Category: Assurance

Outsourcing trends


Organisations are continually seeking ways to leverage competitive advantage to expand markets and increase profits. Increasingly, they are outsourcing non-core activities. Nevertheless, management remains ultimately responsible for risk management and implementing an effective control framework. This has led to a greater demand for assurance standards such as ISAE 3402 or ISAE 3000 for activities performed by third parties.

History

For much of the 20th century, the most popular business model was the large integrated company that managed and controlled its assets directly, focusing on diversification to broaden its business base and benefit from economies of scale. Many large companies developed a new strategy to concentrate on their core activities, enhancing flexibility and creativity. This required identifying critical processes and deciding which processes could be outsourced.

Outsourcing

Due to globalisation, increased competition, and cost pressures, organisations are outsourcing more essential business functions to service providers. Outsourcing core processes has a direct impact on a company’s financial statements and key business processes. It is no longer limited to routine back-office tasks. How can organisations gain confidence in outsourced business processes? How can they ensure control and assurance over these outsourced processes?

The increase in outsourcing, especially of crucial business information, also brings heightened risks and security concerns. Organisations may face operational, financial, or even reputational damage due to security shortcomings of external service providers. An independent review of critical outsourced business processes or IT systems helps organisations identify and manage these risks and regain assurance over outsourced processes.

The most common reasons for outsourcing are:

  • Control and reduce operating costs
  • Improve focus on core business processes
  • Access world-class capabilities
  • Free up internal resources for other purposes
  • Increase efficiency in specific functions
  • Insufficient internal resources
  • Share risk with other organisations

The current phase in the evolution of outsourcing involves strategic partnerships. Until recently, it was taken for granted that organisations could not outsource core competencies. This has changed, and ISAE 3402/SOC1 or ISAE 3000/SOC2 reports have become commonplace.

TelecityGroup Netherlands realises ISAE 3402 certification


Amsterdam, 19 May 2015 – All TelecityGroup locations in Amsterdam have been certified according to the international outsourcing standard ISAE 3402. With this certification, TelecityGroup Netherlands demonstrates that its data centres meet internationally accepted quality and security standards. For customers, this certification provides proof that their outsourced processes are effectively controlled within the data centre.

Secure Data Centres

The certification indicates that the processes in TelecityGroup’s data centres comply with the security requirements of the internationally recognised ISAE 3402 (International Standard for Assurance Engagements). TelecityGroup customers who have placed their IT equipment in one or more data centres in Amsterdam can use the ISAE 3402 report to demonstrate that security processes within the data centre are in order. “Many companies using our data centre services want transparency on how we, as a service organisation, ensure the quality and security of our data centres,” says Alexandra Schless, Vice President Western Europe & Managing Director at TelecityGroup Netherlands.

Different Types

Securance has implemented ISAE at TelecityGroup. In the certification process, the auditors distinguish between Type I and Type II. In a Type I ISAE 3402 report, they assess the control organisation at a specific point in time. During the audit, Securance evaluates the design and existence of control measures. In a Type II audit, they also assess the operating effectiveness of these measures. Schless: “We are working to ensure that our control organisation also operates according to the ISAE 3402 standard and expect to have the Type II report completed later this year. This will provide our customers worldwide with a clear and definitive guarantee.”

Telecity is pleased with this certification: it shows both Dutch and international organisations that we have correctly set up all processes regarding security.

  • Alexandra Schless | Vice President Western Europe

About Telecity Group

TelecityGroup is a leading provider of premium carrier-neutral data centres with locations across Europe. TelecityGroup’s data centres offer high connectivity and secure environments for IT and telecom equipment, which are the driving force behind the digital economy. In these data centres, the networks that make up the internet converge, and data-intensive online applications, content, and information are securely hosted. TelecityGroup is listed on the London Stock Exchange (LSE: TSY).

Agency Theory in Outsourcing


Economies of Scale

Since the Industrial Revolution, organizations have been questioning how to leverage their competitive advantage to expand their market share and profitability. The dominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, companies broadened their bases to benefit from economies of scale.

