ARTICLE IN PRESS

International Journal of Accounting

Information Systems 51 (2003) 1 – 18

F
Business risk perspectives on information

O
1
systems outsourcing 2

O
Somnath Bhattacharyaa,*, Ravi S. Beharab,1, David E. Gundersenc,2 3

PR
a
School of Accounting, Florida Atlantic University, John D. MacArthur Campus, 5353 Parkside Drive, 4
Jupiter, FL 33458, USA 5
b
Department of Information Technology and Operations Management, Florida Atlantic University, 6
John D. MacArthur Campus, 5353 Parkside Drive, Jupiter, FL 33458, USA 7
c
Department of Marketing, Management and International Business, Stephen A. Austin State University,
D
P.O. Box 9070, Nacogdoches, TX 75962, USA
8
9
10
TE
Received 30 April 2002; received in revised form 31 December 2002; accepted 31 December 2002 11
EC

Abstract 12

Information systems (IS) outsourcing research has continued to evolve over the past decade to 13
reflect changes in its practice and a deeper understanding of its business impact. Typically, the drivers
R

14
of outsourcing decisions are both internal and external to the outsourcing organization and have been 15
the basis for such studies. Since IS essentially represents an organization’s implementation of its
R

16
business processes, this paper approaches IS outsourcing by explicitly integrating issues related to 17
business process outsourcing. The resulting business risk management framework provides a basis for
O

18
effective IS outsourcing. The framework is further discussed within the context of outsourcing in e- 19
business. By adopting a risk management perspective, this paper provides a strategic direction to 20
C

further the field of IS outsourcing research. 21

D 2003 Published by Elsevier Science Inc. 22
N

Keywords: Business risk perspective; Information systems outsourcing; Four-S outsourcing model; Reengineer- 23
U

ing-outsourcing decision matrix 24

25

* Corresponding author. Tel.: +1-561-799-8713; fax: +1-561-799-8535.

E-mail addresses: sbhatt@fau.edu (S. Bhattacharya), rbehara@fau.edu (R.S. Behara), dgundersen@sfasu.edu
(D.E. Gundersen).
1
Tel.: +1-561-799-8513; fax: +1-561-799-8535.
2
Tel.: +1-936-468-1580; fax: +1-936-468-1600.

1467-0895/03/$ – see front matter D 2003 Published by Elsevier Science Inc.

doi:10.1016/S1467-0895(03)00004-6
 ARTICLE IN PRESS
2 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

1. Introduction 26

Lehman Brothers and Goldman Sachs expect business process outsourcing to grow to 27
$500 Billion by 2004 (Spagat, 2001). In a March 2001 report, Goldman Sachs called business 28
process outsourcing ‘‘the next big wave’’ in information technology services (Spagat, 2001). 29
Companies that focus on providing business process outsourcing services include the likes of 30

F
International Business Machines (IBM), Electronic Data Systems, Computer Sciences 31
Corporation, and a fledgling unit of PricewaterhouseCoopers, that is the smallest but fastest 32

O
growing of that firm’s six business lines3 (Spagat, 2001). The projected growth and ‘‘blue- 33
blood’’ corporate involvement in business process outsourcing, therefore, are indicative of the 34

O
high relevance of the issue in the current economic environment. 35
Despite the recent focus on business process outsourcing in the popular press, identifying 36

PR
the most compatible fit between Information Systems (IS) functions and organizational goals 37
has been a critical IS management issue since the mid-1980s (Brancheau and Wetherbe, 1987; 38
Dixon and John, 1989; Niederman et al., 1991; Watson and Brancheau, 1991; Brown and 39
Magill, 1994). Research interest in IS outsourcing as one of the elements in the larger quest
D 40
for IS and organizational alignment can be traced back to 1989. That year marked Kodak’s 41
landmark shifting of its responsibility for a significant portion of its IS to IBM and other 42
TE
vendors (Smith et al., 1998). Kodak’s new paradigm for IS and organizational alignment also 43
ushered in a body of research that continues to explore the organizational implications of the 44
outsourcing of erstwhile intraorganizational IS functions. 45
Prior studies on IS outsourcing have examined managers’ and investors’ perceptions of 46
EC

outsourcing, what companies typically choose to outsource, and what constitutes good 47
outsourcing practice (Smith et al., 1998; Arnett and Jones, 1994; Lacity and Hirschheim, 48
1993; McFarlan and Nolan, 1995). Some studies have analyzed specific IS outsourcing 49
R

cases (Cross, 1995; Huber, 1993), while others have used publicly available data, such as 50
IS outsourcing announcements in the Wall Street Journal or financial data from the Center 51
R

for Research in Securities Pricing (CRSP) and Compustat (Smith et al., 1998). Some work 52
has indicated that the IS outsourcing decision is motivated more by internal influence (or 53
O

imitative behavior) than by external influence (Loh and Venkatraman, 1992a,b), while 54
others have pointed to a mixture of internal and external influences (Saunders et al., 55
C

1997). 56
Prior research suggests several reasons for firms outsourcing their IS. These key drivers 57
N

include financial reasons such as reducing costs, generating cash, and replacing capital 58
outlays with periodic payments. Firms also outsource their IS in order to simplify their 59
U

management agenda and to renew focus on their core competencies in the organizational 60
value chain. Technical reasons for outsourcing, such as improving the quality of IS, gaining 61
access to new talent and technology, and the easy availability of vendors with expertise and 62
economies of scale have also been proposed. Political reasons for outsourcing include 63
dissatisfaction with the IS department, dissatisfaction with the chief information officer, 64

