by Michael Werneburg
Specialist information technology services organizations play a substantial role in regulated industries such as finance and life insurance. These service organizations make their living by being able to provide the expertise, flexibility, and speed in developing information-based solutions within their niche that their clients often simply can’t. IT processes, standards, and technologies have so drastically improved that continuous excellence in service delivery is simply expected.
But they are now coming under new pressures. Regulators, auditors, and boards are becoming more aware of the hazards posed by regulated industries sharing risk with service organizations. This propels regulators to establish risk management guidance on outsourcing arrangements that set the bar for service organizations at the same level as the regulated firms themselves. Even the finance industry's internal "self-regulatory organizations" are setting standards for outsourcing arrangements. Regulated firms effectively come to download portions of their regulator-mandated enterprise risk management regimes to the technology service organizations that serve them.
In turn, service organizations—even small-scale operations—are adopting annual external audits to provide evidence of effective enterprise risk management. For service organizations to adapt to the new requirements and thrive in their regulated market place, a solution exists in adopting enterprise risk management through an initiative for risk-centric process improvement.
And it's a solution that allows the service organization to unlock new opportunities.
For a technology service organization to obtain a clean third-party audit, it must meet or exceed standards in several areas, for example:
Executive: setting and communicating objectives; monitoring performance, and directing improvements; establishing service level agreements; business continuity planning; and risk-aware strategy planning.
Human Resources: background checks; hiring, management, and termination policies; code of conduct; and site security.
Production management: the software development life cycle; the service desk function; and identity and asset entitlements management.
Data management: information classification; data aging &disposal; data &data processing integrity.
IT: disaster recovery; technology standards; information security management; systems availability, capacity, and performance management; version &package management; entitlements custody management.
Internal control: internal audit; operational risk management; policy management.
It’s a broad list, but also deep. Regulators are directly referencing complex and prescriptive guidance such as the AICPA/CICA "trust services principles", which outline hundreds of controls for a service organization. The COSO standard similarly has seventeen principles in five areas, each supported by countless detailed controls for implementation.
Complicating matters, the field is currently in flux. Some evolving trends include:
And after all the effort, expense, and change imposed, after adopting new standards of performance and a perpetual cycle of audit-and-remediation, there is no guarantee of success. The auditors will be the ones to decide when their requirements are met.
So it’s worth spending some time looking at the opportunity that lies on the far side of all of this work. What are the payoffs? Is it all about a piece of paper?
Speaking from my experience in the field, integrating risk-centric business practice improvements into a business strategy can revolutionize a firm’s self-conception, improve the sales cycle, and dramatically improve its alignment with the strategies and necessities of its clients.
Why a service organization should undertake an audit.