The large integrated organization diversified its product range, and expansions required more management layers. Technological developments, such as the internet, forced organizations in the 1980s and 1990s to compete more globally. They were handicapped by a lack of flexibility due to bloated management structures. To increase agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-Agent Problem

The focus on core processes sparked a discussion about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialised agencies or providers. Consequently, the principal-agent problem evolved between the user organization and the service organization, and the principal-agent theory and related information asymmetry gained importance in line with the growth of outsourcing.

Information Asymmetry

The most common agency relationship in the financial domain occurs between investors (or shareholders) and the management of a company. The principal may be unaware of the agent’s activities or may be prevented by the agent from obtaining information. The result is information asymmetry between the principal and the agent. For example, management might want to invest in emerging economies, while the principal’s risk tolerance does not favour such investments. This management strategy might sacrifice short-term profitability and increase company risks, potentially leading to higher future revenues. Investors desiring high current capital income with low risks might not be aware of these management plans. If the consequence of this strategy is certain losses, management may be inclined not to disclose this information to shareholders. The development of the accounting profession was a crucial step in mitigating the agency problem globally. In 1992, the SAS 70 standard became relevant for outsourcing assurance; it was later replaced by the ISAE 3402 standard in 2011. Outsourcing assurance reduced information asymmetry and improved trust between the user organization (the organization that outsources) and the service organization (the organization that provides services to user organizations).

Agency Theory in Outsourcing

In general terms, agency theory concerns all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Since contracts and decisions with third parties are made by the agent, affecting the principal, agency problems can arise.

In the situation where activities are outsourced by a user organization to a service organization, agency theory is relevant to all described aspects: information asymmetry, risk tolerance, and engaged resources. For instance, a financial institution outsources IT services to a managed services provider. The managed service provider may not be aware of the institution’s risk tolerance and might decide that a weekly backup is acceptable or that data storage outside the EU is permissible. The service provider might not inform the organization about certain server failures if the network issue is not identified by the financial institution. The service organization might also be inclined to minimise the resources performing activities while attempting to maximise received fees. A service organization may also have a different tolerance towards fraud or may commit fraud itself. In the pension sector, asset managers might profit from front-running pension fund transactions. This results in the principal-agent problem described above.

Front running, also known as tailgating, is the prohibited practice of entering into a trade to capitalize on advance, nonpublic knowledge of a large pending transaction that will influence the price of the underlying security.

Securance advises TelecityGroup


TelecityGroup is Europe’s leading carrier-neutral data centre provider. TelecityGroup’s data centres offer high connectivity and secure environments for IT and telecom equipment, which are the driving force behind the digital economy. Telecity has data centre clusters in 12 major European cities. In Telecity’s data centres, the networks that make up the Internet converge, and bandwidth-intensive applications, content, and information are securely hosted. Telecity’s newest 9 MW data centre, AMS 5, located in Amsterdam South-East, provides not only robust power supply, efficient cooling, and extensive security but also unparalleled connectivity. Besides connectivity, security and control are crucial for data centres. There are several standards for this, with ISAE 3402 being one of the most important.

ISAE 3402 and Data Centres

As of December 2014, the COSO framework has been replaced by COSO 2013. De Nederlandsche Bank has mandated COBIT 4.1 and its maturity model in the information security assessment framework. Due to these developments, multinationals are increasingly demanding ISAE 3402 reports from hosting providers, in addition to SaaS providers. This trend is supported by the increase in the number of registered data centres in the ISAE 3402 register from 3 to 10 within one year. Securance will support and advise Telecity in the implementation of ISAE 3402.

Telecity and Securance

Emile ten Hoor is delighted that Securance has been selected as the assurance and security advisor for the Telecity Group. Within our current portfolio of asset managers, SaaS, and hosting providers, the Telecity Group is a welcome addition. We are highly motivated and enthusiastic to support Telecity in this process. We support every step towards professionalization and strive for better security and control in the ICT sector.