Professional Documents
Culture Documents
g3 Audit of Bpo Industry - Complete PDF
g3 Audit of Bpo Industry - Complete PDF
Audit of
Business Process Outsourcing
(BPO) Industry
Group 1
Leader:
Francisco, James Cayle
Members:
Campo, Micheriel
Echaque, Shyrell Anne
Estioco, Chadi Tol
Flores, Ruby Rose
March 2021
AUDIT OF BPO INDUSTRY
INTRODUCTION
Business process outsourcing (BPO) is defined as the transfer of a company’s
non-core activities to a third party that uses information technology for service delivery.
It involves the transfer of the management and/or day-to-day execution of an entire
business function/process to an external service provider.
Information and communication technology (ICT) innovation together with
increasingly fragmented production processes have encouraged the outsourcing g of
labor-intensive services to countries such as the Philippines. The Philippines serves as
a leading destination for business process outsourcing (BPO). The sector’s economic
influence in the country has tripled in the last ten years. BPO sector growth in the
Philippines is driven by a host of factors, chief among them the following: low labor
costs; a highly skilled and educated workforce; widespread command among the
workforce of a relatively neutrally accented English language; competitive infrastructure;
and government tax incentives. The BPO sector currently employs 1.3 million workers in
the Philippines and, if recent employment growth trends are any indication of future
developments, then the sector is likely to prove an important source of job creation BPO
is expected to expand rapidly in the coming years, further strengthening the country’s
participation in global supply chains (GSCs).
This paper aims to serve as a technical guide that is intended to assist auditors in
carrying out audit of entities operating in the Business Process Outsourcing (BPO)
sector.
TYPES OF BPO
Organizations contract with BPO vendors for two main areas which are: back
office and front office. BPOs can combine these services so that they work together, not
independently
Knowledge
process
outsourcing
Medical
Transcription Animation
BPO
Engineering Call
Design Centers
Game Software
Development Development
INVOICING
BPOs, generally, follow the below mentioned billing methods and the method is
built into the contract with the client. It is, therefore, important that the internal auditor
studies client contract carefully. In, general, most BPOs bill the client for the services
rendered at the end of the month. As part of the internal audit process, the internal
auditor should understand the billing cycle for each of the client and the process
followed by the entity to ensure cut-off on a periodic basis. This section is only intended
to provide an idea of the various billing methods and is not intended to be exhaustive. A
BPO may use complex billing methods or combination of methods.
A few common types of billing include:
SLA ADHERENCE
The entity needs to ensure compliance with Service Level Agreement/SOW/PO
as the case may be for the Service Level specified in the agreement. The Service Level
may be in relation to the minimum level of service, maximum billable time per
transaction, maximum permissible errors, percentage of unsolved/unanswered queries,
etc.
Compliance with Service Level Agreement is extremely important for the entity
with regards to ensuring that the quality of work performed is in accordance with that
required by the agreement. In case the entity is unable to meet its SLA, then it is
important for the entity to ensure compliance with SLA through providing of incentives
for employees, training and other methods. The compliance with SLA requirements
gains importance considering that it helps in brand building and client satisfaction.
For example, if the Service Level Agreement requires an agent to resolve 40
queries in a week, the internal auditor can verify if the agent is efficient in providing
service as per the Service Level Agreement.
The internal auditor can also verify the procedures of the management towards
quality checks and controls. The procedures can be through external consultants or
through the internal quality assurance team. An effectively defined quality assurance
framework can be termed as a prerequisite, but it should not be confused with a fail-
safe and comprehensive solution. There is still the implementation part and if that is not
carried out properly, delivering quality assurance would always pose a big challenge for
outsourcing service providers.
A step-by-step procedure that outsourcing service providers can use for ensuring
the quality of service deliverables is given below:
(i) Test viability of service deliverables
(ii) Tweaking the processes, if required
(iii) Deploying quality management systems
(iv)Tracking project progress and providing feedback
The internal auditor can verify the compliance of SLA on a month-to-month basis;
verify whether the Service Level is sufficiently higher than that prescribed by the client
to ensure compliance with the terms of the agreement and also continuity of service.
PAYROLL
The highest cost for any entity operating in the BPO Industry would be the payroll
cost, therefore, importance of proper controls for processing payroll need not be over-
emphasized. The entity needs to maintain adequate records, documents, policies,
processes for all aspects of payroll.
