Category: Cyber Security

Agency Theory in Outsourcing


Economies of Scale

Since the Industrial Revolution, organizations have been questioning how to leverage their competitive advantage to expand their market share and profitability. The dominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, companies broadened their bases to benefit from economies of scale.

The large integrated organization diversified its product range, and expansions required more management layers. Technological developments, such as the internet, forced organizations in the 1980s and 1990s to compete more globally. They were handicapped by a lack of flexibility due to bloated management structures. To increase agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-Agent Problem

The focus on core processes sparked a discussion about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialised agencies or providers. Consequently, the principal-agent problem evolved between the user organization and the service organization, and the principal-agent theory and related information asymmetry gained importance in line with the growth of outsourcing.

Information Asymmetry

The most common agency relationship in the financial domain occurs between investors (or shareholders) and the management of a company. The principal may be unaware of the agent’s activities or prohibited by the agent from obtaining information. The result is information asymmetry between the principal and the agent. For example, management might want to invest in emerging economies, while the principal’s risk tolerance does not favour such investments. This management strategy might sacrifice short-term profitability and increase company risks, potentially leading to higher future revenues. Investors desiring high current capital income with low risks might not be aware of these management plans. If the consequence of this strategy is certain losses, management may be inclined not to disclose this information to shareholders.

The development of the accounting profession was a crucial step in mitigating the agency problem globally. In 1992, the SAS 70 standard became relevant for outsourcing assurance, later replaced by the ISAE 3402 standard in 2011. Outsourcing assurance reduced information asymmetry and improved trust between the user organization (the organization outsourcing) and the service organization (the organization providing services to user organizations).

Agency Theory in Outsourcing

In general terms, agency theory concerns all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Since contracts and decisions with third parties are made by the agent, affecting the principal, agency problems can arise.

In the situation where activities are outsourced by a user organization to a service organization, agency theory is relevant to all described aspects: information asymmetry, risk tolerance, and engaged resources. For instance, a financial institution outsources IT services to a managed services provider. The managed service provider may not be aware of the institution’s risk tolerance and might decide that a weekly backup is acceptable or that data storage outside the EU is permissible. The service provider might not inform the organization about certain server failures if the network issue is not identified by the financial institution. The service organization might also be inclined to minimise the resources performing activities while attempting to maximise received fees. A service organization may also have a different tolerance towards fraud or may commit fraud itself. In the pension sector, asset managers might profit from front-running pension fund transactions. This results in the principal-agent problem described above.

Front running, also known as tailgating, is the prohibited practice of entering into a trade to capitalize on advance, nonpublic knowledge of a large pending transaction that will influence the price of the underlying security.

Securance advises TelecityGroup

TelecityGroup is Europe’s leading carrier-neutral data centre provider. TelecityGroup’s data centres offer high connectivity and secure environments for IT and telecom equipment, which are the driving force behind the digital economy. Telecity has data centre clusters in 12 major European cities. In Telecity’s data centres, the networks that make up the Internet converge, and bandwidth-intensive applications, content, and information are securely hosted. Telecity’s newest 9MW data centre, AMS 5, located in Amsterdam South-East, provides not only robust power supply, efficient cooling, and extensive security but also unparalleled connectivity. Besides connectivity, security and control are crucial for data centres. There are several standards for this, with ISAE 3402 being one of the most important.

 

ISAE 3402 and Data Centres

As of December 2014, the COSO framework has been replaced by COSO 2013. De Nederlandsche Bank has mandated COBIT 4.1 and its maturity model in the information security assessment framework. Due to these developments, multinationals are increasingly demanding ISAE 3402 from hosting providers, in addition to SaaS providers. This trend is supported by the increase in the number of registered data centres in the ISAE 3402 register from 3 to 10 within one year. Securance will support and advise Telecity in the implementation of ISAE 3402.

Telecity and Securance

Emile ten Hoor is delighted that Securance has been selected as the assurance and security advisor for the Telecity Group. Within our current portfolio of asset managers, SaaS, and hosting providers, the Telecity Group is a welcome addition. We are highly motivated and enthusiastic to support Telecity in this process. We support every step towards professionalization and strive for better security and control in the ICT sector.

Outsourcing Excellence™

When improving processes in an organization, the Theory of Constraints (TOC) emphasizes the importance of including the supply chain and market engagement in the analysis. Operational Excellence is achieved by eliminating constraints throughout the entire process, from procurement to production (operations) to sales. This seems simple, but according to Goldratt (the creator of TOC), “The more complex a system is, the more profound its inherent simplicity.” The execution is complex, not the solution. The same applies to outsourcing; the process is straightforward, but adapting it to a user organization’s processes is complex. Outsourcing is essentially always based on comparative advantages.

 

Comparative Advantages – Ricardo

One of my mentors said, “Processes that others can do better or cheaper than you should be outsourced.” Why? Because it gives you more time and space to focus on what you are truly good at. This is essentially the theory of David Ricardo on comparative cost differences, or rather comparative advantages. More processes are being outsourced; accounting software is more often offered as a SaaS solution than as a software package.

