Advise Businesses on External IT Resources

Help clients and employers find the best IT vendors—when needed.
BY JOEL LANZ AND ROBERT TIE

EXECUTIVE SUMMARY
CLIENTS WHO ARE DISSATISFIED with their internal IT functions do not always understand the remedial options available to them. So CPAs can provide a reasoned analysis to help them decide between internal system improvements and getting help from an outside source.

A COMPANY MAY CONSIDER OUTSOURCING its IT functions simply because it doesn’t know how to address problems with its own systems. The CPA can work with management to see that outsourcing lowers costs, increases control and improves performance.

TO ASCERTAIN WHETHER A COMPANY REALLY NEEDS to outsource its IT functions, the CPA should identify any internal systems deficiencies and determine what management is willing to do and spend to resolve them—internally or by outsourcing.

THE CPA CAN HELP THE CLIENT develop a request for proposal that details the services needed and also can assist in evaluating whether vendor proposals satisfy the client’s business and technology needs cost effectively.

CPAs MUST TAKE CARE not to inadvertently practice law by evaluating vendor contracts for their clients. Instead they can pool their business and technology skills with an attorney’s legal skills to ensure the contract enables the client to effectively manage the risk of the vendor relationship.

JOEL LANZ, CPA/CITP, is founder and principal of a technology assurance and advisory practice and is the vice-chairman of the New York State Society of CPAs’ technology assurance committee. He also is an adjunct professor at the School of Professional Accountancy at the C.W. Post campus of Long Island University. His e-mail address is jlanz@joellanzcpa.com. ROBERT TIE is a senior editor on the JofA. Mr. Tie is an employee of the AICPA and his views, as expressed in the article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.

Companies can’t compete effectively if their information technology (IT) systems don’t have the power or flexibility to perform essential business functions. But many organizations find it difficult to set up or maintain the IT resources necessary to do these jobs in-house. This article will show CPAs how to help their clients or employers find the most effective and economical way to obtain the network administration, computerized billing, payroll, customer service, human resources or other electronic logistical services they need to support mission-critical business processes. (For brevity’s sake, the article will use the term client in contexts applicable to both clients and employers.)

Tasks Banks Love to Delegate

Provided externally               Percentage of banks
Transaction processing            25%
Account statement issuance        21%
PC support                        20%
Computer network management       15%
Telecommunications management     13%

Source: The Cornerstone Report: Benchmarks and Best Practices for Mid-Size Banks, Cornerstone Advisors, www.crnrstone.com, 2003.

The first and most important decision a company must make is whether to outsource one or more of its technology-dependent functions. To help make that decision, the CPA should become familiar with the most common reasons companies consider farming out IT functions (see “Deciding Whether to Seek Outside IT Help”). If a client chooses to outsource, the CPA can help evaluate vendors, work with legal counsel to document service terms in a clear and accurate contract and provide tools for measuring vendor performance once a written agreement takes effect. If going outside for IT help doesn’t appear to make economic or business sense for the company, the CPA instead can provide a reasoned analysis showing the advantages of improving in-house systems.

IMPORTANT BECOMES URGENT
Many factors influence companies to outsource IT, but few are as pressing as the financial reporting requirements of the Sarbanes-Oxley Act of 2002. Compliance with these provisions requires computing resources that a growing number of company executives feel are best obtained from vendors with superior systems and skilled personnel.

Some managers worry that the risks of outsourcing IT functions may be too high—approaching financial and organizational catastrophe. It’s not uncommon, for example, for organizations to incur fees higher than originally estimated or for vendors suddenly to be unable to deliver services for protracted periods, putting their client companies at great competitive disadvantage. According to Yigal Rechtman, CPA/CITP, partner at Person & Co. LLP, a five-person New York City firm, “Many vendors focus on the IT functions they can provide and ignore others that are equally important to their customers. That’s why it’s important for clients to have business continuation strategies that reduce their exposure to the risk of vendor service delivery problems.”

The following shows how a CPA who understands both business and technology risks can lead a client through each aspect of the outsourcing decision process.

