Stuck in the SAS 70s

As Sarbanes-Oxley Section 404 meets up with an obscure auditing standard, many companies are thinking hard about offshoring their business processes.
Craig Schneider
February 23, 2004

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. Not only might the standard cause a number of businesses to run afoul of the Section 404 provisions on internal controls, but it might also dissuade other companies from business process outsourcing in India, China, and other emerging nations.

The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies. (Read more about what companies and their auditors are planning for in “Just What Does Section 404 Entail?” at the end of this article.)

Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause, however many cost-cutting sermons they’ve sat through. Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.”

Tom Eubanks, of IBM business consulting services, isn’t so sure. “On first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’ ” But what Eubanks and his colleagues are finding, he adds, is that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”

All in the Timing

Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.

Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit — if it’s performed by the service provider’s auditor — might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised — and fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or “fill in the gaps” with updates throughout the year. Smaller service providers might bridle at the added cost during contract negotiations — but after all, it’s the client’s attestation that’s on the line.

Another worry for outsourcer auditors concerns just how much of the service provider’s audit is being revealed. A service provider is required to inform its client only about any failures of SAS 70 tests; there’s no requirement to spell out the exact substance or scope of the audit.

Thus, for instance, a client’s own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes, or only four. That could lead to some poor assessments of service-provider controls. “We will be dealing completely in the dark as far as the population of that test,” says Lynn Edelson, systems and process assurance leader for PricewaterhouseCoopers. “I think that was one of the biggest flaws in SAS 70 in light of Sarbanes-Oxley.”

That raises another point for clients to bear in mind during contract negotiations, says Edelson: Insist that the service provider disclose the scope of the audit and not only the failures.

Auditor Dependence?

Another thorny area is the possibility of conflicts of interest. That’s particularly worrisome, says Meta Group’s Lepeak, when a company’s external auditor also performs the SAS 70 audit of the service provider.

In the eyes of the Public Company Accounting Oversight Board, there’s no distinction between Section 404 compliance audits of a company’s internal business processes and its outsourced processes. But in either case, an external auditor — which must attest to the client’s Section 404 compliance — cannot also provide consulting services to the client or to the outsourcing provider on how to perform the SAS 70 audit.

In the area of auditor independence, much remains cloudy. The situation becomes especially unclear when an auditor performs a SAS 70 test on an outsourcing provider to distribute to the outsourcer’s clients. If one of those clients has the same external auditor as the outsourcing provider, must it hire another external auditor to maintain an objective view of the service provider’s audit?

The PCAOB could provide a great deal of clarity on the issue of auditor independence — and many other BPO-related conundrums — by finalizing its guidance for auditors on Section 404. The provision itself makes no mention of outsourcing. Nor have PCAOB officials expressed any intention of updating SAS 70 anytime soon. (Through a spokesperson, PCAOB chief auditor Douglas Carmichael declined to be interviewed for this story.)

With regulatory guidance in scant supply, many companies may well hold off for a while on business process outsourcing in India, China, and other emerging nations. As for companies and auditors already dealing with BPO providers overseas, they may soon find themselves up the Yangtze without a paddle.

Craig Schneider is an assistant editor at

Just What Does Section 404 Entail?

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, in May 2003 the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies. Section 404 also requires that a company’s independent auditors attest to and report on management’s controls assessments, following standards established by the Public Company Accounting Oversight Board (PCAOB).

Under the SEC rules, management’s annual internal-control report must contain:

  • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
  • A statement identifying management’s framework for evaluating the effectiveness of internal controls.
  • Management’s assessment of the effectiveness of internal controls as of the end of the company’s most recent fiscal year.
  • A statement that the company’s auditor has issued an attestation report on management’s assessment.

Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions.

Management must disclose any material weakness in a company’s internal-controls structure. If material weaknesses exist, senior executives “will be unable to conclude that the company’s internal control over financial reporting is effective,” according to the SEC.

The PCAOB, which proposed its standard for auditors in October 2003, must still finalize the standard, after which it must be approved by the SEC before taking effect.

The proposed auditing standard addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on the internal controls and one on the financial statements.

The proposed standard requires the auditor to communicate in writing to the company’s audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company’s management all internal control deficiencies, and to notify the audit committee that such communication has been made.

A number of circumstances are defined by the proposed standard as “significant deficiencies” that would be strong indicators of a material weakness. They include:

  • Ineffective oversight of the company’s external financial reporting and of internal control over financial reporting by the company’s audit committee. The proposed standard requires the auditor to evaluate factors related to the effectiveness of the audit committee, including whether committee members act independently from management.
  • Material misstatement in the financial statements not initially identified by the company’s internal controls.
  • Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time.

Most senior managers will have to report on — and certify — their companies’ internal financial controls starting with fiscal years ending on or after June 15, 2004. That reporting date applies to “accelerated filers” — U.S. companies with a market cap of over $75 million that have filed annual reports with the SEC.

All other issuers, including small businesses and foreign private companies, must comply with the new requirements beginning with fiscal years ending on or after April 15, 2005.