.
Internal controls over financial reporting should include controls over accepting clients; authorising and processing transactions; maintaining financial and other records; cash management and segregation of assets; monitoring compliance; reporting to clients; and information technology.
Assessing the adequacy of these controls is the crux of the matter in an environment where outsourcing is endemic. Hence the need for international standards.
One of the ways through which sound internal controls are demonstrated is through ISAE 3402 (International Standard on Assurance Engagements 3402) reports, and the US equivalent, SSAE 16 (Statement on Standards for Attestation Engagements) reports. These reports detail an organisation’s controls over financial reporting and the IT environment.
A service organisation’s report would detail the control environment, applicable controls, and control objectives. The external auditor would then also provide an opinion on the service organisation’s descriptions of the controls environment, applicable controls and control objectives.
There are two types of ISAE 3402 reports – Type 1 and Type 2. Type 1 reports provide reasonable assurance on the fairness and presentation of the organisation's description of controls at a specific point in time and highlight any gaps in the internal control environment.
The Type 2 report provides reasonable assurance on the fairness of the presentation of the description and on the suitability of the design and implementation and operating effectiveness of the controls during a specified period, to achieve the respective control objectives stated in the description.
An ISAE 3402 report has many benefits. It gives the client a detailed understanding of the service organisation’s controls and control environment. It also provides assurance to the client and external auditors about the effectiveness of the service organisation’s controls design, implementation and operation.
The ISAE 3402 report also provides the kind of assurance that encourages potential investors to invest in a company, given that its controls are regularly evaluated. It has further benefits too, including that it can identify opportunities for improvement in the control environment and give a service organisation a competitive advantage by demonstrating that it has effectively designed control objectives and control activities.
In this way, internal control framework standards provide assurance about the adequacy of an organisation’s internal controls from a financial perspective. This may in turn help give assurance to the organisation's customers and service users, in line with their own assurance needs – thus giving a measure of assurance around an entire supply chain.
Assurance is in many ways the glue that holds the outsourcing pyramid together. Where a complex network of skills and services is in play, it takes a respected, mutually agreed-upon standard to ensure that quality is consistent and universally applied.
Read more BDO Insights