Companies that outsource business processes—such as accounting, finance, and HR—need to verify that their service providers are maintaining adequate and effective internal controls over the processes entrusted to them. CEOs and CFOs are responsible for ensuring that internal controls in outsourced activities—even those moved offshore—have been documented and tested each year. Failing to do so may land them in jail. If those internal controls aren't found to be effective, the CEO and CFO have to expose these problems in corporate Securities and Exchange Commission filings, which may cause investors to lose confidence and lead to plummeting stock prices.

None of this is merely theoretical. Earlier this year, problems in achieving regulatory compliance surfaced. Bay View Capital Corp., when outsourcing its auto installment-loan process, found that two service providers couldn't offer an SAS 70 Type II audit report covering their operations. And Churchill Downs, the operator of the Kentucky Derby, couldn't obtain an SAS 70 Type II report covering the service providers that processed its pari-mutuel gambling activities. Churchill Downs had to disclose this material weakness and outline alternatives to fix the problem, which included switching service providers. Also, Iomega Corp., maker of zip drives and other backup devices, had trouble obtaining an SAS 70 Type II report from its third-party distribution-and-logistics service provider. Both the CEO and CFO had to state that there were material weaknesses in the internal controls performed by their service providers, for which they were accountable.