Auditing Business Process Outsourcing Industry

INTRODUCTION

Business process outsourcing (BPO) is defined as the transfer of a company’s non-core ac�vi�es
to a third party that uses informa�on technology for service delivery. It involves the transfer of the
management and/or day-to-day execu�on of an en�re business func�on/process to an external service
provider.

Informa�on and communica�on technology (ICT) innova�on together with increasingly

fragmented produc�on processes have encouraged the outsourcing g of labor-intensive services to
countries such as the Philippines. The Philippines serves as a leading des�na�on for business process
outsourcing (BPO). The sector’s economic influence in the country has tripled in the last ten years. BPO
sector growth in the Philippines is driven by a host of factors, chief among them the following: low labor
costs; a highly skilled and educated workforce; widespread command among the workforce of a rela�vely
neutrally accented English language; compe��ve infrastructure; and government tax incen�ves. The BPO
sector currently employs 1.3 million workers in the Philippines and, if recent employment growth trends
are any indica�on of future developments, then the sector is likely to prove an important source of job
crea�on BPO is expected to expand rapidly in the coming years, further strengthening the country’s
par�cipa�on in global supply chains (GSCs).

BPO is o�en divided into two main types of services: back office and front office. Back-office
services include internal business processes, such as billing or purchasing. Front-office services pertain to
the contrac�ng company’s customers, such as marke�ng and tech support. BPOs can combine these
services so that they work together, not independently.

The BPO industry is divided into three categories, based on the loca�on of the vendor. A business
can achieve total process op�miza�on by combining the three categories:

1. Offshore vendors are located outside of the company’s own country. For example, a U.S. company
may use an offshore BPO vendor in the Philippines.
2. Nearshore vendors are located in countries that neighbor the contrac�ng company’s country. For
example, in the United States, a BPO in Mexico is considered a nearshore vendor.
3. Onshore vendors operate within the same country as the contractor, although they may be located
in a different city or state. For example, a company in Seatle, Washington, could use an onshore
outsourcing vendor located in Seatle, Washington, or in Huntsville, Alabama.

Each BPO company will specialize in specific services. They may be grouped as follows:

Customer interac�on services: The BPO company would cover a business’s voicemail services,
appointment schedules, email services, marke�ng program, telemarke�ng, surveys, payment processing,
order processing, quality assurance, customer support, warranty administra�on, and other customer
feedback.

Back-office transac�ons: This includes check, credit, and debit card processing; collec�on; receivables;
direct and indirect procurement; transporta�on administra�on; logis�cs and dispatch; and warehouse
management.

IT and so�ware opera�ons: These technical support func�ons include applica�on development and
tes�ng, implementa�on services, and IT helpdesk. For example, manual data entry can be replaced with
automated data capture, increasing data intake and reducing cycle �me.

Finance and accoun�ng services: These func�ons include billing services, accounts payable, receivables,
general accoun�ng, audi�ng, and regulatory compliance.
Human resource services: BPOs can help address workforce challenges. They can also cover payroll
services, healthcare administra�on, hiring and recruitment, workforce training, insurance processing, and
re�rement benefits.

Knowledge services: These higher-level processes may include data analy�cs, data mining, data and
knowledge management, and internet and web research, as well as developing an informa�on governance
program and providing the voice of customer feedback.

How does BPO work?

Organiza�onal execu�ves arrive at the decision to outsource a business process through a variety
of avenues. Startup companies, for example, o�en need to outsource back-office and front office func�ons
because they do not have the resources to build the staff and suppor�ng func�ons to preform them in-
house. On the other hand, an established company may opt to outsource a task that it had been
performing all along a�er an analysis determined that an outsourced provider could do the job beter and
at a lower cost.

Management experts advise enterprise execu�ves to iden�fy func�ons that can be outsourced
and then evaluate that func�on against the pros and cons of outsourcing to determine if shi�ing that task
to an outsourced provider makes strategic sense for the organiza�on. If so, the organiza�on then must go
through the process of not only iden�fying the best vendor for the work, but also shi�ing the work itself
from in-house to the external provider. This requires a significant amount of change management, as the
move to an outsourced provider generally impacts staff, established processes and exis�ng workflows.

The shi� also impacts the organiza�on's finances -- not only in terms of shi�ing costs from the
internal func�on to the outsourced providers, but o�en also in terms of taxes and repor�ng requirements.

The organiza�on may also have to invest in a technology solu�on to enable the smooth flow of
work from the organiza�on itself to the outsource provider, with the extent and cost of that technology
solu�on dependent on the scope of the func�on being outsourced and the maturity of the technology
infrastructure in place at both enterprises.

Scope of work

As an organiza�on moves a func�on to a new outsourced provider, it must iden�fy the scope of
the work shi�ing from in-house staff to the external partner. Execu�ves should iden�fy the workflows and
processes impacted by this shi� and adjust, if necessary, those workflows and processes to accommodate
the outsourcing of the work.

Execu�ves should also iden�fy the key objec�ves for outsourcing a func�on -- whether it's cost
savings, increased quality, quicker turnaround or some other objec�ve -- and then use that criterion to
determine which provider would be best suited to handle the work. Those objec�ves should also serve as
the basis for contractual obliga�ons that can be used to help assess the performance of the outsourced
provider and success of the func�on once it is outsourced.