3
PWC Consulting is now a division of IBM.
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 3

viewing IS as a support function, pressure from vendors, and a desire to follow trends that 65
have received wide acclaim in trade journals and in the popular press (Smith et al., 1998). To 66
a large extent, IS outsourcing appears to owe its popularity to the trend of telecommunica- 67
tions management becoming an IS responsibility, and both computer and telecommunications 68
operations becoming widely regarded as utility functions. From this utilitarian perspective, IS 69
outsourcing is seen to offer unique conveniences to user organizations with regard to software 70

F
currency, hardware obsolescence, computer capacity utilization, etc. Hence, the economies of 71
scale and connectivity benefits of these utility functions have become dominant concerns for 72

O
organizations (Cash et al., 1988; Dixon and John, 1989; McNurlin and Sprague, 1989; Loh, 73
1993, 1994; Teng et al., 1995). 74

O
Third party participation in a company’s business also appears to have evolved from 75
providing auxiliary services outside core business functions to ‘‘mission critical’’ activities. 76

PR
For instance, smaller organizations traditionally used outsourcing when the costs of systems 77
were prohibitive and suppliers were available. Similarly, larger firms made outsourcing 78
decisions when well-understood labor-intensive back-office support applications were more 79
cost effectively managed by third-party providers (Zahler, 1992). Beginning in the early
D 80
1990s, however, precedence was established for outsourcing strategic IS applications. At that 81
time, forecasts suggested that most Fortune 500 companies would outsource at least some of 82
TE
their core needs to third-party providers by the turn of the century (Lacity and Hirschheim, 83
1993). 84
As corporate structures have decomposed and as the IS outsourcing phenomenon has 85
accelerated, the loss of control of the IS function to external parties has become the focal
EC

86
point of discussion (Behara et al., 1995). Today, larger corporations are outsourcing a wider 87
variety of components and services and increasingly relying on smaller firms to supply 88
them. More attention is also being devoted to organizational structure issues and especially 89
R

to structures that enhance innovation (Conklin and Tapp, 2000). In keeping with these 90
trends, this paper departs from prior IS outsourcing research in a significant manner. It 91
R

moves the focus from the mere sourcing of technologies to the sourcing of business 92
processes. The next section of the paper proposes three managerial frameworks for IS 93
O

outsourcing. The section following the managerial frameworks addresses IS outsourcing 94

from both generalized business risk management and specific e-business risk management 95
C

perspectives. The concluding section of the paper presents a business-risk-oriented research 96

framework for the examination and understanding of organizational adoption and use of IS 97
N

outsourcing. 98
U

2. Managerial models of IS outsourcing 99

Prior literature suggests three models that can be used to understand managerial 100
motivations for IS outsourcing. These models are (1) the antecedent firm characteristics of 101
IS outsourcing proposed by Smith et al. (1998); (2) the Four-S Outsourcing Model (Zucchini, 102
1992); and (3) the Reengineering-Outsourcing Decision Matrix (Behara et al., 1995). We 103
discuss each in turn. 104
 ARTICLE IN PRESS
4 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

2.1. The antecedent firm characteristics for IS outsourcing 106

105

Smith et al. (1998) investigate outsourcing firms’ financial characteristics and explicitly 107
classify firm-specific drivers of IS outsourcing into five categories: (1) cost reduction; (2) 108
focus on core competence; (3) liquidity needs; (4) IS capability factors; and (5) environmental 109
factors. We discuss these below. 110

F
Cost reduction and control are often offered as internal reasons for outsourcing IS (Smith et 111
al., 1998; Alpar and Saharia, 1995; Arnett and Jones, 1994; Lacity et al., 1994; Loh, 1994; 112

O
Loh and Venkatraman, 1992a,b; McFarlan and Nolan, 1995; Palvia, 1995). It is commonly 113
believed that an outside vendor can provide the same level of service at a lower cost than the 114

O
internal IS department (Weaver et al., 2000; Bhattacharya et al., in press). The rationale is that 115
the vendor has better economies of scale, tighter control over fringe benefits, better access to 116

PR
lower cost labor pools, and more focused expertise in managing IS. 117
Companies may also outsource their IS to streamline the management agenda and focus on 118
the firm’s core business (Cross, 1995; Lacity et al., 1994; McFarlan and Nolan, 1995; Palvia, 119
1995; Slaughter and Ang, 1996). Senior executives often consider the IS function a
D 120
commodity service best managed by a large supplier. Using a value chain analysis, this 121
eliminates/outsources activities that do not provide primary value to the organization. If 122
TE
managers do not see a strategic role for IS then IS outsourcing is often viewed as a means of 123
conserving managerial effort and focusing on areas with greater strategic potential. Also, 124
firms can outsource a significant portion of the IS infrastructure and still retain aspects such as 125
critical applications development that are viewed as strategic (Weaver et al., 2000). 126
EC

Companies often outsource IS to generate cash and enhance liquidity (Lacity et al., 1994; 127
McFarlan and Nolan, 1995). Many IS outsourcing agreements involve an introductory cash 128
payment by the vendor for the tangible and intangible IT assets of the client (Smith et al., 129
R

1998). The vendor then uses this infrastructure and may also hire the IS staff of the client to 130
provide contract services to the client and others. This initial payment is particularly attractive 131
R

to firms burdened with short-term liabilities and high debt. For firms considering divestitures, 132
outsourcing can liquidate an asset that is unlikely to be recognized in the deal (McFarlan and 133
O

Nolan, 1995). On the other hand, firms considering acquisitions often see outsourcing as a 134
means of generating capital to partially fund the acquisition (Smith et al., 1998). 135
C

