The Basics of Outsourcing
by Kurt Jensen
This is the first article in a new series on outsourcing. To begin, what
is outsourcing? Besides being an emotional and geopolitical headline,
outsourcing is a method of conducting business by contracting to have
something built, modified or essentially handled in any way by an outside
party. Further, outsourcing is the purchase of a set of contracted
expectations and performance levels accompanied by relinquishing
procedural control. In simple terms, outsourcing is paying someone else to
get a job done.
In this multi-part series we will focus on the various facets of
outsourcing Customer Service Operations (although content may be industry
neutral). Before we get too far down the road, however, let's all
acknowledge that the idea of outsourcing can be unnerving. From job
security to loss of control, the mere concept of outsourcing evokes
negative feelings. For the purpose of practicality, accepting outsourcing
as part of the business landscape will enable the positive benefits
associated with an open mind.
Specific reasons for outsourcing vary between industries. However, one
central theme remains constant: cost savings. Outsourcing provides a
powerful combination of scale, process leverage, capital conservation, and
Scale – Outsource firms often maintain operations in areas which
allow them to draw from a large pool of employable talent. This allows the
outsourcing firm to ramp according to client requirements. From a
different perspective, outsourcing helps clients avoid taking downsizing
action if volume decreases.
Process Leverage – By defining common tasks, outsourcing firms are
able to leverage repetitive processes through dedicated or shared
resources. These firms 'do it for a living' and understand the power of
breaking down otherwise complicated tasks into trainable and repeatable
Capital conservation – Shifting the burden of contact center
technologies, hardware and square footage costs to an experienced
outsourcer keeps those dollars in house. The constant grind of 'keeping up
to date' becomes their challenge…and your volume becomes their
leverage with technology suppliers!
Core competency focus – Aligning with an outsourcer versus handling
volume in-house can enhance the customer experience if Customer Service
Operations is not a core competency. Additionally, resources freed by the
outsourced relationship can be focused upon core competencies.
Considering the raw cost implications, outsourcing appears to be
compelling enough to at least explore as an alternative or enhancement to
many service operations. In the next issue we will explore the "Request
for Proposal" process (a next step in exploring outsourcing) and managing
the flood of information that an RFP can generate.
If you are thinking about outsourcing, we can help you manage the process
(while you focus on your business!) - feel free to
Introduction to Systems Auditing: SAS 70
by Amy Lozano
Let's face it. Most people cringe when they hear the word "audit." In the
past only staff members who worked directly with financial information had
to work with third-party auditors. Everyone else in the company would feel
sorry for these individuals while at the same time thinking, "I am glad
it's not me."
The business world has changed and now Finance is not the only department
that has to participate in audits. Given new regulatory requirements and
commonly accepted guidelines, almost every department has to roll up its
sleeves and work with third-party auditors. This change has occurred for
reasons I will not go into at this time, since most of you can take a good
guess. The word "Enron" should come to mind.
Any service provider, especially those supporting public companies, now
has to respond to business clients' questions regarding controls in place
to protect customer information throughout the service/product life cycle.
This new scenario has implications for a company's technology environment
and strategic plans.
An audit of the technology environment can generally be considered a
review of the processes and checks in place to ensure the integrity and
security of client companies' customer information. A shorthand term for
this kind of audit is a "systems audit."
Having to conduct audits means that a company has to budget for such
activity. Audits are often expensive endeavors. One important reason to
proactively conduct a widely accepted kind of audit is to avoid having
client companies conduct their own audits of your company. Multiple client
audits are expensive, stressful, and distracting. It is much easier and
less costly to be able to tell clients that you have conducted a standard
audit that should answer many of their questions and to show them the
If a service company chooses to conduct an internal audit, the challenge
then becomes deciding on which kind of audit. An employee investigating
the options will be overwhelmed by acronyms and differing audit
strategies. For this reason, the rest of this article will focus on one
form of audit, a "SAS 70" audit.
