A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. Not only might the standard cause a number of businesses to run afoul of the Section 404 provisions on internal controls, but it might also dissuade other companies from business process outsourcing in India, China, and other emerging nations.
The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.
Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies. (Read more about what companies and their auditors are planning for in “Just What Does Section 404 Entail?” at the end of this article.)
Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause, however many cost-cutting sermons they’ve sat through. Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.”
Tom Eubanks, of IBM business consulting services, isn’t so sure. “On first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’ ” But what Eubanks and his colleagues are finding, he adds, is that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”
All in the Timing
Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.
Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit — if it’s performed by the service provider’s auditor — might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised — and fair game for a Securities and Exchange Commission inquiry.