Outsourced service providers are getting more attention as a possible source of risk, according to the latest research from Financial Executives International.
Insight on Outsourced Service Providers, published by the Financial Executives Research Foundation, says companies are beefing up their scrutiny of outsourced service providers after implementing the 2013 COSO Internal Control -- Integrated Framework. The framework has “explicit content,” says FERF, in a dozen of the 17 critical principles of effective internal control that relate to the relationships companies form when they outsource any number of non-core business functions to third parties.
Companies are increasingly relying on outsourcing so they can improve efficiencies and focus more on their core businesses, says Ron Kral, managing partner at governance CPA firm Candela Solutions and a contributor to the report. But that means risks are harder to manage. In interviews with public companies, FERF reports, companies say they are doing more internet searches of their service providers, researching officers and directors, interviewing members of management, and reviewing their codes of conduct and policies to assess tone at the top, among other steps.
“Organizations need to look beyond a SOC report,” says Kral. SOC reports are audit reports prepared under professional standards and provided by service organizations to their clients to demonstrate that the service organization has submitted to an audit of internal controls. “Too many times we see companies request the SOC report from a service provider, put it on a shelf, and then give it to an auditor and they’re done. There are many more aspects and risks to consider.”
Beyond simply securing the report and presenting it to external auditors, companies are being asked what more they are doing to truly understand the risks that come with reliance on any given outsourced service provider, says Kral. They need to consider, for example, whether the service provider is ethical and competent, whether it has good monitoring and communications controls, and whether it is reporting control deficiencies to the user organization before they show up in a SOC report. “These are all expectations that user organizations need to become comfortable with, pre-engagement,” he says.
The FERF report indicates companies should take at least three “commonsense” steps beyond simply securing any SOC report. They should verify that the scope of the audit work at the service provider covers the services the company is receiving. They should verify that the firm signing the report is licensed and authorized to do the work under professional standards. And they should be aware of any noted deficiencies in the report, getting follow-up from management as necessary.