North American Outsourcing--U.S. Outsourcing Client Alert from Baker & McKenzie
The Sarbanes-Oxley/Outsourcing Intersection: An Introduction
By Michael S. Mensik, Partner, & Robert Gareis, Of Counsel, Baker & McKenzie
According to CFO Magazine, roughly one half of over 200 public companies responding to a recent email questionnaire indicated that they will spend at least $500,000 on Sarbanes-Oxley compliance. When asked, “Has going through the Sarbanes-Oxley compliance process yielded any internal benefits for your company?”, 52% of the respondents answered “No”.1 Indeed, 70% believe that the benefits of compliance do not outweigh the costs. Many now criticize Congress for acting in haste, without adequately considering the costs that complying with this law would entail for publicly traded companies.
The grumbling over the costs of Sarbanes-Oxley appears to be growing. It may increase even more as the intersection between Sarbanes-Oxley and outsourcing comes into better focus, particularly around the requirements of Section 404, which are now beginning to be fully appreciated. Though many factors drive outsourcing, cost savings is a major impetus. Does Sarbanes-Oxley add to the cost of outsourcing? Will outsourcing diminish because of Sarbanes-Oxley? Will Sarbanes-Oxley diminish certain types of outsourcing but not others? Or does outsourcing ultimately reduce the cost of Sarbanes-Oxley compliance? Let the debate begin.
A. Basic Requirements
The primary goal of the Sarbanes-Oxley Act was to restore investor confidence. To do so, the Act requires CEOs and CFOs to certify that the reports that a public company must periodically file with the Securities and Exchange Commission fairly present its financial condition. Section 404(a) further requires that management assess the effectiveness of the company’s internal controls over financial reporting and then state in its annual report to shareholders whether these controls are operating effectively. What does this mean? Basically, it means that management must look closely and regularly at all the steps taken to ensure the integrity and reliability of the company’s financial accounts and tell the public if there is any “material weakness” in the design or operation of these steps - thereby hopefully avoiding another Enron-like surprise.
Congress added another requirement in order to ensure the integrity and reliability of financial statements: Section 404(b). What does this provision require? In brief, after management has assessed the effectiveness of the company’s internal controls over financial reporting, Section 404(b) requires its outside auditor to evaluate this assessment and then render an independent report. What must this report address?
This question has been answered by the body that oversees the audit of public companies, the Public Company Accounting Oversight Board (“PCAOB”). In Auditing Standard No. 2, adopted in March 2004, the PCAOB basically instructs the auditors to address two inter-related questions. First, was management’s assessment “fairly stated, in all material respects”?2 Second, did the company in fact “maintain, in all material respects, effective internal control over financial reporting”?3
Auditing Standard No. 2 was issued only after extensive discussion. In part, this was due to the fact that the Act left open various critical issues for the PCAOB to resolve. For example, Section 404(b) simply requires the company’s auditor to attest to and report on the assessment made by the company’s management. The Act directed the PCAOB to determine exactly how the auditor would do so. The PCAOB soon recognized that auditors cannot attest to something without conducting their own independent investigation. “An attestation engagement to examine management’s assessment of internal controls,” concluded the PCAOB, “requires the same level of work as an audit of internal control over financial reporting.”4 Yes, the auditor needs to evaluate management’s assessment; to do so, however, the auditor “also needs to test the effectiveness of internal control to be satisfied that management’s conclusion is correct and, therefore, fairly stated.”5
It is difficult to argue with the PCAOB’s conclusion that the auditor must undertake its own independent investigation. But this conclusion presented an interesting dilemma. Perhaps mindful of cost considerations, Congress specifically provided that the auditor’s attestation of management’s assessment cannot be the subject of a “separate engagement”.6 In other words, Congress did not want to impose an independent costly exercise on public companies. The PCAOB also recognized that it had to be “sensitive to the costs Section 404…may impose on all companies, particularly some small and medium-sized companies.”7 Consequently, the PCAOB decided to “integrate” the audit of internal control over financial reporting with the existing audit of financial statements. In doing so, however, the PCAOB emphasized that, while interrelated, these two audits serve different goals: the latter addresses whether the company’s financial statements are fairly stated; the former addresses the effectiveness of its internal control over financial reporting.