Most BPO companies process payroll for the month, based on the records of a
different period. For example, when payroll for the month of December is processed,
then the leave records, performance record for the period 21st November to 20th
December would be considered. The main reason for such processing is to ensure
disbursement of payroll by the specified day of the month.
The internal auditor needs to ensure that proper, adequate and appropriate cut-
off procedures are in place to ensure proper computation and disbursement of salary to
the employees. The procedures for computation of amount to be deducted on various
heads also need to be verified in accordance with organizational policies and
procedures. The internal auditor needs to verify the policies and procedures and
compliance of the same on a sample basis.
Computation of incentives is a complex area in any entity operating in a BPO
Industry. The reason for such complexity owes to the variety of schemes offered to the
employees by the entity. The entity, generally, provides incentives in accordance with
the nature of job, level of employee in the entity, client for whom the employee provides
service and the offer letter given to the employee. Compliance with various regulations
too is a tedious job considering the volume of work to be performed. The entity,
generally, has protocols for ensuring compliance with regulations.
Certain entities operating in the BPO Industry provide an opportunity for
employees to take ownership in the company through issue of stocks. It could be in the
nature of any one of the following:
Stock Awards;
Employee Stock Option Plan;
Employee Stock Purchase Plan.
The auditor through his internal audit procedures is required to find out whether
any fictitious employees are employed in the organization. The procedures performed
could be in the form of inquiries and discussions with the management, verification of
employee records, verification of bank records for testing disbursement, etc.
A time sheet is a method for recording the amount of a worker's time spent on
each job. Time sheet places a very important role in estimation of the cost incurred for
every project by the entity and also in some cases billing is based on the number of
hours an employee works on the project. Therefore, the internal auditor should verify
the entity’s effectiveness in recording and maintenance of the time sheet.
The auditor may also perform additional analytical procedures over a period of
time and compare them for ascertaining any inconsistency such as following:
(i) Productive Hours Ratio
Productive hour’s estimation is a measure of the efficiency of the work
force during a particular period. In other words, it is the ratio between
hours an employee works effectively to the total hours he works. By
analyzing this ratio, the internal auditor can understand the motivation
level of employees, steps taken by the management towards maintaining
efficiency and to some extent the trend of attrition.
OPERATING COSTS
i. Lease Expenses
Lease expenses could be of the nature of leasing of office building for
work space, or leasing of assets for official purpose or accommodation
provided to the employees.
ii. Communication Expenses
It represents expenses in the nature of leased line charges and is
considered significant in comparison to other costs. Moreover, BPOs,
generally, have a contingency plan in case of any failure.
iii. Recruitment and Training Expenses
These expenses are also considered to be high considering the high
attrition and turnover ratio of the industry and its growth over the past
few years. Most entities have contracts with HR Consultants and reputed
trainers to ensure that the costs are controlled.
iv. Sub-contracting Expenses
Some BPOs sub-contract a part of their operations to an external party.
This can be done so only if agreed to by the parties.
v. Logistics
Considering the labor-Intensive nature of the BPO Industry apart from
odd working hours, logistics plays an extremely important role in the
entity. Most employees use the logistics provided by the entity to
commute to work place. Considering the significance of this department,
usually, entities enter into contracts with logistic providers in order to limit
their liability and manage them professionally. The entity must maintain
sufficient controls for proper usage of vehicles.
The auditor should verify the systems, processes, controls and procedures built
within the system so as enable smooth and proper movement of the employees to and
fro from the work place. There should also be proper controls for usage of logistics for
purpose of business only. The internal auditor can perform various procedures such as,
cross checking logistics records with attendance registers, verification of in time and out
time records with logistic records, cost per employee travelled, etc.
The auditor is also required to verify the procedures and controls for capturing of
specific expenses with regards to its sufficiency, appropriateness and efficiency.
Moreover, the internal auditor needs to ensure that common expenses are allocated
across these undertakings in a justifiable basis. The internal auditor may also perform
additional analytical procedures over a period of time and compare them for
ascertaining any inconsistency such as following:
i. Total Fixed Cost
Significant increases in the total fixed cost signals expansion activity. In
such cases, the internal auditor needs to verify the sufficiency of controls
with respect to the growing entity.
ii. Operating Cost to Revenue (Undertaking-wise)
An entity operates in varied legal environment and different challenges
are faced by the entity operating in each such environment. The internal
auditor can estimate the operating cost (i.e., cost including labour,
communication, lease and all other variable expense to the particular
undertaking) to the revenue generated by it. This would provide a basis
for evaluating the cost effectiveness of operating in each of the
undertakings.
iii. Variable Cost per Man Hour per Undertaking
Variable cost per man hour can be computed by dividing the total cost
incurred in an undertaking divided by man hours for the same period.