STATUTORY LAWS APPLICABLE TO BPO INDUSTRY

INCENTIVE REGIMES FOR BPOs

The Philippines has various incen�ve programs to encourage foreign companies to establish their
businesses here in the Philippines. Currently there are three principal incen�ve regimes in the country.
These are the ones established under the Omnibus Investments Code (OIC), the Special Economic Zone
Act of 1995 (PEZA Law), and the Cagayan Special Economic Zone Act of 1995 (CEZA Law)

1. Omnibus Investments Code (OIC)

The OIC was passed in 1987 to encourage investments in desirable areas of ac�vi�es and to
provide a cohesive and consolidated investment incen�ves law. The Board of Investments (BOI) was
created to regulate and promote investments in priority ac�vi�es as defined in the annually prepared
Investment Priori�es Plan (IPP).

In recent years, BPO ac�vi�es have been regularly included among the preferred areas of
investment under the IPP. To avail of the incen�ves under the OIC, a company must be registered with the
BOI. There is a na�onality requirement for certain types of registra�on.

BOI-registered enterprises may avail of several fiscal incen�ves subject to the fulfillment of certain
condi�ons. The most notable incen�ves are:

• Income Tax Holiday - BOI-registered enterprises shall be fully exempt from income taxes levied by
the na�onal government in the following instances:
a. new pioneer projects for a period of six years from commercial opera�on;
b. new non-pioneer projects for a period of four years from commercial opera�on;
c. expansion projects for a period of three years from commercial opera�on; and
d. new or expansion projects in less developed areas for six years.

Subject to guidelines as may be prescribed by the BOI, the income tax exemp�on may be extended
for another year. However, in no case shall a registered pioneer firm avail of this incen�ve for a
period exceeding eight years.
• Addi�onal Deduc�ons for Labor Expense - For the first five years from registra�on, a BOI-
registered enterprise shall be allowed an addi�onal deduc�on from the taxable income of 50% of
the wages of addi�onal workers in the direct labor force if the project meets the prescribed ra�o
of capital equipment to number of workers set by the BOI.
• Exemp�on from Import Du�es and Taxes
• Zero-Rate Value-Added Tax (VAT) - A BOI-registered enterprise, which qualifies as an export
enterprise, is en�tled to zero-rate VAT on its sales.

2. Special Economic Zone Act of 1995 (PEZA Law)

The PEZA law was passed in 1995 to encourage economic growth through establishment of
economic zones or “ecozones” that are treated as separate customs territory with minimal government
interven�on. These ecozones are managed and operated by the Philippine Economic Zone Authority
(PEZA).

Similar to OIC, not all business ac�vi�es may register with PEZA. Registrable ac�vi�es are limited to priority
areas of investment. Further, registra�on procedures differ for each par�cular type of ac�vity to be
registered.

PEZA-registered en��es enjoy numerous fiscal incen�ves. Incen�ves which may be applicable are as
follows:
• Income Tax Holiday - A PEZA-registered BPO enjoys the same ITH incen�ve as a BOI registered
outsourcing company.
• Special Income Tax Rate of 5% - Upon expiry of the ITH period, a PEZA-registered en�ty may avail
itself of a special tax rate of 5% of its gross income in lieu of all other na�onal and local taxes.
• Exemp�on from Na�onal and Local Taxes and Licenses - A PEZA-registered en�ty shall be exempt
from payment of all na�onal internal revenue taxes and all local taxes and fees. In lieu thereof, it
shall pay a special 5% final tax on gross income.
• Zero-Rate Value-Added Tax (VAT) - Sales to PEZA-registered en��es are deemed export sales;
hence, such enjoy a preferen�al VAT rate of zero percent (0%).
• Deduc�on for Organiza�on and Pre-Opera�ng Expenses
• Tax and Duty-Free Importa�on of Materials, Capital Equipment, Machineries and Spare Parts
• Addi�onal Deduc�ons from Taxable Income - Similar to a BOI-registered enterprise, a PEZA-
registered BPO can avail of the 50% addi�onal deduc�on for labor expense. In addi�on, it may
also claim an addi�onal deduc�on for its training expenses.

3. Cagayan Special Economic Zone Act of 1995 (CEZA Law)

 The CEZA law established the Cagayan Special Economic Zone and aimed to effec�vely encourage
and atract legi�mate and produc�ve foreign investments. It also created the Cagayan Special Economic
Zone Authority (CEZA) which manages and operates the zone.

Business establishments registered with CEZA and opera�ng within the zone shall be en�tled to
the exis�ng fiscal incen�ves as provided under Presiden�al Decree No. 66, the law crea�ng the Export
Processing Zone Authority (EPZA Law) or those provided under the OIC. Thus, incen�ves applicable to
BPOs are as follows:
• Income Tax Holiday - CEZA-registered enterprises are en�tled to four to six-year ITH provided it
belongs to qualified industries.
• Special Income Tax Rate of 5%
• Other applicable incen�ves under EPZA Law and OIC, such as:
a) tax treatment of merchandise in the Zone;
b) tax and duty-free importa�on of ar�cles, raw materials, and capital goods;
c) exemp�on from local taxes and licenses;
d) addi�onal deduc�on for labor expense;
e) addi�onal deduc�on for labor training expenses; and
f) deduc�on for organiza�on and pre-opera�ng expenses.

