Perfecting Service Management

Issue #44

Tuesday, May 11, 2004

The Basics of Outsourcing
by Kurt Jensen

This is the first article in a new series on outsourcing. To begin, what is outsourcing? Besides being an emotional and geopolitical headline, outsourcing is a method of conducting business by contracting to have something built, modified or essentially handled in any way by an outside party. Further, outsourcing is the purchase of a set of contracted expectations and performance levels accompanied by relinquishing procedural control. In simple terms, outsourcing is paying someone else to get a job done.

In this multi-part series we will focus on the various facets of outsourcing Customer Service Operations (although content may be industry neutral). Before we get too far down the road, however, let's all acknowledge that the idea of outsourcing can be unnerving. From job security to loss of control, the mere concept of outsourcing evokes negative feelings. For the purpose of practicality, accepting outsourcing as part of the business landscape will enable the positive benefits associated with an open mind.

Why Outsource?

Specific reasons for outsourcing vary between industries. However, one central theme remains constant: cost savings. Outsourcing provides a powerful combination of scale, process leverage, capital conservation, and core-competency focus.

Scale – Outsource firms often maintain operations in areas which allow them to draw from a large pool of employable talent. This allows the outsourcing firm to ramp according to client requirements. From a different perspective, outsourcing helps clients avoid taking downsizing action if volume decreases.

Process Leverage – By defining common tasks, outsourcing firms are able to leverage repetitive processes through dedicated or shared resources. These firms 'do it for a living' and understand the power of breaking down otherwise complicated tasks into trainable and repeatable processes.

Capital conservation – Shifting the burden of contact center technologies, hardware and square footage costs to an experienced outsourcer keeps those dollars in house. The constant grind of 'keeping up to date' becomes their challenge…and your volume becomes their leverage with technology suppliers!

Core competency focus – Aligning with an outsourcer versus handling volume in-house can enhance the customer experience if Customer Service Operations is not a core competency. Additionally, resources freed by the outsourced relationship can be focused upon core competencies.

Considering the raw cost implications, outsourcing appears to be compelling enough to at least explore as an alternative or enhancement to many service operations. In the next issue we will explore the "Request for Proposal" process (a next step in exploring outsourcing) and managing the flood of information that an RFP can generate.

If you are thinking about outsourcing, we can help you manage the process (while you focus on your business!) - feel free to contact us.

Introduction to Systems Auditing: SAS 70
by Amy Lozano

Let's face it. Most people cringe when they hear the word "audit." In the past only staff members who worked directly with financial information had to work with third-party auditors. Everyone else in the company would feel sorry for these individuals while at the same time thinking, "I am glad it's not me."

The business world has changed and now Finance is not the only department that has to participate in audits. Given new regulatory requirements and commonly accepted guidelines, almost every department has to roll up its sleeves and work with third-party auditors. This change has occurred for reasons I will not go into at this time, since most of you can take a good guess. The word "Enron" should come to mind.

Any service provider, especially those supporting public companies, now has to respond to business clients' questions regarding controls in place to protect customer information throughout the service/product life cycle. This new scenario has implications for a company's technology environment and strategic plans.

An audit of the technology environment can generally be considered a review of the processes and checks in place to ensure the integrity and security of client companies' customer information. A shorthand term for this kind of audit is a "systems audit."

Having to conduct audits means that a company has to budget for such activity. Audits are often expensive endeavors. One important reason to proactively conduct a widely accepted kind of audit is to avoid having client companies conduct their own audits of your company. Multiple client audits are expensive, stressful, and distracting. It is much easier and less costly to be able to tell clients that you have conducted a standard audit that should answer many of their questions and to show them the corresponding reports.

If a service company chooses to conduct an internal audit, the challenge then becomes deciding on which kind of audit. An employee investigating the options will be overwhelmed by acronyms and differing audit strategies. For this reason, the rest of this article will focus on one form of audit, a "SAS 70" audit.

