As CEOs and CFOs sign their first Section 404 reports under Sarbanes-Oxley, many of them may wonder if outsourcing will ultimately increase rather than decrease complexity and cost. If planned correctly and executed according to the plan, outsourcing certainly can make compliance under Sarbanes-Oxley easier and less expensive. But there are many pitfalls that those responsible for managing service providers must avoid.
Companies that outsource business processes such as HR and finance and accounting need to verify that their service providers are maintaining adequate and effective internal controls over the processes entrusted to them. CEOs and CFOs are responsible for ensuring that internal controls in outsourced activities, even those moved offshore, have been documented and tested each year. Failing to do so may land them in jail. If those internal controls are not found to be effective, then the CEO and CFO have to expose these problems in corporate SEC filings, which may cause investors to lose confidence and lead to plummeting stock prices.
None of this is merely theoretical. In March and April, problems of achieving regulatory compliance surfaced. Let’s start with Bay View Capital Corp., which has a subsidiary that outsourced its auto installment loan process to two service providers. Neither service provider could offer an SAS 70 Type II report covering their operations. Although the auditors gave Bay View Capital a clean opinion on its financial statements, the CEO and CFO had to disclose the details of the weaknesses caused by their service providers and state how those material weaknesses could have resulted in errors in their financial statements.
Another company, Churchill Downs, operator of the annual Kentucky Derby, couldn’t even obtain an SAS 70 Type II report covering the service providers that processed its pari-mutuel gambling activities. Churchill Downs had to disclose this material weakness and outline its alternatives to fix this problem, which included switching service providers.
Then there’s Iomega Corp., maker of Zip drives and other backup devices, which had trouble obtaining an SAS 70 Type II report from its third-party distribution and logistics service provider. When the report arrived past its due date, it revealed material internal control deficiencies. Consequently, Iomega utilized the one-time 45-day extension for filing its Form 10-K. In the initial filing, Iomega’s CEO and CFO stated that internal controls were operating effectively. Thirteen days later, both the CEO and CFO reversed their opinion, stating that there were material weaknesses in the internal controls performed by their service providers, over which they were accountable.
Sarbanes-Oxley is no secret to public companies in the U.S., but it could be better understood by many offshore service providers. Global sourcing managers are expected to develop robust compliance plans utilizing a range of corporate functions and experts. It is clear, however, that how you manage your service providers can have a direct impact on the success or failure of your company’s compliance efforts. Managing Offshore’s study of compliance and outsourcing reveals that while some offshore service providers are responding adequately to the needs of U.S. public companies, many others have chosen to “wait and see”--steering some complacent customers a little closer to trouble.
Establishing Accountability
The Sarbanes-Oxley Act of 2002 was enacted in response to massive investor losses attributable to greedy executives at corporations such as Enron and Worldcom. Executive greed was not limited to the U.S., as evidenced by Parmalat in Italy. The SEC was determined to restore investor confidence in U.S. capital markets and Sarbanes-Oxley is one result of that. Consequently, compliance with Sarbanes-Oxley is now a fact of life for companies that want access to U.S. capital markets. It may seem like a stretch that these controls also encompass outsourcing, but here’s what’s happening and what you need to know:
* Section 302 requires that the CEO and CFO certify they have reviewed the quarterly and annual reports; the financial statements are presented fairly with no untrue statements or omission of material facts; they are responsible for disclosure controls and procedures, and internal controls over financial reporting; and they have evaluated the disclosure controls as of the period end and disclosed any material changes in internal controls during the period. Finally, the CEO and CFO must disclose any control deficiencies or fraud to the audit committee and auditors.
* Section 404 goes further, as it requires the CEO and CFO to assess the actual operating effectiveness of internal control over financial reporting and state their opinion on whether those internal controls can be relied upon. This is where the rubber hits the road.
* An SAS 70 Type II report is vital for public companies that use service providers. The 70 to100 page document includes a description of the internal controls that management wants to be tested along with the independent auditor’s tests and findings.
Auditors Opine
Under Sarbanes-Oxley, auditors must now opine on management’s report on the effectiveness of internal controls as well as opine on the financial statements. Several scenarios are possible.
If the auditors identified errors in the financial statements and management corrected those errors, then the auditors may give a “clean” opinion on the financial statements and an adverse opinion on the internal controls over the financial statements (as the internal controls allowed errors into the financial statements).
In other cases, the company or the auditors may find errors in previously released financial statements, which requires restating those financial statements and results in a corresponding adverse opinion on the effectiveness of internal controls.
A third condition may arise where management or the auditors find that, while there are a number of weaknesses with internal controls, the financial statements do not contain any errors and no adjustments are required. In this situation, management and the auditors assess the significance of the weaknesses (are they material or immaterial?) and on the likelihood of errors occurring in the financial statements (is the likelihood probable or remote?). At a minimum, these weaknesses must be reported to the audit committee and possibly disclosed to investors.
Sourcing
This report on auditing your service provider was prepared after interviewing more than 20 executives, legal experts, outsourcing advisers, outsourcing service providers (both onshore and offshore), and auditors. To assess the potential effects on a company’s stock price, Bryan Mekechuk interviewed three securities analysts. In addition, several major outsourcing agreements that were entered into prior to 2004 were reviewed to identify how changing laws and regulations, such as Sarbanes-Oxley, could impact an outsourcing relationship, including the responsibility to pay for an audit. Mekechuk, a chartered accountant and experienced consultant, analyzed the opinions, scope, procedures, and test results in five SAS 70 reports.
|
The other scenario is where the financial statements are presented fairly and the internal controls operated effectively. This is the best scenario, because it yields clean opinions by management and the auditors.
Failure to have adequate internal controls and filing delays may contribute in triggering class-action shareholder lawsuits. For example, a recent class-action complaint regarding BearingPoint stated “...the company lacked adequate internal controls and was therefore unable to ascertain the true financial condition of the company.” Prior to Sarbanes-Oxley, BearingPoint would not have disclosed the problems with its internal controls.
Srbanes-Oxley is the manifestation of the SEC’s belief that “sunlight is often the best disinfectant.”