THE AUDIT ON BPO INDUSTRY

THE NEED FOR AN AUDIT

Considering the nature of the BPO Industry and the pace at which the Industry has grown over
the past decade, need for ensuring proper controls need not be over emphasized. With the increasing
number of frauds in the so�ware field, and considering the vulnerability of the sector to modifica�on of
data, audit becomes significant. Internal audit also helps in verifying the controls in place within the en�ty
with regard to sufficiency and effec�veness in the light of overall business. Internal audit also helps in
assessing the risks faced by the en�ty and provide a method for management of the same. Internal
controls and risk management are extremely important ac�vi�es in an en�ty opera�ng in the BPO
Industry.

MAJOR AREAS OF AUDIT SIGNIFICANT ON A BPO INDUSTRY

Audit procedures that apply to any industry also apply to an en�ty opera�ng in the BPO Industry.
In this technical guide, internal audit procedures pertaining to BPO Industry have been specified. These
audit procedures are an illustra�ve list which can be performed in addi�on to the regular internal audit
procedures performed by an internal auditor.
INVOICING

BPOs, generally, follow the below men�oned billing methods and the method is built into the
contract with the client. It is, therefore, important that the internal auditor studies client contract carefully.
In, general, most BPOs bill the client for the services rendered at the end of the month. As part of the
internal audit process, the internal auditor should understand the billing cycle for each of the client and
the process followed by the en�ty to ensure cut-off on a periodic basis. This sec�on is only intended to
provide an idea of the various billing methods and is not intended to be exhaus�ve. A BPO may use
complex billing methods or combina�on of methods.

A few common types of billing include:

• Per Call – Generally, voice-based support service providers bill on this basis. The billing can be
done on the basis of no. of calls atended or on the basis of �me per call on an average.
• Per Transac�on – This type of billing is done in the case of data entry, insurance, medical
processing, etc., where the base is the no. of transac�ons handled. There may be requirements as
to the minimum no. of transac�ons that need to be handled, the quality of work performed and
nature of work handled. The cost per transac�on varies due to these factors.
• Per Time – The billing is done for the no. of minutes/ hours/ days the en�ty has provided service
to the client. In general, the client places a no. of ceiling caps to ensure good performance and to
prevent inten�onal excessive billing. Moreover, there are a no. Of service criteria as s�pulated in
the Service Level Agreement (SLA) that needs to be met. If these service criteria are not completely
met, penal�es are charged on to the en�ty.
• Full Time Equivalent – Where services in the nature of research are provided by the en�ty, the
billing is done on the basis of Full Time Equivalent (FTE). The en�ty bills the client for every person
employed along with the costs incurred by the person on a flat charge as mutually agreed between
the par�es on a periodic basis. Some en��es also provide onsite services to its clients. In general,
for such services rendered too, the billing is based on this model.
• Cost plus Basis – In cases of Cap�ve Service Provider or Wholly Owned Subsidiary, a mark-up is
agreed between the holding company and its subsidiary. The billing is done on the cost-plus mark-
up. Clients usually reimburse addi�onal costs incurred by the BPO in the nature of recrea�on/ gi�s
to employees working on their project or bonus incen�ves addi�onally paid to these employees
for mo�va�ng them to perform beter or even leased line charge. These are either specifically
communicated or mutually accepted at the �me of entering into the contract.

Certain contracts may act as an embedded deriva�ve, wherein the client may agree to bear the loss
on account of wide apprecia�on in the value of foreign currency, provided the foreign exchange rate moves
below a par�cular base rate.

The internal auditor needs to verify all these clauses as a part of performance of internal audit
procedures. The internal auditor may also perform certain analy�cal procedures such as computa�on of
following:

• Opera�onal Margins Period

Wise The internal auditor may compute the opera�onal margins such as, gross profit margin,
period to period and ascertain the variance between the different periods compared with. For e.g.,
the internal auditor compares the gross margin for the month of February with that of January or
February of the preceding year, he might observe huge variances in the margins. The internal auditor
is required to seek explana�ons from the management for such significant fluctua�ons and
understand the reason for such fluctua�ons. This might provide an insight on the effec�veness of the
management in opera�ons apart from ensuring that there has not been any fraud during the period.

• Significant fluctua�ons in Revenue from a Contract

Most contracts in a BPO industry are for a long tenure, say 2 to 3 years. In such a scenario, if
there are significant fluctua�ons from a contract between periods, the internal auditor needs to
understand the reason for such fluctua�ons. This will provide a deeper insight of the risks faced by the
 internal auditor and also a deeper understanding of the client’s business apart from iden�fying
irregulari�es.

• Revenue per Employee Project-wise

The internal auditor can compute the revenue generated by a contract during a period per
employee and compare the same with a different period. This would help the internal auditor to assess
the change in revenue per employee and the effec�veness of an employee on a project over a period
of �me.

• Opera�ng Costs to Revenue Ra�o

The internal auditor can assess the ra�o between opera�ng costs and revenue per project and
through comparison between different periods and different projects, understand the project’s
performance in rela�on to other projects.

