This article originally appeared on the BeyeNETWORK.
One of the growing trends in all industries, and not just telecommunications, is the outsourcing of software. Whether it is named software as a service (SaaS) or application service provider (ASP), these outsourcing models are offering appealing opportunities to help organizations. For telecommunication service providers, the applications being outsourced can span the gamut from back-office applications such as mediation, rating and billing to more client-facing applications such as call center and customer relationship applications. However, as with anything that claims to solve problems with minimal issues, there can be hidden issues with these outsourced models.
Rent to Own?
Both SaaS and ASP business models provide both large and small telecom service providers with the opportunity to solve issues. Large telecoms, like Verizon or AT&T, can relieve some of the burden on their stretched and overloaded IT departments with outsourced applications. This can take the form of lowering the implementation time frames and moving costs from the capital expenditure column to the operating expenditure column or by lowering the total cost of ownership (TCO) by eliminating the need to install a software client on multiple workstations.
Smaller telecommunication service providers, such as Helios or Amp’d Mobile, can utilize these models to concentrate on starting up their business and devote resources in other areas such as brand awareness and market penetration. A SaaS/ASP implementation can remove the need for capital expenditures for servers and licensed software packages. These models can also allow smaller firms to make a decision as to which application is best for them with “try and buy” scenarios.
However, when you outsource these applications and the associated data to a SaaS/ASP partner, how does this impact a telecommunication service provider’s ability to have control over its data for internal processes for regulatory compliance?
The internal controls associated with Sarbanes-Oxley are generally “flexible” concepts. The “rigid” part of internal controls is that you need to have them and you need to be able to follow them. In addition, the concept of relative risk to the organization, and its financial reporting, is considered the best place to start an audit when an external auditor or an internal risk compliance officer decides to examine/evaluate a particular internal control. For example, if a telecom organization has outsourced the management of PCs, the risk is relatively small (unless you have a significant number of the names, credit card numbers and social security numbers of your customers on a laptop…see TJX). This may not be the best area to start an audit or detail an internal control.
However, if you have outsourced the mediation and billing of your billable events (xDRs), which are core to the company’s revenues, the internal controls associated with that process are going to rise in importance. In this area, the monitoring of the operational process associated with the revenue stream and the efforts to establish and maintain internal controls associated with the financial reporting associated with the revenue stream should not be separated.
Ignorance is not Bliss!
When you cannot separate operation process from internal control, a telecommunication service provider must take seriously the definition of the process/internal control and their efforts to actively monitor those processes/internal controls. However, not all SaaS/ASP partners allow their customers access to the “in-process” data associated with the outsourced application. Some say that the information is proprietary and would compromise the competitive advantage of their outsourcing business. Others may not be mature enough in their own processes to make that data available to their customers because they do not have a suitable avenue to provide the data. Whatever the situation, not being able to access “your own” data will set off those risk “alarms” with both internal risk officers and with external compliance auditors.
The keys for telecommunication service providers are to have visibility not only into the data, but into what is happening with the data. This can be provided in many ways:
- Graphical user interfaces (GUIs) for “self-setting” or monitoring of business rules via the SaaS/ASP application
For example, being able to configure your own business rules without the assistance, or costs associated with, the SaaS/ASP vendor staff
- On-demand access to data at each stage of the SaaS/ASP application
For example, access to view/monitor/download data at each critical point associated with the process being outsourced via the SaaS/ASP vendor
A telecom’s business intelligence organization can help with these efforts by providing insight into the SaaS/ASP partner’s operations. This can be accomplished by setting up the infrastructure to monitor the outsource vendors, not just the performance of the SaaS/ASP applications. Regular and independent reporting on the SaaS/ASP vendor can be a way to “trust but verify” operations with vendors of these types.
The business intelligence organization can also establish business process management or business activity monitoring as a way to document and assure the internal controls associated with regulatory compliance are in place. This can save the overall telecom service provider organization in terms of both the internal risk associated with the outsourcing and the external cost associated with consultants and auditors whose job it is to vouch for the existence of and the quality of the internal control.
- MBA Observation – In keeping with this article’s discussion on SaaS/ASP, I found an interesting article on business intelligence trends in Information Week. This article talks about how 36% of survey respondents indicated that they would be interested in business intelligence as SaaS/ASP and how vendors are starting to look in that direction. I understand how vendors would find this appealing. However, I’m not sure if the risks associated with moving all the BI data “offsite” would make the experience worthwhile. However, Salesforce.com has made a LOT of revenue doing just that….
- Book of the Month – The Joy of SOX: Why Sarbanes-Oxley and Service-Oriented Architecture May Be the Best Thing That Ever Happened to You by Hugh Taylor is not a new book, but it does give a good understanding of how service-oriented architectures (SOAs) ca be used to achieve the level of internal controls over IT that Sarbanes-Oxley mandates.
John has more than 10 years of information technology and consulting experience in positions including business intelligence subject-matter expert, technical architect and systems integrator. Over the past eight years, he has gained a wealth of business and information technology consulting experience in the telecommunications industry. John specializes in business intelligence/data warehousing and systems integration solutions. John may be contacted by email at John.Myers@BlueBuffaloGroup.com.