Booklet: Outsourcing Technology Services
Section: Risk Management
Subsection: Ongoing Monitoring

Action Summary
Financial
institutions should have an oversight program to ensure service providers
deliver the quantity and quality of services required by the contract.
The monitoring program should target the key aspects of the contracting
relationship with effective monitoring techniques. The program should
monitor the service provider environment including its security controls,
financial strength, and the impact of any external events. The resources
to support this program will vary depending on the criticality and complexity
of the system, process, or service being outsourced.
To increase monitoring effectiveness, management should periodically rank
service provider relationships according to risk to determine which service
providers require closer monitoring. Management should base the rankings
on the residual risk of the relationship after analyzing the quantity
of risk relative to the controls over those risks. Relationships with
higher risk ratings should receive more frequent and stringent monitoring
for due diligence, performance (financial and/or operational), and independent
control validation reviews. Personnel responsible for provider oversight
should have the necessary expertise to assess the risks and should maintain
suitable documentation. Management should use the oversight documentation
when renegotiating contracts as well as developing contingency planning
requirements.
User groups are another mechanism financial institutions can use to monitor
and influence their service provider. User groups can participate in and
influence service provider testing (e.g., security, disaster recovery,
and systems testing) as well as promote client issues. An independent user
group can monitor and influence a service provider better than its individual
clients can, because collectively the group constitutes a significant portion
of the service provider’s business.
KEY SERVICE LEVEL AGREEMENTS AND CONTRACT PROVISIONS
Management should include SLAs in its outsourcing contracts to specify
and clarify performance expectations, as well as establish accountability.
These SLAs formalize the performance criteria against which the quantity
and quality of service should be measured. Management should closely monitor
the service provider's compliance with key service level agreements. To
ensure an effective oversight program, the institution should develop:
- A formal policy that defines the SLA program;
- An SLA monitoring process;
- A recourse process for non-performance;
- An escalation process;
- A dispute resolution process; and
- A termination process.
FINANCIAL CONDITION OF SERVICE PROVIDERS
Institutions should monitor the financial condition of their provider(s)
on an ongoing basis. To fulfill its fiduciary responsibility, an institution
involved in an outsourcing arrangement should determine the financial
viability of its provider(s) on an annual basis. However, if the financial
condition of the provider is declining or unstable, more frequent financial
reviews are warranted. Once the financial review is complete, management
should report the results to the board of directors or to a designated
committee. At a minimum, management's review should contain a careful
analysis of the provider’s annual financial statement. Institution
management may also use other forms of information to determine a provider’s
condition, such as independent auditor reports. These reports may contain
information that can be vital in determining a provider's financial condition.
Managers can also use information provided by public media (trade magazines,
newspapers, television, etc.).
If the institution becomes aware that the provider's financial condition
is unstable or deteriorating, the institution should implement its contingency
plan. Even if the provider remains in operation, its financial problems
may jeopardize the quality of its service and possibly the integrity of
the data in its possession. Institutions should consider a provider's
failure to provide adequate financial data as a potential red flag that
there may be serious financial stability issues.
Termination of services due to the bankruptcy of the service provider
can have a devastating effect on a serviced institution’s operations.
There may not be sufficient advance notice of termination, an effective
contingency plan, or adequate access to provider personnel. In such a
situation, the serviced institution is put into the position of having
to find an alternate processing site with little advance notice.
At this point, a serviced institution has several alternatives, including:
- Paying off the servicer’s creditor(s) and hiring outside specialists to operate the center;
- Obtaining required equipment and software for in-house processing; and
- Transferring data files to another provider.
Most options are costly and may cause harmful operating delays.
In some instances, the provider owns the programs and documentation required
to process the institution’s files. Unless the contract contains
a source code escrow agreement, the programs and documentation are
unavailable to the institution. These programs are often the technology
service provider’s (TSP’s) only significant assets. Therefore, a creditor
of a bankrupt TSP, in an attempt to recover outstanding debts, might seek
to attach those assets and further limit their availability to institutions.
The bankruptcy court may provide remedies to the institution, but only
after adjudicating substantive matters.
GENERAL CONTROL ENVIRONMENT OF THE SERVICE PROVIDER
To oversee the risks associated with the use of external providers effectively,
the institution should evaluate the adequacy of a provider’s internal
and security controls. Management should ensure the provider develops
and adheres to appropriate policies, procedures, and standards. When conducting
its evaluation, the institution should consider the results of internal
audits conducted by institution staff or a user group, as well as external
audits and control reviews conducted by qualified sources. The IT Handbook’s
“Audit Booklet” provides additional details on the various
types of external audit engagements for third-party audits of a service
provider.
The institution’s review of the audit should include an assessment
of the following factors in order to determine the adequacy of a service
provider’s internal and security controls:
- The practicality of the service provider having an internal auditor, and the auditor's level of training and experience;
- The service provider’s external auditors’ training and background; and
- The internal IT audit techniques of the service provider.
Financial
institutions should conduct a regular, comprehensive audit of their service
provider relationships. The audit scope should include a review of controls
and operating procedures that help protect the institution from losses
due to irregularities and willful manipulations.
SAS 70 reports on external providers (since superseded by SOC 1 reports
issued under SSAE 16 and later SSAE 18, which list these items as complementary
user entity controls) typically identify certain internal control measures
that client institutions are responsible for implementing in order for the
provider's accounting systems to be effective. These client institution
internal control measures are essential. Financial institution management
and audit personnel should verify that the recommended institution internal
controls are working effectively, and that the controls effectively complement
the accounting system controls described in the provider's third-party review.
Because of the need for an effective internal control program, designated
personnel should periodically perform “around-the-computer”
audit techniques that:
- Develop data controls (proof totals, batch totals, document counts, number of accounts, and pre-numbered documents) at the institution before submission to the provider. The auditor should sample the controls periodically to ensure their accuracy.
- Include spot-checking reconcilement procedures to ensure output totals agree with input totals, less any rejects.
- Sample rejected, un-posted, holdover, and suspense items to determine why they did not process and how they are addressed (to assure they are properly corrected and reentered on a timely basis).
- Verify selected master file information (such as service charge codes), review exception reports, and crosscheck loan extensions and deposit account entries to source documents.
- Spot-check computer calculations, such as loan rebates, interest on deposits, late charges, service charges, and past-due loans.
- Trace transactions to final disposition to ensure there are adequate audit trails.
- Review source input to ensure sensitive master-file change requests have the required prior approval by appropriate staff or management.
- Visit the provider periodically to assess the status of controls.
- Review other provider audits.
In
addition, “through-the-computer” audit techniques allow the
auditor to use the computer to check processing steps. These techniques
use audit software programs to test extensions and footings and to prepare
direct verification statements. These audit software programs often can
invoke statistical sampling routines in generating their audit confirmations.
If a serviced institution has audit software, it should make arrangements
with the provider to allow its use.
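The data-control and reconcilement steps above (control totals developed at the institution before submission, output reconciled to input less rejects, and transactions traced to a final disposition) are the kind of check that audit software performs when it re-foots a batch. The following is an added example written for this page, not code from the FFIEC booklet or from any provider; the record fields, the choice of a document-number hash total as one of the controls, and the sample batch are all constructed for illustration. It shows why reconciling at the batch level alone is not enough: a transposed amount together with a dropped item can move the totals, but only the item-level trace says which document was altered and which was never accounted for.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Item:
    """One transaction in a batch. Field names are assumptions for this example."""
    doc_no: int       # pre-numbered source document
    account: str
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    """Controls developed at the institution before the batch goes to the provider."""
    document_count: int
    account_count: int     # distinct accounts touched
    proof_total: Decimal   # footing of the amount column
    hash_total: int        # sum of document numbers; a substituted item changes it


def control_totals(items: Iterable[Item]) -> ControlTotals:
    items = list(items)
    return ControlTotals(
        document_count=len(items),
        account_count=len({i.account for i in items}),
        proof_total=sum((i.amount for i in items), Decimal("0")),
        hash_total=sum(i.doc_no for i in items),
    )


def missing_document_numbers(items: Iterable[Item]) -> list[int]:
    """Gaps in the pre-numbered sequence point to dropped or suppressed documents."""
    nums = sorted(i.doc_no for i in items)
    if not nums:
        return []
    return sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))


def reconcile(sent: Sequence[Item], posted: Sequence[Item],
              rejected: Sequence[Item]) -> list[str]:
    """Check provider output against input less rejects.

    Returns a list of discrepancies; an empty list means the batch reconciles.
    """
    findings: list[str] = []
    exp, rej, got = control_totals(sent), control_totals(rejected), control_totals(posted)

    # Batch-level totals: output must equal input less rejects.
    want_docs = exp.document_count - rej.document_count
    if got.document_count != want_docs:
        findings.append(f"document count: posted {got.document_count}, expected {want_docs}")
    want_proof = exp.proof_total - rej.proof_total
    if got.proof_total != want_proof:
        findings.append(f"proof total: posted {got.proof_total}, expected {want_proof}")
    want_hash = exp.hash_total - rej.hash_total
    if got.hash_total != want_hash:
        findings.append(f"hash total: posted {got.hash_total}, expected {want_hash}")

    # Item-level trace: every returned item must be an unaltered submitted item,
    # and every submitted item must have exactly one final disposition.
    by_doc = {i.doc_no: i for i in sent}
    for item in (*posted, *rejected):
        orig = by_doc.get(item.doc_no)
        if orig is None:
            findings.append(f"doc {item.doc_no}: returned but never submitted")
        elif orig != item:
            findings.append(f"doc {item.doc_no}: altered in processing "
                            f"(sent {orig.amount} to {orig.account}, "
                            f"returned {item.amount} to {item.account})")
    posted_docs = {i.doc_no for i in posted}
    rejected_docs = {i.doc_no for i in rejected}
    for d in sorted(posted_docs & rejected_docs):
        findings.append(f"doc {d}: both posted and rejected")
    for d in sorted(set(by_doc) - posted_docs - rejected_docs):
        findings.append(f"doc {d}: neither posted nor rejected")
    return findings


# Constructed sample batch of four pre-numbered items (not real data).
SENT = (
    Item(1001, "ACC-1", Decimal("250.00")),
    Item(1002, "ACC-2", Decimal("99.95")),
    Item(1003, "ACC-1", Decimal("1200.00")),
    Item(1004, "ACC-3", Decimal("15.10")),
)
# Honest return: 1004 rejected (say, a closed account), the rest posted.
POSTED_OK = (SENT[0], SENT[1], SENT[2])
REJECTED = (SENT[3],)
# Faulty return: 1002 silently dropped and the amount on 1003 transposed.
POSTED_BAD = (SENT[0], Item(1003, "ACC-1", Decimal("1020.00")))

if __name__ == "__main__":
    print("controls sent to provider:", control_totals(SENT))
    print("honest return:", reconcile(SENT, POSTED_OK, REJECTED) or "reconciles")
    for finding in reconcile(SENT, POSTED_BAD, REJECTED):
        print("finding:", finding)
    print("gaps in posted sequence:", missing_document_numbers(POSTED_BAD))
```

The institution computes and retains `control_totals(SENT)` before the batch leaves; only then can it reconcile the provider's output and rejects against numbers the provider could not have influenced. Rejects are subtracted rather than ignored so that a provider cannot make a lost item disappear by reporting it as processed, and the item-level trace is what makes the "trace transactions to final disposition" step concrete.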
Regardless of whether the information processing is internal or outsourced,
the financial institution’s board of directors should ensure adequate
audit coverage. If the institution has no technical audit expertise, the
non-technical audit methods can provide minimum coverage. The institution
should supplement the internal audit with comprehensive outside IT audits.
POTENTIAL CHANGES DUE TO THE EXTERNAL ENVIRONMENT
The contract between the institution and the service provider should be
written to encompass the institution’s requirements at the time
the contract is formed. Over time, the institution’s needs may change
due to changes in regulation, the economic environment, competition, and
other factors outside the contract. Although the contract should provide
for flexibility to meet those changing needs, the institution should monitor
for changes and update its contract accordingly.