IS capability factors also motivate outsourcing (Smith et al., 1998; Arnett and Jones, 1994; 136
Lacity et al., 1994; Loh and Venkatraman, 1992a,b; McFarlan and Nolan, 1995; Palvia, 1995; 137
N

Slaughter and Ang, 1996; Teng et al., 1995). Rapid technological advances may leave firms’ 138
IS departments lacking in current technical expertise and equipment. Outsourcing can also be 139
U

used to create or retool an IS infrastructure without substantial capital investments. 140

Sometimes outsourcing follows the failure of a major system or a breakdown in IS 141
performance, resulting in financial losses for the company. Smith et al. (1998) cite the cases 142
of Massachusetts Blue Cross and Blue Shield, who decided to outsource their IT after the 143
failure of major systems development projects and severe financial losses. Smith et al. (1998) 144
cite internal politics, dissatisfaction with the IS department, lack of trust in the CIO, and 145
inadequate service from the IS department as a few of the other reasons for firms outsourcing 146
their IS. 147
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 5

Finally, environmental factors’ roles in the outsourcing decision (Hu et al., 1997; Lacity 148
and Hirschheim, 1993; Loh and Venkatraman, 1992a,b; McFarlan and Nolan, 1995) include 149
factors that are not specific to the firm, but exist in its industry or in the economy at the time 150
of outsourcing. For instance, the decision to outsource IS may be driven by imitative behavior 151
among firms (Lacity et al., 1994; Venkatraman et al., 1994; McFarlan and Nolan, 1995) or by 152
a mix of external media, vendor pressure, and internal communications at a personal level 153

F
among managers. After the Kodak outsourcing decision, for example, many large firms began 154
to view IS outsourcing as a viable alternative (Smith et al., 1998). The availability of qualified 155

O
vendors willing to provide the service at a reasonable price, pressure from vendors, positive 156
stock market reaction to the phenomenon (Loh and Venkatraman, 1992a,b), and extensive 157

O
coverage in the popular press are other factors that also influence the decision. 158
159

PR
2.2. The Four-S Outsourcing Model 160

The Four-S Outsourcing Model by Zucchini (1992) provides a second framework to help 161
guide a firm’s outsourcing decision in a managerial context. The model (see Fig. 1) is
D 162
comprised of four quadrants, varied along two dimensions where one addresses the 163
organization’s objective in making the decision (Economics/Expertise) and the other indicates 164
TE
the utility of the decision (Functional/Dysfunctional). The resulting quadrants represent 165
application types and are identified as Scale, Specialty, Sale, and Surrender. 166
The scale factor comes into play when an IS outsourcer is able to provide the same service at 167
a cost that is lower than the outsourcing company could achieve through in-house operations.
EC

168
Outsourcing decisions based on scale are usually viewed as a rational decision. According to 169
this model, sound outsourcing decisions are also made when the rationale for decision making is 170
based on taking advantage of the outsourcer’s specialized technological or operational expertise 171
R

(Weaver et al., 2000). In addition, firms also outsource certain specializations in order to be able 172
to concentrate on higher value-added areas of specialization. Both scale and specialization are 173
R

therefore considered to be functional decisions. On the other hand, the model considers the sale 174
of IS resources in order to achieve either short-term earnings or balance sheet improvements to 175
O

be a dysfunctional approach to outsourcing. While exceptions to this dysfunctional viewpoint 176

C
N
U

Fig. 1. The Four-S Outsourcing Model (Zucchini, 1992).

 ARTICLE IN PRESS
6 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

may be made when the revenues generated by such sales are reinvested in the core business in 177
accordance with strategic initiative, the sale of IS resources generally results in the loss of 178
valuable human resources and the associated knowledge base and organizational memory. 179
While outsourcers may initially maintain personnel whose skills have been outsourced within 180
the organization, such personnel are soon reassigned to other projects once the outsourcing 181
engagement takes effect. Similarly, the outsourcing decision that is solely motivated by the 182

F
difficulties of managing the IS function is also dysfunctional. A rapidly advancing technolo- 183
gical environment often forces organizations to consider outsourcing whereby they effectively 184

O
surrender control of the IS function to external suppliers. However, such surrenders are usually 185
motivated by short-term considerations where the organization providing the outsourced 186

O
services does not have any incentive to become a ‘‘partner’’ in the business process. This 187
leads to the surrender of mission-critical IS functions to external parties. Furthermore, the 188

PR
recovery of such critical IS functions once surrendered to outside providers often proves far 189
more difficult once the in-house expertise has left the organization (Weaver et al., 2000). While 190
the model’s dimensions are not absolute and must be considered in the context of specific 191
organizational situations, the model does provide an initial structure for understanding the
D 192
motivations behind outsourcing decisions and their business consequences. 193
194
TE
2.3. The Reengineering-Outsourcing Decision Matrix 195

The Reengineering-Outsourcing Decision Matrix (Behara et al., 1995) provides a third 196
framework when considering the outsourcing decision within a business process engineering 197
EC

environment (see Fig. 2). Reengineering is broadly defined here as IS-based process redesign, 198
and includes the myriad of issues related to the design and implementation of change along 199
the technological, human, and organizational dimensions. The model addresses the out- 200
R

sourcing decision within this context by developing a framework based on the nature of IS 201
applications and the organizational areas in which they exist. Dispersion or the organizational 202
R

footprint is used to represent the organizational areas in which IS are implemented, while the 203
extent of innovativeness of the applications is used to reflect the nature of IS applications. 204
O
C
N
U

Fig. 2. The Reengineering-Outsourcing Decision Matrix (Behara et al., 1995, pp. 46 – 51).
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 7