• Revenue Earned per Hour (Project-wise)

The internal auditor can compute the revenue per project per person per hour, especially, in
the case of �me-based billing and map it with the total billed amount. This would help the internal
auditor analyses the effec�veness of controls related to the billing cycle.

• Total Calls Handled to Total Calls Received, Calls Resolved to Calls Handled
Ra�os such as, total calls handled to total calls received are par�cularly applicable to a call
center. The management, generally, have data pertaining to the total calls received and total calls
handled.
In such cases, the internal auditor is required to ensure that the calls handled is not
significantly low as compared to the calls received.

• Project-wise Profitability and Budgeted Profit Margins Comparison

Project-wise profitability ra�o helps the internal auditor to verify as to whether there is a
significant fluctua�on in profitability between projects. In cases of significant fluctua�ons, the internal
auditor needs to verify whether profitability ra�o is in accordance with the budgeted profitability ra�o.
Devia�ons should be noted and proper explana�ons for devia�ons need to be obtained

• Delays in Raising Invoices to Total Invoices

The frequency of raising invoices on a delayed basis might help the internal auditor to verify
the internal controls related to raising the invoice. Reasons for such delays could throw light to
inherent weaknesses in control.

• Percentage of Errors and Rejec�ons

The internal auditor can verify the quality of work performed through measurement of ra�os
of total errors and rejec�ons as against the total volume of work handled. This would help the internal
auditor to assess legal and compliance risk, en�ty’s effec�veness in handling projects apart from
obtaining a deeper understanding about the management’s ini�a�ve.

These ra�os should be prepared and compared over a period of �me. If these ra�os are
inconsistent over that period, proper explana�ons need to be obtained, thereby helping the internal
auditor in assessing effec�veness, sufficiency, appropriateness of controls and also to highlight the risk
environment the business is under. It should also be verified whether the en�ty monitors such ra�os on a
regular basis.

SLA ADHERENCE

The en�ty needs to ensure compliance with Service Level Agreement/SOW/PO as the case may
be for the Service Level specified in the agreement. The Service Level may be in rela�on to the minimum
level of service, maximum billable �me per transac�on, maximum permissible errors, percentage of
unsolved/unanswered queries, etc.
 Compliance with Service Level Agreement is extremely important for the en�ty with regards to
ensuring that the quality of work performed is in accordance with that required by the agreement. In case
the en�ty is unable to meet its SLA, then it is important for the en�ty to ensure compliance with SLA
through providing of incen�ves for employees, training and other methods. The compliance with SLA
requirements gains importance considering that it helps in brand building and client sa�sfac�on.

For example, if the Service Level Agreement requires an agent to resolve 40 queries in a week, the
internal auditor can verify if the agent is efficient in providing service as per the Service Level Agreement.

The internal auditor can also verify the procedures of the management towards quality checks
and controls. The procedures can be through external consultants or through the internal quality
assurance team. An effec�vely defined quality assurance framework can be termed as a prerequisite, but
it should not be confused with a fail-safe and comprehensive solu�on. There is s�ll the implementa�on
part and if that is not carried out properly, delivering quality assurance would always pose a big challenge
for outsourcing service providers.

A step-by-step procedure that outsourcing service providers can use for ensuring the quality of
service deliverables is given below:

(i) Test viability of service deliverables

(ii) Tweaking the processes, if required
(iii) Deploying quality management systems
(iv)Tracking project progress and providing feedback

The internal auditor can verify the compliance of SLA on a month-to-month basis; verify whether
the Service Level is sufficiently higher than that prescribed by the client to ensure compliance with the
terms of the agreement and also con�nuity of service.

PAYROLL

The highest cost for any en�ty opera�ng in the BPO Industry would be the payroll cost, therefore,
importance of proper controls for processing payroll need not be over-emphasized. The en�ty needs to
maintain adequate records, documents, policies, processes for all aspects of payroll.

Most BPO companies process payroll for the month, based on the records of a different period.
For example, when payroll for the month of December is processed, then the leave records, performance
record for the period 21st November to 20th December would be considered. The main reason for such
processing is to ensure disbursement of payroll by the specified day of the month.

The internal auditor needs to ensure that proper, adequate and appropriate cut-off procedures
are in place to ensure proper computa�on and disbursement of salary to the employees. The procedures
for computa�on of amount to be deducted on various heads also need to be verified in accordance with
organiza�onal policies and procedures. The internal auditor needs to verify the policies and procedures
and compliance of the same on a sample basis.

Computa�on of incen�ves is a complex area in any en�ty opera�ng in a BPO Industry. The reason
for such complexity owes to the variety of schemes offered to the employees by the en�ty. The en�ty,
generally, provides incen�ves in accordance with the nature of job, level of employee in the en�ty, client
for whom the employee provides service and the offer leter given to the employee. Compliance with
various regula�ons too is a tedious job considering the volume of work to be performed. The en�ty,
generally, has protocols for ensuring compliance with regula�ons.

