Sarbanes-Oxley and Outsourcing

The Sarbanes-Oxley Act of 2002 (SOX) impacts on both user and service organizations. In this article, Luc Klein of LogicaCMG describes the options firms have for compliance, the specific issues they must be aware of, and why time is running out for non-U.S. companies that are listed in the United States.

As companies choose to devote key resources to core business activities, it is increasingly common for supporting functions to be outsourced. These often include IT-intensive activities such as information processing, claims management, and payroll. Drivers for outsourcing include more efficient and effective cost and risk management, as well as improved service delivery and greater speed to market.

Under SOX (Section 404), organizations are responsible for ensuring that the service providers of any outsourced functions have documented their financial processes, carried out a risk assessment, and have in place adequate controls over financial reporting that have been thoroughly tested for their effectiveness. This responsibility can never be delegated to the service provider by the user organization.

In addressing SOX requirements, companies (particularly user organizations) must ask:

  1. What outsourced processes may affect our financial statements?
  2. How do we know our service providers have conducted proper risk assessments focusing on processes, systems, and people?
  3. How do we know our service providers have effective controls in place to mitigate, eliminate, or avoid risks?
  4. How do we know that changes to outsourced processes or systems will not have a material effect on our financial information?

There are two approaches to answering these questions:

  1. The user may have its internal or external auditor conduct an audit of its service provider.
  2. The service provider may have its own external auditor provide audit reports to the user.

Auditing Your Service Provider
If a user organization has substantial control over its outsourced activities, then it may need to be involved in performing risk and control assessments of the service provider, as well as testing that the controls are effective. The user organization may ultimately use internal or external audits to evaluate its service provider’s control environment as an extension of normal audit procedures. It is important to determine contractual provisions for financial control auditing and to agree on the audit process between the user and the service provider.

In some cases, being audited by each client may not be practical from the service provider’s standpoint. This is particularly true when multiple clients, each looking for a range of assurances about internal controls, seek audits that place a burden on the service provider’s resources.

Reliance on Service Provider Audits
Service providers may opt for an audit under Statement on Auditing Standards (SAS) No. 70, Service Organizations. This is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

SAS 70 is accepted under SOX in relation to section 404. A SAS 70 audit involves an external, independent evaluation of service provider controls, their execution, and effectiveness. The audit, which is typically conducted by the service provider’s external auditor, addresses critical benchmarks, including completeness, accuracy, and timeliness of the control activities and processes.

There are two types of SAS 70 audit reports. Type I describes the service provider’s internal controls at a specific point in time, for example, at fiscal year-end. Type II not only includes the service provider’s description of internal controls, but also detailed testing of them over a minimum six-month period. With a SAS 70 report, user firms will not have to conduct their own audit of the service provider’s controls. Service providers may use a SAS 70 report for commercial purposes as well. SOX compliance and provision of a SAS 70 report as a standard can offer competitive advantage.

Under SOX, companies are not only responsible for having their internal processes in order, but they also remain responsible for the controls of any outsourced activities. Users and service providers have various options open to them. Users can ensure service provider compliance by conducting an audit themselves (by either their own internal or external auditor). Or, they can rely on audits provided by their service provider by means of a SAS 70 (or similar) statement from the service provider’s auditor. There are also specific issues organizations must be aware of, such as the timing of a SAS 70 statement, or the possibility of using an alternative standard. As non-U.S. companies must comply with SOX requirements from July 15, 2006, time is running out, especially for those at the early stages of planning or, worse, those that have yet to start. They may have to employ additional capability and resources in order to meet the SOX deadline.

About the Author
Luc Klein, MBA, is a senior business consultant in LogicaCMG’s finance business consulting unit. Contact at Reprinted with permission.