Cross-functional IS applications are becoming the norm with an increased focus on 205
business processes at an enterprise level. Implementing such application requires a greater 206
amount of coordination and cooperation between participating groups within the firm. When 207
dealing with innovative IS applications, there is an added challenge related to the emerging 208
and dynamic nature of the application itself. This compounds the need for effective 209
integration of the various business processes and IS parties involved. Under these circum- 210

F
stances, it may be appropriate to in-source or keep the IS application in-house. This is 211
exemplified by the implementation of Enterprise Systems solutions in organizations. 212

O
However, when dealing with established IS applications, outsourcing may be an appropriate 213
option due to the reduced uncertainty that is experienced when dealing with a known 214

O
application. The tentative approach by some companies to outsource Enterprise Systems 215
through Application Service Providers (ASPs) is an example. When IS applications are 216

PR
limited to specific business functions, outsourcing-established applications is most suitable as 217
it represent the most sustainable approach. However, the ability of the outsourcers to deliver 218
innovative solutions in narrow functional areas should be carefully evaluated before the 219
outsourcing decision is made. D 220
The Reengineering-Outsourcing Decision Matrix model is essentially an early effort to 221
address the risk associated specifically with innovation and cross-functional process change 222
TE
when making the outsourcing decision. These and other outsourcing risks have traditionally 223
been managed through service contracts. Safeguards against poor performance, schedule, and 224
cost controls have been central to such contracts. 225
Some have suggested that with the advent of e-commerce, the old IS outsourcing rules may
EC

226
no longer be applicable. For instance, contracts under the e-commerce paradigm require a 227
shorter time horizon with increased flexibility with an uptime focus (Booker, 2000). Planning 228
horizons for e-commerce firms also have shorter time durations where even three-year 229
R

contractual relationships lose practicality. However, it is this paper’s premise that IS 230
outsourcing under e-commerce continues to subscribe to broader business process redesign 231
R

principles. Therefore, in that sense, business process models of IS outsourcing—especially 232

models that include a business risk perspective on such outsourcing—are just as applicable to 233
O

the new models of e-commerce-oriented IS outsourcing as they are to non-e-commerce- 234

related applications. 235
C
N

3. Managing business risk 236

U

Since this paper adopts a risk-theoretic perspective of IS outsourcing, we define risk as the 237
possibility of an unsatisfactory outcome. Operationalizing this definition leads to a fun- 238
damental concept in the management of risk called risk exposure (RE), which is the product 239
of the probability of an uncertain outcome P(UO) and the loss to the affected parties if the 240
outcome is unsatisfactory L(UO) (Boehm, 1991). 241

243
242
RE ¼ PðUOÞ  LðUOÞ
 ARTICLE IN PRESS
8 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

In simpler terms, when we consider risk, we should consider both the probability of 244
an event and the economic impact of that event. While risk is typically perceived as a 245
threat to success, a downside-risk perspective that focuses only on the negative impact of 246
events is an incomplete one. This is because risk also bears an upside-potential that 247
reflects the positive impact of events (Chapman and Ward, 1995). And while the 248
management of downside-risk focuses on the reduction of threats, the management of 249

F
upside-potential involves the exploitation (or failure thereof) of opportunities and 250
favorable possibilities. 251

O
252
3.1. Stages of risk management 253

O
The typical stages of the risk management process are risk identification, risk quantifica- 254

PR
tion, risk response development, and risk response control (PMBOK, 2000). In IS out- 255
sourcing, the focus has typically been on trying to minimize the downside-risk of moving IS 256
activity outside the organization. However, with the pace of business and technological 257
change, a different approach has also become necessary. Dealing with both downside-risk and
D 258
the upside-potential of outsourcing are now business realities. 259
The risk exposure of a given organizational characteristic may be defined as the product of 260
TE
the probability of an uncertain outcome due to that characteristic and the economic impact of 261
that outcome. The characteristics of interest in the context of this paper are IS capabilities 262
related to their design, development, implementation, and operation. For instance, a capability 263
may be the ability to develop and manage a company web site. This should be outsourced 264
EC

when the risk exposure of a supplier’s capability to deliver these services is lower than or the 265
same as that of the buying company. Fig. 3 graphically depicts the relationship between risk 266
exposure of suppliers and buying companies. 267
R

In Fig. 3, when the risk exposure of supplier capabilities is low and that of the buying 268
company is high (quadrant 1), then outsourcing the relevant IS is an effective solution. 269
R

Outsourcing is also a valid option when both the supplier and buying company have a low 270
O
C
N
U

Fig. 3. The risk exposure matrix.

 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 9

risk exposure of their capabilities, although in that particular scenario, the contracting 271
company is likely to be indifferent between the outsourcing and insourcing choices (quadrant 272
2). Similarly, when the risk exposure of the buying company is low and that of the supplier is 273
high, or higher than that of the buying company, insourcing by the company is the better 274
solution. In some situations, both the company and its suppliers have a high risk exposure of 275
their capabilities. These are typical of emerging technologies and immature business 276

F
processes. In such situations, it may be appropriate for the company to develop the 277
capabilities in-house, support suppliers to develop the capabilities, or develop capabilities 278

O
through an alliance that shares the developmental risk.4 In any case, as the technology and/or 279
business process matures and there is a corresponding reduction in their risk exposure, the 280

O
company may decide to insource or outsource. This migration in sourcing decisions is 281
indicated by the arrows in Fig. 3. 282