Certain en��es opera�ng in the BPO Industry provide an opportunity for employees to take
ownership in the company through issue of stocks. It could be in the nature of any one of the following:
• Stock Awards;
• Employee Stock Op�on Plan;
• Employee Stock Purchase Plan.
 The auditor through his internal audit procedures is required to find out whether any fic��ous
employees are employed in the organiza�on. The procedures performed could be in the form of inquiries
and discussions with the management, verifica�on of employee records, verifica�on of bank records for
tes�ng disbursement, etc.

A �me sheet is a method for recording the amount of a worker's �me spent on each job. Time
sheet places a very important role in es�ma�on of the cost incurred for every project by the en�ty and
also in some cases billing is based on the number of hours an employee works on the project. Therefore,
the internal auditor should verify the en�ty’s effec�veness in recording and maintenance of the �me
sheet.

The auditor may also perform addi�onal analy�cal procedures over a period of �me and compare
them for ascertaining any inconsistency such as following:

• Produc�ve Hours Ra�o

Produc�ve hour’s es�ma�on is a measure of the efficiency of the work force during a
par�cular period. In other words, it is the ra�o between hours an employee works effec�vely to the
total hours he works. By analyzing this ra�o, the internal auditor can understand the mo�va�on level
of employees, steps taken by the management towards maintaining efficiency and to some extent the
trend of atri�on.

• Manpower on Client Project to Total Manpower

Manpower per project to total manpower ra�o can be helpful to es�mate the importance of
a project in terms of manpower requirement. If there is a decline in the manpower and if there is no
consequent decline in revenue, the internal auditor needs to verify this anomaly.

• Average Employee Cost per Head per Project

Average cost incurred for an employee (cost includes incen�ves, gi�s, entertainment costs
incurred for the project) can be computed by dividing the total cost incurred for a period on a project
to average number of employees during the period. The internal auditor may compare this
informa�on between different periods, or with other projects, where the services rendered are of a
similar nature.

• Employee Turnover Ra�o

Employee turnover ra�o helps the internal auditor to verify the atri�on rate and assess the
en�ty’s effec�veness and steps taken towards preven�on of atri�on and reten�on of key employees.
In case of employee turnover ra�o being higher than the industry, the internal auditor must obtain
explana�ons for the reason for such high turnover ra�o.

• Revenue Generated by an Employee against Incen�ve Paid

Generally, incen�ves are paid to an employee based on his performance. By comparing the
revenue earned through an employee and the incen�ve paid to him, the internal auditor can ensure
compliance of the incen�ve schemes in place within the organiza�on.

• Reconcilia�on with Respect to Changes in the Number of Employees

The internal auditor can assess the movement in employees for a month in comparison with
another by tracing the addi�ons and dele�ons due to addi�ons, termina�ons, re�rements, etc. in a
month based on each grade and obtain an insight on the plans of the management.

OPERATING COSTS

• Lease Expenses
Lease expenses could be of the nature of leasing of office building for work space, or leasing
of assets for official purpose or accommoda�on provided to the employees.

• Communica�on Expenses
It represents expenses in the nature of leased line charges and is considered significant in
comparison to other costs. Moreover, BPOs, generally, have a con�ngency plan in case of any failure.
 • Recruitment and Training Expenses
These expenses are also considered to be high considering the high atri�on and turnover
ra�o of the industry and its growth over the past few years. Most en��es have contracts with HR
Consultants and reputed trainers to ensure that the costs are controlled.

• Sub-contrac�ng Expenses
Some BPOs sub-contract a part of their opera�ons to an external party. This can be done so
only if agreed to by the par�es.

• Logis�cs
Considering the labor-Intensive nature of the BPO Industry apart from odd working hours,
logis�cs plays an extremely important role in the en�ty. Most employees use the logis�cs provided by
the en�ty to commute to work place. Considering the significance of this department, usually, en��es
enter into contracts with logis�c providers in order to limit their liability and manage them
professionally. The en�ty must maintain sufficient controls for proper usage of vehicles.

The auditor should verify the systems, processes, controls and procedures built within the system so
as enable smooth and proper movement of the employees to and fro from the work place. There should
also be proper controls for usage of logis�cs for purpose of business only. The internal auditor can perform
various procedures such as, cross checking logis�cs records with atendance registers, verifica�on of in
�me and out �me records with logis�c records, cost per employee travelled, etc.

The auditor is also required to verify the procedures and controls for capturing of specific expenses
with regards to its sufficiency, appropriateness and efficiency. Moreover, the internal auditor needs to
ensure that common expenses are allocated across these undertakings in a jus�fiable basis. The internal
auditor may also perform addi�onal analy�cal procedures over a period of �me and compare them for
ascertaining any inconsistency such as following:

• Total Fixed Cost

Significant increases in the total fixed cost signals expansion ac�vity. In such cases, the internal
auditor needs to verify the sufficiency of controls with respect to the growing en�ty.

• Opera�ng Cost to Revenue (Undertaking-wise)

An en�ty operates in varied legal environment and different challenges are faced by the en�ty
opera�ng in each such environment. The internal auditor can es�mate the opera�ng cost (i.e., cost
including labour, communica�on, lease and all other variable expense to the par�cular undertaking)
to the revenue generated by it. This would provide a basis for evalua�ng the cost effec�veness of
opera�ng in each of the undertakings.

