Beware a false sense of security: Even though the SEC has pushed back the deadline for compliance with Section 404 of the Sarbanes-Oxley Act of 2002, a little-known and perhaps largely outdated auditing standard for outsourcers could hamstring companies that are rushing to send their business processes offshore.
The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.
Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the November deadline for Section 404 compliance facing many public companies (see “Just What Does Section 404 Entail?”).
Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause regardless of how many cost-cutting sermons they’ve sat through. Stan Lepeak, a vice president at research firm Meta Group Inc., believes that incompatibilities between SAS 70 and Sarbox will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.”
Tom Eubanks, global leader for finance and accounting outsourcing with IBM Business Consulting Services, isn’t so sure. “At first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’” But Eubanks turns that around and says that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”
All in the Timing
Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.
Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbox. For one thing, the timing of the audit—if it’s performed by the service provider’s auditor—might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised—and fair game for a Securities and Exchange Commission inquiry.
One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or “fill in the gaps” with updates throughout the year. Smaller service providers might bridle at the added cost during contract negotiations—but after all, it’s the client’s attestation that’s on the line.
Another concern centers on just how much of the service provider’s audit will be revealed. A service provider is required to inform its clients only about any failures of SAS 70 tests; there’s no requirement to spell out the exact substance or scope of the audit. Thus, for instance, a client’s own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes, or only 4. That could lead to some poor assessments of service-provider controls. “We will be dealing completely in the dark as far as the population of that test,” says Lynn Edelson, systems and process assurance leader for PricewaterhouseCoopers. “I think that was one of the biggest flaws in SAS 70 in light of Sarbanes-Oxley.”
That’s something for clients to bear in mind during contract negotiations, says Edelson: insist that the service provider disclose the scope of the audit and not only the failures.
Auditor Dependence
Another thorny area is the possibility of conflicts of interest. That’s particularly worrisome, says Meta Group’s Lepeak, when a company’s external auditor also performs the SAS 70 audit of the service provider.
In the eyes of the Public Company Accounting Oversight Board (PCAOB), there’s no distinction between Section 404 compliance audits of a company’s internal business processes and its outsourced processes. But in either case, an external auditor—which must attest to the client’s Section 404 compliance—cannot also provide consulting services to the client or to the outsourcing provider on how to perform the SAS 70 audit.
Speaking in New York last month, Douglas Carmichael, the PCAOB’s chief auditor and director of professional standards, said he did not see SAS 70 as a barrier to business-process outsourcing and added that the PCAOB has addressed many questions regarding SAS 70 in an appendix to its proposed Section 404 guidance. But he also conceded that many questions remain unanswered, particularly regarding implementation issues. And he indicated that such clarifications may have to wait. “We can’t stop to answer all [these questions] now,” he said, “but our efforts will continue after we issue the standard.”
In the area of auditor independence, much remains cloudy. The situation becomes especially unclear when an auditor performs an SAS 70 test on an outsourcing provider to distribute to the outsourcer’s clients. If one of those clients has the same external auditor as the outsourcing provider, must it hire another external auditor to maintain an objective view of the service provider’s audit?
Many in the finance community are looking to the PCAOB to provide more clarity on this and a host of related BPO conundrums. At press time, the organization had established March 9 as the date it would meet and finalize its standard for Section 404 implementation. The standard was expected to be posted on the organization’s Website (www.pcaob.com) sometime between March 10 and 12, with a short comment period to follow. After that, the SEC is expected to issue its final ruling. One bright note: the implementation date for Section 404 has been pushed back, to November 15.
Carmichael says the Section 404 guidance issued thus far should make “fairly clear” how to address the SAS 70 issues posed by the intersection of offshoring and Sarbox requirements, even though Section 404 makes no mention of outsourcing. Nor have PCAOB officials expressed any intention of updating SAS 70 anytime soon. With regulatory guidance lagging business practice, companies may hesitate to send business-process outsourcing to India, China, and other popular offshoring havens. As for companies and auditors already dealing with BPO providers overseas, they can only hope that they don’t find themselves up the Ganges without a paddle.
Craig Schneider is an assistant editor at CFO.com
Just What Does Section 404 Entail?