The SAS 70 audit was developed by the American Institute of Certified
Public Accounts (AICPA) in response to the fact that many companies use
service organizations (i.e., outsource) certain business functions that
have an impact on their financial statements. To borrow language from the
publication Service Organizations: Applying SAS No. 70, as Amended:
AICPA Audit Guide, "Because many of the service organizations'
functions affect a company's financial statement, auditors auditing the
company's financial statements may need information about those services,
the related service organization's controls, and their effects on the
company's financial statements."
In addition, the only third-party auditors that can assess SAS 70 controls
and "certify" a company's compliance are qualified CPA firms. Most
companies prefer to use well-known accounting firms that they already use
for financial audits. Therefore, a SAS 70 audit fits nicely with financial
audit processes that are already in place.
To cut down on the cost of an audit, many organizations first engage a
professional services firm to perform a pre-assessment validation against
the industry recommended controls to determine if the organization is
truly prepared for a third-party audit and to then work with the company
to address any gaps. This approach can significantly reduce the number of
billable hours clocked by accounting companies that are generally much
more expensive to engage than consulting organizations performing
In addition, a SAS 70 is perhaps the simplest of the systems audits than
can be performed because it is not based on external standards or
regulations. On the other hand, its simplicity can be very confusing
because it is not something you "pass." Almost any organization looking
for a way to explain the SAS 70 process quotes from the
SAS 70 website
Frequently Asked Questions (FAQ):
Is there a list of SAS 70 standards, control
objectives, or checklists?
Since service organizations are responsible for describing their controls
and defining their control objectives, there is no published list of SAS
70 standards. Generally, the control objectives are specific to the
service organization and their customers. However, there are some great
sources* of control objectives and other published standards that can be
used to prepare for a SAS 70 audit or another type of third party
*See Recommended Reading section for information about these sources.
Because a SAS 70 builds on an organization's existing controls, the effort
put into conducting a SAS 70 audit is also beneficial for the company in
general because it is motivation to address any existing internal control
issues and to document processes. This is a good thing to do whether an
audit is being conducted or not!
As with any company undertaking, the most important goal is to meet
clients' expectations regarding what type of audit(s) they expect their
service providers to conduct. SAS 70 is but one of many options.
Future articles will address the SAS 70 audit in more depth and provide a
comparison of the various audit options. For more information about
systems audits, or for help preparing for SAS 70 certification, feel free
to contact us.
Managing the Enterprise
+ Recommended Reading
+ Introduction to System Auditing:
If you have received this newsletter from a friend
and would like to subscribe:
here to subscribe
View previous newsletters
Managing the Enterprise Customer Relationship
Looking for the next article in this series? This series will resume next
issue with an article on the critical topic "it is not what you say but
how you say it." Stay tuned!
View previous articles in this series.
There are several references available to assist with understanding the
SAS 70 process presented in Amy Lozano's article:
Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide,
published by the AICPA, last updated April 2002. This is available for
purchase by AICPA members. There is very likely someone in your
organization who is a member.
The Information Systems Audit and Control Association (ISACA) publishes a
set of control objectives referred to as "CoBIT". Information on CoBIT and
how to purchase the latest editions is on the
ISACA website. ISACA
also publishes a great comparison of different standards and frameworks.
WebTrust Principles and Criteria and the
SysTrust Principles and Criteria (WebTrust and SysTrust are other
audit types) can be downloaded for free from the AICPA website. Each
principle has specific criteria elements and illustrative controls that
can serve as a baseline for your organization.
The IT Governance Institute has published a reference guide entitled
"IT Control Objectives for Sarbanes-Oxley". This powerful research
tool maps many of the CobIT control objectives to the widely recognized
COSO framework for internal control. The control objectives contained in
this document could be used as the basis or framework for a SAS 70 service
Infrastructure Library (ITIL) is an international standard for service
Auditing Information Systems, by Jack J. Champlain, is available for
purchase through Amazon.
About Customer Centricity, Inc.
We strengthen overall company performance through
better service delivery and management.
We boost efficiencies in front-line customer service and technical support
teams, order processing, fulfillment, field service, logistics and other
key operations functions.
In short, we align the resources of your organization to exceed your
customers' expectations in the most effective and efficient manner
See What Our Customers Say