Third-party outsourcing of business functions, and its effective oversight, is a mainstay of the risk register of any company that is at least medium-sized, usually under the Corporate Governance banner. If it is in the risk register, then it will also be in the internal audit team’s IA Universe.
Depending on the risk assessment, Governance and Outsourcing will form part of a risk-based internal audit plan as a separate topic, or even as part of each topic audit in the IA Plan. For example, the outsourcing of Payroll could form part of an HR audit.
What is Outsourcing?
Outsourcing can be defined as an arrangement between a company and a service provider, by which the service provider performs a process, service or activity which would otherwise be performed by the company itself. Common outsourcing arrangements are for investment of assets or portfolio management, payroll processing, claims handling, internal audit, the provision of on-going, day-to-day systems maintenance or support and the provision of data storage.
FCA
The Regulator explains the implications for operational resilience for firms using outsourcing and other third-party service providers, and what it expects from them.
https://www.fca.org.uk/firms/outsourcing-and-operational-resilience
From the FCA, there is also ‘SYSC 8.1 General outsourcing requirements’ at https://www.handbook.fca.org.uk/handbook/SYSC/8/1.html.
Lloyd’s Minimum Standards
Lloyd’s Minimum Standards are statements of business conduct which Lloyd’s Managing Agents are expected to comply with to operate at Lloyd’s. LMS can be aligned with the internal control environment and incorporated into an internal audit program. LMS is also a useful tool for company market insurers, and their internal auditors, given its comprehensive reach and contemporaneous character (the current LMS were all updated in January 2021). In summary for the Outsourcing topic, guidance is found at ‘MS4 – Governance and Section 5: Outsourcing’.
The LMS can be viewed in full at https://www.lloyds.com/conducting-business/requirements-and-standards/minimum-standards/.
Managing agents remain fully responsible for meeting all of their obligations when they outsource functions or any insurance or reinsurance activities. Outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:
• materially impairing the quality of the system of governance of the managing agent;
• unduly increasing the operational risk;
• impairing the ability of Lloyd’s to monitor the compliance of the managing agent with its obligations; and
• undermining continuous and satisfactory service to policyholders.
Managing agents shall ensure that the service provider(s) have:
• adequate risk management and internal control systems;
• the necessary financial resources to perform the outsourced tasks;
• sufficiently qualified and reliable staff involved in providing the outsourced functions or activities; and
• adequate contingency plans to deal with emergency situations or business disruptions and periodical testing of back up facilities where necessary.
Key elements of effective Outsourcing management are:
Outsourcing policy
Any managing agent which outsources or proposes to outsource functions or any insurance or reinsurance activity to a service provider shall establish a written outsourcing policy. The outsourcing policy shall take into account:
• the impact of outsourcing on the business; and
• the reporting and monitoring arrangements to be implemented in cases of outsourcing.
Outsource provider selection
When choosing a service provider for any critical or important operational functions or activities, the Board shall ensure that it meets the requirements set out in Solvency II Level 2 Article 274 paragraph 3. Where the managing agent and the outsource provider are members of the same group the managing agent shall, when outsourcing critical or important operational functions or activities, also take into account the extent to which it controls the service provider or has the ability to influence its actions.
Outsourcing agreements
Managing agents shall ensure that the terms and conditions of the outsourcing agreement are consistent with the managing agent’s obligations under the Solvency II Framework Directive. The written outsourcing agreement to be concluded between the managing agent and the service provider shall clearly state the requirements set out in Solvency II Level 2 Article 274 paragraph 4.
Chartered Institute of Internal Auditors (CIIA)
The Institute of Internal Auditors (IIA) Standards and other best practice advise internal audit to include governance processes in its scope. Therefore, in order to provide assurance that the organisation can meet its objectives, internal audit should consider including an audit of corporate governance in its risk-based plan. Corporate governance should be included in the audit universe and audits should be planned in accordance with the organisation’s risk-based planning methodology.
When assessing corporate governance in an organisation, the IIA advises that it may be appropriate to undertake a specific review of corporate governance, organisation reviews of specific subject areas and/or incorporate aspects of corporate governance into other reviews which form part of the audit plan.
The CIIA has published very useful guidance ‘Outsourcing and the role of Internal Audit’. In summary, outsourcing the service does not outsource the risk and the CIIA highlights a number of risks which exist for the commissioning organisation including:
• Poor visibility of individual contract performance.
• Lack of contract management skills.
• Poor relationship and interaction with contractor.
• Inconsistent approach to day-to-day contract management.
• Third party provider ethical/cultural issues.
• Unclear roles and responsibilities within contract management team.
Internal audit has a key role to play:
• Strategic intent and feasibility: A key area is to provide assurance that managers are using the recognised process to complete a feasibility study to show that there is a clear business case aligned to the strategic objectives of the organisation.
• Implementation and management: Internal audit can review the supplier selection process and assess whether the organisation has adequate and effective policies and procedures for tendering.
• Contract management arrangements: Internal audit can examine the performance management arrangements in place when a contract is in flight.
Institute of Chartered Accountants in England & Wales (ICAEW)
Further useful guidance comes from the ICAEW at https://www.icaew.com/technical/business-and-management/strategy-risk-and-innovation/strategy/icaew-guide-to-outsourcing with an opening summary and caveat “Transferring back office activities to a third-party provider can help you cut costs and improve the efficiency of your business, but the decision to outsource needs careful consideration to ensure that the potential savings are not outweighed by hidden costs”.
Control environment
Risk & Control Matrix – Extract. An example is shown at ‘Risk & Control Matrix – Board – Outsourcing’.