PR
In most cases of developing technologies, as in e-commerce, the risk exposure of the 283
supplier is not an ‘‘absolute’’ low. It is only lower than the risk exposure of the outsourcing 284
company. This is a significant issue in that there is pressure to outsource, but the company is 285
not entirely (and rightly so) comfortable with the suppliers’ capabilities. Hence, this
D 286
outsourcing relationship must be managed from a risk management perspective. 287
288
TE
3.2. Outsourcing and e-business 289

The extent and pace of change in technology place a significant burden on organizations 290
trying to implement technological solutions to improve competitiveness. While initial
EC

291
motivation to outsource was either simply cost- or capability-based, today, the focus is on 292
managing technological change. In addition, smaller firms that are now able to utilize the 293
Internet either cannot or do not want to focus on technology but instead concentrate on their 294
R

core competencies. This focus on core competencies has led to the need for IS services with 295
increased scope and services that are Internet based, leading to the evolution of the Internet- 296
R

based service-outsourcing industry. With e-business dependence on such critical information 297
services, outsourcing has gone from being necessary for competitive purposes to sometimes 298
O

determining a firm’s right to exist. 299

E-business IS applications and the required IS infrastructure are complex. This complexity 300
C

leads to many challenges. Business growth requires firms to have the ability to deal with 301
rapidly growing online traffic and surges in demand. The need to scale rapidly is crucial to 302
N

managing growth without service interruptions and outages related to inadequate IS 303
infrastructure growth. Also, the very nature of running a business on a public network raises 304
U

security issues. Recent ‘‘denial of service’’5 incidents (see Table 1 for instances of such 305

4
Microsoft, Intel, IBM, and other large IT corporations often fund start-up incubators whose technology, upon
becoming viable, is subsequently absorbed into the parent company.
5
While many different versions of such attacks exist, in general, they attack communication ports and memory
buffers of targeted sites and prevent the sites from receiving legitimate messages and from servicing legitimate
requests for connections.
 ARTICLE IN PRESS
10 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

Table 1 t1.1
Denial of service attacks in February 2000 (adopted from Applegate et al., p. 226) t1.2
Date Target company Nature and effect of attacks t1.3
February 7 Yahoo . Spike in traffic lasted three hours t1.4
. Network availability dropped from 98% to 0% t1.5
. Attack originated from 50 different locations and was timed to occur
during the middle of the business day t1.6

F
. Stock was down 3.2% for the week in which NASDAQ rose almost 3% t1.7
February 8 Buy.com . Attack occurred within an hour of the company’s IPO t1.8

O
. Stock was down at week’s end more than 20% from IPO price t1.9
February 8 Ebay . Stock was down 7.3% for week in which NASDAQ rose almost 3% t1.10

O
February 8 CNN.com . Service interrupted t1.11
February 9 E*Trade . Attacked during peak trading hours t1.12
. Stock was down 7.6% for week in which NASDAQ rose almost 3% t1.13

PR
February 9 ZDNet . Service interrupted t1.14
February 18 FBI . Website shutdown t1.15
February 24 National Discount . Attacked during peak trading hours t1.16
Brokers Group . Operators accidentally crashed site as they attempted to defend against
the attack t1.17
D
TE
attacks) are a reminder of the need to protect against such vulnerability. These and other key 306
drivers of outsourcing in e-business include: 307
EC

 speed: business solutions are needed in days/weeks as opposed to months/years; 308

 focus: the need to focus on core competencies is a growing challenge demanding more 309
attention of time-constrained executives; 310
R

 flexibility: there is an increasing need for advanced business capabilities ‘‘on tap’’; 311
 scalability: business solutions should have the capacity to expand effectively to meet 312
R

demand growth; 313

 security: data and identity security; 314
O

 cost: total cost of ownership and shorter time-to-benefit; and 315

 manage change: the need to effectively manage technology change. 316
C

317
The last driver listed above—the need to manage technology change—is central to the 318
N

issue of managing risk. E-business is critically dependent on rapidly evolving technology. As 319
technology evolves, the business capabilities that can be delivered to customers are also 320
U

enhanced. In this situation, it is essential for a firm and its outsourcers to have the ability to 321
manage this change effectively. The ability to bring appropriate new technologies on stream 322
and integrate them with existing capabilities with least disruption to business continuance is 323
of utmost importance. 324
The ability to manage the IS ‘‘nervous system’’ of an e-business is fundamental to its 325
existence. The failure to deliver on any or all of the criteria discussed above could lead to 326
decreased financial performance, damaged reputation, and productivity loss. These are the 327
downside-risks of ineffective IS management. 328
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 11

F
O
O
Fig. 4. Types of infrastructure outsourcing.

PR
Outsourcing addresses the issues facing e-businesses discussed above and acts as a 329
business enabler. Outsourcers in the e-business domain can be broadly classified according 330
to their areas of expertise as infrastructure outsourcers and application outsourcers. Infra- 331
structure outsourcers provide hardware, infrastructure integration, network services, security,
D 332
system operations, and support services. These types of outsourcers have been evolving, and 333
three distinct types are identified in Fig. 4.
TE
334
In Fig. 4, the main exception to the services provided by infrastructure outsourcers is the 335
application. E-business firms that use these types of outsourcers provide their own business 336
applications. Application outsourcers, the other category of outsourcers, however, also 337
EC

provide applications to the buying firm. Again, among them, we identify three distinct types 338
of application outsourcers as seen in Fig. 5. 339
The efforts of outsourcing providers to manage client business risk can be clearly seen in 340
the evolution of infrastructure and application outsourcing models. The IS/networking
R

341
infrastructure outsourcers have progressively moved to provide a single centralized integrated 342
solution that eliminates the interface risks of managing separate subcontractors. The
R

343
O
C
N
U

Fig. 5. Types of application outsourcing.

