This spring, the initial wave of Sarbanes-Oxley compliance problems began to surface. Here are some recent examples disclosed in March and April by public companies relating to service providers and SAS 70 Type II reports. These examples are not meant to be critical of the companies, rather to illustrate situations that can be avoided by careful planning and follow-up.

Material Weakness - Failure To Obtain An SAS 70 Report

By its filing deadline of March 31, 2005, Bay View Capital Corp. (BVCC) could not obtain an SAS 70 Type II report to evidence the effectiveness of controls at two of its third-party service organizations. The service organizations’ processes were an integral part of its automobile finance subsidiary’s (BVAC) auto installment loan process, which was considered part of BVCC’s internal control over financial reporting, specifically as to the existence and valuation of auto installment contracts, interest and fee income.

Although this did not result in a misstatement, the CEO and CFO had to state that material weaknesses were evident in their internal controls and that these internal controls could not be relied on. Included in the remediation is management’s commitment to “... continue our efforts to have BVAC’s outside service organizations obtain SAS 70 Type II reports.”

Remediation Alternatives for Churchill Downs

As of December 31, 2004, Churchill Downs did not maintain control over the effectiveness of internal controls at two third-party service providers. These service providers processed all pari-mutuel wagering activities and were considered part of the company’s internal control over financial reporting. Management was unable to obtain evidence about the effectiveness of controls at the service providers, so this represented a control deficiency.

Although this control deficiency did not result in a misstatement to Churchill Downs’ financial statements, it could have resulted in a misstatement of pari-mutuel wagering revenue that would garner a material misstatement that would not be prevented or detected. Accordingly, management had no choice but to conclude that this control deficiency constituted a material weakness.

Churchill Downs’ stated alternatives to fix this situation included:

The last alternative indicates that a service providers’ failing to maintain effective internal controls throughout the year may create a breach of the outsourcing agreement.

Delay and Deficiency in SAS 70 Report for Iomega Corp.

During 2004, Iomega spent considerable time and resources analyzing, documenting, and testing its system of internal controls, which included the internal controls of third parties to whom Iomega had outsourced certain operations. Iomega had planned to rely on an SAS 70 Type II report covering internal controls at its third-party distribution and logistics service provider. As the 75-day deadline approached for filing Iomega’s Form 10-K was nearing, the service provider had not come forth with the SAS 70 report.

On March 4, 2005, the SAS 70 report that was finally provided to Iomega revealed that the service provider had certain deficiencies in its internal controls. Iomega and its auditors reviewed the SAS 70 report to evaluate if Iomega’s compensating and redundant controls were sufficient to minimize, and potentially eliminate, Iomega’s reliance on the service provider’s internal control environment.

When Iomega filed its initial Form 10-K by the March 16 deadline, Iomega stated that it would utilize the SEC’s one-time 45-day extension to verify that there were no problems with its internal controls. Although they flagged the potential problem, the CEO and CFO stated that the disclosure controls were effective.

Subsequently, on March 29, Iomega filed an amended Form 10-K stating that, “the company’s CEO and CFO concluded that as of December 31, 2004, the company’s disclosure controls and procedures were not effective because of the material weakness described below...” Both the CEO and CFO changed their opinions because of the problems at its service provider.

Not pretty at all.