IT outsourcing: is it worth the risk?

• Author: Silva, Paulo R.
• Position: Reprint

The following article first appeared in the Kroll Global Fraud Report 2009/2010.

IT outsourcing has long been an accepted solution for companies to streamline processes, reduce costs, and provide flexibility to meet the changing demands of their operations. With the global economic crisis forcing business leaders to squeeze out additional operational efficiencies to survive, more outsourcing seems inevitable. The decision, however, on which functions to outsource is often made without a thorough assessment of the risks involved in determining what is to be outsourced, and to whom.

In January 2009, India's Satyam Computer Services, then the fourth largest outsourcing company in the world, shook the sector by admitting that it had systematically inflated revenue and profits for years. The corporation was eventually sold to another Indian firm, Tech Mahindra, to restore confidence in the market and ensure the continuity of its operations.

Satyam's fraud and lack of internal integrity should serve as a wake-up call for companies intending to use IT outsourcing services. The Satyam case presents a strong reminder that technology companies, including IT outsourcing ones, are vulnerable to the same common frauds--such as internal financial fraud, vendor or procurement fraud, and theft of physical assets--that can occur in any other business.

Moreover, even though IT outsourcing companies, as obvious targets, invest heavily to prevent cyber crime, they can also be victims of fraud typically related to the cyber world, such as information theft and intellectual property theft. Twenty-nine percent of IT, media, and telecommunications firms suffered from information theft in the last 3 years, and 16 percent from intellectual property theft, according to the 2009 Kroll Global Fraud Survey. The survey also shows that roughly one-fifth of sector companies feel themselves highly vulnerable in these areas.

In February 2008, the Bank of New York Mellon Corporation was a victim of breach of data under the responsibility of an outsourced company. Unencrypted backup tapes containing personal information of more than 12 million customers disappeared during transport to an offsite facility. Although no misuse of information from the tapes was identified, this incident caused large losses for the bank because it had to perform internal investigations and provide assistance for those who had personal information stored in the backup tapes. Such frauds frequently...