A - Answer:
To answer the question, we must consider two key terms:
1. Outsourcing; and
2. Internal Controls
1. In business, Outsourcing refers to the practice of engaging a party outside a company to perform services and create goods that were previously performed internally by the company's employees and staff.
This business move is usually undertaken by organisations who are looking to reduce costs. One of its side effects is that it affects a lot of jobs, ranging from customer support to manufacturing to the back office.
2. Internal Controls refer to systematic measures (such as reviews, checks and balances, methods and procedures) created by a business entity to conduct its operations in an orderly and efficient manner, safeguard its assets and resources, deter and detect errors, fraud, and theft, ensure accuracy and completeness of its accounting data, produce reliable and timely financial and management information, and ensure adherence to its policies and objectives.
In business, the outsourcing service provider will usually report to the Internal Control Unit of the company outsourcing its service.
The problems that arise include but are not limited to the following:
• Vicarious Liability
• Quality of Service
• Security Threats
A - Explanation:
i) <em>Vicarious Liability:</em> There are liabilities associated with Spotless, Inc.,'s activities. Ifs such a liability engage, it can be vicariously transferred to Time Treasures Company.
Vicarious Liability is a concept which holds that there can be a person responsible for the actions of another because of a special relationship the parties maintain, like employee/employer and parent/child. Outsourcing is one of such relationships.
Even though there is a legal agreement backed up by consideration between Time Treasures Company and Spotless Inc., should a visitor slip and fall within the premises from a wet or slippery ground that was just cleaned, they most likely would hold Time Treasure Liable.
<em>ii) Quality of Service Delivery</em>
Internal control, because of the reason stated above, will still bear the responsibility of supervising the Janitorial company to ensure that their work lines up with its standards, policies, goals and objectives. The challenge, therefore, is how does Time Treasures' internal control interact with Spotless Inc.?
How will it ensure accountability?
It is often said that one can outsource an activity but not the responsibility that comes with executing the activity or getting the work done to specification.
So how does one ensure responsibility and accountability with a third party?
<em>iii) Security Threats </em>
With new entities accessing Time Treasures' system, there is a new level of security threat.
This is because cleaners usually are given access to every part of the company. Given that the recruitment process of Time Treasures' most likely will be different from those of Spotless Inc. There might have been loopholes in their recruitment process (for instance, overlooking background checks) which could lead to the existence of a bad hire with a potential to commit fraud or theft.
B - Answer:
Some of the recommendations to control risk after reading the contract include but are not limited to:
1. Understand and Monitor Point of Interaction with the system
2. Clarify expectations using Service-level agreements containing protocols, standards, and expectations
3. Monitoring of Spotless Inc. to ensure that her (that is Time Treasure) controls are working
B - Explanation
<em>1. Understand and Monitor Point of Interaction with the system</em>
Monitoring the performance or activities Spotless Inc. staff would be a necessary function of Internal Control. Time Treasure would have to determine if the interactions are at the control activity or enterprise level. This helps to highlight high risky security point in the system.
<em>2. Clarifying expectation using Service Level Agreements</em>
Getting the Spotless Inc. to sign a service level agreement itemizing expectations concerning protocols, standards, about how those third parties are going to perform relative to the control environment is a great way to mitigate the risks of irresponsibility.
<em>3. </em>Companies monitor how the third parties are performing and verify the activities that third parties are undertaking to make sure controls are operating effectively.
Performance monitoring can be executed through a right-to-audit clause in the Service Level AGreement that gives either the company or auditor permission to perform testing.
Cheers!
