Are you still enjoying the sense of relief that accompanied the end of the first cycle of reporting requirements under the Sarbanes-Oxley Act of 2002 ("SOX")? Are you satisfied knowing that your fully independent audit committee is in place and is overseeing your independent auditor, as required by SOX? Or, like many other executives, are you just waiting for the other shoe to drop?
As it relates to SOX, the other shoe is Section 404, which imposes significant responsibilities on officers and directors of publicly traded companies, including CEOs, CFOs and audit committees, to maintain a broad control environment over a vast array of financial, operations and information technology ("IT") processes, and to evaluate and make regular disclosures regarding the effectiveness of the company's internal controls over financial reporting, operations and assets. As daunting as this task may sound, it may be even more intimidating for those companies that have outsourced or are planning to outsource business and/or IT functions and processes that affect their financial reporting. According to a June 2004 statement issued by the Securities and Exchange Commission ("SEC"), the use of an outsourcing services provider does not reduce a company's responsibility to maintain effective internal controls over financial reporting as required by SOX.
Assessment Of Internal Controls
What are these internal controls that are the focus of Section 404 of SOX? Simply stated, internal controls over financial reporting are procedures implemented by company management that are designed to provide reasonable assurance that transactions are properly authorized, recorded and reported, and assets are protected against improper or unauthorized use.
Under Section 404(a) of SOX and the SEC rules implementing it, the CEO and CFO of a public company must assess the effectiveness of the company's internal controls as of the end of its most recent fiscal year, and state in the company's annual report whether such internal controls are effective. In addition, management must disclose any material weaknesses in the internal controls in the annual report and state that such internal controls are not effective due to the presence of such material weaknesses.
In May 2005, the SEC issued a statement that clarified that, although it is impossible to create a list of the exact IT controls that should be included in an assessment for Section 404 purposes, it is not necessary for management to report on those controls that, although are vital to the efficiency or effectiveness of the operations of the organization generally, are not relevant to financial reporting. In addition, the SEC stressed that a company's finance and IT departments must interact closely to ensure that the proper IT controls are identified. To coin a phrase - the stakes are high, as failure to comply with the disclosure requirements under SOX may result in severe financial penalties and/or the filing of criminal charges against the company's CEO and/or CFO.
Section 404(b) of SOX imposes a second set of responsibilities on a public company's independent auditor. In conjunction with the traditional audit of financial statements, the independent auditor must now evaluate management's assessment process to determine whether management has an appropriate basis for reaching its conclusion concerning the company's internal controls. The auditor's report must state whether management's assessment was fairly stated, in all material respects, and whether the company maintained, in all material respects, effective internal control over financial reporting. If the auditor concludes that the company's internal controls were ineffective, the report must also disclose any material weaknesses that led to this conclusion.
Internal Controls And Outsourcing
As if management's assessment of its own internal controls wasn't complicated enough, if functions or processes that could affect the reliability of the company's financial reporting have been outsourced to a third party service provider, another level of complexity is added to the assessment of the effectiveness of the company's internal controls.
A variety of business process outsourcings ("BPOs") invariably involve the management of financial documentation or the delegation of responsibility for processes that could affect a public company's financial reporting. These include finance and accounting administration, claims processing and human resources and benefits management. For such BPOs, where the service provider's services could affect the reliability of the public company's financial reporting, company management should assess the effectiveness of the provider's internal controls as part of its overall assessment of its internal controls.
Beyond BPOs, companies should examine outsourcing arrangements that involve data processing or management of the company's technology infrastructure. In this respect, the SEC and the Public Company Accounting Oversight Board ("PCAOB") have each directed companies to the Statement of Auditing Standards No. 70 ("SAS 70"), issued by the American Institute of Certified Public Accountants, for guidance as to the types of outsourcing activities that are part of a company's internal controls over financial reporting. SAS 70 states that a service provider's services are part of a company's financial information system if they affect any of the following:
- The classes of transactions in the company's operations that are significant to the company's financial statements;
- The procedures, both automated and manual, by which the company's transactions are initiated, authorized, recorded, processed, and reported from their incurrence to their inclusion in the financial statements;
- The related accounting records, whether electronic or manual, supporting information and specific accounts in the company's financial statements involved in initiating, authorizing, recording, processing and reporting the company's transactions;
- How the company's information system captures other events and conditions that are significant to the financial statements; or
- The financial reporting process used to prepare the company's financial statements, including significant accounting estimates and disclosures.
