Beware a false sense of security: Even though the SEC has pushed back the deadline for compliance with Section 404 of the Sarbanes-Oxley Act of 2002, a little-known and perhaps largely outdated auditing standard for outsourcers could hamstring companies that are rushing to send their business processes offshore.
The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.
Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the November deadline for Section 404 compliance facing many public companies (see “Just What Does Section 404 Entail?”).
Finance would seem to have more at stake than other corporate functions in clarifying the situation, since transferring financial tasks overseas can put material transactions in the hands of outsourcers. That will give finance folks pause regardless of how many cost-cutting sermons they’ve sat through. Stan Lepeak, a vice president at research firm Meta Group Inc., believes that incompatibilities between SAS 70 and Sarbox will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.”
Tom Eubanks, global leader for finance and accounting outsourcing with IBM Business Consulting Services, isn’t so sure. “At first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’” But Eubanks turns that around and says that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”
All in the Timing
Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports. Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives. Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.
Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbox. For one thing, the timing of the audit—if it’s performed by the service provider’s auditor—might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If the controls slip up during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised—and fair game for a Securities and Exchange Commission inquiry.