Deciding Whether to Seek Outside IT Help
It isn’t easy for a company’s managers to determine whether to provide technology services internally or have a vendor supply them. The following are important considerations CPAs should discuss with clients when addressing this issue:

The strength of the company’s technical staff and managers.
The need/cost for a large IT staff to support multiple technology platforms.
The fact that companies often see technology as a cost center rather than as a potential competitive advantage.
Management’s dissatisfaction with internal IT services.
Internal politics’ interference with IT’s role in achieving business objectives.
Deficient customer service systems and support.
Constant changes in technology.
The countering of viruses and other threats to company systems.
Company preference for just-in-time IT staffing.

IS IT NECESSARY?
When internal systems fail to perform as required, company management may consider outsourcing a way to acquire what seems unobtainable in-house. For example, a manufacturer that needs its local area network to be nearly always available instead may have to contend with recurrent periods of downtime that confound the help desk, interrupt customer transactions and decrease revenue.

In such cases a skilled CPA can use cost-benefit analysis to help management decide whether and how the organization can solve its IT problems by making internal improvements such as buying new equipment, hiring more staff and paying for systems training. If the cost of rehabilitating in-house systems appears to be prohibitive, the CPA can assist the organization in issuing a request for proposal (RFP) to provide the required IT support and evaluate vendors’ responses to it. The Financial Services Roundtable, a banking industry trade group, provides a helpful guide to RFP preparation in its BITS Framework for managing IT-service-provider technology risk (see “Other Resources”).

The CPA can use the RFP to help his or her client better communicate its service expectations and needs to vendors. He or she then can help the client evaluate whether a vendor’s proposal responds effectively to the various aspects of the RFP. CPAs can raise awareness of, for example, needs not sufficiently addressed by the vendor’s proposal.

Other Resources
Leading Commercial Practices for Outsourcing of Services, GAO, www.gao.gov/cgi-bin/getrpt?GAO-02-214, 2001.

Information Technology Outsourcing, Canadian Institute of Chartered Accountants, www.cica.ca/multimedia/download_library/research_guidance/, 2003.

BITS Framework for Managing Technology Risk for Information Technology (IT) Service Provider Relationships (version II), www.bitsinfo.org/bits2003framework.pdf, 2003.

Special Publication 800-35, Guide to Information Technology Security Services: Recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/, 2003.

Outsourced Managed Security Services, Carnegie Mellon Software Engineering Institute, www.cert.org/security-improvement/modules/omss, 2003.

EVALUATE THE OFFERING
Many managers do not fully understand the technology services they’re considering outsourcing. They also may have difficulty effectively reviewing proposals from competing vendors and evaluating their service contracts. The client’s attorney, too, may not be aware of certain risks peculiar to outsourcing agreements; but the CPA, whose professional strength includes quantitative analysis, could alert the client to any unacceptable aspects of the vendor’s proposal. For example, a promised service level may be less than the description implies: If a vendor’s proposal guarantees the client access to its system at least 99% of the time, this means the vendor would be in compliance with the contract even if its system was unavailable for nearly a half hour during each 40-hour workweek.

“Another opportunity for the CPA,” says Maria Michaelson, CPA and senior vice-president and auditor at Suffolk County National Bank in New York, “is to maximize the client’s knowledge of the technology function being outsourced. This will enable it to manage the vendor relationship effectively and maintain customer service at levels that distinguish the organization from its competitors.”

CPAs also can help a client evaluate whether the vendor’s performance satisfies expectations. Unless there is a financial incentive to do otherwise, IT vendors generally meet but do not exceed performance goals specified in the service contract, often referred to as a service-level agreement. For example, a client may contract for hardware replacement within a 24-hour-period without specifying the quality of the components.

Mark Fajfar, special counsel at Fried, Frank, Harris, Shriver & Jacobson LLP, a law firm that advises on outsourcing matters, says attorneys and CPAs can work closely together to determine whether

Systems and procedures specified in the contract are robust enough to meet the company’s needs.

The client has a pertinent, relevant and concise description of the functions being outsourced.

The cost of risks that are inherent in the contract—such as limitations of the vendor’s liability—are clear to the client, which thus can make more informed decisions during contract negotiations.

The client, based on its dialogue with them, is fully aware of the risk of fraud and other improprieties.

