Optimize - Ideas. Action. Results.

Outsourcing Trade-offs: Avoiding the Pitfalls
CEOs and CFOs must ensure that internal controls in outsourced activities are documented and tested each year
by Bryan Mekechuk
July 2005, Issue 22

As CEOs and CFOs sign their first Section 404 reports under the Sarbanes-Oxley Act, many may wonder whether outsourcing will ultimately increase, rather than decrease, complexity and cost. If planned and executed correctly, outsourcing certainly can make compliance under Sarbanes-Oxley easier and less expensive. But there are many pitfalls that those responsible for managing service providers must avoid.

Companies that outsource business processes—such as accounting, finance, and HR—need to verify that their service providers are maintaining adequate and effective internal controls over the processes entrusted to them. CEOs and CFOs are responsible for ensuring that internal controls in outsourced activities—even those moved offshore—have been documented and tested each year. Failing to do so may land them in jail. If those internal controls aren't found to be effective, the CEO and CFO have to expose these problems in corporate Securities and Exchange Commission filings, which may cause investors to lose confidence and lead to plummeting stock prices.

None of this is merely theoretical. Earlier this year, problems in achieving regulatory compliance surfaced. Bay View Capital Corp., when outsourcing its auto installment-loan process, found that two service providers couldn't offer an SAS 70 Type II audit report covering their operations. And Churchill Downs, the operator of the Kentucky Derby, couldn't obtain an SAS 70 Type II report covering the service providers that processed its pari-mutuel gambling activities. Churchill Downs had to disclose this material weakness and outline alternatives to fix the problem, which included switching service providers. Also, Iomega Corp., maker of zip drives and other backup devices, had trouble obtaining an SAS 70 Type II report from its third-party distribution-and-logistics service provider. Both the CEO and CFO had to state that there were material weaknesses in the internal controls performed by their service providers, for which they were accountable.

Sarbanes-Oxley specifics
Sarbanes-Oxley is no mystery to public companies in the United States, but many offshore service providers would benefit from understanding it better. Global sourcing managers are expected to develop robust compliance plans using a range of corporate functions and experts. It's clear, however, that how you manage your service providers can directly impact the success or failure of your company's compliance efforts. Here are the specifics you need to know:

  • Section 302 requires that the CEO and CFO certify that they've reviewed the quarterly and annual reports; the financial statements are presented fairly with no untrue statements or omission of material facts; they're responsible for disclosure controls and procedures, and internal controls over financial reporting; and they've evaluated the disclosure controls as of the period end and disclosed any material changes in internal controls during that period. Finally, the CEO and CFO must disclose any control deficiencies or fraud to the audit committee and auditors.

  • Section 404 goes further, as it requires the CEO and CFO to assess the actual operating effectiveness of internal control over financial reporting, and state their opinion on whether those controls can be relied upon. This is where the rubber meets the road.

  • The SAS 70 Type II report is vital for public companies that use service providers. The 70- to 100-page document includes a description of the internal controls that management wants tested, along with the independent auditor's tests and findings.

Under Sarbanes-Oxley, when a company outsources processes to a third-party service provider, the company is still responsible for the proper functioning of internal controls by that third party. The Public Company Accounting Oversight Board (PCAOB), a new body that establishes auditing standards and regulates and inspects auditors, wrote a new requirement into Auditing Standard No. 2: "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting."

That means management at public companies that use outsourcers must assess whether the outsourced activities are included in the company's internal controls over its financial reporting. Such controls may include functions in which transactions are initiated, authorized, recorded, processed, and ultimately reported in the financial statements. For example, taking orders for sales and payment information, such as credit-card details, and entering that data into an information system may include internal controls that the CEO and CFO have to certify. And remember, regulators consider the third-party service provider to be an extension of your enterprise, whether it's in Bangor, Maine, or Bangalore, India. The service provider's internal controls must be documented and tested by management because they're subject to the CEO's and CFO's certification under Section 404.

Identifying and assessing activities performed by third parties and included in your company's internal controls are critical because your auditors will give an opinion on your judgment in their report. A wrong assessment could result in delays and last-minute scrambles, higher compliance costs, and even an adverse opinion. Unfortunately, auditors' opinions don't remain locked in file cabinets or E-mail in-boxes; they're included in the SEC filings at www.sec.gov for the world to see.

Some service providers have come to grips with their role in this complex process. "All of our fulfillment customers rely on internal controls that we operate," says Paul Stone, CFO of ClientLogic Corp., a call-center service provider. He defines fulfillment as customer interactions that include transactions. "On the other hand, all of our contact-center customers have us use their own information systems, so ClientLogic is not considered part of those customers' internal controls and [our procedures are] not subject to verification under Sarbanes-Oxley."

Knowing that public companies rely on third parties for a wide variety of tasks, the PCAOB simplified compliance by relying on an auditing standard established in 1992 by the American Institute of Certified Public Accountants—the SAS 70 Type II report. When a public company uses a service provider and it's considered part of the internal control over financial reporting, management may obtain an unqualified SAS 70 Type II report from an independent auditor covering the activities performed. This is the easiest way for a public company that uses outsourcers to comply with Section 404.

In theory, it seems simple, but the reality is that these reports need to cover the internal controls that you've outsourced, cover most of the time corresponding to your financial statements, and be available to you quickly. Of course, the auditors have to issue a clean opinion on the effectiveness of the internal controls or these expensive reports are worthless. Any problems will receive scrutiny and be visible at the board level, and that will certainly reflect poorly on your outsourcing governance.

How do you make service providers focus on your compliance needs? Generally, companies that outsource business activities to a third party have the right to audit that provider. The right to audit is stated explicitly in most outsourcing agreements. Often this right is consistent with the records-retention policy that, in many cases, is two years after the termination or expiration of the outsourcing agreement, whichever is later.

