www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
27 February 2006  
The SOX Act and outsourcing

While on the face of it, the cost of implementing SOX may appear to be an insurmountable barrier for Indian ITeS players, there’s more to SOX and outsourcing than meets the eye, says Milan Sheth

The primary objective of the Sarbanes-Oxley Act is to restore investor confidence. To do so, the act requires CEOs and CFOs of listed companies to certify that the reports they periodically file with the Securities and Exchange Commission correctly portray the company’s financial condition. Section 404(a) further requires that the management assess the effectiveness of the company’s internal controls over financial reporting, and then state in its annual report to shareholders whether these controls are operating effectively. Basically, it means that the management must look closely and regularly at all the steps taken to ensure the integrity and reliability of the company’s financial accounts, and tell the public if there are material weaknesses in the design or operation of these steps, thereby hopefully avoiding Enron-like surprises.


Listed companies are spending substantial sums on Sarbanes-Oxley compliance. However, a large section of companies believe that the process of complying with SOX has not yielded significant internal benefits for their company and that the benefits of compliance do not outweigh costs. The concern over the costs of complying with Sarbanes-Oxley appears to be growing. It may increase even more as the intersection between Sarbanes-Oxley and outsourcing comes into better focus, particularly around the requirements of Section 404, which are now beginning to be fully appreciated. Though many factors drive outsourcing, cost savings are a major impetus. Key questions from the Indian service provider perspective are whether Sarbanes-Oxley adds to the cost of outsourcing, will outsourcing diminish on account of it, or will it impact certain types of outsourcing but not others.

Let us deliberate on these points.

In order to ensure the integrity and reliability of financial statements, SOX requires the management to assess the effectiveness of the company’s internal controls over financial reporting, and the external auditor to evaluate this assessment and then render an independent report. The body that oversees the audit of public companies, the Public Company Accounting Oversight Board (PCAOB), has laid down what is expected from this report. PCAOB instructs the auditors to address two inter-related questions.

First, is the management’s assessment fairly stated, in all material respects? Second, does the company in fact maintain, in all material respects, effective internal control over financial reporting? Section 404(b) requires the company’s auditor to attest to and report on the assessment made by the company’s management. The PCAOB soon recognised that auditors cannot attest to something without conducting their own independent investigation. An attestation engagement to examine a management’s assessment of internal controls requires the same level of work as an audit of internal control over financial reporting. The auditor needs to test the effectiveness of internal control to be satisfied that the management’s conclusion is correct and, therefore, fairly stated. It is recognised that internal control is not ‘one-size-fits-all’. Large companies may require extensive and sophisticated internal control systems; smaller companies, where senior management is more directly involved in daily interactions with both internal and external parties, need less elaborate systems.

In determining whether any particular system is effective, the auditor is instructed to exercise reasonable professional judgement in determining the extent of the audit of internal control, and to perform only those tests that are necessary to ascertain the effectiveness of the company’s internal control. In doing so, the PCAOB endorsed the use of the same framework that the management is encouraged to use in its own assessment of internal controls: the Internal Control-Integrated Framework published by the Committee of Sponsoring Organisations of the Treadway Commission (COSO).

Auditing Standard No. 2 contains detailed guidance about what is supposed to happen next. The auditor, states the PCAOB, should begin by looking at the assessment of the management. The auditor should then take steps to understand how the company’s system of internal control is designed and operates, like doing walkthroughs of the more significant processes.

Tests should be conducted on both the design of the controls and their operation. After the conclusion of all relevant tests, the auditor must evaluate the results. In this phase, the auditor has to identify any control deficiencies. A control deficiency is any fault in the design or operation of an internal control that may prevent a company’s managers or employees, in the normal course of performing their assigned functions, from preventing or detecting mis-statements on a timely basis. All significant deficiencies and material weaknesses must be promptly communicated to the company’s audit committee. An auditor’s report must contain two opinions: one on management’s assessment; the other on the effectiveness of the company’s internal control over financial reporting.

Implications for service organisations

Auditing Standard No. 2 provides guidance on how the auditor should conduct its Section 404(b) attestation. On the whole, the guidance focuses on how the auditor should go about evaluating the internal control over financial reporting in place at the public company. Where the company has outsourced an activity that may impact its financial reporting, the standard also sets out how the auditor should treat the service organisation performing that activity. This part of the standard refers extensively to AU sec. 324 on service organisations, a professional standard issued by the American Institute of Certified Public Accountants (AICPA). AU sec. 324, in turn, is the codified form of the AICPA’s Statement on Auditing Standards (SAS) No. 70, as amended by later SASs. AU sec. 324 contains various concepts that an auditor could apply to audit a service organisation.