PRACTICAL TIPS TO REMEMBER

CPAs should carefully explore their clients’ or employers’ views of how IT can address their corporate needs. By doing so they can ensure managers understand whether and how changing hardware or software or adding IT staff could resolve systems problems and help achieve business goals.

If the CPA and the client or employer conclude that new or additional IT resources would resolve processing deficiencies or help attain corporate objectives, they can compare the cost and benefits of augmenting the organization’s technological resources to those of outsourcing certain IT functions.

In cases where the cost or difficulty of improving in-house systems is prohibitive, the CPA can help the company prepare and distribute to vendors a request for proposal (RFP) that clearly identifies the required IT support and specifies the time frames and other conditions under which they are required.

When outsourcing vendors respond, the CPA should guide the organization in evaluating the offerings to determine how well they meet the RFP requirements in terms of scope, quality and timeliness. At the same time, the client’s lawyer should evaluate the extent to which the provisions in each vendor’s service contract protect the client’s interests.

Once a vendor is selected, the CPA should help the entity monitor its performance on an ongoing basis to ensure services are reliably delivered at appropriate levels.

The CPA can help the client identify cost-effective service levels and, working with legal counsel, can help ensure relevant descriptions of such levels are specified in a contract that protects the client’s interests. Although they can’t render legal advice, CPAs can use questionnaires, checklists and other traditional audit tools to ensure the client and its attorney adequately consider all significant contract issues. Examples include

Right-to-audit clauses that enable the client to examine aspects of the vendor’s operations, such as the nature and method of delivering services and the computation and submission of bills.

Prohibiting the unreasonable use of clauses that automatically renew the contract if no action is taken by the client to end it.

HELP CLIENTS MANAGE IT VENDOR RISKS
The client’s ability to do business may rely heavily on a vendor’s capacity to deliver contracted services. CPAs can help clients identify risks not previously considered during contract negotiations. Some of the more valuable ways they can do this include

Examining independent-auditor-prepared assessments and reviewing reports such as those prepared by CPAs in a SysTrust or WebTrust engagement or those performed in accordance with SAS no. 70, Service Organizations, as amended. The CPA should focus not only on the controls included in the report but also on relevant controls or risks not addressed. The CPA can use the AICPA and Canadian Institute of Chartered Accountants trust services principles and criteria as a checklist of issues that should be addressed. Missing controls should be discussed with the vendor and an assessment of the impact of the relationship determined. Additional information about assurance services is available at the AICPA Web page (www.aicpa.org/assurance/trustservices/index.asp), which describes such services for any defined electronic system or for electronic commerce and discusses related online privacy, security, confidentiality, availability and processing integrity issues.

Evaluating a vendor’s financial stability. The CPA can help the client analyze the vendor’s financial statements to determine whether it has the financial resources and strength to deliver on the contract terms. The CPA can make sense of footnote disclosures and information contained in public filings—such as a Form 10-K disclosure of pending litigation or evidence that the contracted services constitute only a very small share of the vendor’s business—that can compromise the vendor’s ability to deliver contracted services.

Assessing whether a vendor’s products and services will facilitate compliance with legal and other regulatory requirements. Although certain industries are subject to numerous regulations, not all vendors will be able to comply with, for example, the security and privacy regulations currently mandated in the banking and health care industries.

Identifying additional risks related to the vendor’s subcontracting activities. CPAs can help clients identify vendors’ reliance on third parties—especially foreign organizations—to process critical or confidential data that, if mishandled, could significantly increase business risk for the client.

CPAs are particularly suited to helping clients manage the risk of IT outsourcing. Bruce Sussman, CPA, general auditor at NYCE Corp., an electronic-payment-services company serving banking and other industries, says: “Increased reliance on outside technology providers is a business reality. CPAs are uniquely qualified to help their clients with related due diligence and monitoring outsourced services. The CPA can leverage experience in auditing vendor-related activities such as performance management, accounts payable and service quality control to help develop and implement IT outsourcer risk-management strategies.”