The SAS 70 audit was developed by the American Institute of Certified Public Accountants (AICPA) in response to the fact that many companies use service organizations for (i.e., outsource) certain business functions that have an impact on their financial statements. To borrow language from the publication Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide, "Because many of the service organizations' functions affect a company's financial statement, auditors auditing the company's financial statements may need information about those services, the related service organization's controls, and their effects on the company's financial statements."

In addition, the only third-party auditors that can assess SAS 70 controls and "certify" a company's compliance are qualified CPA firms. Most companies prefer to use well-known accounting firms that they already use for financial audits. Therefore, a SAS 70 audit fits nicely with financial audit processes that are already in place.

To cut down on the cost of an audit, many organizations first engage a professional services firm to perform a pre-assessment validation against the industry-recommended controls to determine if the organization is truly prepared for a third-party audit and to then work with the company to address any gaps. This approach can significantly reduce the number of billable hours clocked by accounting firms, which are generally much more expensive to engage than consulting organizations performing readiness assessments.

In addition, a SAS 70 is perhaps the simplest of the systems audits that can be performed because it is not based on external standards or regulations. On the other hand, its simplicity can be very confusing because it is not something you "pass." Almost any organization looking for a way to explain the SAS 70 process quotes from the SAS 70 website Frequently Asked Questions (FAQ):

Is there a list of SAS 70 standards, control objectives, or checklists?
Since service organizations are responsible for describing their controls and defining their control objectives, there is no published list of SAS 70 standards. Generally, the control objectives are specific to the service organization and their customers. However, there are some great sources* of control objectives and other published standards that can be used to prepare for a SAS 70 audit or another type of third party assurance.

*See Recommended Reading section for information about these sources.

Because a SAS 70 builds on an organization's existing controls, the effort put into conducting a SAS 70 audit is also beneficial for the company in general because it is motivation to address any existing internal control issues and to document processes. This is a good thing to do whether an audit is being conducted or not!

As with any company undertaking, the most important goal is to meet clients' expectations regarding what type of audit(s) they expect their service providers to conduct. SAS 70 is but one of many options.

Future articles will address the SAS 70 audit in more depth and provide a comparison of the various audit options. For more information about systems audits, or for help preparing for SAS 70 certification, feel free to contact us.

Managing the Enterprise Customer Relationship
Looking for the next article in this series? This series will resume next issue with an article on the critical topic "it is not what you say but how you say it." Stay tuned!


Recommended Reading
There are several references available to assist with understanding the SAS 70 process presented in Amy Lozano's article:

Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide, published by the AICPA, last updated April 2002. This is available for purchase by AICPA members. There is very likely someone in your organization who is a member.

The Information Systems Audit and Control Association (ISACA) publishes a set of control objectives referred to as "COBIT". Information on COBIT and how to purchase the latest editions is on the ISACA website. ISACA also publishes a great comparison of different standards and frameworks.

The WebTrust Principles and Criteria and the SysTrust Principles and Criteria (WebTrust and SysTrust are other audit types) can be downloaded for free from the AICPA website. Each principle has specific criteria elements and illustrative controls that can serve as a baseline for your organization.

The IT Governance Institute has published a reference guide entitled "IT Control Objectives for Sarbanes-Oxley". This powerful research tool maps many of the COBIT control objectives to the widely recognized COSO framework for internal control. The control objectives contained in this document could be used as the basis or framework for a SAS 70 service auditor's examination.

The IT Infrastructure Library (ITIL) is an international standard for service management.

The book, Auditing Information Systems, by Jack J. Champlain, is available for purchase through Amazon.


About Customer Centricity, Inc.
We strengthen overall company performance through better service delivery and management.

We boost efficiencies in front-line customer service and technical support teams, order processing, fulfillment, field service, logistics and other key operations functions.

In short, we align the resources of your organization to exceed your customers' expectations in the most effective and efficient manner possible.

© Copyright 2004 Customer Centricity, Inc. All Rights Reserved

5 Old Coach Road Hudson, NH 03051 (603) 491-7948