session 2b auditing third party outsourced arrangements
TRANSCRIPT
Session 2B: Auditing third party outsourced arrangements
Alana Bailey AMIIA, EGM Internal Audit, Suncorp
Session Number 2B
Auditing third party outsourced arrangements
Alana Bailey
Executive General Manager Internal Audit
SOPAC, 7 March 2016
Auditing third party outsourced arrangements
• Outsourcing at Suncorp
• Internal Audit’s Involvement in Outsourcing
‒ Pre-Implementation and Post Implementation
‒ Service Level Agreements and Meaningful Metrics
‒ Outsourcing Oversight and Governance
• Lessons Learnt
• Key Themes arising from Internal Audits
• Adapting internal audit strategy and practice
Internal Audit’s involvement in outsourcing
Internal Audit Involvement
• Operating effectiveness of key controls governing the outsourcing processes
• Alignment with APRA CPS231 requirements
• Adequacy of controls to manage outsourcing risks
Pre-implementation
Phase 1 – Idea: Identifying the Opportunity
Phase 2 – Concept: Assessing the Opportunity and Defining the Scope
Phase 3 – Initiate: Quantifying and agreeing the opportunity and planning delivery
Phase 4 – Deliver / Deploy: Execution and Handover to BAU/Operate
Post-implementation
5. BAU: MONITOR and REVIEW, ANALYSE GAPS, MANAGE CHANGE
Pre-implementation
Phase 1 – Idea: Identifying the Opportunity
Objective: Register the initiative and enable an informed decision to proceed into Concept.
IA Focus: Seek understanding of the proposed outsourcing, context and business drivers.
Pre-implementation
Phase 2 – Concept: Assessing the Opportunity and Defining the Scope
Phase 3 – Initiate: Quantifying and agreeing the opportunity and planning delivery
Objective: Assess outsourcing risks and controls and quantify and qualify benefits to enable a decision to proceed into “Initiate”. Maximise the potential for success in “Delivery” through Business Unit, BT and Provider collaboration and Policy compliance.
IA Focus:
• Feedback and challenge on:
• Business Case
• Materiality assessments
• Risk profiles
• Appropriate Stakeholder involvement
• Compliance with regulatory and statutory obligations
• IA review is not complete until all review comments are addressed
• Attendance at the Outsourcing Governance Committee.
Pre-implementation
Phase 4 – Deliver / Deploy: Execution and Handover to BAU/Operate
Objective: Deliver and deploy a robust and sustainable outsourcing solution which meets with business imperatives.
IA Focus: Implementation of this phase is assessed in internal audits:
• Monitoring of SLAs, escalation and remediation of issues.
A Service Level Agreement is the commitment a provider makes to deliver the services to the agreed target
Meaningful Metrics:
• What is important to the business?
• Are SLAs in place for services before they are outsourced?
• Are they end to end services?
• Training
• Quality Assurance Framework
• BAU – performance and reported
Commercials:
• LoD3 to LoD3 connections
• Independent report reviews to check for issues
• Join the dots from business process audits on key themes.
• Challenge as necessary.
• Checking controls (controls testing audit).
• Audit performance against SLAs or review of contractual terms
• Provider site visits
Post-implementation
5. BAU: MONITOR and REVIEW, ANALYSE GAPS, MANAGE CHANGE
Objective: Deliver and deploy a robust and sustainable outsourcing solution which meets with business imperatives.
IA Focus:
• Annual outsourcing audit to assess compliance with CPS 231
• Internal audit of business processes that are outsourced
• Control testing of risk assessments
Internal Audit Involvement
• 3LOD
• Reviews of third party assurance reports to check for issues
• Join the dots from business process audits on key themes and raise/challenge as necessary
• Checking of controls (controls testing audits)
• Audit of performance against SLAs or review of contractual terms
• Visit provider sites
Outsourcing oversight and governance
Audience
• Senior Executive Management
• Outsourcing Governance Committee
• Board Risk Committee
• Board Audit Committee
• Executive Management
• Business Unit Operational Management
Frequency
• Annual Oversight
• Quarterly Oversight
• Monthly Oversight
• Weekly, Fortnightly, Monthly and Quarterly Oversight
Types of Activity
• Senior executive oversight of governance arrangements
• Longer-term (e.g. 3 year) strategy and direction setting
• Review overall outsourcing performance and value
• Overview of material business activities and offshore outsourcing
• Review of audit plans and recent audits
• Review provider performance
• Incident Management of systemic/problem issues
• Actively manage the provider relationships
• Outsourcing Commercial and contractual issues
• All operational management
• Review of provider performance reports
• Review and control of service level failures; continuous improvement initiatives; and pipeline of work and resourcing requirements
Lessons learnt
Third Party Provider Fit
Key Controls
• Dedicated Shared Services Teams manage offshore providers
• Cultural awareness training for those working with diverse providers
• Immersion training for leaders, project managers and iteration managers with a focus on global trends, managing change, cross cultural relationship management and communication
• Provider staff viewed as an extension of the Suncorp team
• Staff rotations between Suncorp and providers
• Providers utilise the same Way of Working as Suncorp e.g. Agile and Lean practices
• Most successful initiatives are those where providers are well managed and strong governance is in place in BAU
Key Challenges
• Communication Methods including language barriers
• Retention strategies to prevent attrition
• Work practices
• Escalation of issues
• Expectation differences in timeliness of deliverables
Regulatory and Governance
Key Controls
• Regulatory updates via Neo reports and specialist advisors within Suncorp provide notifications on changes.
• Risk Event alert monitoring provides governance over providers and offshore locations
• Regular risk functions held with the Providers where any changes to legislation or regulation that impact operations are discussed and brought to both parties’ attention
• Suncorp facilitates innovation days at the offshore provider locations to create team unity, provide an opportunity for offshore team members to share their ideas, improve processes and be a part of the change process.
Key Challenges
• Maintaining awareness of changes to regulatory environments, especially where offshore outsource providers operate
• Understanding the risk and assurance plans of our providers
• Ensuring ongoing risk and governance
Key themes arising from internal audits
Assess and approve offshoring and material outsourcing arrangements
Oversee the Group’s offshoring and material outsourcing portfolio, ensuring all arrangements (proposed and existing) comply with CPS 231
Initiative Risk Profiles
Consistency of interpretation and understanding of ‘Materiality’ and ‘Outsourcing’
Alignment of documented controls to actual controls in BAU
Understanding roles and responsibilities
Adapting internal audit strategy and practice
Maturity of Outsourcing
2008: Outsourcing Back Office and Data Processing Functions
2014: Outsourcing to the Cloud, supporting IT Transformation
2016 and beyond… Next wave of outsourcing evolution: Robotics, Automation and more…
Internal Audit Strategy and Practice
= Challenged to match the pace of change and maturity of our business =