"We've always structured outsourcing agreements to include the right to audit," says Robert Zahler, a partner in the newly merged law firm of Pillsbury Winthrop Shaw Pittman in Washington, D.C. "Initially, it was as basic as verifying invoicing accuracy, and then evolved to include operational practices."

Many outsourcing customers already audit their service providers' physical or logical security, business-continuity plans, hiring practices, and invoices. That's why establishing the auditing relationship from the outset is better than appending it to a deal years later. The provider may not have a choice if it wants to keep your business, but be prepared: Sometimes compliance is an opening for discussions about extending the life of the contract.

If the activities performed by your service provider aren't part of your internal controls for Sarbanes-Oxley, you may still want to exercise your right to audit the provider. Management must decide whether to perform an "elective"—or optional—audit.

What's the business case for invoking your audit rights? The value proposition relates to ensuring compliance with obligations set out in your outsourcing agreement. For the most part, performing an elective audit is a function of the risk inherent in the outsourced activity and your evaluation of that risk. Also consider the risk of not performing an audit when there's truly a problem.

If not an audit, should you have some type of operational review performed? "Absolutely," says Steven DeLaCastro, a CIO partner at Tatum Partners. "It is far better to know in advance how your service provider is doing, rather than to confirm through an audit after the fact that problems have, or could have, occurred. Identifying problems and then working to resolve them is my preferred approach."

DeLaCastro recommends that the frequency of reviews be adjusted to compensate for the maturity of the relationship with your service provider. For example, in a new relationship or a new area, reviews should be more frequent than if there has been an ongoing relationship. Of course, DeLaCastro says, the frequency must at least meet the regulatory requirements.

Business-process transformation heralds important organizational breakthroughs, such as cost savings, faster time to market, and improved product quality. But what are the implications of this process transformation regarding Section 404 compliance and SAS 70 Type II reports?

Transferring processes that include internal controls over financial reporting to a service provider will require an SAS 70 Type II report. Sarbanes-Oxley states that management and the auditors must give opinions on any changes to internal controls. Therefore, any subsequent improvements in the processes by the service provider will, by definition, spur a change in the internal controls.

One public company had planned to switch service providers in the fourth quarter of 2004. After establishing the business case and paying advisers to develop the request for proposals, the company was surprised to learn from its auditors that switching service providers late in the fiscal year would be a change in internal controls that the auditors wouldn't be able to test. Consequently, the company had to wait until 2005 to issue the RFP.

If an audit finds that the service provider isn't performing as required, does that point to a breach of the outsourcing agreement? While some say an adverse opinion related to internal controls caused by the service provider's failing to obtain an SAS 70 Type II report could be construed as a breach, others disagree.

When renegotiating outsourcing agreements or entering into new pacts, consider setting out specific terms related to the requirement to obtain SAS 70 Type II reports and the consequences of failure. You should define failure to include adverse opinions, insufficient scope, late reports, and not providing a report.

Looking ahead
Even in late 2004, many executives were hoping that Sarbanes-Oxley would simply go away, become less onerous, or at least be deferred. And many thought it was a one-time event. However, compliance with Section 404 continues every year that a public company is traded on U.S. capital markets. These requirements and the associated costs aren't going away.

Starting in 2006, the SEC has mandated faster filing timelines, and one-time extensions won't be available, thus raising the bar for public companies with sloppy processes. In addition, auditors are becoming more astute regarding Sarbanes-Oxley compliance. Everyone, including auditors, will have gone through the learning experience with the first compliance cycle under Section 404.

Michael Heintz, a principal consultant at PA Consulting Group, expects that auditors of public companies will be "digging deeper, especially with third-party service providers." He predicts that this will increase the required understanding and verification of internal controls "at the fringe," such as internal controls operated by service providers.

This isn't a project you want to complete by yourself. In this increasingly complex and changing regulatory environment, you need a truly cross-functional team involved in the outsourcing negotiation—from every geographic and every functional area. It may even help to have your internal auditors on the team.

Outsourcing lets public companies manage their cost structure, including complying with Section 404. The key to realizing the benefits of outsourcing includes avoiding the pitfalls associated with Sarbanes-Oxley. A version of this article ran in Managing Offshore, also published by CMP Media.

Bryan Mekechuk is a partner in Pacific Crest Consulting Group, San Jose, Calif., and has been a member of the Canadian Institute of Chartered Accountants for almost 20 years.


Action Plan
We suggest several courses of action in the scope of negotiation and compliance with service providers, depending on where your company is in the outsourcing process.

Pre-agreement > Prepare to negotiate specific controls

  • Establish your audit requirements for Section 404 and SAS 70 Type II reports.

  • Ensure that your requirements for the scope and timing of SAS 70 Type II reports are spelled out clearly in the outsourcing agreement, including who pays for the report.

  • Retain the right to tailor the scope of those reviews so they'll meet your requirements, which may change in the future.

  • Map out your "elective" audit strategy over the term of your agreement.

  • Consider a master service agreement and independent statements of work that can include updated terms, such as audit and review rights. Note that, subject to your negotiating power, you may pay for this flexibility.

Post-agreement > Look for possible amendments

  • Review your outsourcing agreement for the right to audit, including who pays for the audit. With older agreements, you may need to negotiate for the ability to audit your service provider.

  • Develop an audit plan through the term of your outsourcing agreement, including to the point of renegotiating the agreement. Be aware of "elective" auditing, and budget for any offshore trips.

  • Find out whether your service provider has engaged an independent audit firm to provide an SAS 70 Type II report, and review it prior to going to the auditors. Make sure it's a Type II report—not Type I—and it's sufficient to rely on when your CEO and CFO are certifying their Section 404 reports.