Next, the PCAOB had to explain more precisely what framework the auditor should use to determine the effectiveness of the company’s internal control over financial reporting. It began by recognizing that “[i]nternal control is not ‘one-size-fits-all’.”8 Large companies may require “extensive and sophisticated” internal control systems; smaller companies, where senior management is more directly involved in daily interactions with both internal and external parties, may need less elaborate systems.9 In determining whether any particular system is effective, the auditor is instructed to “exercise reasonable professional judgment in determining the extent of the audit of internal control and perform only those tests that are necessary to ascertain the effectiveness of the company’s internal control.”10 More precisely, the PCAOB endorsed the use of the same framework that management is encouraged to use in its own assessment of internal controls: the Internal Control - Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”).
Auditing Standard No. 2 contains detailed guidance about what is supposed to happen next. The auditor, states the PCAOB, should naturally begin by looking at management’s assessment. The auditor should then take steps to understand how the company’s system of internal control is designed and operates, like doing “walkthroughs” of the more significant processes.11 The auditor should focus on “significant accounts” and “relevant assertions”.12 Tests should be conducted as to both the design of the controls and their operation. While these tests “should vary from year to year,” the auditor must obtain evidence of the effectiveness of controls “for all relevant assertions for all significant accounts and disclosures every year” (emphasis added).13 Although the tests may be conducted “at different times throughout the year,” the auditor must update the tests or “obtain other evidence that the controls still operated effectively at the end of the company’s fiscal year.”14 The auditor may “use the work of others” (e.g., the internal auditors), but “the auditor’s own work must provide the principal evidence for the audit opinion.”15
After concluding all relevant tests, the auditor must evaluate the results. In this phase, the auditor has to identify any “control deficiencies”.16 A “control deficiency” exists when the design or operation of an internal control does not allow the company’s managers or employees, “in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis”.17 If a control deficiency has been detected, the auditor must then determine whether, by itself or in combination with other control deficiencies, it is “significant”. And if it is “significant,” the auditor must then determine whether the control deficiency, by itself or in combination with other control deficiencies, amounts to a “material weakness”. Auditing Standard No. 2 defines both “significant deficiency”18 and “material weakness”.19 All “significant deficiencies” and “material weaknesses” must be communicated promptly to the company’s audit committee. All “significant deficiencies” must likewise be communicated promptly to the company’s management.
The last step in the process is formulating the auditor’s report. As indicated above, this report must contain two opinions: one on management’s assessment; the other on the effectiveness of the company’s internal control over financial reporting. Here, things get somewhat confusing for the uninitiated. As implemented by the SEC, Section 404(a) requires that the company’s management disclose only material weaknesses, and not significant deficiencies. If management finds a material weakness, moreover, it must issue a negative assessment as to the effectiveness of the company’s internal control. The PCAOB imposes the same reporting model on the auditor. Thus, if the company’s management and auditor have both found a material weakness, the auditor should affirm management’s negative assessment and issue a concurring negative opinion as to the effectiveness of internal control. On the other hand, if the auditor has found a material weakness that management has not identified as such, the auditor should refute management’s positive assessment and issue a dissenting negative opinion as to the effectiveness of internal control.
B. Use of Service Organization
Auditing Standard No. 2 is over 150 pages long. As discussed above, it mainly provides guidance on how the auditor should conduct its Section 404(b) attestation. On the whole, the guidance focuses on how the auditor should go about evaluating the internal control over financial reporting in place at the public company. But what if the company has outsourced an activity that may impact its financial reporting? What then? Is the auditor then obligated to evaluate what controls, if any, have been placed on these activities, and investigate whether they are adequately designed and operate effectively? If so, how? More fundamentally, what is the scope of this obligation - when exactly does it apply? Does it apply whenever a public company outsources an activity, or only if certain activities are outsourced? What standard does the PCAOB propose be used to draw this line?
