Business Process Outsourcing under Sarbanes-Oxley -- Challenges and Complexities
By Robert Gareis & Michael S. Mensik, Baker & McKenzie
Perhaps the most significant (and certainly the most costly) of the corporate governance provisions contained in the Sarbanes-Oxley Act of 2002 ("SOX") is the requirement imposed on public company managements to evaluate the effectiveness of the company's internal controls and procedures over financial reporting and the related requirement for auditors to attest to management's evaluation.1 The internal controls requirements will become effective for public companies with fiscal years ending on or after June 15, 2004.
Over the past year, various public company issuers have outsourced financial and accounting business process functions (e.g., accounts receivable, accounts payable, cash treasury, fixed asset accounting) to third party service organizations; yet other issuers are considering doing so this year. Some of these arrangements involve offshoring certain activities to operational sites outside of the U.S. There are a multitude of complex issues associated with outsourcing these functions that require analysis from a legal, regulatory, liability and contract perspective. This article highlights some of the more critical of the issues under SOX.
Internal Control Report
Section 404 of SOX requires the Securities and Exchange Commission ("SEC") to prescribe rules requiring each annual report of a public company issuer to have an internal control report containing: (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment by management at the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting.
Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statement to attest to, and report on, the assessment made by management. The attestation must be made in accordance with standards for attestation engagements issued or adopted by the Public Company Accounting Oversight Board ("PCAOB").
The SEC rules implementing section 404 of SOX provide that controls subject to assessment by management include, but are not limited to:
• controls over initiating, recording, processing and reconciling account balances;
• classes of transactions and disclosure and related assertions included in the financial statements;
• controls related to the initiation and processing of nonroutine and non-systematic transactions;
• controls related to the selection and application of appropriate accounting policies; and
• controls related to the prevention, identification and detection of fraud.
1 Cost estimates for large companies to implement the internal controls provisions range from $500,000 to several million dollars.
There may be cost-savings and other benefits for a public company issuer by outsourcing and/or offshoring financing and accounting business process functions. Nonetheless, it is clear that the responsibility to maintain effective internal control over financial reporting is not delegable by management.2 Exposure to shareholder lawsuits, however, for material weaknesses and any resulting restatement expense attributable to the acts or failures to act of the service organization may be shared by the public company issuer and the service organization. Conceptually, this could increase the number of defendants in a lawsuit to include not only the public company issuer, management of the public company issuer, and the public company auditor, but also the service organization, management of the service organization, and the service auditor.
PCAOB Proposed Attestation Standard
The proposed PCAOB attestation standard also makes clear that a service organization is considered part of the company's internal control over financial reporting when it provides services that affect:
• how the company initiates its transactions;
• how the company's transactions are processed and reported in its accounting records, supporting information, and specific financial statement accounts;
• how the company's transactions are processed from the initiation of the transaction to its inclusion in the financial statements; or
• how the financial reporting process is used to prepare the client's financial statements.
In these circumstances, the management and auditor of the public company issuer are expected to evaluate the activities of the service organization in determining the nature, timing and extent of evidence required to support their opinion on internal control.3
A service organization might do several things to assist the public company auditor, e.g., engage its own auditor (service auditor) to review and report on the systems it uses to process the company's transactions, or engage a service auditor to test the effectiveness of the controls applied to the company's transactions to enable the auditor to evaluate controls of the service organization. It should be anticipated that these volitional safeguards may become regularly negotiated terms of an outsourcing agreement.
The tensions generated by SOX, the SEC implementing rules, and the proposed PCAOB attestation standards become exacerbated where the public company issuer and the service organization are both public companies with the same audit firm. To the extent a service auditor's report is mandated by the outsourcing agreement, the service organization may be required to retain a second auditor to prepare the service auditor's report.
2 The proposed PCAOB attestation standard states unequivocally that "the use of a service organization does not reduce management's responsibility". See Appendix B25.
3 See Appendix B27 and paragraph .07 of AU sec. 325. The latter describes the procedures that management and the auditor should perform with respect to the activities performed by the service organization.
There are a number of areas in which the public company auditor should not use the results of testing performed by the service organization, including:
• controls that are part of the control environment, including controls specifically established to prevent and detect fraud that are reasonably likely to result in material misstatement of the financial statements;
• controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and non-recurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications); and
• controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depend.
As noted, there are significant issues to be resolved in circumstances where a public company issuer outsources its financing and accounting business process functions to a third party service organization. These issues involve not only managements of both the issuer and the service organization, but also the auditors for both entities. At this stage, various questions remain to be answered. The answers are likely to be gotten only through issue identification and focused negotiations, as well as the finalization of the PCAOB attestation standard.
For further information, please contact Robert Gareis, Corporate & Securities, Chicago office (312/861-2892,
firstname.lastname@example.org), or Michael S. Mensik,
Information Technology & Outsourcing, Chicago office (312/861-