A World of Trouble

Even with an extended deadline for Sarbox compliance, questions about offshoring have companies on edge.

March 15, 2004

Beware a false sense of security: Even though the SEC has pushed back the deadline for compliance with Section 404 of the Sarbanes-Oxley Act of 2002, a little-known and perhaps largely outdated auditing standard for outsourcers could hamstring companies that are rushing to send their business processes offshore.

The standard in question is Statement on Auditing Standards No. 70, "Reports on the Processing of Transactions by Service Organizations." Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the November deadline for Section 404 compliance facing many public companies (see "Just What Does Section 404 Entail?").

Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause regardless of how many cost-cutting sermons they've sat through. Stan Lepeak, a vice president at research firm Meta Group Inc., believes that incompatibilities between SAS 70 and Sarbox will "dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that."

Tom Eubanks, global leader for finance and accounting outsourcing with IBM Business Consulting Services, isn't so sure. "At first blush," he says, "one might think, 'Why would you outsource in a world where Sarbox is in place...and the magnifying glass is on the finance function?'" But Eubanks turns that around and says that "companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues."

All in the Timing
Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor's opinion on the fairness of the presentation of the provider's description of its controls and how well they're designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor's opinion on the effectiveness of the controls during the period under review.

Even a Type II report, however, doesn't guarantee airtight compliance with Sarbox. For one thing, the timing of the audit—if it's performed by the service provider's auditor—might be out of sync with the client's reporting period. If the audit is performed in June and the client's fiscal year ends December 31, for instance, there's a six-month gap in the attestation of the outsourcer's internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client's own year-end attestation could be compromised—and fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or "fill in the gaps" with updates throughout the year. Smaller service providers might bridle at the added cost during contract negotiations—but after all, it's the client's attestation that's on the line.

Another concern centers on just how much of the service provider's audit will be revealed. A service provider is required to inform its clients only about any failures of SAS 70 tests; there's no requirement to spell out the exact substance or scope of the audit. Thus, for instance, a client's own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes, or only 4. That could lead to some poor assessments of service-provider controls. "We will be dealing completely in the dark as far as the population of that test," says Lynn Edelson, systems and process assurance leader for PricewaterhouseCoopers. "I think that was one of the biggest flaws in SAS 70 in light of Sarbanes-Oxley."

That's something for clients to bear in mind during contract negotiations, says Edelson: insist that the service provider disclose the scope of the audit and not only the failures.

Auditor Dependence
Another thorny area is the possibility of conflicts of interest. That's particularly worrisome, says Meta Group's Lepeak, when a company's external auditor also performs the SAS 70 audit of the service provider.

In the eyes of the Public Company Accounting Oversight Board (PCAOB), there's no distinction between Section 404 compliance audits of a company's internal business processes and its outsourced processes. But in either case, an external auditor—which must attest to the client's Section 404 compliance—cannot also provide consulting services to the client or to the outsourcing provider on how to perform the SAS 70 audit.

Speaking in New York last month, Douglas Carmichael, the PCAOB's chief auditor and director of professional standards, said he did not see SAS 70 as a barrier to business-process outsourcing and added that the PCAOB has addressed many questions regarding SAS 70 in an appendix to its proposed Section 404 guidance. But he also conceded that many questions remain unanswered, particularly regarding implementation issues. And he indicated that such clarifications may have to wait. "We can't stop to answer all [these questions] now," he said, "but our efforts will continue after we issue the standard."

