Federal Government Agencies: Get the Most Out of Shared Service Providers
A while ago, the Office of Management and Budget (OMB) issued Memorandum M-13-08, requiring federal government agencies to use shared service solutions for all accounting or mixed systems modernization efforts. This mandate, coupled with ongoing budget pressures, will further accelerate the need for your agency to evaluate its financial management system requirements against the capabilities and capacities of your shared service providers (SSP).
The goal of the requirement is to drive agency- and government-wide cost savings and operational efficiencies. A second goal is to ensure consistency and quality in shared services delivery to meet requirements of the U.S. Treasury, OMB, Financial Accounting Standards Advisory Board, and others. Your agency must utilize SSPs to the greatest extent possible, while the service providers need to think outside their traditional services and become more wide-ranging, flexible, and dynamic in their offerings.
It is important to understand that working with SSPs does not entirely transfer your agency’s responsibilities to the third party provider. The buck still stops with you. With this in mind, there are a number of measures your agency should consider to get the most from the SSP relationship.
Understand the controls, processes, and capabilities
Before buying into an SSP’s service, be sure to ask for a prior year Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report. This document provides a detailed description of the SSP's controls and an independent assessment of whether the controls are suitably designed, in place, and operating effectively.
Two types of reports are issued under SSAE 16. The Type I report examines the fairness of the SSP management’s description and the suitability of the provider’s control design. The Type II report covers the suitability of the design and the operating effectiveness of the controls. When you review the controls asserted by SSP management in the SSAE 16 report, make sure that the controls described and analyzed are the controls relevant to the services you will be utilizing.
Consider making the Type II report part of your contract with the SSP. Doing so will require the SSP to go through a more rigorous assessment of its controls. Type II may be required by your financial statement auditor if you plan to rely on those controls for your financial reporting.
Consider the SSAE 16 controls as part of a risk assessment
Whatever functional services you decide to outsource, it is critical to perform an end-to-end risk assessment of the new process. This ensures proper internal controls related to the transaction — initiation, authorization, approval, edit checks, post review, and analysis — are established and consistently performed so the resulting data is complete and accurate. This assessment must include your agency’s understanding and implementation of the user controls included in the SSAE 16 report. In addition, you should assess the impact of the SSAE 16 report findings to ensure that the integrity and accuracy of the data is not compromised.
Implement complementary user agency and oversight management controls
Once functional operations are turned over to an SSP, some agencies may become over-reliant on the SSP’s services. Be mindful that the ownership, completeness, integrity, and accuracy of the data resides with your agency. Complementary user controls and oversight procedures should be developed and implemented by agency staff members who are sufficiently competent to carry out those controls. Perform periodic analysis to ensure the data and services received are meeting your expectations.
Stay apprised of the current year SSAE 16 audit status
The SSAE 16 working group should have periodic audit meetings throughout the audit process, and your agency should stay apprised of the current year audit status. When an audit opinion is unfavorable, assess what other controls your agency has in place to address the control deficiencies reported by the SSAE 16 auditors to mitigate the control risks.
Effectively sharing information, maintaining constant communication, and providing timely solutions and service quality feedback to your SSP are all critical to the success of the SSP partnership. Taking an interest in what each party is trying to achieve — and approaching and solving problems together — goes a long way.