Optimize Magazine
Outsourcing Trade-offs: Avoiding the Pitfalls
Sarbanes-Oxley specifics
Sarbanes-Oxley is no mystery to public companies in the United States, but many offshore service providers would benefit from understanding it better. Global sourcing managers are expected to develop robust compliance plans using a range of corporate functions and experts. It's clear, however, that how you manage your service providers can directly impact the success or failure of your company's compliance efforts. Here are the specifics you need to know:

  • Section 302 requires that the CEO and CFO certify that they've reviewed the quarterly and annual reports; the financial statements are presented fairly with no untrue statements or omission of material facts; they're responsible for disclosure controls and procedures, and internal controls over financial reporting; and they've evaluated the disclosure controls as of the period end and disclosed any material changes in internal controls during that period. Finally, the CEO and CFO must disclose any control deficiencies or fraud to the audit committee and auditors.

  • Section 404 goes further, as it requires the CEO and CFO to assess the actual operating effectiveness of internal control over financial reporting, and state their opinion on whether those controls can be relied upon. This is where the rubber meets the road.

  • The SAS 70 Type II report is vital for public companies that use service providers. The 70- to 100-page document includes a description of the internal controls that management wants tested, along with the independent auditor's tests and findings.

Under Sarbanes-Oxley, when a company outsources processes to a third-party service provider, the company is still responsible for the proper functioning of internal controls by that third party. The Public Company Accounting Oversight Board (PCAOB), a new body that establishes auditing standards and regulates and inspects auditors, wrote a new requirement into Auditing Standard No. 2: "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting."

That means management at public companies that use outsourcers must assess whether the outsourced activities are included in the company's internal controls over its financial reporting. Such controls may include functions in which transactions are initiated, authorized, recorded, processed, and ultimately reported in the financial statements. For example, taking orders for sales and payment information, such as credit-card details, and entering that data into an information system may include internal controls that the CEO and CFO have to certify. And remember, regulators consider the third-party service provider to be an extension of your enterprise, whether it's in Bangor, Maine, or Bangalore, India. The service provider's internal controls must be documented and tested by management because they're subject to the CEO's and CFO's certification under Section 404.

Identifying and assessing activities performed by third parties and included in your company's internal controls are critical because your auditors will give an opinion on your judgment in their report. A wrong assessment could result in delays and last-minute scrambles, higher compliance costs, and even an adverse opinion. Unfortunately, auditors' opinions don't remain locked in file cabinets or E-mail in-boxes; they're included in the SEC filings at www.sec.gov for the world to see.

Some service providers have come to grips with their role in this complex process. "All of our fulfillment customers rely on internal controls that we operate," says Paul Stone, CFO of ClientLogic Corp., a call-center service provider. He defines fulfillment as customer interactions that include transactions. "On the other hand, all of our contact-center customers have us use their own information systems, so ClientLogic is not considered part of those customers' internal controls and [our procedures are] not subject to verification under Sarbanes-Oxley."

Knowing that public companies rely on third parties for a wide variety of tasks, the PCAOB simplified compliance by relying on an auditing standard established in 1992 by the American Institute of Certified Public Accountants—the SAS 70 Type II report. When a public company uses a service provider and it's considered part of the internal control over financial reporting, management may obtain an unqualified SAS 70 Type II report from an independent auditor covering the activities performed. This is the easiest way for a public company that uses outsourcers to comply with Section 404.

In theory, it seems simple, but in practice these reports need to cover the internal controls that you've outsourced, cover most of the period corresponding to your financial statements, and be available to you quickly. Of course, the auditors have to issue a clean opinion on the effectiveness of the internal controls or these expensive reports are worthless. Any problems will receive scrutiny and be visible at the board level, and that will certainly reflect poorly on your outsourcing governance.

How do you make service providers focus on your compliance needs? Generally, companies that outsource business activities to a third party have the right to audit that provider. The right to audit is stated explicitly in most outsourcing agreements. Often this right runs as long as the records-retention policy, which in many cases extends two years beyond the termination or expiration of the outsourcing agreement, whichever is later.

"We've always structured outsourcing agreements to include the right to audit," says Robert Zahler, a partner in the newly merged law firm of Pillsbury Winthrop Shaw Pittman in Washington, D.C. "Initially, it was as basic as verifying invoicing accuracy, and then evolved to include operational practices."

Many outsourcing customers already audit their service providers' physical or logical security, business-continuity plans, hiring practices, and invoices. That's why establishing the auditing relationship from the outset is better than appending it to a deal years later. The provider may not have a choice if it wants to keep your business, but be prepared: Sometimes compliance is an opening for discussions about extending the life of the contract.

If the activities performed by your service provider aren't part of your internal controls for Sarbanes-Oxley, you may still want to exercise your right to audit the provider. Management must decide whether to perform an "elective"—or optional—audit.

What's the business case for invoking your audit rights? The value proposition relates to ensuring compliance with obligations set out in your outsourcing agreement. For the most part, performing an elective audit is a function of the risk inherent in the outsourced activity and your evaluation of that risk. Also consider the risk of not performing an audit when there's truly a problem.

If not an audit, should you have some type of operational review performed? "Absolutely," says Steven DeLaCastro, a CIO partner at Tatum Partners. "It is far better to know in advance how your service provider is doing, rather than to confirm through an audit after the fact that problems have, or could have, occurred. Identifying problems and then working to resolve them is my preferred approach."

DeLaCastro recommends that the frequency of reviews be adjusted to compensate for the maturity of the relationship with your service provider. For example, in a new relationship or a new area, reviews should be more frequent than if there has been an ongoing relationship. Of course, DeLaCastro says, the frequency must at least meet the regulatory requirements.

Business-process transformation heralds important organizational breakthroughs, such as cost savings, faster time to market, and improved product quality. But what are the implications of this process transformation regarding Section 404 compliance and SAS 70 Type II reports?

Transferring processes that include internal controls over financial reporting to a service provider will require an SAS 70 Type II report. Sarbanes-Oxley states that management and the auditors must give opinions on any changes to internal controls. Therefore, any subsequent improvements in the processes by the service provider will, by definition, spur a change in the internal controls.

One public company had planned to switch service providers in the fourth quarter of 2004. After establishing the business case and paying advisers to develop the request for proposals, the company was surprised to learn from its auditors that switching service providers late in the fiscal year would be a change in internal controls that the auditors wouldn't be able to test. Consequently, the company had to wait until 2005 to issue the RFP.

If an audit finds that the service provider isn't performing as required, does that point to a breach of the outsourcing agreement? While some say an adverse opinion related to internal controls caused by the service provider's failing to obtain an SAS 70 Type II report could be construed as a breach, others disagree.

When renegotiating outsourcing agreements or entering into new pacts, consider setting out specific terms related to the requirement to obtain SAS 70 Type II reports and the consequences of failure. You should define failure to include adverse opinions, insufficient scope, late reports, and not providing a report.
