The BPO/ITES industry has been in India for over 20 years now and globally the shared service concept is even older. However there is not that much guidance or literature on how to approach this business from an Internal Audit point of view.
The Institute of Chartered Accountants of India had published a guidance of auditing shared service centres or back offices in 2010. The guidance has some very good insights for an internal auditor to consider and also overall regulatory framework within which the BPO’s work. However, this has become a little outdated now with the evolution of telecom and automation higher end work is being done in India and one needs to start re-looking at the approach for auditing back officers.
I think its time Audit functions consider the need for specialists in the field of back office reviews. Someone, who can tailor the audit approach for this industry and not try and apply a standard which will not meet the challenges faced by the peculiar nature of processing part of a transaction in India for a customer sitting in Kansas.
The ICAI guidance address the traditional risks that impact a manufacturing company i.e. revenue, procurement, payroll, fixed assets. However, when it comes to BPO especially a captive center the overall focus on these in internal audit plans is very low because in the bigger scheme of things revenue of the back office entity is not important, procurement and fixed asset costs are not material when you compare their cost with the bigger global entity being serviced from India.
So what should be the focus of internal audit when looking at a captive unit?
Controls over tasks and process being done in India is the obvious answer, but as you know a lot times the office in India is only doing data entry for very specific tasks and the only real control one can check is the maker and checker control to ensure data entry is accurate.
You may come across, a minority of functions/processes where the full task is being done in India and there are other controls like checking transaction authenticity or account reconciliations. However, in my experience the majority of internal audits of back offices check if the process was followed as per manual or not. Going back to the age old way of doing audit.
Well some audit teams have started to look at the end of end process across geographies, but that means very little testing work to be done in India as majority of the key controls don’t sit in the back office for understandable reasons. So this means very little actual audit oversight of the Indian operations even then there is a large audit team sitting in India. I guess at the regulators are happy to have the staff in India.
If not this than what?
I think the time has come to re-look at how one looks at the captive entity. With the captives now handling larger volumes and companies loosing legacy knowledge back home the risk profiles of the captive units is changing and they are slowly carrying more risk as an entity than is recognized by audit functions.
One should look at the value provided by the unit to the group and then understand the risks associated with that value proposition. As an audit function one should understand how the organisation is managing these risks and audit the processes around them.
Key risk areas like BCP, quality assessment processes, hiring etc. should be given additional focus and a back office perspective. Also, compliance with local regulations cannot be ignored. Indian laws are evolving fairly quickly now and someone with good knowledge of these should be engaged.
In the support functions, the hire to retire process from my point of view is single most important component which requires detailed oversight almost annually. Payroll and related costs are normally over 65% of the total cost of the captive unit and having adequate controls in this area is essential to ensure the operations are being run effectively.
In addition to looking at payroll costs one should also look at the remuneration policies in a country as these may point to other issues like in ineffective operational planning resulting in high overtime/holiday pay, uneven hiring, large pay variations and misdirected incentive plans.
Not enough time is spent looking at these components due to lack of time, however in the captive operations looking at incentives programs and hiring practices is crucial as people are the most important part of a captive and a lack of controls in this area could impact how the captive delivers.
Audit functions can automated a lot of the oversight in these areas including payroll, thereby reducing effort required and increasing effectiveness of the function.