This can be compared with different periods to verify whether there has
been a significant increase/ decrease in the expense and identify
reasons for the same.
iv. Penalty Costs to Total Cost
The internal auditor can estimate the significance of penalty cost in
relation to total cost through this method. Any penalty/non–compliance
must be viewed seriously by the internal auditor
v. Interest Cost to Loans
Interest cost to loans provides a basis for the estimation of the average
cost of borrowed funds in the entity. The internal auditor can estimate
the average cost of borrowing and compare them with the existing rate
to verify whether the interest paid is significantly high.
FIXED ASSETS
For the BPO Industry, in general, the fixed assets such as, servers, computers,
laptops, EPABX and alike may be that of the entity’s or provided by the client. This is
so, to prevent theft of confidential information of the client which may be subject to
Intellectual Property Rights. It might also include software provided by the client on
which the entity might be working or owned by the entity itself.
The internal auditor may also perform additional analytical procedures over a
period of time and compare them for ascertaining any inconsistency such as following:
(i) Total laptops and desktops to on-field employees
For employees providing on-site services, the internal auditor can verify the
employees on-site and the laptops provided to them (grade-wise). This
would help the internal auditor to verify the controls in laptops given to the
employees.
DATA SECURITY
Data security is a major problem in a BPO industry. The various sources of
danger to data can be in the form of following:
(a) Natural Calamity
Fire, flood, earthquake, falling elephants can cause damage to hardware
including server, computers and other physical storage devices.
(g) Hacking
Hacking could be in the form of:
Passwords required to enter or change the PC's BIOS;
Passwords required to enter a network;
Passwords required to start the operating system;
Passwords required to enter major software packages (e.g., payroll); or
Encrypted (encoded) data files.
(ii) A change in the legal environment that imposes new conditions, costs or
restrictions upon the manner of providing the services, the means by which
the services are delivered to the enterprise customer or the right of the
enterprise customer to purchase such services in its home country.
(iii)A change in the volume of the services being consumed, either to :
Increase (requiring additional hiring and perhaps a change in business
process) or
Decrease (resulting in sub-optimization of dedicated resources or re-
allocation of resources across multiple enterprise customers without any
decrease in SLA commitments).
(iv)An early termination that occurs before the service provider has earned out
the sunken costs of pursuing and capturing the contract opportunity and paid
the unpaid start-up and transition costs.
(v) There is mergers and acquisition risk that an enterprise or a service provider
might change owners. Enterprise managers need to adapt the sizing and
pricing of their outsourcing transactions to include possible mergers,
acquisitions, divestitures and restructuring activity within the term of the
outsourcing agreement. Service providers need to provide assurances that a
change of control, such as in a merger or restructuring, will not impair the
competitive position of the enterprise customers. Accordingly, “M & A risk”
should be identified by both parties in order to evaluate and negotiate
appropriate contract provisions to manage and mitigate the impact of major
changes in ownership or capital structure.
b. Price Risk
Pricing risks arise as soon as the parties agree upon the service terms,
conditions and pricing. For the service provider, the “pricing risk” is that the
benchmarking process or other price adjustment will result in a loss or significant
reduction in profitability and an inability to recapture the investment made in
capturing and transitioning an enterprise customer to the outsourced business
process platform. The service provider can never stand still, though, since if it
fails to make ongoing investments in process improvement and cost
containment, upon the expiration of the contract, it will cease to be competitive
for new customers.
The art of outsourcing includes identifying and providing commercially
reasonable solutions for both parties. Commercial and financial transactions
contain pricing risks at many levels. The design of contracts to manage and
mitigate pricing risks is an art form. Multiple techniques are available, each with
its own limitations and additional risks.
c. Political Risk
Political risk represents the degree to which social and governmental
environments may change in the future. This risk may manifest itself in events
over which a government has no control – such as, riots or new elections. Other
events may be caused by a government, such as, an embargo on imports or
exports, increases in tariffs, new prohibitions on transactions with specific
countries.