 ARTICLE IN PRESS
12 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

application outsourcers recognize that the clients are not just outsourcing technology but their 344
business processes. Applications are only a tool to execute business processes. Therefore, in 345
order to mitigate the risk of business processes being carried out outside the client firms, 346
outsourcers have begun to provide business process expertise to support successful out- 347
sourcing. These two trends can be viewed as the initial phase of a truly value-added 348
outsourcing that goes beyond the realms of technology. As such, they represent the 349

F
beginnings of a networked business environment. 350

O
4. A framework for business risk management in IS outsourcing 351

O
Since accounting information systems are the foundation of information processes of most 352

PR
organizations (McCarthy, 1982), risk management in IS outsourcing naturally defaults to the 353
accounting domain. Therefore, the accountant has to contend with issues that are of particular 354
concern to his/her unique role in the organization. Fig. 6 presents the components that 355
constitute a business risk profile of IS outsourcing. D 356
357
4.1. Service-level agreements (SLAs) 358
TE
The components of Fig. 6 require the IS outsourcing firm to engage in a risk response 359
development effort. Such response often takes the shape of an SLA being contracted 360
EC
R
R
O
C
N
U

Fig. 6. Business risk profile of IS outsourcing.

 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 13

between the outsourcing firm and its vendor(s). In general, the SLA is a contract 361
between two parties that specifies performance and quality metrics of an infrastructure/ 362
application service offering and the consequences of what happens when those metrics 363
are not met. 364
The SLA issues provide an example of related outsourcing risk management needs 365
(Torode, 2000) that are best handled by accountants. For example, ASPs’ customers are 366

F
increasingly demanding guarantees for service levels with respect to network and application 367
availability, reliability, and scalability. This is especially true of clients who place mission- 368

O
critical data and processes in the hands of their ASPs. Contracting firms are also beginning to 369
go a step further by requiring their ASPs’ hardware and software vendors to be held 370

O
accountable. Of late accounting has also become somewhat synonymous with Enterprise 371
Systems (Scott, 2001), and it has become the uniform platform for a variety of services that 372

PR
range from online bill payment to presentments. Given that the Big-4 accounting firms until 373
recently provided the lion’s share of Enterprise Systems and ASP implementations around the 374
world, the recognition and measurement of the shared risk element has grown to be a critical 375
element of IS outsourcing relationships. Therefore, the manner in which IS outsourcing
D 376
partners define the boundaries of acceptable risk within this relationship is a rich avenue for 377
future studies. Such studies may range from charting the growing complexity of the SLAs 378
TE
themselves to generating performance measurement metrics that in turn make the SLAs more 379
comprehensive and enforceable. These issues, although similar to financial project manage- 380
ment metrics like return on investment (ROI), net present value (NPV), residual income (RI), 381
etc., require the accountant to enter into a more uncertain domain of decision making. This
EC

382
new domain, being devoid of precedence, official guidance, and pronouncements, provides a 383
rich area for financial project management and performance metric development and 384
evaluation. 385
R

386
4.2. Measuring financial relationships 387
R

The accountant is also best equipped when it comes to the central concern of the nature of 388
O

financial relationships between IS-outsourcing companies and their outsourcing vendors (see 389
Fig. 7). In Fig. 7, incentives for successful innovation must be offered to each member of the 390
C

alliance and it is in the interest of all members that each member feels appropriately 391
compensated for innovative efforts on their parts. One area for further research is to determine 392
N

how the success of a particular member should be evaluated in the context of group success. 393
Research could also be conducted into the development and use of derivative-like instruments 394
U

to link compensation at one moment in time to outcomes that will occur later and most likely 395
stream over a period of time. 396
397
4.3. Assurance and attestation functions 398

In Fig. 6, components 2, 3, 5, and 7 represent the need for assurance regarding the 399
processes involved in the outsourced information services. Similarly, components 1, 4, 5, and 400
6 involve periodic attestation functions that also require accounting involvement (see Fig. 8). 401
 ARTICLE IN PRESS
14 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

F
O
O
PR
D
TE
EC
R
R

Fig. 7. Measuring financial relationships among IS outsourcing partners (Greenstein and Vasarhelyi, p. 101).
O

While traditionally attestation and assurance functions always defaulted to the accounting 402
C

domain, new questions that need to be answered include: 403

N

 How is data to be electronically collected and transmitted? 404

 From which party did the data originate? 405
U

 What party authentication techniques should be employed? 406

 How should the data be processed and protected once it enters either system? 407
408
For these questions to be answered in real or near-real time, firms will have to investigate 409
continuous process auditing techniques that would allow the auditor to specify the criteria for 410
transaction selection and performance tests. For this to occur, auditors would need to be 411
integrally involved in the IS outsourcing agreements. Investigating the nature of such auditor 412
involvement in IS outsourcing agreements also provides a rich area of future study. 413
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 15

F
O
O
PR
D
TE

Fig. 8. The need for assurance and attestation functions (Greenstein and Vasarhelyi, p. 107).
EC

