Category: Assurance

Outsourcing Excellence™



When improving processes in an organization, the Theory of Constraints (TOC) emphasizes the importance of including the supply chain and market engagement in the analysis. Operational Excellence is achieved by eliminating constraints throughout the entire process, from procurement to production (operations) to sales. This seems simple, but according to Goldratt (the creator of TOC), “The more complex a system is, the more profound its inherent simplicity.” The execution is complex, not the solution. The same applies to outsourcing; the process is straightforward, but adapting it to a user organization’s processes is complex. Outsourcing is essentially always based on comparative advantages.

Comparative Advantages – Ricardo

One of my mentors said, “Processes that others can do better or cheaper than you should be outsourced.” Why? Because it gives you more time and space to focus on what you are truly good at. This is essentially the theory of David Ricardo on comparative cost differences, or rather comparative advantages. More processes are being outsourced; accounting software is more often offered as a SaaS solution than as a software package.

More Outsourcing

Outsourcing also happens unnoticed; LinkedIn replaces networking events, Evernote replaces the traditional notebook. We are increasingly dependent on these outsourced activities. This also means that assurance about this outsourcing becomes more important, and standards like ISAE 3402 or ISO 27001 exist for this reason. Outsourcing only works if it is optimally organized: better or cheaper. Additionally, alignment with the processes of the user organization is crucial.

Example

On island A, sheep are kept, and on island B, grain is grown. Trade between A and B will result in a higher level of prosperity for both islands than if both islands kept sheep and grew grain.

Relationship with ISAE 3402

An ISAE 3402 certification or implementation project is an opportunity to optimize outsourcing, remove constraints, and view outsourcing within the total business process, from procurement to production to sales. Outsourcing Excellence is derived from Operational Excellence, based on LEAN and TOC. In the change process, three questions are important:

  1. What needs to change?
  2. What should it change to?
  3. How can the change be achieved?

Optimization Process

The optimization process can be broadly divided into the following phases:

  1. Identify and analyze the bottleneck that is the main limiting factor for achieving goals (cf. strategic objectives COSO ERM).
  2. Exploit the bottleneck and align all business processes (including the processes at the user organization; user control considerations) to fully exploit the bottleneck.
  3. Increase the capacity of the bottleneck to enhance throughput. Once the bottleneck is resolved, start again at point

Example

An IT service provider (application management and hosting) struggles with structuring internal processes and maintaining security guidelines, and spends a lot of time on unnecessary incidents. By analyzing these processes, structuring them, and leveraging the natural discipline that arises from monitoring and audit procedures, the organization achieves significant internal improvements. Through ISAE 3402 certification, the organization qualifies for various tender processes, winning two important ones. Due to ISAE 3402, the organization gains new customers and, through process improvements, can deliver 100% service to these important new clients.

Key Points

It is important to realize that:

  • Outsourcing is part of processes that occur at the outsourcing party; process improvements can only occur if constraints are analyzed within this context.
  • Bottlenecks can only be resolved if all processes, including those at the user organization, are adjusted accordingly. It is important to document this in SLAs or user control considerations.
  • ISAE 3402 is an effective tool for reviewing processes, improving discipline, and genuinely enhancing processes: outsourcing excellence.

What next?

At SASconsult, we have developed various tools to ensure organizations not only align their processes with the ISAE 3402 standard but also improve internal processes. This approach serves dual purposes: ISAE 3402 provides more market opportunities (more customers), and these customers receive a better product or service through simultaneous process improvements at the service organization.

Five reasons to implement ISAE 3402

ISAE 3402 is the standard for outsourcing processes and security. It is increasingly required across various industries and by government entities for participation in tenders.

1. Your Clients Expect an ISAE 3402 Report.

Your clients expect you to have robust procedures in place for IT, data security, and transaction processing, and to provide assurance regarding these processes. An ISAE 3402 report includes the outsourced processes, internal controls, and all the security measures you have implemented. Especially after the economic crisis, your clients expect you to comply with mandatory standards and to be transparent about how you have organised your internal controls. Your internal controls are so well established that you have had them assessed by an external professional party.

