Outsourcing Trade-offs: Avoiding the Pitfalls
Action Plan
We suggest several courses of action in the scope of negotiation and compliance with service providers, depending on where your company is in the outsourcing process.
Preagreement > Prepare to negotiate specific controls
Establish your audit requirements for Section 404 and SAS 70 Type II reports.
Ensure that your requirements for the scope and timing of SAS 70 Type II reports are spelled out clearly in the outsourcing agreement, including who pays for the report.
Retain the right to tailor the scope of those reviews so they'll meet your requirements, which may change in the future.
Map out your "elective" audit strategy over the term of your agreement.
Consider a master service agreement and independent statements of work that can include updated terms, such as audit and review rights. Note that, subject to your negotiating power, you may pay for this flexibility.
Post-agreement > Look for possible amendments
Review your outsourcing agreement for the right to audit, including who pays for the audit. With older agreements, you may need to negotiate for the ability to audit your service provider.
Develop an audit plan that runs through the term of your outsourcing agreement, up to and including the point of renegotiating the agreement. Be aware of "elective" auditing, and budget for any offshore trips.
Find out whether your service provider has engaged an independent audit firm to provide an SAS 70 Type II report, and review it prior to going to the auditors. Make sure it's a Type II report, not Type I, and it's sufficient to rely on when your CEO and CFO are certifying their Section 404 reports.