Key advice update No. 1, 2015 Managing outsourced financial services Purpose of this document This key advice update aims to support public sector agencies to comply with the Standing Directions of the Minister for Finance (Directions). It focuses on the requirements of Direction 3.1.5 Managing outsourced financial services, in particular how to obtain assurance over outsourced services. What is outsourcing? Outsourcing is a process by which a specific service or group of services is provided for an agency by a third party through an agreement, e.g. contract. Services are typically outsourced to achieve cost savings, improve quality, and access specialised skills or other efficiencies. Some examples of commonly outsourced services include payroll, investment consulting, debt collection and the maintenance of financial systems. What are the requirements of Direction 3.1.5? Direction 3.1.5 requires agencies to ensure effective management of outsourced financial functions to obtain the required levels of service and maintain compliance with the Financial Management Act 1994 (FMA), the Financial Management Regulations 2004 and the Directions. Why is assurance of outsourced financial services important? Outsourcing does not diminish the responsibilities of the Chief Finance and Accounting Officer (CFAO) and the Accountable Officer – a service can be outsourced, but the risk and responsibilities cannot. An outsourced financial service will impact on the financial management, financial processing or financial statements of an agency. Accordingly, specific assurance on the control procedures of the outsourced service provider is needed to ensure the: • agency continues to meet the requirements of the FMA, the Directions and any other relevant legislation; • agency’s responsibilities and accountabilities for good governance and sound financial management are not negatively impacted by the outsourced activities; • provider is complying with the agreed terms and conditions (e.g. performance measures as outlined in the contract or Service Level Agreement); • controls for activities and processes are effective and result in accurate reporting of financial and other relevant information; • control environment surrounding the outsourced services facilitates complete and accurate processing of underlying transactions and/or data; and • Accountable Officer and CFAO can sign off on their formal annual statement as required by Direction 2.2(d) for public sector agencies and (w) departments, that the: (i) financial reports are presented fairly; (ii) risk management, internal compliance and control framework is sound; and (iii) internal control framework is operating effectively and efficiently. What to consider when determining the type of assurance required? Before engaging an outsourced service provider, an agency should understand the Assurance or Auditing Standard requirements1, and liaise with its internal and/or external auditors to discuss the best approach to obtain assurance. This will assist the agency to ensure that assurance reports received are fit for purpose and provide an accurate reflection of the control environment in the outsourced provider. The type and level of assurance required should be determined in the context of an agency’s individual risk profile (i.e. complexity of operations and size) and be factored in as part of the initial contract negotiation. The service contract should also provide access to the service provider’s information by an agency’s internal and external auditors. Note: If an agency is aware that several agencies are using the same outsourced service provider, it may initiate discussions with those agencies and the provider to obtain a combined assurance report. However, such a report must meet the individual assurance needs of each agency. What are the options for obtaining assurance? The following options for obtaining assurance may be considered: Option 1: Assurance from the outsourced service provider This may be either: A publicly available opinion on internal control (usually this is an opinion in accordance with Australian Auditing Standards that is made available to all customers of the outsourced service provider); or An opinion or report specifically designed (i.e. letter of comfort) for the use of the agency. In these instances, a tailored scope of work will typically be requested by the agency, but the work is performed and report provided by the outsourced service provider’s internal or external auditors. 1 Australian Standard on Assurance Engagements ASAE 3402 Assurance Reports on Controls at a Service Organisation or Auditing Standard AUS 810 Special purpose reports on the effectiveness of control procedures. 2 Option 2: Assurance provided by an independent auditor An agency may arrange for an independent auditor (i.e. the agency’s internal auditor or a third party) to visit the outsourced service provider to obtain assurance. In these instances, the agency will determine the scope of work and results will be reported in a format the agency is familiar with. It is strongly recommended that if using this option, the agency seeks the opinion of its internal and external auditors to interpret the information received. Factors that need to be considered in interpreting the results include, but are not necessarily limited to: What type of opinion or report has been issued? o Is there a reference to an auditing standard? If so, is there an expression of the level of assurance provided and are there any limitations on scope referred to? What period of time is covered by the opinion or report? o Is this consistent with the period of interest to the agency? What locations, specific business processes and/or transactions have been reviewed and reported on? o Do these cover the full scope of the agency’s activities or transactions provided by the outsourced service provider? If not, are the activities or transactions not covered material or significant to the agency? What issues or concerns have been identified? What is their impact? What resolution plans has the provider put in place? Further information on managing outsourced financial services The Financial Management Compliance Framework User Guide provides further information on outsourcing of financial services. This can be accessed via the following link: (http://www.dtf.vic.gov.au/files/be8f6f19-9be94b07-bcfb-a26000b92759/FMCF-User-Guide.docx). Agencies should also consider the Victorian Government Purchasing Board’s policies and guidance material and any other standard procedures relevant to the agency. You are free to re-use this work under a Creative Commons Attribution 3.0 Australia licence, on the condition that you credit the State of Victoria as author. The licence does not apply to any images, photographs or branding. 2