Political risk may arise from actions of the home government of the
enterprise. In international outsourcing transactions, political risks need special
attention due to the long-term nature of the relationship. There are a number of
techniques that can mitigate, but not eliminate, such risks. Moreover, the entity is
affected by outsourcing policies of the country for which the entity provides
services. For example, if outsourcing is not encouraged by a country by imposing
additional tax or cut of tax sops, then, the Indian entities providing services for
clients in that country, may face a bottleneck for expansion of operations.
d. Process Risk
“Process risk” refers to the possibility that the processes used to deliver a
service might need to change dramatically during the term of a sourcing
arrangement. This can be favorable or unfavorable. Since processes will likely
change, the parties need to identify the significant processes that form the basis
of the bargain and that, if impacted by a change, could justify a renegotiation,
termination, repricing or expansion or contraction of the scope of service.
Process risk denotes the risk that the processes adopted by the service
provider will not fit the needs of the enterprise customer. This risk is somewhat
complex.
(a) There may be process risks during the transition period where the
service provider was not aware of important existing processes that
were underlying the general services in the outsourcing agreement.
(b) Process risk may also arise due to changes, over time, of the enterprise
customer’s needs and the “best practices” in the relevant business
process.
(c) Some processes may become illegal or subject to regulation, while
other processes may become technologically outdated.
(d) The duration of the contract might be so long that the parties do not
clearly understand the open nature of the commitments, promises and
emerging needs of each other.
Process risk can be managed by appropriate due diligence, contract
planning, negotiation, transitioning, integration management and relationship
governance. Legal planning techniques can also be used, particularly those
relating to termination for convenience and termination for failure to manage the
processes in an agreed fashion.
e. Human Capital Risk
Human capital risk arises from the risk that an enterprise’s investment in
human resources might lose value due to the departure of individuals or groups
necessary to the future success of the enterprise. Human capital has its greatest
value at the level of senior management, but as executives they can only achieve
the enterprise’s mission through others.
When choosing business models and solutions to the sourcing dilemma,
executives and managers need to evaluate the human capital risk and develop
plans for contingencies. Contingency planning should include the possibility of
morphing the current or future sourcing solutions into new models that involve
human capital. Thus, planning and implementing outsourcing requires careful
attention on human capital management during and after the term of any
outsourcing agreement.
f. Brand/Reputation Risk
Enterprise viability depends on maintaining the goodwill of the enterprise
brand. Damage to reputation might never be recovered, or might only be
recovered at great expense and distraction. Most outsourced business processes
are essential to the enterprise’s operations. Particularly in customer relationship
management and help desk support services, outsourcers may directly “touch”
the enterprise’s customer without disclosing the existence of the outsourcing
relationship. Reputational risk is especially significant in such customer-facing
“front office” services. However, even non-voice interactions with customers can
have the same impact on an enterprise’s goodwill.
Brand risk management techniques include the use of scripts, supervision,
random audits, ongoing training and customer feedback. Legal issues in
reputational risk can arise where the customer wishes to terminate a service
provider, redirect its efforts or adjust the pricing to reflect a loss of goodwill.
g. Systemic Risk
Regulators and governments focus on the risks to the systems that
support local and global economies. A systemic risk affects all participants in an
economic sector or industry.
To some degree, outsourcing both increases and reduces systemic risk.
Outsourcing permits individual enterprises to share systemic risks by hiring
service providers who understand and invest in risk-controlling technologies,
human capital and other resources. At the same time, in concentrated industries
with a small number of service providers, such a concentration of process
management in the hands of a small number of service providers could pose
systemic risks in the form of anti-trust or anti-competitive conduct, the risk of
massive losses due to a single loss incident affecting multiple enterprise
customers and the dependency of the service provider upon a favorable
regulatory climate.
When planning any solution to the sourcing dilemma, executives and
managers need to understand the nature of systemic risk and adopt appropriate
risk planning strategies.
h. Accessibility Risk, Business Continuity, Security Risk
Supply chain management requires careful attention to the risks of loss of
accessibility to the service provider, loss of the service provider’s services and
impairments to the security of confidential, proprietary, trade secret, private and
protected information. Any one of these risks could prove fatal or severely
damage to the customer.
During the planning and implementation phases of outsourcing and
business process management, these risks need to be identified, allocated,
monitored and managed.
i. Technology Risk
Technology risk refers to the risk that an entity faces due to change in
technology or obsolescence of existing technology. An entity operating in the
BPO Industry, in general, invests huge sums of money on purchase of
technology. In the event of change in technology, the investment made by the
entity becomes futile. Technology could be in the form of purchase/ creation of
software or hardware.