More Outsourcing

Outsourcing also happens unnoticed; LinkedIn replaces networking events, Evernote replaces the traditional notebook. We are increasingly dependent on these outsourced activities. This also means that assurance about this outsourcing becomes more important, and standards like ISAE 3402 or ISO 27001 exist for this reason. Outsourcing only works if it is optimally organized; better or cheaper. Additionally, alignment with the processes of the user organization is crucial.

Example

On island A, sheep are kept, and on island B, grain is grown. Trade between A and B will result in a higher level of prosperity for both islands than if both islands kept sheep and grew grain.

Relationship with ISAE 3402

An ISAE 3402 certification or implementation project is an opportunity to optimize outsourcing, remove constraints, and view outsourcing within the total business process, from procurement to production to sales. Outsourcing Excellence is derived from Operational Excellence, based on LEAN and TOC. In the change process, three questions are important:

  1. What needs to change?
  2. What should it change to?
  3. How can the change be achieved?

Optimization Process

The optimization process can be broadly divided into the following phases:

  1. Identify and analyze the bottleneck that is the main limiting factor for achieving goals (cf. strategic objectives COSO ERM).
  2. Exploit the bottleneck and align all business processes (including the processes at the user organization; user control considerations) to fully exploit the bottleneck.
  3. Increase the capacity of the bottleneck to enhance throughput. Once the bottleneck is resolved, start again at point

Example

An IT service provider (application management and hosting) struggles with structuring internal processes and maintaining security guidelines, and spends a lot of time on unnecessary incidents. By analyzing these processes, structuring them, and leveraging the natural discipline that arises from monitoring and audit procedures, the organization achieves significant internal improvements. Through ISAE 3402 certification, the organization qualifies for various tender processes, winning two important ones. Due to ISAE 3402, the organization gains new customers and, through process improvements, can deliver 100% service to these important new clients.

Key Points

It is important to realize that:

  • Outsourcing is part of processes that occur at the outsourcing party; process improvements can only occur if constraints are analyzed within this context.
  • Bottlenecks can only be resolved if all processes, including those at the user organization, are adjusted accordingly. It is important to document this in SLAs or user control considerations.
  • ISAE 3402 is an effective tool for reviewing processes, improving discipline, and genuinely enhancing processes; outsourcing excellence.

What next?

At SASconsult, we have developed various tools to ensure organizations not only align their processes with the ISAE 3402 standard but also improve internal processes. This approach serves dual purposes; ISAE 3402 provides more market opportunities (more customers), and these customers receive a better product or service through simultaneous process improvements at the service organization.

Five reasons to implement ISAE 3402

ISAE 3402 is the standard for outsourcing processes and security. It is increasingly required across various industries and by government entities for participation in tenders.

 

1. Your Clients Expect an ISAE 3402 Report.

Your clients expect you to have robust procedures in place for IT, data security, and transaction processing, and to provide assurance regarding these processes. An ISAE 3402 report includes the outsourced processes, internal controls, and all the security measures you have implemented. Especially after the economic crisis, your clients expect you to comply with mandatory standards and to be transparent about how you have organised your internal controls. These controls are so well established that you have had them assessed by an external professional party.

2. Convert Prospects into New Clients.

Many organisations require ISAE 3402 certification to procure your services or products. Any organisation subject to statutory audit obligations must include all its processes within the scope of this audit, including outsourced processes. An ISAE 3402 report is the tool you can use as a service organisation (the outsourced party) to demonstrate controlled processes. This means that all publicly listed companies, financial institutions, and even medium-sized legal entities outsourcing processes will (soon) require ISAE 3402 reports from their suppliers. Government demand (including municipalities) has also been increasing significantly recently.

3. Create a Level Playing Field with Your Competitors.

Without an ISAE 3402 report, you risk losing clients to your competitors. If your competitors have an ISAE 3402 report or at least an ISO 27001 report, they have an advantage in tenders or requests for proposals for your services. Many tender procedures state that ‘certification’ is required. More professional parties specifically request ISAE 3402 or an ISO certification.

4. Comply with the Highest Standards and Best Practices.

The ISAE 3402 report is a powerful tool. It demonstrates compliance with the leading global standard for internal control. ISAE 3402 is issued by the International Federation of Accountants (IFAC). National accounting organisations, such as the Royal Netherlands Institute of Chartered Accountants (NBA) in the Netherlands, have integrated this standard into national regulations. This means that with an ISAE 3402 report, you not only meet high national requirements but also internationally prove that you are ‘in control’.

 

5. Lead in Your Market.

By undertaking an ISAE 3402 audit and producing the report, you signal that you take security and internal control seriously. You have your organisation under control; you identify risks, have measures in place to manage these risks, and continuously monitor them. Many of your competitors may not have their processes as well-structured as you do and may not be able to demonstrate this through an independent assessment of their internal controls by a legally recognised certifying accountant.