The Pitfalls of IT Outsourcing
The Satyam scandal in India was a
wake-up call for companies that
outsource IT services. While
outsourcing can reduce costs, it can
also lead to increased risks of data
theft, intellectual property theft
and fraud.
Paulo Renato Silva,
Sao Paulo
IT
outsourcing has long been an
accepted solution for companies to
streamline processes, reduce costs,
and provide flexibility to meet the
changing demands of their
operations. With the global
economic crisis forcing business
leaders to squeeze out additional
operational efficiencies to survive,
more outsourcing seems inevitable.
The decision, however, on what
functions to outsource is often made
without a thorough assessment of the
risks involved in determining what
is to be outsourced, and to whom.
In January 2009, India’s Satyam
Computer Services, then the fourth
largest outsourcing company in the
world, shook the sector by admitting
that it had systematically inflated
revenue and profits for years. The
corporation was eventually sold to
another Indian firm, Tech Mahindra,
to restore confidence in the market
and ensure the continuity of its
operations.
Satyam’s fraud and lack of internal
integrity should serve as a wake-up
call for companies intending to use
IT outsourcing services. The Satyam
case presents a strong reminder that
technology companies, including IT
outsourcing ones, are vulnerable to
the same common frauds – such as
internal financial fraud, vendor or
procurement fraud, and theft of
physical assets – that can occur in
any other business.
Moreover, even though IT outsourcing
companies, as obvious targets,
invest heavily to prevent cyber
crime, they can also be victims of
fraud typically related to the cyber
world, such as information theft and
intellectual property theft. Twenty-nine
percent of IT, media, and
telecommunication firms have
suffered from data theft in the last
three years, and 16 percent from
intellectual property theft,
according to the 2009 Kroll Global
Fraud Survey. The survey also shows
that roughly a fifth of sector
companies feel themselves highly
vulnerable in these areas.
In February 2008, the Bank of New
York Mellon was the victim of a data
breach while the data was in the
custody of an outsourcing firm.
Unencrypted back-up tapes containing
personal information of over 12
million customers disappeared during
transport to an off-site facility.
Although no misuse of information
from the tapes was identified, this
incident caused large losses for the
bank since it had to take expensive
remedial actions, including internal
investigations and assistance for
those who had personal information
stored in the back-up tapes. Such
frauds frequently occur when
companies presume that the IT
outsourcing business they hired
has the same security
procedures as their own. If custody
of, or responsibility for, sensitive
information is outsourced, the
contracting company may be
compromised in any subsequent
security breach.
Other outsourced services are also
subject to frauds. Companies must,
therefore, strategically and
cautiously decide what will be
outsourced, and then carefully
select which company will get the
contract. Here are some factors that
should be considered:
Determine what should or should not
be outsourced. Many companies
outsource activities which are not
related to their core business, such
as management of their IT
infrastructure, in order to gain
competitive advantage through
streamlined processes, increased
flexibility, and reduced costs.
Companies must be careful when
passing crucial information or
processes to third parties; the
sharing of such information brings
information security risks.
Select the appropriate services
provider. Consider the capacity of
the supplier to handle the volume of
services required. Conduct a
pre-screening investigation based
not only on suppliers’ credentials
but also on a thorough understanding
of the services offered. Supplier
benchmarking is an effective way to
weigh provider options.
Consider multi-sourcing. This model
can increase flexibility and reduce
risks in the outsourcing project.
And, while it does demand greater
effort to manage contracts with
several suppliers, choosing a
single supplier – full
outsourcing – requires a more careful
selection process, since that firm
will share more heavily in the risks
of the company.
Outsourcing can provide great
benefits, but it may cause problems
when the company loses direct
control over the management of
outsourced services. The Satyam
incident warns us of the risks run
when we put all our eggs into one
basket.
The author: Paulo Renato Silva
(psilva@kroll.com) is
Associate Director of Financial
Advisory Services in Kroll’s Brazil
headquarters in Sao Paulo.
Note: A version of this
article appears in Kroll’s annual
Global Fraud Report. To view or
download the full report, visit
http://kroll.com/about/library/fraud/