Subscribe    |    Sponsors    |    About Us   |   Contact Us                

Current Stories
More Stories

The Changing Playing Field of Business Intelligence: A Playbook for CFOs - June 2010

Noiseless Transition: Infosys enables T-Mobile UK to faster realise the benefits of outsourcing its Finance Directorate Functions - February 2010

The search for gold: Helping banks to tap alternative funding sources

The fortune at the bottom of the Fortune...

Billing Strategies for Innovative Business Models: How Boring Old Billing Could Be the Competitive Advantage You Never Knew You Had

Recipes for Bundled Finance and Accounting Outsourcing

Profit Recovery and Finance & Accounting Outsourcing

2008 Market Predictions: FAO, Global Sourcing, HRO, ITO, and PO Markets

Outsourcing Order-to-Cash (O2C) and Procure-to-Pay (P2P)

Finance and Accounting Outsourcing (FAO): Global Sourcing in FAO

Finance & Accounting Outsourcing (FAO) Market Update - Global FAO Supplier Landscape Preview Deck - June 2007

What Buyers Need to Know about Accounting for Outsourcing Implementation Costs

Financial Accounting Outsourcing (FAO) Annual Report - January 2007

FAO Market Update - Everest Research Institute - November 2006

Mellon Treasury Insights

The CFO - Moving from back-office to frontline strategy

Perhaps the most significant (and certainly the most costly) of the corporate governance provisions contained in the Sarbanes-Oxley Act of 2002 ("SOX") is the requirement imposed on public company management to evaluate the effectiveness of the company's internal controls and procedures over financial reporting and the related requirement for auditors to attest to management's evaluation. Major public companies, i.e., accelerated filers, must begin to comply with these requirements for their first fiscal year ending on or after November 15, 2004.

Various public company issuers have outsourced financial and accounting business process functions (e.g., accounts receivable, accounts payable, cash treasury, fixed asset accounting) to third-party service organizations or outsourcing suppliers. Some of these arrangements involve offshoring certain activities to operational sites outside of the U.S. There are a multitude of complex issues associated with outsourcing these functions that require analysis from a legal, regulatory, liability, and contractual perspective. This article highlights some of the more critical of the issues under SOX.

Internal Control Report

Section 404 of SOX requires the Securities and Exchange Commission (SEC) to prescribe rules requiring each annual report of a public company issuer to make an internal control report containing: (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment by management at the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting.

Auditor Attestation

Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statement to attest to, and report on, the assessment made by management. The accounting firm must make this attestation in accordance with standards issued or adopted by the Public Company Accounting Oversight Board (PCAOB).

SEC Rules

The SEC rules implementing section 404 provide that controls subject to assessment by management include, but are not limited to:

• controls over initiating, recording, processing, and reconciling account balances;
• classes of transactions and disclosure and related assertions included in the financial statements;
• controls related to the initiation and processing of non-routine and non-systematic transactions;
• controls related to the selection and application of appropriate accounting policies;
• controls related to the prevention, identification, and detection of fraud.

Legal Exposure

There may be cost-savings and other benefits for a public company issuer by outsourcing and/or offshoring financing and accounting business process functions to outsourcing suppliers. Nonetheless, it is clear that the responsibility to maintain effective internal control over financial reporting is not delegable by public company management. The failure to discharge these responsibilities due to knowing or willful non-compliance is subject to personal fines ranging from $5 million to $10 million and/or imprisonment terms ranging from up to 10 to 20 years. Exposure to shareholder lawsuits, however, for material weaknesses and any resulting restatement expense attributable to the acts or failures to act of the outsourcing supplier may be shared by the public company issuer and the supplier. Conceptually, this could increase the number of defendants in a lawsuit to include not only the public company issuer, management of the public company issuer, and the public company auditor, but also the management of the supplier and the supplier's auditor.

PCAOB Attestation Standard

The PCAOB attestation standard also makes clear that a service organization or outsourcer is considered part of the company's internal control over financial reporting when it provides services that affect:

• how the company initiates its transaction;
• how the company's transactions are processed and reported in its accounting records, supporting information, and specific financial statement accounts;
• how the company's transactions are processed from the initiation of the transaction to its inclusion in the financial statements; or
• how the financial reporting process is used to prepare the client's financial statements.

In these circumstances, the management and auditor of the public company issuer are expected to evaluate the activities of the outsourcing supplier in determining the nature, timing, and extent of evidence required to support its opinion on internal control.

An outsourcing supplier might do several things to assist the public company auditor, e.g., engage its own auditor to review and report on the systems it uses to process the company's transactions or engage an auditor to test the effectiveness of the controls applied to the company's transaction to enable the auditor to evaluate controls of the supplier. Buyers should anticipate that these volitional safeguards may become regularly negotiated terms of an outsourcing agreement.

The tensions generated by SOX, the SEC implementing rules, and the PCAOB attestation standards become exacerbated where the public company issuer and the outsourcing supplier are both public companies with the same audit firm. If a buyer mandates an auditor's report, the supplier may be required to retain a second auditor to prepare that report.

Restrictions

There are a number of areas in which the public company auditor should not use the results of testing performed by the supplier, including:

• controls that are part of the control environment, including controls specifically established to prevent and detect fraud that are reasonably likely to result in material misstatement of the financial statements;
• controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate record, and process journal entries in the general ledger; and to record recurring and non-recurring adjustments to the financial statements (for example, consolidating adjustment, report combinations, and reclassifications); and
• controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depend.

Editor's Note: It's still too early to determine how outsourcing suppliers should deal with SOX. Look for a follow-up article by the authors in the fall.

Lessons from the Outsourcing Journal:

• Public companies that outsource finance and accounting processes and their outsourcers have new requirements under the Sarbanes-Oxley Act. Management at both companies and their auditors need to be involved.
• While various questions regarding these issues remain, the most likely answers will be derived through (i) issue identification; (ii) focused negotiations; and (iii) the final PCAOB attestation standard.
• Although compliance with regulatory requirements under SOX are non-delegable, finance and accounting outsourcing agreements will increasingly contain provisions that seek to establish the roles and responsibilities of the customer and supplier in a manner that facilitates compliance with these requirements.
• The best defense for a CEO or CFO to avoid the penalties for willful non-compliance is deployment of effective due diligence procedures designed to assure the discharge of their regulatory responsibilities including retention of reputable, knowledgeable, and experienced suppliers of reliable financial and accounting outsource services.

Robert J. Gareis is a Partner in Baker & McKenzie (Chicago office) Corporate & Securities Law Practice. He can be reached at Robert.J.Gareis@bakernet.com. Michael S. Mensik is a Partner at Baker & McKenzie (Chicago office) and is the Co-Coordinator of the firm's Global Information Technology Law Practice. He can be reached at Michael.S.Mensik@bakernet.com

Publish Date: April 2004

Related Articles
The Early Impact of Sarbanes-Oxley Act on Finance and Accounting Outsourcing

Copyright © 2004 - Everest Partners, L.P.

[Previous Story] [Next Story]