As directed by Section 404 of the Sarbanes-Oxley Act of 2002, in May 2003 the Securities and Exchange Commission adopted rules regarding internal controls at public companies. Section 404 also requires that a company’s independent auditors attest to and report on management’s controls assessments, following standards established by the Public Company Accounting Oversight Board (PCAOB).
Under the SEC rules, management’s annual internal-control report must contain:
- a statement of management’s responsibility for establishing and maintaining adequate internal controls over financial reporting for the company;
- a statement identifying management’s framework for evaluating the effectiveness of internal controls;
- management’s assessment of the effectiveness of internal controls as of the end of the company’s most recent fiscal year;
- a statement that the company’s auditor has issued an attestation report on management’s assessment.
Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions.
Management must disclose any material weakness in a company’s internal-controls structure. If material weaknesses exist, senior executives “will be unable to conclude that the company’s internal control over financial reporting is effective,” according to the SEC.
The PCAOB, which proposed its standard for auditors in October 2003, must still finalize the standard, after which it must be approved by the SEC before taking effect.
The proposed auditing standard addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on the internal controls and one on the financial statements.
The proposed standard requires the auditor to communicate in writing to the company’s audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company’s management all internal-control deficiencies, and to notify the audit committee that such communication has been made.
A number of circumstances are defined by the proposed standard as “significant deficiencies” that would be strong indicators of a material weakness. They include:
- Ineffective oversight of the company’s external financial reporting and of internal control over financial reporting by the company’s audit committee. The proposed standard requires the auditor to evaluate factors related to the effectiveness of the audit committee, including whether committee members act independently from management.
- Material misstatement in the financial statements not initially identified by the company’s internal controls.
- Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time.
Most senior managers will have to certify their companies’ internal controls starting with fiscal years ending on or after November 15, 2004 (a deadline established by the SEC on February 25, superseding the previous June 15, 2004, deadline). That reporting date applies to “accelerated filers”—U.S. companies with a market cap of more than $75 million that have filed annual reports with the SEC. All other issuers must comply beginning with fiscal years ending on or after July 15, 2005.
Home is Where the Cash is
Don’t ask John Cox to outsource his treasury function offshore. It’s just not going to happen…ever.
As chief financial officer of BMC Software, he has been more than willing to outsource other areas of his finance department, including worldwide collections of accounts receivable. BMC has also offshored its document storage, quality-assurance testing, and maintenance-renewal effort, which includes telephonic support, bug fixes, and sales.
Cox cites business fundamentals, not regulatory concerns, as the reason to nix any treasury outsourcing initiatives overseas. “The tradeoff in what I could save is not at all worth the risk that I would bear personally and also for our shareholders,” he says about outsourcing treasury. “If something went wrong, they would be mad and I’d have another job. It’s just not worth it.”
Indeed, the sticking point is in the cost-benefit analysis: more than 60 percent of BMC’s balance sheet is in cash and marketable securities, so handing over such a significant amount of value to save a couple of dollars would be too risky, says Cox. And BMC now manages the function with a small team, so the potential to slash overhead isn’t there.
Not that the company is xenophobic, or averse to savings. It recently completed an effort in its European operations to consolidate accounts payable, payroll, travel and expense, and billing, but has decided not to move those functions offshore further, to India or elsewhere. “We now have less head count and a better control of process, from a risk-mitigation standpoint,” says Cox. “I’m not sure outsourcing or offshoring is a cure-all.”
When the company does offshore a business process, Cox determines how standardized that process is (the more the better) and adds a variety of risk factors into the risk analysis it conducts for all control areas, from the capabilities and reputation of the potential provider to whether a given country has “loose business ethics.”
Another issue is whether the process in question is a revenue-generating activity or a cost center. “The latter would have a lower risk profile from a software company perspective,” Cox says. “We try to use our judgment.”
Cox says BMC’s external auditor firm, Ernst & Young, has yet to approach him about SAS 70, the standard used on a voluntary basis to audit the internal controls of outsourcers. “I’m not specifically testing the outsourcer [on SAS 70 compliance],” he says, “but I have specific controls in place to [sufficiently] manage the risk.”
This article was originally published on CFO.com, in slightly different form, under the title “Stuck in the SAS 70s.”