The Sarbanes-Oxley Act of 2002 (SOX) impacts on both user and service organisations. In this paper, Luc Klein MBA, senior business consultant in LogicaCMG’s finance business consulting unit describes the options organisations have for compliance, the specific issues organisations must be aware of, and why time is running out for non-US companies listed in the United States.
As companies choose to devote key resources to core business activities, it is increasingly common for supporting functions to be outsourced. These often include IT-intensive activities such as information processing, claims management and payroll.
Drivers for outsourcing include more efficient and effective cost and risk management, as well as improved service delivery and greater speed to market.
Under SOX (section 404), organisations are responsible for ensuring that the service providers of any outsourced functions have documented their financial processes, carried out a risk assessment and have in place adequate controls over financial reporting, which have been thoroughly tested for their effectiveness. This responsibility can never be delegated to the service provider by the user organisation.
Richard Gincel of Infoworld states: “Ultimately, two frameworks are required: one for business and one for IT. The business side needs to develop a management infrastructure to establish and maintain internal controls and repeatable processes that ensure reliable regulatory compliance. IT needs a technology framework that capitalises on existing resources and makes point solutions the exception rather than the rule.”
In addressing SOX requirements, companies (particularly user organisations) must ask:
• What outsourced processes may affect our financial statements?
• How do we know that our service providers have conducted proper risk assessments focussing on processes, systems and people?
• How do we know that our service providers have effective controls in place to mitigate, eliminate or avoid risks?
• How do we know that changes to outsourced processes or systems will not have a material effect on our financial information?
There are two approaches to answering these questions:
1. The user may have its internal or external auditor conduct an audit of its service provider
2. The service provider may have its own external auditor provide audit reports to the user.
Auditing your service provider
If a user organisation retains a high degree of control over its outsourced activities, it may need to be involved in performing risk and control assessments of the service provider, as well as in testing that the controls are effective. The user organisation may ultimately use internal or external audit to evaluate its service provider’s control environment as an extension of normal audit procedures. It is important to determine contractual provisions for financial control auditing and to agree the audit process between the user and the service provider.
From the service provider’s standpoint, being audited by each of its users may not be practical. This is particularly true when multiple clients seek audits, each looking for a range of assurances about internal controls, which together place a burden on the service provider’s resources.
Reliance on service provider audits
Service providers may opt for a Statement on Auditing Standards (SAS) No. 70, Service Organisations. This is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
SAS 70 is accepted under SOX in relation to section 404. A SAS 70 audit involves an external, independent evaluation of service provider controls, their execution and effectiveness.
The audit, often conducted by the service provider’s external auditor, addresses critical benchmarks, including completeness, accuracy and timeliness of the control activities and processes.
There are two types of SAS 70 audit report. Type I describes the service provider’s internal controls at a specific point in time, for example at fiscal year-end. Type II not only includes the service provider’s description of internal controls, but also detailed testing of them over a period of at least six months.
With a SAS 70 report, user organisations will not have to conduct their own audit of the service provider’s controls. Service providers may use a SAS 70 report for commercial purposes as well. SOX compliance and provision of a SAS 70 report as a standard can offer competitive advantage.
Time is running out
Non-US companies listed in the US must comply with SOX from 15th July 2006 onwards.
However, surveys from September 2004 suggest that companies are either only at the very early stages of planning their SOX 404 project (69 percent according to ARC Morgan) or are behind schedule (51 percent according to the 404 Institute/ KPMG).
The lack of preparedness of companies was highlighted recently when the deadline was extended by a year, from the previous date of 15th July 2005.
Other issues
Problems may arise when there is a discrepancy between the timing of a SAS 70 report and year-end reporting. Conducting SAS 70 audits on a quarterly basis is one solution, but this increases the overhead. In addition, when service providers start to get their house in order too late, they may find the Type II testing period of six months minimum challenges their compliance deadline, and hence the SOX deadline for the user organisations, their customers.
Another issue could arise when both the user organisation and the service provider have the same external auditor, leading to a possible conflict of interest under SOX. The US Securities and Exchange Commission (SEC) states that the user organisation can still rely on the SAS 70 Type II report. However, if the user organisation were to engage its audit firm to prepare the SAS 70 Type II report on the service provider, they would not be able to rely on it for purposes of assessing internal control over financial reporting.
Recently, some organisations have required a SAS 70 statement from their suppliers, even though the services provided were not outsourced. It is therefore important to determine (by mutual agreement) whether or not the services provided are considered to be outsourced activities. Definitions vary, with most typically defining outsourced activities as those transferred to a third party that otherwise would have been administered inhouse.
The American Institute of Certified Public Accountants (July 2004) states that SAS 70 is applicable only if the service is part of the user organisation's information system. SAS 70 is not relevant to situations in which the services provided are limited to executing client organisation transactions that are specifically authorised by the client, such as cheque account transaction processing by a bank or the execution of securities transactions by a broker.
In some cases an alternative standard may be used, provided that it covers (grosso modo) the same grounds as a SAS 70 statement.
An example is a FRAG21 statement, ‘Reports on internal controls of investment custodians made available to third parties’, issued by the Audit Faculty of the Institute of Chartered Accountants in England and Wales.
In case of doubt, auditors can advise on the best standard to meet the relevant situation.
Some companies may look at delisting in the US as a rigorous solution to avoiding SOX compliance. However, as long as a company has at least 300 US shareholders, it remains subject to the SEC’s disclosure system and to SOX. A delisted non-US company could offer to buy back all shares held by US shareholders. However, according to Robert C. Pozen in a March 2004 Harvard Law School discussion paper, “the shareholders would almost certainly reject the offer, because of ownership splitting, price disagreement or pure inertia”.
A key objective of outsourcing is effective risk management, passing as much risk as possible to the service provider. Yet SOX states that the user organisation remains responsible for the service provider’s internal controls, thereby undermining that initial objective. The impact of SOX on the growth of outsourcing remains to be seen.
Conclusion
Under SOX, companies are not only responsible for having their internal processes in order, but also remain responsible for the controls over any outsourced activities. Users and service providers have various options open to them. Users can ensure service provider compliance by conducting an audit themselves (through either their own internal or their external auditor), or they can rely on audits provided by their service provider by means of a SAS 70 (or similar) statement from the service provider’s auditor.
There are also specific issues organisations have to be aware of, such as the timing of a SAS 70 statement, or the possibility of using an alternative standard.
As non-US companies must comply with SOX requirements from 15 July 2006, time is running out, especially for those at the early stages of planning or, worse, those that have yet to start. They may have to employ additional capability and resources in order to meet the SOX deadline.
Date: 11th March 2005. Region: Various. Type: Article. Topic: Operational risk.