4.4. Third-party assurance 414

415
R

Accounting involvement in the provision and evaluation of third-party assurance measures 416
in e-commerce is already a reality. While both the AICPA and other bodies have begun to 417
R

provide third-party assurance regarding transaction security, data security, privacy, business 418
policies, and transaction processing integrity in both business to business (B2B) and business- 419
O

to-consumers (B2C) e-commerce platforms, such seals are also beginning to find use for 420
outsourcing partner choice and verification issues as well. Future research will have to 421
C

investigate issues such as: 422

N

 need for third-party assurance; 423

 choice of third-party assurance; 424
U

 CPA’s competitive advantage over other providers in delivering such assurance; and 425
 legal liability associated with the provision of such assurance. 426
427
The evaluation and attestation of outsourcing partners requires a significant expansion of 428
the accountant’s role in the organization. This is because each firm must decide which alliance 429
to join, and whether it should join more than one. The decision to join is similar to an 430
investment decision in the sense that there will be a commitment of resources to make sure that 431
the new organizational structure is a success. Similarly, an important set of issues concern the 432
 ARTICLE IN PRESS
16 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

criteria and terms and conditions for leaving a particular alliance, or for dismissing a member 433
from a particular alliance. Additionally, the degree to which a partnership should devote 434
resources to itself is crucial for the success of each member of the group. A company’s 435
evaluation of an alliance’s creativity may affect its decision to join one group or another. 436
Conversely, members of an alliance must make decisions about who to accept into the alliance. 437
438

F
4.5. Maximizing value across organizations 439

O
The accountant’s skill set also becomes imperative in the context of allocating global 440
mandates and evaluating the success of profit centers across outsourcing alliances. For 441

O
example, corporate managers often use the economic value-added (EVA) measure to integrate 442
financial planning, capital budgeting, performance measurement, compensation levels, and 443

PR
goal setting within corporations. EVA permits managers to concentrate on generating 444
incremental earnings above capital costs, thereby creating economic profits for a particular 445
firm. However, while the concept of EVA has been developed for use in a single corporate 446
structure, it is important to ask whether evaluation systems such as the EVA can be applied to
D 447
the network of IS-outsourcing firms and their suppliers. The interfirm network, therefore, 448
introduces a second objective related to the maximization of shareholder value within each 449
TE
firm: It requires the accountant to devise some way to include all alliance shareholders to the 450
organization’s group of shareholders as a focus of value maximization. 451
EC

5. Conclusion 452

The magnitude and duration of outsourcing contracts are an indication of the fundamental 453
R

and permanent changes that are beginning to take place in business process outsourcing. The 454
continued growth of business process outsourcing contractors is largely dependent on their 455
R

ability to effectively manage the managerial and business risk of the outsourcing effort. This 456
paper presents an initial framework to understand the risk associated with the capabilities of 457
O

firms and their outsourcers. 458

From the perspective of accounting information systems researchers, the outsourcing of 459
C

IS functions must be reconciled with the outsourcing of business processes. This is 460
because in the final reckoning, business process effectiveness is usually the ultimate 461
N

determinant of IS outsourcing success. A framework for such reconciliation has been 462
proposed here. Our framework extends existing IS outsourcing models by addressing the 463
U

emerging reality of business process outsourcing and risk management to such models. 464
These extensions include issues such as the need for SLAs that guarantee service levels 465
regarding network and application availability, reliability, and scalability. SLAs must also 466
include performance measurement metrics that stretch beyond a single corporate perspect- 467
ive to one that includes a network of organizations. Since financial compensation and 468
relationships are closely tied to performance measures among outsourcers and vendors, 469
there is also the need for derivative-like instruments that measure single-firm success in 470
the context of group success. 471
 ARTICLE IN PRESS
S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18 17

Business process outsourcing also opens up new opportunities for assurance and attestation 472
functions. Hence, project risk assessments, the need for timely incidence and internal audit 473
reports, and the need for operational risk assessments provide new opportunities over 474
auditors’ traditional assurance tasks. In the same vein, the demand for fraud reports and 475
legal opinions also add to the traditional mandate of external audit reports for accountants. 476
These new attestation and assurance functions raise issues regarding the veracity of electronic 477

F
data collection and transmission, party origination and authentication, data encryption, and 478
timeliness of processing that, while closely allied to traditional accounting and audit 479

O
functions, are devoid of official pronouncements and guidance, and hence require significant 480
risk exposure on the part of accountants as well. Some of these risk exposures are already 481

O
being debated in the form of questions regarding the efficacy, acceptance, and usefulness of 482
the AICPA’s WebTrust and Systrust initiatives, and its recent focus on ‘‘new commerce.’’ 483

PR
In this paper we have argued the need for the accounting profession to continue to evolve 484
from being attestors of historical and single-firm financial statements to becoming value-added 485
service providers in an increasingly networked world. Business process outsourcing among 486
partner firms may appear to be just IS outsourcing arrangements at first glance but in reality
D 487
represents a global phenomenon whereby organizations today are defined more by the nexus of 488
their partners than by their individual performance alone. We consider that these new 489
TE
dimensions of potential accounting involvement enrich the IS and business process outsourcing 490
debate and provide a fertile area of future research for accounting and IS scholars alike. 491
EC

References 492

Alpar P, Saharia AN. Outsourcing information system functions: an organization economics perspective. J Organ 493
Comput 1995;5(3):197 – 217. 494
R

Applegate LM, Austin RD, McFarlan FW. Creating business advantage in the information age. McGrawHill- 495
Irwin. 496
R

Arnett KP, Jones MC. Firms that choose outsourcing: a profile. Inf Manage 1994;26(4):179 – 88 [April]. 497
Behara RS, Gundersen DE, Capozzoli EA. Trends in information outsourcing. Int J Purch Mater Manage 498
O

1995;31(2):46 – 51. 499

Bhattacharya S, Weaver M, Galup SD. Lemon county embarks on information technology and systems manage- 500
ment. J Account Case Res 2002 [in press]. 501
C

Boehm BW. Software risk management: principles and practices. IEEE Softw 1991;1:32 – 41 [January]. 502
Booker E. E-biz revises outsourcing rules—contracts must be shorter term, more flexible and more focused on 503
N

uptime, experts say. InternetWeek, March 2000;10. 504

Brancheau JC, Wetherbe JC. Issues in information systems management. Manage Inf Syst Q 1987;11(1):23 – 45 505
U

