
Pamantasan ng Lungsod ng Pasig
College of Business and Accountancy
Alkade Jose St., Kapasigan, Pasig City

Audit of
Business Process Outsourcing
(BPO) Industry

Group 1
Leader:
Francisco, James Cayle
Members:
Campo, Micheriel
Echaque, Shyrell Anne
Estioco, Chadi Tol
Flores, Ruby Rose

Auditing and Assurance: Specialized Industries
BSA-3A
Submitted to:
Prof. Amor B. Sande

March 2021
AUDIT OF BPO INDUSTRY
INTRODUCTION
Business process outsourcing (BPO) is the transfer of a company’s non-core
activities to a third party that uses information technology to deliver the service.
It involves handing over the management and/or day-to-day execution of an entire
business function or process to an external service provider.
Information and communication technology (ICT) innovation, together with
increasingly fragmented production processes, has encouraged the outsourcing of
labor-intensive services to countries such as the Philippines, which is now a
leading BPO destination. The sector’s economic influence in the country has tripled
in the last ten years. BPO growth in the Philippines is driven by several factors,
chief among them low labor costs; a highly skilled and educated workforce; a
workforce with widespread command of relatively neutrally accented English;
competitive infrastructure; and government tax incentives. The sector currently
employs 1.3 million workers in the Philippines and, if recent employment trends
continue, is likely to remain an important source of job creation. BPO is expected
to expand rapidly in the coming years, further strengthening the country’s
participation in global supply chains (GSCs).
This paper is intended as a technical guide to assist auditors in carrying out
audits of entities operating in the Business Process Outsourcing (BPO) sector.

TYPES OF BPO

Figure 1. Types of BPO


BPO arrangements can be categorized by where the service provider is located
relative to the client. As Figure 1 shows, outsourcing may be onshore, nearshore,
or offshore:

 Onshore outsourcing - The organization hires a service provider located in the
same country. For example, a company in Seattle, Washington, could use an onshore
vendor located in Seattle or in Huntsville, Alabama.
 Nearshore outsourcing - The organization hires a service provider in a
neighboring country. For example, for a United States company, a BPO in Mexico is a
nearshore vendor.
 Offshore outsourcing - The organization hires a service provider in a distant
country, typically overseas. This is also called offshoring. For example, a U.S.
company may use an offshore BPO vendor in the Philippines.

Organizations contract with BPO vendors for two main areas: back office and front
office. BPOs can combine these services so that they work together rather than
independently.

 Back-office services - internal business processes, such as billing or
purchasing.
 Front-office services - processes that face the contracting company’s
customers, such as marketing and tech support.

The BPO industry is also composed of seven sub-sectors, namely, knowledge
process outsourcing and back offices, animation, call centers, software development,
game development, engineering design, and medical transcription.

Figure 2. Sub-sectors of BPO Industry (knowledge process outsourcing, medical
transcription, animation, call centers, engineering design, game development,
software development)


TYPICAL PROCESS IN A BPO INDUSTRY

Figure 3. Typical Process in a BPO Industry


STATUTORY LAWS APPLICABLE TO BPO INDUSTRY
INCENTIVE REGIMES FOR BPOs
The Philippines has various incentive programs to encourage foreign companies
to establish their businesses in the country. Currently there are three principal
incentive regimes: those established under the Omnibus Investments Code (OIC), the
Special Economic Zone Act of 1995 (PEZA Law), and the Cagayan Special Economic
Zone Act of 1995 (CEZA Law).
1. Omnibus Investments Code (OIC)
The OIC was passed in 1987 to encourage investments in desirable areas
of activities and to provide a cohesive and consolidated investment incentives
law. The Board of Investments (BOI) was created to regulate and promote
investments in priority activities as defined in the annually prepared Investment
Priorities Plan (IPP).
In recent years, BPO activities have been regularly included among the
preferred areas of investment under the IPP. To avail of the incentives under
the OIC, a company must be registered with the BOI. There is a nationality
requirement for certain types of registration.
BOI-registered enterprises may avail of several fiscal incentives subject to
the fulfillment of certain conditions. The most notable incentives are:

 Income Tax Holiday - BOI-registered enterprises shall be fully exempt
from income taxes levied by the national government in the following
instances:
a) new pioneer projects for a period of six years from commercial
operation;
b) new non-pioneer projects for a period of four years from
commercial operation;
c) expansion projects for a period of three years from commercial
operation; and
d) new or expansion projects in less developed areas for six
years.
Subject to guidelines as may be prescribed by the BOI, the income tax
exemption may be extended for another year. However, in no case shall a
registered pioneer firm avail of this incentive for a period exceeding
eight years.
 Additional Deductions for Labor Expense - For the first five years
from registration, a BOI-registered enterprise shall be allowed an
additional deduction from the taxable income of 50% of the wages of
additional workers in the direct labor force if the project meets the
prescribed ratio of capital equipment to number of workers set by the
BOI.
 Exemption from Import Duties and Taxes
 Zero-Rate Value-Added Tax (VAT) - A BOI-registered enterprise,
which qualifies as an export enterprise, is entitled to zero-rate VAT on
its sales.

2. Special Economic Zone Act of 1995 (PEZA Law)
The PEZA law was passed in 1995 to encourage economic growth through the
establishment of economic zones or “ecozones” that are treated as separate
customs territory with minimal government intervention. These ecozones are
managed and operated by the Philippine Economic Zone Authority (PEZA).
Similar to the OIC, not all business activities may register with PEZA.
Registrable activities are limited to priority areas of investment. Further,
registration procedures differ for each particular type of activity to be
registered.
PEZA-registered entities enjoy numerous fiscal incentives. Incentives
which may be applicable are as follows:

 Income Tax Holiday - A PEZA-registered BPO enjoys the same ITH
incentive as a BOI-registered outsourcing company.
 Special Income Tax Rate of 5% - Upon expiry of the ITH period, a
PEZA-registered entity may avail itself of a special tax rate of 5% of its
gross income in lieu of all other national and local taxes.
 Exemption from National and Local Taxes and Licenses - A PEZA-
registered entity shall be exempt from payment of all national internal
revenue taxes and all local taxes and fees. In lieu thereof, it shall pay a
special 5% final tax on gross income.
 Zero-Rate Value-Added Tax (VAT) - Sales to PEZA-registered entities
are deemed export sales; hence, such enjoy a preferential VAT rate of
zero percent (0%).
 Deduction for Organization and Pre-Operating Expenses
 Tax and Duty-Free Importation of Materials, Capital Equipment,
Machineries and Spare Parts
 Additional Deductions from Taxable Income - Similar to a BOI-
registered enterprise, a PEZA-registered BPO can avail of the 50%
additional deduction for labor expense. In addition, it may also claim an
additional deduction for its training expenses.
3. Cagayan Special Economic Zone Act of 1995 (CEZA Law)
The CEZA law established the Cagayan Special Economic Zone and
aimed to effectively encourage and attract legitimate and productive foreign
investments. It also created the Cagayan Special Economic Zone Authority
(CEZA) which manages and operates the zone.
Business establishments registered with CEZA and operating within the
zone shall be entitled to the existing fiscal incentives as provided under
Presidential Decree No. 66, the law creating the Export Processing Zone
Authority (EPZA Law) or those provided under the OIC. Thus, incentives
applicable to BPOs are as follows:

 Income Tax Holiday - CEZA-registered enterprises are entitled to a four-
to six-year ITH provided they belong to qualified industries.
 Special Income Tax Rate of 5%
 Other applicable incentives under EPZA Law and OIC, such as:
a) tax treatment of merchandise in the Zone;
b) tax and duty-free importation of articles, raw materials, and capital
goods;
c) exemption from local taxes and licenses;
d) additional deduction for labor expense;
e) additional deduction for labor training expenses; and
f) deduction for organization and pre-operating expenses.

THE AUDIT ON BPO INDUSTRY

THE NEED FOR AN AUDIT
Considering the nature of the BPO industry and the pace at which it has grown
over the past decade, the need for proper controls cannot be overemphasized. With
the increasing number of frauds in the software field, and given the sector’s
vulnerability to unauthorized modification of data, audit becomes significant.
Internal audit helps in verifying that the controls in place within the entity are
sufficient and effective in the light of the overall business. It also helps in
assessing the risks faced by the entity and provides a method for managing them.
Internal controls and risk management are extremely important activities in an
entity operating in the BPO industry.
Figure 4. Audit Process on BPO Industry

MAJOR AREAS OF AUDIT SIGNIFICANT ON A BPO INDUSTRY
Audit procedures that apply to any industry also apply to an entity operating in
the BPO Industry. In this technical guide, internal audit procedures pertaining to BPO
Industry have been specified. These audit procedures are an illustrative list which can
be performed in addition to the regular internal audit procedures performed by an
internal auditor.

INVOICING
BPOs generally follow the billing methods described below, and the method is
built into the contract with the client. It is therefore important that the internal
auditor studies each client contract carefully. In general, most BPOs bill the client
for services rendered at the end of the month. As part of the internal audit process,
the internal auditor should understand the billing cycle for each client and the
process the entity follows to ensure proper cut-off on a periodic basis. This section
is only intended to give an idea of the various billing methods and is not
exhaustive; a BPO may use complex billing methods or a combination of methods.
A few common types of billing include:

 Per Call - Voice-based support service providers generally bill on this
basis. Billing can be based on the number of calls attended or on the average
time per call.
 Per Transaction - This type of billing is used for data entry, insurance,
medical processing, etc., where the base is the number of transactions handled.
There may be requirements as to the minimum number of transactions to be
handled, the quality of work performed and the nature of work handled; the cost
per transaction varies with these factors.
 Per Time - Billing is for the number of minutes, hours or days for which the
entity has provided service to the client. In general, the client places a number
of ceiling caps to ensure good performance and to prevent intentional excessive
billing. Moreover, there are a number of service criteria stipulated in the
Service Level Agreement (SLA) that need to be met; if they are not completely
met, penalties are charged to the entity.
 Full Time Equivalent - Where the entity provides services in the nature of
research, billing is on the basis of Full Time Equivalent (FTE). The entity bills
the client for every person employed, along with the costs incurred by that
person, at a flat charge mutually agreed between the parties on a periodic basis.
Some entities also provide onsite services to their clients; such services are
generally billed on this model too.
 Cost plus Basis - In the case of a Captive Service Provider or Wholly Owned
Subsidiary, a mark-up is agreed between the holding company and its subsidiary,
and billing is done at cost plus mark-up. Clients usually reimburse additional
costs incurred by the BPO, such as recreation or gifts for employees working on
their project, bonus incentives paid to motivate those employees, or leased line
charges. These are either specifically communicated or mutually accepted at the
time of entering into the contract.
Certain contracts may contain an embedded derivative, for example a clause under
which the client agrees to bear the loss arising from a sharp appreciation of the
foreign currency, provided the exchange rate moves beyond an agreed base rate.
The internal auditor needs to verify all these clauses as part of the internal
audit procedures. The internal auditor may also perform analytical procedures such
as computing the following:
a) Operational Margins Period-wise
The internal auditor may compute operational margins such as the gross
profit margin period by period and ascertain the variance between the
periods compared. For example, comparing the gross margin for February
with that of January, or with February of the preceding year, may reveal
large variances. The internal auditor is required to seek explanations
from management for such significant fluctuations and understand their
causes. This gives insight into the effectiveness of management in
operations, apart from providing assurance that there has been no fraud
during the period.
b) Significant Fluctuations in Revenue from a Contract
Most contracts in the BPO industry are of long tenure, say 2 to 3 years.
If revenue from a contract fluctuates significantly between periods, the
internal auditor needs to understand the reason. This provides deeper
insight into the risks faced by the entity and a deeper understanding of
the client’s business, apart from identifying irregularities.
c) Revenue per Employee Project-wise
The internal auditor can compute the revenue generated by a contract
during a period per employee and compare it with a different period.
This helps the internal auditor assess the change in revenue per
employee and the effectiveness of employees on a project over time.
d) Operating Costs to Revenue Ratio
The internal auditor can assess the ratio between operating costs and
revenue per project and, through comparison between different periods
and different projects, understand the project’s performance in relation
to other projects.
e) Revenue Earned per Hour (Project-wise)
The internal auditor can compute the revenue per project per person per
hour, especially in the case of time-based billing, and map it to the
total billed amount. This helps the internal auditor analyze the
effectiveness of controls related to the billing cycle.
f) Total Calls Handled to Total Calls Received, Calls Resolved to Calls
Handled
Ratios such as total calls handled to total calls received are
particularly applicable to a call center. Management generally has data
on the total calls received and total calls handled. The internal auditor
is required to ensure that the calls handled are not significantly low
compared with the calls received.
g) Project-wise Profitability and Budgeted Profit Margins Comparison
The project-wise profitability ratio helps the internal auditor verify
whether there is a significant fluctuation in profitability between
projects. In cases of significant fluctuation, the internal auditor needs
to verify whether the profitability ratio is in accordance with the
budgeted profitability ratio. Deviations should be noted and proper
explanations for them obtained.
h) Delays in Raising Invoices to Total Invoices
The frequency with which invoices are raised late helps the internal
auditor verify the internal controls over raising invoices. The reasons
for such delays may reveal inherent weaknesses in control.
i) Percentage of Errors and Rejections
The internal auditor can verify the quality of work performed by
measuring total errors and rejections against the total volume of work
handled. This helps the internal auditor assess legal and compliance
risk and the entity’s effectiveness in handling projects, apart from
giving a deeper understanding of management’s initiatives.
These ratios should be prepared and compared over a period of time. If they
are inconsistent over that period, proper explanations need to be obtained, which
helps the internal auditor assess the effectiveness, sufficiency and
appropriateness of controls and highlights the risk environment the business
operates in. It should also be verified whether the entity monitors such ratios on
a regular basis.
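The ratio analysis above is easy to automate once project-level billing data has been extracted from the billing system. The script below is an added example written for this guide; it is not code from the original paper or from any audit software. It computes the ratios listed in (a) to (i) for each project and period, flags any ratio that moves more than a chosen tolerance from the previous period, and compares actual gross margin against the budgeted margin. The field names, the two projects ALPHA and BETA, and all figures are assumptions constructed for the illustration.

```python
"""Analytical procedures over project-wise billing data (added example).

Not code from the original paper. Computes the ratios listed in (a)-(i)
for each project and period, flags period-to-period movements beyond a
tolerance, and compares actual gross margin with the budgeted margin.
All figures in RECORDS are constructed sample data, not real client data.
"""

# Constructed sample: two projects, two monthly periods each. Field names
# (revenue, direct_cost, ...) are assumptions for this illustration.
RECORDS = [
    {"project": "ALPHA", "period": "2021-01", "revenue": 100000, "direct_cost": 60000,
     "operating_cost": 25000, "employees": 50, "billed_hours": 8000,
     "calls_received": 20000, "calls_handled": 19000, "calls_resolved": 17000,
     "invoices": 10, "invoices_delayed": 1, "units": 50000, "errors": 500,
     "budget_margin": 0.40},
    {"project": "ALPHA", "period": "2021-02", "revenue": 98000, "direct_cost": 59000,
     "operating_cost": 24000, "employees": 50, "billed_hours": 7900,
     "calls_received": 21000, "calls_handled": 19900, "calls_resolved": 18000,
     "invoices": 10, "invoices_delayed": 1, "units": 51000, "errors": 480,
     "budget_margin": 0.40},
    {"project": "BETA", "period": "2021-01", "revenue": 80000, "direct_cost": 50000,
     "operating_cost": 20000, "employees": 40, "billed_hours": 6400,
     "calls_received": 15000, "calls_handled": 14500, "calls_resolved": 13000,
     "invoices": 8, "invoices_delayed": 0, "units": 40000, "errors": 300,
     "budget_margin": 0.35},
    # BETA's February: revenue up 50% on the same hours, fewer calls handled,
    # more errors and late invoices. This is the kind of month the auditor
    # must ask management to explain.
    {"project": "BETA", "period": "2021-02", "revenue": 120000, "direct_cost": 50000,
     "operating_cost": 21000, "employees": 40, "billed_hours": 6500,
     "calls_received": 15500, "calls_handled": 11000, "calls_resolved": 10500,
     "invoices": 8, "invoices_delayed": 4, "units": 40500, "errors": 1200,
     "budget_margin": 0.35},
]


def compute_ratios(r):
    """Ratios (a), (c), (d), (e), (f), (h), (i) for one project-period record."""
    rev = r["revenue"]
    return {
        "gross_margin": (rev - r["direct_cost"]) / rev,                    # (a)
        "revenue_per_employee": rev / r["employees"],                       # (c)
        "opex_to_revenue": r["operating_cost"] / rev,                       # (d)
        "revenue_per_hour": rev / r["billed_hours"],                        # (e)
        "calls_handled_ratio": r["calls_handled"] / r["calls_received"],    # (f)
        "calls_resolved_ratio": r["calls_resolved"] / r["calls_handled"],   # (f)
        "delayed_invoice_ratio": r["invoices_delayed"] / r["invoices"],     # (h)
        "error_rate": r["errors"] / r["units"],                             # (i)
    }


def flag_fluctuations(records, tolerance=0.20):
    """Compare each project's ratios with its previous period and return
    (project, period, ratio, previous, current, relative_change) for every
    ratio that moved by more than `tolerance` (0.20 = 20%). A ratio that
    moves off zero is reported as an infinite change."""
    flags = []
    previous = {}  # project -> ratios of the last period seen
    for r in sorted(records, key=lambda x: (x["project"], x["period"])):
        current = compute_ratios(r)
        if r["project"] in previous:
            for name, value in current.items():
                base = previous[r["project"]][name]
                if base == 0:
                    change = float("inf") if value != 0 else 0.0
                else:
                    change = (value - base) / abs(base)
                if abs(change) > tolerance:
                    flags.append((r["project"], r["period"], name, base, value, change))
        previous[r["project"]] = current
    return flags


def budget_variances(records, tolerance=0.05):
    """Procedure (g): actual gross margin against budgeted margin. Returns
    (project, period, budget, actual, difference) where the gap exceeds
    `tolerance` margin points."""
    out = []
    for r in records:
        actual = compute_ratios(r)["gross_margin"]
        diff = actual - r["budget_margin"]
        if abs(diff) > tolerance:
            out.append((r["project"], r["period"], r["budget_margin"],
                        round(actual, 4), round(diff, 4)))
    return out


if __name__ == "__main__":
    for project, period, name, base, value, change in flag_fluctuations(RECORDS):
        print(f"{project} {period}: {name} {base:.4f} -> {value:.4f} ({change:+.0%})")
    for project, period, budget, actual, diff in budget_variances(RECORDS):
        print(f"{project} {period}: margin {actual:.2%} vs budget {budget:.2%} ({diff:+.2%})")
```

On the sample data ALPHA produces no flags, while BETA's February trips seven of the eight ratios and the budget comparison; the tolerance is a starting point that the auditor should set per ratio based on the entity's history, and every flag is a question for management, not a finding in itself.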

SLA ADHERENCE
The entity needs to ensure compliance with the Service Level Agreement (SLA),
Statement of Work (SOW) or Purchase Order (PO), as the case may be, for the service
levels specified in the agreement. The service level may relate to the minimum level
of service, maximum billable time per transaction, maximum permissible errors,
percentage of unsolved or unanswered queries, etc.
Compliance with the SLA is extremely important for the entity in ensuring that
the quality of work performed is in accordance with the agreement. If the entity is
unable to meet its SLA, it is important that it works towards compliance through
employee incentives, training and other methods. SLA compliance gains further
importance because it helps in brand building and client satisfaction.
For example, if the SLA requires an agent to resolve 40 queries in a week, the
internal auditor can verify whether the agent is meeting that level of service.
The internal auditor can also verify management’s procedures for quality checks
and controls. These may be carried out by external consultants or by the internal
quality assurance team. An effectively defined quality assurance framework is a
prerequisite, but it should not be confused with a fail-safe and comprehensive
solution: implementation still matters, and if it is not carried out properly,
delivering quality assurance will always pose a big challenge for outsourcing
service providers.
A step-by-step procedure that outsourcing service providers can use to ensure
the quality of service deliverables is given below:
(i) Test the viability of service deliverables
(ii) Tweak the processes, if required
(iii) Deploy quality management systems
(iv) Track project progress and provide feedback

The internal auditor can verify SLA compliance on a month-to-month basis and
verify whether the entity’s internal service level targets are set sufficiently above
those prescribed by the client, so as to ensure compliance with the terms of the
agreement and continuity of service.

PAYROLL
The highest cost for any entity operating in the BPO industry is payroll, so the
importance of proper controls for processing payroll cannot be overemphasized. The
entity needs to maintain adequate records, documents, policies and processes for all
aspects of payroll.
Most BPO companies process payroll for the month based on records of a
different period. For example, when payroll for December is processed, the leave and
performance records for the period 21 November to 20 December are considered. The
main reason for such processing is to ensure disbursement of payroll by the
specified day of the month.
The internal auditor needs to ensure that proper, adequate and appropriate cut-off
procedures are in place so that salary is correctly computed and disbursed to
employees. The procedures for computing the amounts to be deducted under various
heads also need to be verified against organizational policies and procedures. The
internal auditor needs to verify the policies and procedures and compliance with
them on a sample basis.
Computation of incentives is a complex area in any BPO entity because of the
variety of schemes offered to employees. The entity generally provides incentives
according to the nature of the job, the level of the employee, the client for whom
the employee provides service and the offer letter given to the employee. Compliance
with the various regulations is also a tedious job considering the volume of work;
the entity generally has protocols for ensuring such compliance.
Certain entities operating in the BPO industry give employees an opportunity to
take ownership in the company through the issue of stock. This could be in the
nature of any one of the following:
 Stock Awards;
 Employee Stock Option Plan;
 Employee Stock Purchase Plan.
Through the internal audit procedures the auditor is required to find out whether
any fictitious employees are on the organization’s payroll. The procedures performed
could take the form of inquiries and discussions with management, verification of
employee records, verification of bank records to test disbursement, etc.
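One way to perform the fictitious-employee and disbursement checks just described is to reconcile the payroll register against the HR master, the bank disbursement file and the attendance records for the cut-off window. The script below is an added example written for this guide; it is not code from the original paper or from any payroll system. The employee IDs, account numbers, amounts and attendance counts are constructed sample data, and the field names and the cut-off start date passed as `period_start` are assumptions.

```python
"""Payroll reconciliation for ghost employees and diverted pay (added example).

Not code from the original paper. Cross-checks the payroll register
against the HR master, the bank disbursement file and attendance for the
cut-off window (here 21 November to 20 December, as in the text). All
records below are constructed sample data with assumed field names.
"""
from collections import defaultdict
from datetime import date

HR_MASTER = [
    {"emp_id": "E001", "name": "Alice", "terminated": None, "account": "PH-1001"},
    {"emp_id": "E002", "name": "Bob", "terminated": None, "account": "PH-1002"},
    {"emp_id": "E003", "name": "Carol", "terminated": date(2021, 11, 10), "account": "PH-1003"},
    {"emp_id": "E004", "name": "Dan", "terminated": None, "account": "PH-1004"},
]

# December payroll register as produced by the payroll system.
PAYROLL_DEC = [
    {"emp_id": "E001", "net_pay": 20000, "account": "PH-1001"},
    {"emp_id": "E002", "net_pay": 21000, "account": "PH-1002"},
    {"emp_id": "E003", "net_pay": 19000, "account": "PH-1003"},  # left on 10 Nov
    {"emp_id": "E004", "net_pay": 22000, "account": "PH-1002"},  # paid into Bob's account
    {"emp_id": "E999", "net_pay": 18000, "account": "PH-9999"},  # not in HR master
]

# Bank disbursement file: one line per credited account.
BANK_FILE = [
    {"account": "PH-1001", "amount": 20000},
    {"account": "PH-1002", "amount": 43000},
    {"account": "PH-1003", "amount": 19000},
    {"account": "PH-9999", "amount": 18000},
    {"account": "PH-5555", "amount": 5000},   # no payroll line supports this credit
]

# Days present during the cut-off window 21 Nov - 20 Dec.
ATTENDANCE = {"E001": 20, "E002": 19, "E004": 0}


def reconcile_payroll(hr_master, payroll, bank_file, attendance, period_start):
    """Return a dict of findings. Each check mirrors one audit procedure:
    employee records (HR master), bank records (disbursement), and the
    cut-off window (attendance and termination dates)."""
    hr = {e["emp_id"]: e for e in hr_master}
    findings = {
        "not_in_hr_master": [],          # paid but unknown to HR: fictitious employee
        "terminated_before_period": [],  # paid after leaving: ghost employee
        "account_mismatch": [],          # payroll account differs from HR master
        "shared_bank_account": [],       # one account receiving several salaries
        "no_attendance": [],             # paid with zero days present in the window
        "unmatched_disbursements": [],   # bank credits not explained by payroll
    }
    by_account = defaultdict(list)
    expected = defaultdict(int)  # account -> total net pay the register supports
    for p in payroll:
        by_account[p["account"]].append(p["emp_id"])
        expected[p["account"]] += p["net_pay"]
        emp = hr.get(p["emp_id"])
        if emp is None:
            findings["not_in_hr_master"].append(p["emp_id"])
        else:
            if emp["terminated"] is not None and emp["terminated"] < period_start:
                findings["terminated_before_period"].append(p["emp_id"])
            if emp["account"] != p["account"]:
                findings["account_mismatch"].append(p["emp_id"])
        if attendance.get(p["emp_id"], 0) == 0:
            findings["no_attendance"].append(p["emp_id"])
    for account, ids in by_account.items():
        if len(ids) > 1:
            findings["shared_bank_account"].append((account, sorted(ids)))
    for d in bank_file:
        # .get() does not create a default entry, so unknown accounts compare as None
        if expected.get(d["account"]) != d["amount"]:
            findings["unmatched_disbursements"].append((d["account"], d["amount"]))
    findings["payroll_total"] = sum(p["net_pay"] for p in payroll)
    findings["bank_total"] = sum(d["amount"] for d in bank_file)
    return findings


def run_december_example():
    """Run the reconciliation over the constructed December data."""
    return reconcile_payroll(HR_MASTER, PAYROLL_DEC, BANK_FILE, ATTENDANCE,
                             date(2021, 11, 21))


if __name__ == "__main__":
    for check, hits in run_december_example().items():
        print(f"{check}: {hits}")
```

Each list in the result is a population for follow-up rather than a conclusion: an employee with no attendance may be on approved leave, and a shared bank account may be a legitimate joint account, but both are exactly the items the auditor should trace to source documents before signing off the payroll run.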
A time sheet is a method of recording the amount of a worker’s time spent on
each job. The time sheet plays a very important role in estimating the cost incurred
for every project by the entity, and in some cases billing is based on the number of
hours an employee works on the project. Therefore, the internal auditor should verify
the entity’s effectiveness in recording and maintaining time sheets.
The auditor may also perform additional analytical procedures over a period of
time and compare them to ascertain any inconsistency, such as the following:
(i) Productive Hours Ratio
The productive hours ratio is a measure of the efficiency of the workforce
during a particular period: the ratio of the hours an employee works
effectively to the total hours worked. By analyzing this ratio, the internal
auditor can understand the motivation level of employees, the steps taken
by management to maintain efficiency and, to some extent, the trend of
attrition.
(ii) Manpower on Client Project to Total Manpower
The ratio of manpower per project to total manpower helps estimate the
importance of a project in terms of manpower requirement. If manpower
declines with no corresponding decline in revenue, the internal auditor
needs to investigate the anomaly.
(iii) Average Employee Cost per Head per Project
The average cost incurred per employee (including incentives, gifts and
entertainment costs incurred for the project) is computed by dividing the
total cost incurred on a project for a period by the average number of
employees during the period. The internal auditor may compare this
between periods, or with other projects where the services rendered are of
a similar nature.
(iv) Employee Turnover Ratio
The employee turnover ratio helps the internal auditor verify the attrition
rate and assess the entity’s effectiveness and the steps taken to prevent
attrition and retain key employees. If the employee turnover ratio is
higher than the industry’s, the internal auditor must obtain explanations
for the high turnover.
(v) Revenue Generated by an Employee against Incentive Paid
Incentives are generally paid to an employee based on performance. By
comparing the revenue earned through an employee with the incentive
paid, the internal auditor can check compliance with the incentive schemes
in place within the organization.
(vi) Reconciliation with Respect to Changes in the Number of Employees
The internal auditor can assess the movement in employees from one
month to the next by tracing additions and deletions due to hiring,
terminations, retirements, etc. in a month, grade by grade, and thereby
gain insight into management’s plans.

OPERATING COSTS
i. Lease Expenses
Lease expenses could be for leasing office buildings for work space, leasing
assets for official purposes, or accommodation provided to employees.
ii. Communication Expenses
These represent expenses in the nature of leased line charges and are
considered significant in comparison to other costs. BPOs generally have a
contingency plan in case of failure of the communication link.
iii. Recruitment and Training Expenses
These expenses are also high, considering the industry’s high attrition and
turnover ratio and its growth over the past few years. Most entities have
contracts with HR consultants and reputed trainers to ensure that the costs
are controlled.
iv. Sub-contracting Expenses
Some BPOs sub-contract a part of their operations to an external party. This
can be done only if agreed to by the parties to the client contract.
v. Logistics
Considering the labor-intensive nature of the BPO industry and the odd
working hours, logistics plays an extremely important role in the entity.
Most employees use the transport provided by the entity to commute to the
workplace. Given the significance of this department, entities usually
contract with logistics providers in order to limit their liability and have
the service managed professionally. The entity must maintain sufficient
controls over proper usage of vehicles.
The auditor should verify the systems, processes, controls and procedures built
into the system to enable smooth and proper movement of employees to and from
the workplace. There should also be proper controls to ensure that logistics are used
for business purposes only. The internal auditor can perform various procedures
such as cross-checking logistics records with attendance registers, verifying in-time
and out-time records against logistics records, computing cost per employee
transported, etc.
The auditor is also required to verify the procedures and controls for capturing
specific expenses with regard to their sufficiency, appropriateness and efficiency.
Moreover, the internal auditor needs to ensure that common expenses are allocated
across undertakings on a justifiable basis. The internal auditor may also perform
additional analytical procedures over a period of time and compare them to
ascertain any inconsistency, such as the following:
i. Total Fixed Cost
A significant increase in total fixed cost signals expansion activity. In
such cases, the internal auditor needs to verify the sufficiency of controls
with respect to the growing entity.
ii. Operating Cost to Revenue (Undertaking-wise)
An entity may operate in varied legal environments, each posing different
challenges. The internal auditor can compare the operating cost of a
particular undertaking (i.e., labor, communication, lease and all other
variable expenses attributable to it) to the revenue it generates. This
provides a basis for evaluating the cost effectiveness of operating each
undertaking.
iii. Variable Cost per Man Hour per Undertaking
Variable cost per man hour is computed by dividing the total variable cost
incurred in an undertaking by the man hours for the same period.
Comparing this across periods shows whether there has been a significant
increase or decrease in the expense, and the reasons can then be
identified.
iv. Penalty Costs to Total Cost
The internal auditor can estimate the significance of penalty costs in
relation to total cost through this ratio. Any penalty or non-compliance
must be viewed seriously by the internal auditor.
v. Interest Cost to Loans
Interest cost to loans provides a basis for estimating the average cost of
borrowed funds in the entity. The internal auditor can estimate the average
cost of borrowing and compare it with prevailing rates to verify whether the
interest paid is significantly high.

FIXED ASSETS
For the BPO Industry, in general, the fixed assets such as, servers, computers,
laptops, EPABX and alike may be that of the entity’s or provided by the client. This is
so, to prevent theft of confidential information of the client which may be subject to
Intellectual Property Rights. It might also include software provided by the client on
which the entity might be working or owned by the entity itself.
The internal auditor may also perform additional analytical procedures over a
period of time and compare them for ascertaining any inconsistency such as following:
(i) Total laptops and desktops to on-field employees
For employees providing on-site services, the internal auditor can verify the
employees on-site and the laptops provided to them (grade-wise). This
would help the internal auditor to verify the controls in laptops given to the
employees.

(ii) Total EPABX to number of on-field employees


Total EPABX to on-field employees provides a ratio between the employees
and the EPABX installed. This would help the internal auditor to verify the
control in laptops given to the employees.

(iii)Asset utilization ratio


Asset utilization ratio is the ratio of total revenue to the total assets. It helps
the internal auditor to assess the effectiveness of assets with respect to the
revenue generated by the entity. The greater the asset utilization ratio, the
higher the efficiency of operations of the entity.
If the internal auditor is also required to perform fixed asset verification
procedures as part of the scope of the work, the auditor can refer to the Guidance
Note on Audit of Fixed Assets. Audit techniques the internal auditor can use to verify
assets include verifying laptops at the time they log on to the server or network
(monitored through special software), verifying software licenses and their validity,
comparing the number of licenses against the number of computer systems used for a
specific purpose, and so on.
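The logon-time laptop check, the license validity check and the license-count comparison described above can be combined into one reconciliation of the asset register against network logon records and the software inventory. The script below is an added example written for this guide; it is not code from the original paper or from any asset management product. The hostnames, the log line format (`timestamp host=... user=...`), the product names and the license seat counts are all constructed for the illustration.

```python
"""Fixed asset and software license reconciliation (added example).

Not code from the original paper. Parses constructed network logon lines,
matches them against the asset register and checks installed software
against license entitlements as at a given date. Hostnames, log format,
products and seat counts are all assumptions for this illustration.
"""
import re
from collections import Counter
from datetime import date

# Asset register: hostname -> (asset type, assigned employee).
ASSET_REGISTER = {
    "LAP-0101": ("laptop", "alice"),
    "LAP-0102": ("laptop", "bob"),
    "LAP-0103": ("laptop", "carol"),   # never seen on the network in the period
    "DESK-0201": ("desktop", "pool"),
}

# Constructed logon records in the assumed "timestamp host=... user=..." format.
LOGON_LOG = """\
2021-03-01T08:02:11 host=LAP-0101 user=alice
2021-03-01T08:05:47 host=LAP-0102 user=bob
2021-03-01T08:06:02 host=LAP-0999 user=mallory
this line is malformed and must be skipped
2021-03-02T07:58:30 host=DESK-0201 user=dan
"""

# Software inventory collected from each machine at logon (constructed).
INSTALLED_SOFTWARE = {
    "LAP-0101": ["OfficeSuite", "MedTranscribe"],
    "LAP-0102": ["OfficeSuite", "MedTranscribe"],
    "LAP-0103": ["OfficeSuite"],
    "LAP-0999": ["MedTranscribe"],
    "DESK-0201": ["OfficeSuite"],
}

# License entitlements: product -> (seats purchased, expiry date).
LICENSES = {
    "OfficeSuite": (5, date(2021, 12, 31)),
    "MedTranscribe": (2, date(2021, 2, 28)),
}

LOGON_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+)$")


def parse_logon_log(text):
    """Return (timestamp, host, user) tuples; lines that do not match the
    expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("host"), m.group("user")))
    return events


def audit_assets(register, logons, installed, licenses, as_of):
    """Reconcile register, logons and software inventory; return findings."""
    seen_hosts = {host for _, host, _ in logons}
    findings = {
        # Devices on the network that nobody recorded: unmanaged or rogue.
        "unregistered_hosts": sorted(seen_hosts - set(register)),
        # Registered machines that never logged on: idle, lost or stolen.
        "registered_without_logon": sorted(set(register) - seen_hosts),
        "over_deployed": [],     # (product, installed count, licensed seats)
        "expired_licenses": [],  # products still installed after expiry
    }
    installs = Counter(p for products in installed.values() for p in products)
    for product, (seats, expiry) in sorted(licenses.items()):
        if installs[product] > seats:
            findings["over_deployed"].append((product, installs[product], seats))
        if expiry < as_of:
            findings["expired_licenses"].append(product)
    return findings


def run_example():
    """Run the reconciliation over the constructed data as at 1 March 2021."""
    return audit_assets(ASSET_REGISTER, parse_logon_log(LOGON_LOG),
                        INSTALLED_SOFTWARE, LICENSES, date(2021, 3, 1))


if __name__ == "__main__":
    for check, hits in run_example().items():
        print(f"{check}: {hits}")
```

An unregistered host on the network is a security finding as much as an asset-control finding, since client data may be processed on a machine the entity does not manage; a registered laptop with no logons in the period should be physically located before the fixed asset register is accepted.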
RELATED PARTY TRANSACTIONS
Many BPOs have significant related party transactions. Certain BPOs are captive
service providers incorporated to provide services to their holding company. Hence,
sufficient controls should exist within the organization to ensure that all
transactions with related parties are identifiable and monitored. These transactions
could be the services provided by the entity to its holding company, or other
transactions not related to operations that occur on a routine basis, such as
deputation of manpower, payment of dividends, and reimbursement of costs incurred
on behalf of the holding company. The internal auditor is also required to verify the
transfer pricing implications faced by the entity, with regard to the controls and
processes in the entity for ensuring proper estimation of the arm’s length price.
Arm’s length price means a price which is applied, or proposed to be applied, in a
transaction between persons other than associated enterprises, in uncontrolled
conditions.

DATA SECURITY
Data security is a major problem in the BPO industry. The various sources of
danger to data can take the following forms:
(a) Natural Calamity
Fire, flood, earthquake and falling elephants can cause damage to hardware,
including servers, computers and other physical storage devices.

(b) Theft of Data
Data theft is a growing problem, primarily perpetrated by office workers with
access to technology such as desktop computers and hand-held devices
capable of storing digital information, such as flash drives, iPods and even
digital cameras. Since employees often spend a considerable amount of time
developing contacts and confidential and copyrighted information for the
company they work for, they often feel they have some right to the
information and are inclined to copy and/or delete part of it when they leave
the company, or to misuse it while they are still in employment.
While most organizations have implemented firewalls and intrusion
detection systems, very few take into account the threat from the average
employee who copies proprietary data for personal gain or for use by another
company. A common scenario is a sales person making a copy of the
contact database for use in their next job. Typically, this is a clear violation of
their terms of employment.
(c) System Crash
A system crash is a condition where a program (either an application or part
of the operating system) stops performing its expected function and also
stops responding to other parts of the system. Often the offending program
may simply appear to freeze. If this program is a critical part of the operating
system kernel, the entire computer may crash.

(d) Computer Fraud
Computer fraud covers a variety of activities that are harmful to people.
Computer fraud is using the computer in some way to commit dishonesty by
obtaining an advantage or causing the loss of something of value. It can
take a number of forms, including program fraud, hacking, e-mail hoaxes,
auction and retail sales schemes, investment schemes and people falsely
claiming to be experts on subject areas.

(e) System Bugs
A bug is the common term used to describe an error, flaw, mistake, failure,
or fault in a computer program or system that produces an incorrect or
unexpected result, or causes it to behave in unintended ways. Most bugs
arise from mistakes and errors made by people in either a program's source
code or its design, and a few are caused by compilers producing incorrect
code.

(f) Power Failure, Accidental Deletion/ Modification
Power failure and accidental deletion/ modification of files are common
problems faced by many small entities due to a lack of sufficient
infrastructure and of training for employees.

(g) Hacking
Hacking could be in the form of:
• Passwords required to enter or change the PC's BIOS;
• Passwords required to enter a network;
• Passwords required to start the operating system;
• Passwords required to enter major software packages (e.g., payroll); or
• Encrypted (encoded) data files.

(h) Telecommunication Failure
Sometimes the telecommunication network might fail, which might result in
freezing of the flow of data to and from the computing system. During such
time, the entity might not be able to perform its operations.
(i) Virus Problem
A computer virus is a computer program that can copy itself and infect a
computer. A computer virus has two major characteristics: the ability to
replicate itself, and the ability to attach itself to another computer file.
Every file or program that becomes infected can also act as a virus itself,
allowing it to spread to other files and computers.

(j) Unknown Risks
There might be threats to data due to other reasons not included above. The
internal auditor must keep an eye on these too to ensure complete data
security.
The data of both the client and the entity needs protection. Severe
penalties might be imposed by the client on account of fraudulent activities by the
entity. The work area should not be reasonably accessible to an outsider without a
proper security check and prior authorization, to ensure the safety of data and to
prevent theft thereof. Conditions such as prohibition of the use of mobile phones,
personal laptops, cameras and pen-drives are enforced.
The internal auditor needs to verify the sufficiency of controls over data. He should
also obtain explanations for any loss/ damage of data during the reporting period,
along with the steps taken to prevent a recurrence. He should also verify whether the
relevant policies and procedures have been put in place.

RISKS FACED BY A BPO INDUSTRY
The internal auditor should make a risk assessment of the entity under audit.
This is extremely important for preventing any noncompliance or undesirable
event. Given below is a brief overview of the different risks faced by an entity
operating in the BPO industry. The internal auditor needs to verify whether sufficient
controls are available in the entity to detect such risks and prevent them from occurring,
in the light of the overall business environment.
The risks faced by a BPO industry are broadly classified as follows:
• Business risk
• Price risk
• Political risk
• Process risk
• Human capital risk
• Brand/ Reputation risk
• Systemic risk
• Accessibility risk, Business continuity, Security risks
• Technology risk
a. Business Risk
(i) A change in scope of services at the customer's request.
(ii) A change in the legal environment that imposes new conditions, costs or
restrictions upon the manner of providing the services, the means by which
the services are delivered to the enterprise customer, or the right of the
enterprise customer to purchase such services in its home country.
(iii) A change in the volume of the services being consumed, either an:
• Increase (requiring additional hiring and perhaps a change in business
process); or
• Decrease (resulting in sub-optimization of dedicated resources or
re-allocation of resources across multiple enterprise customers without any
decrease in SLA commitments).
(iv) An early termination that occurs before the service provider has recovered
the sunk costs of pursuing and capturing the contract opportunity and paid
the unpaid start-up and transition costs.
(v) There is a mergers and acquisitions risk that an enterprise or a service provider
might change owners. Enterprise managers need to adapt the sizing and
pricing of their outsourcing transactions to include possible mergers,
acquisitions, divestitures and restructuring activity within the term of the
outsourcing agreement. Service providers need to provide assurances that a
change of control, such as in a merger or restructuring, will not impair the
competitive position of the enterprise customers. Accordingly, "M & A risk"
should be identified by both parties in order to evaluate and negotiate
appropriate contract provisions to manage and mitigate the impact of major
changes in ownership or capital structure.

b. Price Risk
Pricing risks arise as soon as the parties agree upon the service terms,
conditions and pricing. For the service provider, the “pricing risk” is that the
benchmarking process or other price adjustment will result in a loss or significant
reduction in profitability and an inability to recapture the investment made in
capturing and transitioning an enterprise customer to the outsourced business
process platform. The service provider can never stand still, though, since if it
fails to make ongoing investments in process improvement and cost
containment, upon the expiration of the contract, it will cease to be competitive
for new customers.
The art of outsourcing includes identifying and providing commercially
reasonable solutions for both parties. Commercial and financial transactions
contain pricing risks at many levels. The design of contracts to manage and
mitigate pricing risks is an art form. Multiple techniques are available, each with
its own limitations and additional risks.
c. Political Risk
Political risk represents the degree to which social and governmental
environments may change in the future. This risk may manifest itself in events
over which a government has no control, such as riots or new elections. Other
events may be caused by a government, such as an embargo on imports or
exports, increases in tariffs, or new prohibitions on transactions with specific
countries.
Political risk may arise from actions of the home government of the
enterprise. In international outsourcing transactions, political risks need special
attention due to the long-term nature of the relationship. There are a number of
techniques that can mitigate, but not eliminate, such risks. Moreover, the entity is
affected by outsourcing policies of the country for which the entity provides
services. For example, if outsourcing is not encouraged by a country by imposing
additional tax or cut of tax sops, then, the Indian entities providing services for
clients in that country, may face a bottleneck for expansion of operations.
d. Process Risk
“Process risk” refers to the possibility that the processes used to deliver a
service might need to change dramatically during the term of a sourcing
arrangement. This can be favorable or unfavorable. Since processes will likely
change, the parties need to identify the significant processes that form the basis
of the bargain and that, if impacted by a change, could justify a renegotiation,
termination, repricing or expansion or contraction of the scope of service.
Process risk denotes the risk that the processes adopted by the service
provider will not fit the needs of the enterprise customer. This risk is somewhat
complex.
(a) There may be process risks during the transition period where the
service provider was not aware of important existing processes that
were underlying the general services in the outsourcing agreement.
(b) Process risk may also arise due to changes, over time, of the enterprise
customer’s needs and the “best practices” in the relevant business
process.
(c) Some processes may become illegal or subject to regulation, while
other processes may become technologically outdated.
(d) The duration of the contract might be so long that the parties do not
clearly understand the open nature of the commitments, promises and
emerging needs of each other.
Process risk can be managed by appropriate due diligence, contract
planning, negotiation, transitioning, integration management and relationship
governance. Legal planning techniques can also be used, particularly those
relating to termination for convenience and termination for failure to manage the
processes in an agreed fashion.
e. Human Capital Risk
Human capital risk arises from the risk that an enterprise’s investment in
human resources might lose value due to the departure of individuals or groups
necessary to the future success of the enterprise. Human capital has its greatest
value at the level of senior management, but as executives they can only achieve
the enterprise’s mission through others.
When choosing business models and solutions to the sourcing dilemma,
executives and managers need to evaluate the human capital risk and develop
plans for contingencies. Contingency planning should include the possibility of
morphing the current or future sourcing solutions into new models that involve
human capital. Thus, planning and implementing outsourcing requires careful
attention on human capital management during and after the term of any
outsourcing agreement.
f. Brand/Reputation Risk
Enterprise viability depends on maintaining the goodwill of the enterprise
brand. Damage to reputation might never be recovered, or might only be
recovered at great expense and distraction. Most outsourced business processes
are essential to the enterprise’s operations. Particularly in customer relationship
management and help desk support services, outsourcers may directly “touch”
the enterprise’s customer without disclosing the existence of the outsourcing
relationship. Reputational risk is especially significant in such customer-facing
“front office” services. However, even non-voice interactions with customers can
have the same impact on an enterprise’s goodwill.
Brand risk management techniques include the use of scripts, supervision,
random audits, ongoing training and customer feedback. Legal issues in
reputational risk can arise where the customer wishes to terminate a service
provider, redirect its efforts or adjust the pricing to reflect a loss of goodwill.
g. Systemic Risk
Regulators and governments focus on the risks to the systems that
support local and global economies. A systemic risk affects all participants in an
economic sector or industry.
To some degree, outsourcing both increases and reduces systemic risk.
Outsourcing permits individual enterprises to share systemic risks by hiring
service providers who understand and invest in risk-controlling technologies,
human capital and other resources. At the same time, in concentrated industries
with a small number of service providers, such a concentration of process
management in the hands of a small number of service providers could pose
systemic risks in the form of anti-trust or anti-competitive conduct, the risk of
massive losses due to a single loss incident affecting multiple enterprise
customers and the dependency of the service provider upon a favorable
regulatory climate.
When planning any solution to the sourcing dilemma, executives and
managers need to understand the nature of systemic risk and adopt appropriate
risk planning strategies.
h. Accessibility Risk, Business Continuity, Security Risk
Supply chain management requires careful attention to the risks of loss of
accessibility to the service provider, loss of the service provider's services and
impairments to the security of confidential, proprietary, trade secret, private and
protected information. Any one of these risks could prove fatal to, or severely
damage, the customer.
During the planning and implementation phases of outsourcing and
business process management, these risks need to be identified, allocated,
monitored and managed.
i. Technology Risk
Technology risk refers to the risk that an entity faces due to change in
technology or obsolescence of existing technology. An entity operating in the
BPO Industry, in general, invests huge sums of money on purchase of
technology. In the event of change in technology, the investment made by the
entity becomes futile. Technology could be in the form of purchase/ creation of
software or hardware.

Maintenance of Books of Accounts and Documents
The internal auditor is required to verify the sufficiency of controls related to the
maintenance of books of accounts by the entity. The internal auditor is also required to
verify that the controls for allocation of costs between different projects, different
undertakings, and between DTA and non-DTA operations are adequate and reliable in
the light of the business operations.
Compliance with Regulations
The internal auditor is required to verify compliance with these statutes and
report thereon as part of his internal audit. The internal auditor also needs to verify
registration with the various statutory authorities, and renewal of the same, as part of
his internal audit procedures.
