The Winter/Spring 2005 issue of Outsourcing & Technology Transactions Dispatch, published by law firm Kramer Levin, includes an article titled, “Outsourcing In The Sarbanes-Oxley Era,” which explains what decision-makers in public companies should stay on top of in regards to Section 404 of the “Act.” Since the SEC has stated that the use of outsourcing doesn’t negate the client company’s responsibilities to maintain appropriate internal controls, that means somebody in the corporation needs to assess the controls of the service providers as well.
That’s where SAS 70 comes in. The Statement of Auditing Standards No. 70, according to this article, “states that a service provider’s services are part of a company’s financial information system if they affect any of the following”:
The classes of transactions in the company’s operations that are significant to the company’s financial statements;
- The procedures, both automated and manual, by which the company’s transactions are initiated, authorized, recorded, processed, and reported from their incurrence to their inclusion in the financial statements;
- The related accounting records, whether electronic or manual, supporting information and specific accounts in the company’s financial statements involved in initiating, authorizing, recording, processing and reporting the company’s transactions;
- How the company’s information system captures other events and conditions that are significant to the financial statements; or
- The financial reporting process used to prepare the company’s financial statements, including significant accounting estimates and disclosures.
To learn more about the mechanisms for monitoring the controls in place at your service provider, read the article.
If it all just wears you out, remember that you’re still the customer and you still have options. As the story says:
To date, this paradigm shift in the traditional outsourcing risk analysis model has not resulted in any noticeable decrease in the competition among service providers for engagements with companies subject to the Act. And, while this is likely attributable in some measure to the fact that Section 404 of the Act has only recently gone into effect for most public companies, a more plausible explanation is found in the simple fact that the Act is now a way of life for public companies. Just as these companies are learning which new procedures and costs are required to ensure compliance, their service providers are learning that in order to remain competitive they too will likely have to adjust their processes and pricing models to assist with their customers’ compliance efforts.