[March]. 506
Brown CV, Magill SA. Alignment of the IS functions with the enterprise: toward a model of antecedents. Manage 507
Inf Syst Q 1994;18(4):371 – 403 [December]. 508
Cash Jr JL, McFarlan FW, McKenney JL, Vitale MR. Corporate information systems management. 2nd ed. 509
Homewood, IL: Irwin; 1988. 510
Chapman C, Ward S. Project risk management: processes, techniques and insights. Chichester: Wiley; 1995. 511
Conklin DW, Tapp L. The creative web: a new model for managing innovation. Ivey Bus J 2000;64(5):60 – 8 512
[May – June]. 513
Cross J. IT outsourcing: British petroleum’s competitive approach. Harvard Bus Rev 1995;73(3):94 – 103 [May – 514
June]. 515
 ARTICLE IN PRESS
18 S. Bhattacharya et al. / International Journal of Accounting Information Systems 51 (2003) 1–18

Dixon PJ, John DA. Technology issues facing corporate management in the 1990s. Manage Inf Syst Q 1989; 516
13(3):247 – 55 [September]. 517
Greenstein M, Vasarhelyi M. Electronic commerce: security, risk management, and control. 2nd ed. McGrawHill- 518
Irwin. 519
Hu Q, Saunders C, Gebelt M. Research report: diffusion of information systems outsourcing: a reevaluation of 520
influence sources. Inf Syst Res 1997;8(3):288 – 301 [September]. 521
Huber RL. How continental bank outsourced its ‘‘crown jewels’’. Harvard Bus Rev 1993;71(1):121 – 29 [Janu- 522

F
ary – February]. 523
Lacity MC, Hirschheim R. The information systems outsourcing bandwagon. Sloan Manage Rev 1993;35(1): 524

O
73 – 86 [Fall]. 525
Lacity MC, Hirschheim R, Willcocks LP. Realizing outsourcing expectations. Inf Syst Manage 1994;4:7 – 18. 526
Loh L. The economics and organization of information technology governance: sourcing strategies for corporate 527

O
information infrastructure. Ph.D. Dissertation, Massachusetts Institute of Technology; 1993. 528
Loh L. An organizational – economic blueprint for information technology outsourcing: concepts and evidence. 529

PR
Proceedings of the Fifteenth International Conference on Information Systems, Vancouver, Canada, December; 530
1994. 531
Loh L, Venkatraman N. Diffusion of information technology outsourcing: influence sources and the Kodak effect. 532
Inf Syst Res 1992;3(4):334 – 58 [December]. 533
Loh L, Venkatraman N. Determinants of information technology outsourcing: a cross-sectional analysis. J Manage
D 534
Inf Syst 1992;9(1):7 – 24 [Summer]. 535
McCarthy WE. The REA accounting model: a generalized framework for accounting systems in a shared data 536
environment. Account Rev 1982;57(3):554 – 79 [July]. 537
TE
McFarlan FW, Nolan RL. How to manage an IT outsourcing alliance. Sloan Manage Rev 1995;36(2):9 – 23 [Winter]. 538
McNurlin BC, Sprague RH. Information systems management in practice. 2nd ed. Englewood Cliffs, NJ: Prentice 539
Hall; 1989. 540
Niederman F, Brancheau JC, Wetherbe JC. Information systems management issues for the 1990s. Manage Inf 541
EC

Syst Q 1991;15(4):475 – 95 [December]. 542

Palvia PC. A dialectic view of information systems outsourcing: pros and cons. Inf Manage 1995;29:265 – 75 543
[November]. 544
PMBOK. The Project Management Book of Knowledge. Project Management Institute; 2000. http://www.pmi.org. 545
R

Saunders C, Gebelt M, Hu Q. Achieving success in information systems outsourcing. Calif Manage Rev 546
1997;39(2):63 – 79 [Winter]. 547
R

Scott RW. Microsoft jumps in the app pool. Account Technol 2001;17(2):6 [March]. 548
Slaughter S, Ang S. Employment outsourcing in information systems. Commun ACM 1996;39(7):47 – 54 [July]. 549
O

Smith MA, Mitra S, Narasimhan S. Information systems outsourcing: a study of pre-event firm characteristics. 550
J Manage Inf Syst 1998;15(2):61 – 93. 551
Spagat E. PricewaterhouseCoopers weighs selling its business-process unit. Wall Street J 2001;B12 [April 9]. 552
C

Teng JTC, Cheon MJ, Grover V. Decisions to outsource information systems functions: testing a strategy-theoretic 553
discrepancy model. Decis Sci 1995;26(1):75 – 103. 554
N

Torode C. Seeking guarantees: application hosting providers are demanding service-level agreements from vendor 555
partners. Comput Resell News 2000;27:14 [November]. 556
U

Venkatraman N, Loh L, Koh J. The adoption of corporate governance mechanisms: a test of competing diffusion 557
models. Manage Sci 1994;40(4):496 – 507 [April]. 558
Watson RT, Brancheau JC. Key issues in information systems management: an international perspective. 559
Inf Manage 1991;20:213 – 223. 560
Weaver M, Bhattacharya S, Galup SD. Effective software management: its time has come in internal auditing. 561
Intern Audit 2000;13(3):3 – 13 [May – June]. 562
Zahler RE. Ensuring value in outsourcing relationships. Resource 1992;18 – 20 [November]. 563
Zucchini M. The Four-S Outsourcing Model. Fleet/Nostar; 1992. 564