Auditing Standard No. 2 addresses these questions in four pages under a section entitled “Use of Service Organizations,” which is tucked back in Appendix B, “Additional Performance Requirements and Directions; Extent-of-Testing Examples.” This section refers extensively to “AU sec. 324, Service Organizations,” a professional standard issued by the American Institute of Certified Public Accountants (“AICPA”). AU sec. 324, in turn, is based on a number of the AICPA’s “Statements on Auditing Standards” (“SAS”), including SAS No. 70. As the PCAOB acknowledges, AU sec. 324 was originally designed to address “auditor-to-auditor communications as part of the audit of financial statements.”20 Nonetheless, it concluded that AU sec. 324 contains various concepts that an auditor could apply equally in an audit of internal control over financial reporting. The PCAOB further observed that “it is also appropriate for management to apply the relevant concepts described in that standard to its assessment of internal control over financial reporting.”21
Unfortunately, AU sec. 324 does not draw very bright lines. In auditing the financial statements of a public company, it instructs the auditor to consider an outside service organization whenever the services obtained from such organization may be viewed as “part of [the company’s] information system.”22 When should third party services be viewed as part of the company’s information system? The answer is somewhat opaque: whenever the services “affect” any classes of transactions, accounting procedures, record-keeping functions, information systems, or reporting processes in a manner that may impact the company’s financial statements.23 AU sec. 324 provides some marginally helpful examples.24 Perhaps more helpful is the observation that the extent to which the auditor needs to investigate controls in place at the service organization will depend in part on the degree to which the company “interacts” with the outsourced activities.25 Where the degree of interaction is high, the company may be able to implement sufficient controls within its own organization; where there is less interaction, the auditor may have no alternative but to investigate what controls the service organization has implemented.
In the absence of a “bright line” standard, public companies should probably assume that most outsourced activities will require some consideration in the assessment and attestation exercise under Section 404. Most business process outsourcings (e.g., human resource administration, finance and accounting, and other transactions processing) involve services that may “affect” the customer’s financial statements. Similarly, an outsourced call center may handle inquiries that, if not properly processed and recorded, could produce a misstatement. Even information technology outsourcings may involve services that could constitute “part of the customer’s information system.” AU sec. 324 specifically cites “application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.”26 Thus, for example, where a public company has contracted for hosting services, the service organization’s system and other controls may need to be evaluated to determine whether they ensure the integrity and reliability of the customer’s data.
In drafting Auditing Standard No. 2, the PCAOB did not try to clarify the outer bounds of the assessment and attestation requirements beyond what is contained in AU sec. 324. To the contrary, the PCAOB simply asserts that “[i]f the service organization’s services are part of a company’s information system, as described [in AU sec. 324], then they are part of the information and communication component of the company’s internal control over financial reporting.”27 As such, the company’s management needs to consider the service organization’s activities in making its assessment, and the company’s auditor also needs to consider these activities in reaching its opinions as to management’s assessment and the effectiveness of the company’s internal control over financial reporting. The PCAOB then turns its attention to describing how the company’s management and auditor should go about these considerations. Before doing so, however, it emphasizes a critical point: “The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting.”28 In short, this duty is non-delegable.
Auditing Standard No. 2 basically directs the company’s management and auditor to take three steps with respect to service organizations: (i) obtain an understanding of the controls in place at the company over the activities of the service organization; (ii) obtain an understanding of the controls in place at the service organization that are relevant to the company’s internal control; and (iii) obtain evidence that the controls that are relevant to management’s assessment and the auditor’s opinion are operating effectively. The PCAOB focuses most of its discussion on the last directive – gathering evidence. How do the company’s management and auditor gather evidence that the relevant controls are operating effectively? The answer is twofold: testing the relevant controls; and obtaining a report from the service organization’s auditor. Some tests may be carried out at the company; for example, “re-perform[ing]” “selected items processed by the service organization” or “testing the [company’s] reconciliation of output reports with source documents.”29 Other tests, however, may need to be carried out at the service organization.
As indicated above, the PCAOB specifically states that the evidence of effective controls may include a report from the service organization’s auditor. This statement sparked considerable angst. AU sec. 324 distinguishes between two types of service auditor reports, commonly referred to as “Type I” and “Type II”. Type I is a “report on controls placed in operation,” which describes the relevant controls at the service organization as of a specific date, but does not indicate whether they were operating effectively.30 Type II is a “report on controls placed in operation and tests of operating effectiveness,” which both describes the service organization’s relevant controls and indicates whether they were operating effectively over a specified period.31 To issue this report, the auditor obviously must perform tests of the service organization’s controls. This additional step may involve significant cost. Nonetheless, the PCAOB expressed an overriding preference for Type II reports. “A service auditor’s report that does not include tests of controls,” states the PCAOB, “does not provide evidence of operating effectiveness.”32 In short, a Type I report has little evidentiary value, if any, for purposes of Section 404.