A service organisation is one whose services form part of a company’s information system: it executes classes of transactions, performs accounting procedures or record-keeping functions, or provides information systems or reporting processes in a manner that may impact the company’s financial statements.

The extent to which the auditor needs to investigate controls in place at the service organisation will depend in part on the degree to which the company controls its outsourced activities. Where the degree of interaction is high, the company may be able to implement sufficient controls within its own organisation. Where there is less interaction, the auditor may have no alternative but to investigate what controls the service organisation has implemented.

Most business process outsourcing (human resource, administration, finance & accounting, and other transactions processing) involves services that may affect the customer’s financial statements. Similarly, an outsourced call centre may handle inquiries that, if not properly processed and recorded, could produce a mis-statement. Even information technology outsourcing may involve services that could constitute part of the customer’s information system. AU sec. 324 specifically cites application service providers who provide packaged software applications and a technology environment that enables customers to process financial and operational transactions. For example, where a public company has contracted for hosting services, the service organisation’s system and other controls may need to be evaluated to determine whether they ensure integrity and reliability of the customer’s data.

Service organisations that provide such services include, for example, bank trust departments that invest and service assets for employee benefit plans or for others; mortgage bankers that service mortgages for others; and application service providers. The guidance in this section may also be relevant to situations in which an organisation develops, provides and maintains the software used by clients.

Standard 2 directs the company’s management and auditor to take three steps with respect to service organisations: (i) obtain an understanding of the controls in place at the company over the activities of the service organisation; (ii) obtain an understanding of the controls in place at the service organisation that are relevant to the company’s internal controls; and (iii) obtain evidence that the controls that are relevant to the management’s assessment and the auditor’s opinion are operating effectively. The PCAOB specifically states that the evidence of effective controls may include a report from the service organisation’s auditor. AU sec. 324 distinguishes between two types of service auditor reports, commonly referred to as Type I and Type II.

A Type I report describes the relevant controls at the service organisation and whether they were placed in operation as of a specific date, but does not indicate whether they were operating effectively. A Type II report covers controls placed in operation and their operating effectiveness: it describes the service organisation’s relevant controls and also indicates whether they were operating effectively over a specified period. To issue a Type II report, the service auditor must perform tests of the service organisation’s controls. A service auditor’s report that does not include tests of controls, states the PCAOB, does not provide evidence of operating effectiveness. In short, a Type I report has little evidentiary value, if any, for purposes of Section 404.

Although the PCAOB endorses the use of Type II reports, Auditing Standard No. 2 underscores that even these reports may not constitute sufficient evidence to support the assessment; the company’s auditor must still judge whether the period covered, the controls tested and the results reported are adequate for the company’s own assessment.

Uncharted territory

As noted above, the primary goal of the Sarbanes-Oxley Act was to restore investor confidence. But public companies are already grumbling about the costs of complying with the act’s requirements. Anecdotal evidence suggests that much of this grumbling results from the effort to comply with Section 404’s requirements as they apply within the four corners of the company. The impact of Section 404 on a public company which has outsourced significant activities that may impact its financial statements still seems relatively unexplored in many sectors.

To date, open discussion of the intersection between the Sarbanes-Oxley Act and outsourcing appears limited. Although the PCAOB created a framework that can be used to think about this intersection, this framework leaves many questions unanswered, and answering them is left largely to the judgement of the company’s management and its auditor. Perhaps the only conclusion that can be drawn at this stage is that public companies must take adequate steps to ensure the integrity and reliability of their financial accounts, regardless of whether they have engaged in outsourcing. Outsourcing, if done correctly, normally involves, among other things, defining and implementing specific service-level commitments, reporting procedures, and change control processes.

In other words, outsourcing normally results in greater, not less, scrutiny of the activity. In the near term, the Sarbanes-Oxley Act may indeed add to the cost of at least certain types of outsourcing, and some public companies and service organisations will need to have discussions regarding who bears these additional costs. Over the longer term, however, outsourcing may actually reduce the cost of complying with the Act, at least if public companies and service organisations think clearly and creatively about how to facilitate the compliance effort. Evidence of such thinking is already appearing on the scene.

The author is Senior Manager, Ernst & Young. He can be reached at milan.sheth@in.ey.com