2. Convert Prospects into New Clients.

Many organisations require ISAE 3402 certification to procure your services or products. Any organisation subject to statutory audit obligations must include all its processes within the scope of this audit, including outsourced processes. An ISAE 3402 report is the tool you can use as a service organisation (the outsourced party) to demonstrate controlled processes. This means that all publicly listed companies, financial institutions, and even medium-sized legal entities outsourcing processes will (soon) require ISAE 3402 reports from their suppliers. Government demand (including municipalities) has also been increasing significantly recently.

3. Create a Level Playing Field with Your Competitors.

Without an ISAE 3402 report, you risk losing clients to your competitors. If your competitors have an ISAE 3402 report or at least an ISO 27001 report, they have an advantage in tenders or requests for proposals for your services. Many tender procedures state that ‘certification’ is required. More professional parties specifically request ISAE 3402 or an ISO certification.

4. Comply with the Highest Standards and Best Practices.

The ISAE 3402 report is a powerful tool. It demonstrates compliance with the leading global standard for internal control. ISAE 3402 is issued by the International Federation of Accountants (IFAC). National accounting organisations, such as the Royal Netherlands Institute of Chartered Accountants (NBA) in the Netherlands, have integrated this standard into national regulations. This means that with an ISAE 3402 report, you not only meet high national requirements but also internationally prove that you are ‘in control’.

5. Lead in Your Market.

By undertaking an ISAE 3402 audit and producing the report, you signal that you take security and internal control seriously. You have your organisation under control; you identify risks, have measures in place to manage these risks, and continuously monitor them. Many of your competitors may not have their processes as well-structured as you do and may not be able to demonstrate this through an independent assessment of their internal controls by a legally recognised certifying accountant.

Social impact Solvency II


Insurers are actively implementing the Solvency II guidelines, managing them alongside their capital and risk management. The repercussions of decisions in this context will extend beyond the boardroom, affecting the relationships between both individual and corporate policyholders and insurers. These potential consequences have been explored and documented in a report by The Economist Intelligence Unit, involving 254 EU organisations, including insurers, financial institutions, and non-financial institutions.

While the Solvency II guidelines aim to provide better protection for policyholders, various parties are questioning who will ultimately bear the cost of the solvency regime. Simultaneously, there are concerns that insurers will be limited in their role as investors, compelled towards ‘safer’ investments and fewer non-investment loans. This could potentially lead to challenges for capital-seeking organisations, as balance sheet constraints might result in banks ceasing to make investments.

With these questions in mind, The Economist Intelligence Unit commenced its investigation into the potential impact of Solvency II on consumers, the insurance industry, and society, where insurers act as investors.

The key findings and conclusions of this research are:

  • The requirements of Solvency II are seen as excessive. Respondents believe that the balance is lost and the demands are too stringent.
  • Policyholders will ultimately bear the cost of Solvency II, as insurers will pass these costs on to them.
  • Insurers expect to take fewer risks in their investment strategies.
  • There is ambiguity among organisations about the consequences for debt issuance.
  • Legislators will need to reconsider the capital charges.
  • The unintended consequences are yet to be fully understood, causing concern among various organisations.

Although a revision of the current legislation is deemed necessary, the potential consequences and timing of Solvency II are causing apprehension. The current political and economic climate leads many to believe that insurers, policyholders, and other stakeholders will be adversely affected by Solvency II. It is expected that premiums will increase and that investments will be impacted. Whatever the exact outcomes may be, it suggests that insurers seek absolute certainty about the application of the rules and their implementation in these uncertain times.

What is the Relationship Between SOC 2 and SOC 3?


Guidance for accountants reporting on controls of a service organization relevant to the financial reporting of user organizations was primarily included in SAS 70. This regulation focused on risks related to financial reporting. However, it was often misused for reporting on operations or compliance. The SSAE 16 and ISAE 3402 regulations were established to address these issues.

The AICPA identifies three types of Service Organization Control Reports (SOC): SOC 1 (ISAE 3402 and SSAE 16), SOC 2 (Security, Availability, Processing Integrity, Confidentiality, and Privacy), and SOC 3 (a SysTrust for Service Organizations).

For SOC 3, the AICPA has developed a standard logo.
By offering three types of reports that better meet market needs, the AICPA has effectively addressed several issues that existed with SAS 70.