• Variable Cost per Man Hour per Undertaking

Variable cost per man hour can be computed by dividing the total cost incurred in an
undertaking divided by man hours for the same period. This can be compared with different periods
to verify whether there has been a significant increase/ decrease in the expense and iden�fy reasons
for the same.

• Penalty Costs to Total Cost

The internal auditor can es�mate the significance of penalty cost in rela�on to total cost
through this method. Any penalty/non–compliance must be viewed seriously by the internal auditor

• Interest Cost to Loans

Interest cost to loans provides a basis for the es�ma�on of the average cost of borrowed funds
in the en�ty. The internal auditor can es�mate the average cost of borrowing and compare them with
the exis�ng rate to verify whether the interest paid is significantly high.

FIXED ASSETS

For the BPO Industry, in general, the fixed assets such as, servers, computers, laptops, EPABX and
alike may be that of the en�ty’s or provided by the client. This is so, to prevent the� of confiden�al
informa�on of the client which may be subject to Intellectual Property Rights. It might also include
so�ware provided by the client on which the en�ty might be working or owned by the en�ty itself.

The internal auditor may also perform addi�onal analy�cal procedures over a period of �me and
compare them for ascertaining any inconsistency such as following:

• Total laptops and desktops to on-field employees

For employees providing on-site services, the internal auditor can verify the employees on-
site and the laptops provided to them (grade-wise). This would help the internal auditor to verify the
controls in laptops given to the employees.

• Total EPABX to number of on-field employees

Total EPABX to on-field employees provides a ra�o between the employees and the EPABX
installed. This would help the internal auditor to verify the control in laptops given to the employees.

• Asset u�liza�on ra�o

Asset u�liza�on ra�o is the ra�o of total revenue to the total assets. It helps the internal
auditor to assess the effec�veness of assets with respect to the revenue generated by the en�ty. The
greater the asset u�liza�on ra�o, the higher the efficiency of opera�ons of the en�ty.

If the internal auditor is required to perform fixed asset verifica�on procedures too as part of the scope
of his work, the auditor can refer to Guidance Note on Audit of Fixed Assets. Audit techniques which the
internal auditor can perform for verifica�on of assets include procedures such as, verifica�on of laptops
at the �me of logging on to the server/network monitored through a special so�ware, verifica�on of
so�ware licenses and validity, number of licenses against number of computer systems used for specific
purpose and so on.

RELATED PARTY TRANSACTIONS

Many BPOs have significant related party transac�ons. Certain BPOs are cap�ve service providers
which are incorporated to provide services to its holding company. Hence, sufficient controls should exist
within the organiza�on to ensure that all transac�ons with related par�es are iden�fiable and monitored.
These transac�ons could be in the nature of the service provided by the en�ty to its holding company or
in the nature of other transac�ons, not related to opera�ons that are transacted on a rou�ne basis like,
deputa�on of manpower, payment of dividends, reimbursing costs incurred on behalf of the holding
company, etc. The internal auditor is also required to verify the transfer pricing implica�ons faced by the
en�ty with regards to controls and processes in the en�ty to ensure proper es�ma�on of arm’s length
price.

Arm’s length price means a price which is applied or proposed to be applied in a transac�on
between persons other than associated enterprises, in uncontrolled condi�ons

DATA SECURITY

Data security is a major problem in a BPO industry. The various sources of danger to data can be
in the form of following:

(a) Natural Calamity

Fire, flood, earthquake, falling elephants can cause damage to hardware including server,
computers and other physical storage devices.

(b) The� of Data

Data the� is a growing problem primarily perpetrated by office workers with access to
technology such as, desktop computers and hand-held devices capable of storing digital
informa�on such as, flash drives, iPods and even digital cameras. Since employees o�en spend a
considerable amount of �me developing contacts and confiden�al and copyrighted informa�on
for the company they work for, they o�en feel they have some right to the informa�on and are
 inclined to copy and/or delete part of it when they leave the company, or misuse it while they are
s�ll in employment.

While most organiza�ons have implemented firewalls and intrusion detec�on systems very few take into
account the threat from the average employee that copies proprietary data for personal gain or use by
another company. A common scenario is where a sales person makes a copy of the contact database for
use in their next job. Typically, this is a clear viola�on of their terms of employment.

(c) System Crash

A system crash is a condi�on where a program (either an applica�on or part of the
opera�ng system) stops performing its expected func�on and also stops responding to other parts
of the system. O�en the offending program may simply appear to freeze. If this program is a cri�cal
part of the opera�ng system kernel the en�re computer may crash.

(d) Computer Fraud

Computer fraud covers a variety of ac�vity that is harmful to people. Computer fraud is
using the computer in some way to commit dishonesty by obtaining an advantage or causing loss
of something of value. This could take form in a number of ways, including program fraud, hacking,
e-mail hoaxes, auc�on and retail sales schemes, investment schemes and people claiming to be
experts on subject areas.

(e) System Bugs

A bug is the common term used to describe an error, flaw, mistake, failure, or fault in a
computer program or system that produces an incorrect or unexpected result, or causes it to
behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a
program's source code or its design, and a few are caused by compilers producing incorrect code.