As with BPOs, if the service provider's services in any other outsourcing arrangement affect any of the foregoing elements from SAS 70, the company should assess the effectiveness of its provider's relevant internal controls.
Contracting For Compliance
Once company management and/or the independent auditor has determined that a service provider's services could affect the company's financial reporting or preparation of financial statements, the design and effectiveness of the provider's applicable controls must be evaluated. Based on guidance from both the SEC and the PCAOB, companies can rely in part on SAS 70 Type II reports prepared by their service provider's auditor to support the required assessment of the provider's controls. As compared to the SAS 70 Type I report, which only describes the service provider's control activities, the Type II report also presents the results of tests of the operating effectiveness of such controls, thereby potentially reducing the nature and scope of the company's own testing of the provider's controls.
Historically, the availability of a service provider's SAS 70 Type II report to an outsourcing customer has been subject to negotiation. However, current market pressures are making the completion of a SAS 70 Type II examination and delivery of the associated report to the customer a virtual necessity for any domestic or foreign service provider with customers or potential customers subject to SOX. To be safe, the outsourcing contract should clearly state that the service provider will timely deliver such Type II reports to the company to support the company's assessment of the effectiveness of its internal controls. A blanket statement in the contract that the service provider's services will comply with SOX and/or any applicable laws and regulations should not be substituted for the clear requirement of a Type II report, as such general statements do not provide company management with the information or comfort necessary to make their required certifications with respect to the relevant service provider controls.
Beyond the SAS 70 Type II report, the individuals at a public company who are directly responsible for the transaction (e.g., the CIO and his/her staff) should conduct thorough due diligence prior to the commencement of any outsourcing transaction to confirm that the service provider's initial internal controls operate effectively and otherwise meet the requirements of SOX. This investigation may include reviewing the provider's relevant processes and systems and performing risk analysis and "stress tests" on those processes and systems. For their part, as the industry experts, service providers should be proactive in providing ongoing recommendations to their customers as to how to meet the reporting requirements of SOX.
In addition, any or all of the following approaches should be considered by the company in its ongoing effort to ensure that its provider's relevant internal controls meet the requirements of SOX:
- Obtaining detailed yet flexible contractual rights that allow the company to monitor and require (where appropriate) modifications to the provider's relevant controls;
- Limiting the provider's ability to subcontract any portion of the outsourced services that could affect the company's financial reporting;
- Requiring the provider to obtain SAS 70 Type II reports from its subcontractors and making those reports available to the customer;
- Requiring periodic certifications from the provider to support management's ability to make the required certifications with respect to the relevant service provider controls; and/or
- Requiring the provider to alert the company to any issue or matter that could give rise to a deficiency in its internal controls.
Clearly, the process for ensuring compliance with SOX in an outsourced environment will require significant efforts by company management to develop consistent, reliable procedures to uncover and evaluate a service provider's controls that could affect the company's financial reporting. This will likely result in companies requiring greater visibility into and control over the services provided than previously seen in the outsourcing industry, which in turn, will inevitably require service providers to consider whether they are prepared to assume a higher degree of risk and/or liability to their customers with respect to the effectiveness of their own controls.
To date, this paradigm shift in the traditional outsourcing risk analysis model has not resulted in any noticeable decrease in the competition among service providers for engagements with companies subject to SOX. And, while this is likely attributable in some measure to the fact that Section 404 of SOX has only recently gone into effect for most public companies, a more plausible explanation is found in the simple fact that SOX is now a way of life for public companies. Just as these companies are learning which new procedures and costs are required to ensure compliance, their service providers are learning that, although SOX does not impose any responsibility or liability on them for their customers' non-compliance, in order to remain competitive they too will likely have to adjust their processes and pricing models to assist with their customers' compliance efforts.
As with any outsourcing relationship, efforts to ensure compliance with SOX will succeed only if the company and its service provider work together to set clear expectations, establish specific processes and policies governing each party's obligations (both legal and financial) and develop a mechanism for the expedient resolution of disputes (e.g., informal internal dispute resolution and escalation procedures). Given SOX's severe consequences for non-compliance, public companies and their service providers should carefully assess the requirements of SOX in relation to internal controls, and cooperate to comply with SOX in a cost-effective and efficient manner.
Published July 1, 2005.