Terry Treadwell, CPA, director of market strategies for credit-union-technology-services provider Summit Information Systems, a division of Fiserv Inc. of Brookfield, Wisconsin, has had experience as a consultant and now as a vendor. “To protect customers’ privacy, company executives must ensure their vendor has a detailed information security plan,” she says. “This is clearly an area where executives should not simply accept the assurances of technical staff or vendors unless they’re satisfied that processes are clearly laid out, documented and aligned with industry standards.”

To obtain that assurance, Treadwell says CPAs should educate the client on appropriate security practices. For added security, in addition to reviewing the vendor’s WebTrust, SysTrust or SAS no. 70 report, Treadwell recommends that, on the client’s behalf, the CPA conduct a security audit of the prospective vendor. (If the contract provides for such an audit, only the client would get the report; the vendor would not.) Information on the specific additional skills a CPA/CITP could apply to such an audit is available at the CITP Web site, www.aicpa.org/infotech/homepage.htm.

CONTINUOUSLY MONITOR VENDOR PERFORMANCE
Even with the best-laid plans, it’s still necessary to oversee the vendor’s work after the contract has been signed. CPAs can help clients establish a vendor performance-monitoring program, or they can perform periodic vendor compliance reviews on the client’s behalf.

CPAs in industry frequently perform such reviews for their companies. For example, says Maria Michaelson, “internal audit departments can provide significant value to their organizations by using audit skills gained in due diligence exercises, business negotiations and fraud investigations, as well as general knowledge of industry best practices. The CPA’s ability to perform a quick review can be an invaluable asset.” Critical issues such programs should address include

Using a contract abstract (typically a document developed by the client’s attorney that summarizes key contract provisions and responsibilities in laymen’s terms) to develop audit programs or project checklists that can be used to verify compliance. The CPA can train the client’s staff in using such tools or execute the program on behalf of the client.

Reviewing reports produced by the vendor to demonstrate achievement of service-level-agreement objectives. The CPA can help determine the reasonableness and accuracy of information provided as well as recommend changes to the agreement as business events dictate.

Analyzing invoices to ensure they reflect contract terms. The client should approve all unanticipated charges, including cost overruns, in advance of a vendor’s incurring these costs.

Ensuring the vendor includes unique client requirements as part of its overall information and security and business-continuity plans. For example, when the vendor tests its ability to provide ongoing support to its clients, it should confirm that capability for each service specified in the client’s contract.

The CPA should help the client determine whether routine functions such as basic programming should be specified in the contract and subsequently monitored. According to Bruce Nearon, CPA, director of IT security audit at J.H. Cohn LLP: “Contracts often do not require vendors’ programmers to document their software code in accordance with minimum programming standards. Consequently, there often is no documentation of custom applications, which puts the client at risk if it terminates the vendor relationship. In the worst case, the undocumented programs may be supportable only by the vendor’s programmer.”

THE POINT OF IT ALL
Because there’s no sign the IT services companies need will become any easier to choose, implement or manage, a wide span of professional opportunities beckons to knowledgeable CPAs. Practitioners interested in entering or expanding their involvement in this field should stay attuned not only to the latest technological developments but also to one of the primary reasons they’re in practice—to help clients meet their evolving business needs.


RESOURCES

Credential
Certified Information Technology Professional (CITP) designation, www.aicpa.org/infotech/homepage.htm.

Conference
Controllers Workshop
July 22–23, 2004
Caesar’s Palace, Las Vegas

CPE
CPE Direct: “Legal and Ethical Considerations Regarding Outsourcing,” JofA, Mar.04, page 31, and www.aicpa.org/pubs/jofa/mar2004/miller.htm.

Publications
AICPA Audit Guide, Service Organizations: Applying SAS No. 70, as Amended (# 012772JA).

Business Process Outsourcing: Process, Strategies, and Contracts, John Wiley & Sons (# WI34821XP0100DJA).

“The Pros and Cons of IT Outsourcing,” JofA, Jun.98, page 26, and www.aicpa.org/pubs/jofa/jun98/antonuci.htm.

Suitable Trust Services Criteria and Illustrations, AICPA/CICA, 2003, www.cpawebtrust.org/download/final-Trust-Services.pdf.

For more information about any of these resources, to place an order or to register, go to www.cpa2biz.com or call the Institute at 888-777-7077.