Although the PCAOB endorses the use of Type II reports, Auditing Standard No. 2 underscores that even these reports may not constitute “sufficient evidence” to support the assessment and attestation required under Section 404. The report may be insufficient for numerous reasons, including the timing, scope, or results of the tests of controls or the reputation, competence, or independence of the service auditor. In addition, the company’s auditor needs to consider whether any changes have occurred since the report was prepared that may merit undertaking additional procedures, such as changes in the service organization’s personnel, outsourcing contract, or service level agreements. Based on these considerations, among others, the auditor may decide that it needs additional evidence about the operating effectiveness of controls at the service organization. In such event, the auditor should consider, among other things, requesting that the service auditor perform additional procedures or visiting the service organization to perform such procedures. At the end of the day, the auditor must have the “reasonable assurance necessary” to issue its Section 404(b) report.33
C. Preliminary Conclusions
As noted above, the primary goal of the Sarbanes-Oxley Act was to restore investor confidence. Public companies are already grumbling about the costs of complying with the Act’s requirements. Anecdotal evidence suggests that much of this grumbling results from the effort to comply with the Section 404 requirements as they apply within the four corners of the company. The impact of Section 404 on a public company that has outsourced significant activities that may impact its financial statements still seems relatively unexplored in many sectors.
To date, open discussion of the intersection between the Sarbanes-Oxley Act and outsourcing appears limited. Although the PCAOB created a framework that can be used to think about this intersection, this framework leaves many questions unanswered. Answering these questions presently leaves much to the judgment of the company’s management and its auditor. Perhaps the only conclusion that can be drawn at this stage is that public companies must take adequate steps to ensure the integrity and reliability of their financial accounts, regardless of whether they have engaged in outsourcing. Outsourcing, if done correctly, normally involves, among other things, defining and implementing specific service level commitments, reporting procedures, and change control processes. In other words, outsourcing normally results in greater, not less, scrutiny of the activity.
In the near term, the Sarbanes-Oxley Act may indeed add to the cost of at least certain types of outsourcing. Some public companies and service organizations will need to have difficult discussions regarding who bears these additional costs. What about in the longer run? Outsourcing may actually reduce the cost of complying with the Act, at least if public companies and service organizations think clearly and creatively about how to facilitate the compliance effort. Evidence of such thinking is already appearing on the scene. But that is the topic of another article.
__________________________________________________
1 “Sticker Shock,” Alix Nyberg, CFO Magazine, September 1, 2003, p. 7.
2 Auditing Standard No. 2, par. 167.
3 Ibid.
4 PCAOB Release 2004-001, p. 7.
5 Ibid.
6 Sarbanes-Oxley Act, Section 404(b).
7 PCAOB Release 2004-001, p. 8.
8 Id., p. 9.
9 Ibid.
10 Ibid.
11 Id., p. 12.
12 Id., p.13.
13 Id., p. 15.
14 Id., p.16.
15 Id., p. 18.
16 Id., p. 19.
17 Ibid.
18 A control deficiency is “significant” if, by itself or in combination with other control deficiencies, it results in more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. Auditing Standard No. 2, par. 9.
19 A significant deficiency constitutes a “material weakness” if, by itself or in combination with other control deficiencies, it results in more than a remote likelihood that a material misstatement in the company’s annual or interim financial statements will not be prevented or detected. Auditing Standard No. 2, par. 10.
20 Auditing Standard No. 2, Appendix B, par. B18.
21 Ibid.
22 AU sec. 324.03.
23 Ibid.
24 Service organizations that provide such services include, for example, bank trust departments that invest and service assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and application service providers that provide packaged software applications in a technology environment that enables customers to process financial and operational transactions. The guidance in this section may also be relevant to situations in which an organization develops, provides, and maintains the software used by client organizations. The provisions of this section are not intended to apply to situations in which the services provided are limited to executing client organizational transactions that are specifically authorized by the client, such as the processing of checking account transactions by a bank or the execution of securities transactions by a broker. Ibid.
25 AU sec. 324.06.
26 Ibid.
27 Auditing Standard No. 2, Appendix B, par. B19.
28 Ibid.
29 Id., par. B21.
30 AU sec. 324.24.
31 Ibid.
32 Auditing Standard No. 2, Appendix B, par. B21.
33 Id., par. B28.
Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.
©2004 Baker & McKenzie
All rights reserved