(f) Power Failure, Accidental Dele�on/ Modifica�on

Power failure and accidental dele�on/ modifica�on of files is a common type of problem
faced by many small en��es due to lack of sufficient infrastructure and also training to the
employees.

(g) Hacking
Hacking could be in the form of:
 Passwords required to enter or change the PC's BIOS;
 Passwords required to enter a network;
 Passwords required to start the opera�ng system;
 Passwords required to enter major so�ware packages (e.g., payroll); or
 Encrypted (encoded) data files.

(h) Telecommunica�on Failure

Some�mes, the telecommunica�on network might fail which might result in freezing of
flow of data from and to the compu�ng system. During such �me, the en�ty might not be able to
perform its opera�ons.

(i) Virus Problem

A computer virus is a computer program that can copy itself and infect a computer. A
computer virus has two major classifica�ons. They have the ability to replicate itself, and the ability
to atach itself to another computer file. Every file or program that becomes infected can also act
as a virus itself, allowing it to spread to other files and computers.

(j) Unknown Risks

There might be threat to data due to other reasons not included above. The internal
auditor must keep an eye on these too to ensure complete data security.

The data of both the client and the en�ty needs protec�on. There might be severe penal�es
imposed by the client on account of fraudulent ac�vi�es by the en�ty. The work area would not be
reasonably accessible by an outsider without proper security check and prior authoriza�on to ensure
safety of data and to prevent the� thereto. Condi�ons such as, inhibi�on of use of mobile phones,
personal laptops, cameras, and pen–drives are enforced.

The internal auditor needs to verify the sufficiency of control of data. He should also obtain
explana�ons for any loss/ damage of data, if any during the repor�ng period apart from steps taken to
prevent them in the future. He should also verify whether the policies and procedures are put in place.

RISKS FACED BY A BPO INDUSTRY

The internal auditor should make a risk assessment of the en�ty under audit. This is extremely
important on account of preven�on of any noncompliance or undesirable event. Given below is a brief of
the different risks faced by the en�ty opera�ng in the BPO Industry. The internal auditor needs to verify
whether sufficient controls are available in the en�ty to detect such risks and prevent them from
happening in the light of overall business environment.

The risks faced by a BPO Industry are broadly classified as follows:

 Business risk
 Price risk
 Poli�cal risk
 Process risk
 Human capital risk
 Brand/ Reputa�on risk
 Systemic risk
 Accessibility risk, Business con�nuity, Security risks
 Technology risk

a. Business Risk
(i) A change in scope of services at the customer’s request.

(ii) A change in the legal environment that imposes new condi�ons, costs or restric�ons upon the
manner of providing the services, the means by which the services are delivered to the enterprise
customer or the right of the enterprise customer to purchase such services in its home country.

(iii)A change in the volume of the services being consumed, either to :

 Increase (requiring addi�onal hiring and perhaps a change in business process) or
 Decrease (resul�ng in sub-op�miza�on of dedicated resources or re-alloca�on of
resources across mul�ple enterprise customers without any decrease in SLA commitments).

(iv)An early termina�on that occurs before the service provider has earned out the sunken costs
of pursuing and capturing the contract opportunity and paid the unpaid start-up and transi�on costs.

(v) There is mergers and acquisi�on risk that an enterprise or a service provider might change
owners. Enterprise managers need to adapt the sizing and pricing of their outsourcing transac�ons to
include possible mergers, acquisi�ons, dives�tures and restructuring ac�vity within the term of the
outsourcing agreement. Service providers need to provide assurances that a change of control, such as in
a merger or restructuring, will not impair the compe��ve posi�on of the enterprise customers.
Accordingly, “M & A risk” should be iden�fied by both par�es in order to evaluate and nego�ate
appropriate contract provisions to manage and mi�gate the impact of major changes in ownership or
capital structure.

b. Price Risk
Pricing risks arise as soon as the par�es agree upon the service terms, condi�ons and pricing. For
the service provider, the “pricing risk” is that the benchmarking process or other price adjustment will
result in a loss or significant reduc�on in profitability and an inability to recapture the investment made in
capturing and transi�oning an enterprise customer to the outsourced business process pla�orm. The
service provider can never stand s�ll, though, since if it fails to make ongoing investments in process
improvement and cost containment, upon the expira�on of the contract, it will cease to be compe��ve
for new customers.
 The art of outsourcing includes iden�fying and providing commercially reasonable solu�ons for
both par�es. Commercial and financial transac�ons contain pricing risks at many levels. The design of
contracts to manage and mi�gate pricing risks is an art form. Mul�ple techniques are available, each with
its own limita�ons and addi�onal risks.

c. Poli�cal Risk
Poli�cal risk represents the degree to which social and governmental environments may change
in the future. This risk may manifest itself in events over which a government has no control – such as,
riots or new elec�ons. Other events may be caused by a government, such as, an embargo on imports or
exports, increases in tariffs, new prohibi�ons on transac�ons with specific countries.
Poli�cal risk may arise from ac�ons of the home government of the enterprise. In interna�onal
outsourcing transac�ons, poli�cal risks need special aten�on due to the long-term nature of the
rela�onship. There are a number of techniques that can mi�gate, but not eliminate, such risks. Moreover,
the en�ty is affected by outsourcing policies of the country for which the en�ty provides services. For
example, if outsourcing is not encouraged by a country by imposing addi�onal tax or cut of tax sops, then,
the Indian en��es providing services for clients in that country, may face a botleneck for expansion of
opera�ons.

d. Process Risk
“Process risk” refers to the possibility that the processes used to deliver a service might need to
change drama�cally during the term of a sourcing arrangement. This can be favorable or unfavorable.
Since processes will likely change, the par�es need to iden�fy the significant processes that form the basis
of the bargain and that, if impacted by a change, could jus�fy a renego�a�on, termina�on, repricing or
expansion or contrac�on of the scope of service.

Process risk denotes the risk that the processes adopted by the service provider will not fit the
needs of the enterprise customer. This risk is somewhat complex.

(a) There may be process risks during the transi�on period where the service provider was not
aware of important exis�ng processes that were underlying the general services in the
outsourcing agreement.

(b) Process risk may also arise due to changes, over �me, of the enterprise customer’s needs and
the “best prac�ces” in the relevant business process.

(c) Some processes may become illegal or subject to regula�on, while other processes may
become technologically outdated.

(d) The dura�on of the contract might be so long that the par�es do not clearly understand the
open nature of the commitments, promises and emerging needs of each other.

Process risk can be managed by appropriate due diligence, contract planning, nego�a�on,
transi�oning, integra�on management and rela�onship governance. Legal planning techniques can also
be used, par�cularly those rela�ng to termina�on for convenience and termina�on for failure to manage
the processes in an agreed fashion.

e. Human Capital Risk

Human capital risk arises from the risk that an enterprise’s investment in human resources might
lose value due to the departure of individuals or groups necessary to the future success of the enterprise.
Human capital has its greatest value at the level of senior management, but as execu�ves they can only
achieve the enterprise’s mission through others.
When choosing business models and solu�ons to the sourcing dilemma, execu�ves and managers need
to evaluate the human capital risk and develop plans for con�ngencies. Con�ngency planning should
include the possibility of morphing the current or future sourcing solu�ons into new models that involve
human capital. Thus, planning and implemen�ng outsourcing requires careful aten�on on human capital
management during and a�er the term of any outsourcing agreement.

f. Brand/Reputa�on Risk
 Enterprise viability depends on maintaining the goodwill of the enterprise brand. Damage to
reputa�on might never be recovered, or might only be recovered at great expense and distrac�on. Most
outsourced business processes are essen�al to the enterprise’s opera�ons. Par�cularly in customer
rela�onship management and help desk support services, outsourcers may directly “touch” the
enterprise’s customer without disclosing the existence of the outsourcing rela�onship. Reputa�onal risk
is especially significant in such customer-facing “front office” services. However, even non-voice
interac�ons with customers can have the same impact on an enterprise’s goodwill.
Brand risk management techniques include the use of scripts, supervision, random audits, ongoing training
and customer feedback. Legal issues in reputa�onal risk can arise where the customer wishes to terminate
a service provider, redirect its efforts or adjust the pricing to reflect a loss of goodwill.

g. Systemic Risk
Regulators and governments focus on the risks to the systems that support local and global
economies. A systemic risk affects all par�cipants in an economic sector or industry.

To some degree, outsourcing both increases and reduces systemic risk. Outsourcing permits
individual enterprises to share systemic risks by hiring service providers who understand and invest in risk-
controlling technologies, human capital and other resources. At the same �me, in concentrated industries
with a small number of service providers, such a concentra�on of process management in the hands of a
small number of service providers could pose systemic risks in the form of an�-trust or an�-compe��ve
conduct, the risk of massive losses due to a single loss incident affec�ng mul�ple enterprise customers
and the dependency of the service provider upon a favorable regulatory climate.

When planning any solu�on to the sourcing dilemma, execu�ves and managers need to
understand the nature of systemic risk and adopt appropriate risk planning strategies.

h. Accessibility Risk, Business Con�nuity, Security Risk

Supply chain management requires careful aten�on to the risks of loss of accessibility to the
service provider, loss of the service provider’s services and impairments to the security of confiden�al,
proprietary, trade secret, private and protected informa�on. Any one of these risks could prove fatal or
severely damage to the customer.
During the planning and implementa�on phases of outsourcing and business process management, these
risks need to be iden�fied, allocated, monitored and managed.

i. Technology Risk
Technology risk refers to the risk that an en�ty faces due to change in technology or obsolescence
of exis�ng technology. An en�ty opera�ng in the BPO Industry, in general, invests huge sums of money on
purchase of technology. In the event of change in technology, the investment made by the en�ty becomes
fu�le. Technology could be in the form of purchase/ crea�on of so�ware or hardware.

Maintenance of Books of Accounts and Documents

The internal auditor is required to verify the sufficiency of controls related to maintenance of
books of accounts by the en�ty. The internal auditor is also required to verify the controls for alloca�on of
costs between different project, different undertakings and for DTA and non-DTA are adequate and reliable
in the light of the business opera�ons.

Compliance with Regula�ons

The internal auditor is required to verify the compliance of these statutes and report thereon as
part of his internal audit. The internal auditor also needs to verify registra�on with various statutory
authori�es and renewal of the same as part of his internal audit procedures.