See our Outsourcing Provider Directory here

Business Process Outsourcing Under Sarbanes-Oxley: Challenges and Complexities

Perhaps the most significant (and certainly the most costly) of the corporate governance provisions contained in the Sarbanes-Oxley Act (“SOX”) is the requirement imposed on public company management to evaluate the effectiveness of the company’s internal controls and procedures over financial reporting and the related requirement for auditors to attest to management’s evaluation. Major public companies, i.e., accelerated filers, must comply with these requirements.

Various public company issuers have outsourced financial and accounting business process functions (e.g., accounts receivable, accounts payable, cash treasury, fixed asset accounting) to third-party service organizations or outsourcing suppliers. Some of these arrangements involve offshoring certain activities to operational sites outside of the U.S. There are a multitude of complex issues associated with outsourcing these functions that require analysis from a legal, regulatory, liability, and contractual perspective. This article highlights some of the more critical of the issues under SOX.

Internal Control Report

Section 404 of the Sarbanes-Oxley Act requires the Securities and Exchange Commission (SEC) to prescribe rules requiring each annual report of a public company issuer to make an internal control report containing: (1) a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment by management at the end of the company’s most recent fiscal year of the effectiveness of the company’s internal control structure and procedures for financial reporting.

Auditor Attestation

Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company’s annual financial statement to attest to, and report on, the assessment made by management. The accounting firm must make this attestation in accordance with standards issued or adopted by the Public Company Accounting Oversight Board (PCAOB).

SEC Rules

The SEC rules implementing section 404 provide that controls subject to assessment by management include, but are not limited to:

  • controls over initiating, recording, processing, and reconciling account balances;
  • classes of transactions and disclosure and related assertions included in the financial statements;
  • controls related to the initiation and processing of non-routine and non-systematic transactions;
  • controls related to the selection and application of appropriate accounting policies;
  • controls related to the prevention, identification, and detection of fraud.

Legal Exposure

There may be cost-savings and other benefits for a public company issuer by outsourcing and/or offshoring financing and accounting business process functions to outsourcing suppliers. Nonetheless, it is clear that the responsibility to maintain effective internal control over financial reporting is not delegable by public company management.

The failure to discharge these responsibilities due to knowing or willful non-compliance is subject to personal fines ranging from $5 million to $10 million and/or imprisonment terms ranging from up to 10 to 20 years. Exposure to shareholder lawsuits, however, for material weaknesses and any resulting restatement expense attributable to the acts or failures to act of the outsourcing supplier may be shared by the public company issuer and the supplier.

Conceptually, this could increase the number of defendants in a lawsuit to include not only the public company issuer, management of the public company issuer, and the public company auditor, but also the management of the supplier and the supplier’s auditor.

PCAOB Attestation Standard

The PCAOB attestation standard also makes clear that a service organization or outsourcer is considered part of the company’s internal control over financial reporting when it provides services that affect:

  • how the company initiates its transaction;
  • how the company’s transactions are processed and reported in its accounting records, supporting information, and specific financial statement accounts;
  • how the company’s transactions are processed from the initiation of the transaction to its inclusion in the financial statements; or
  • how the financial reporting process is used to prepare the client’s financial statements.

In these circumstances, the management and auditor of the public company issuer are expected to evaluate the activities of the outsourcing supplier in determining the nature, timing, and extent of evidence required to support its opinion on internal control.

An outsourcing supplier might do several things to assist the public company auditor, e.g., engage its own auditor to review and report on the systems it uses to process the company’s transactions or engage an auditor to test the effectiveness of the controls applied to the company’s transaction to enable the auditor to evaluate controls of the supplier. Buyers should anticipate that these volitional safeguards may become regularly negotiated terms of an outsourcing agreement.

The tensions generated by the Sarbanes-Oxley Act, the SEC implementing rules, and the PCAOB attestation standards become exacerbated where the public company issuer and the outsourcing supplier are both public companies with the same audit firm. If a buyer mandates an auditor’s report, the supplier may be required to retain a second auditor to prepare that report.

Restrictions

There are a number of areas in which the public company auditor should not use the results of testing performed by the supplier, including:

  • controls that are part of the control environment, including controls specifically established to prevent and detect fraud that are reasonably likely to result in material misstatement of the financial statements;
  • controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate record, and process journal entries in the general ledger; and to record recurring and non-recurring adjustments to the financial statements (for example, consolidating adjustment, report combinations, and reclassifications); and
  • controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depend.

Lessons from the Outsourcing Journal:

  • Public companies that outsource finance and accounting processes and their outsourcers have new requirements under the Sarbanes-Oxley Act. Management at both companies and their auditors need to be involved.
  • While various questions regarding these issues remain, the most likely answers will be derived through (i) issue identification; (ii) focused negotiations; and (iii) the final PCAOB attestation standard.
  • Although compliance with regulatory requirements under the Sarbanes-Oxley Act are non-delegable, finance and accounting outsourcing agreements will increasingly contain provisions that seek to establish the roles and responsibilities of the customer and supplier in a manner that facilitates compliance with these requirements.
  • The best defense for a CEO or CFO to avoid the penalties for willful non-compliance is deployment of effective due diligence procedures designed to assure the discharge of their regulatory responsibilities including retention of reputable, knowledgeable, and experienced suppliers of reliable financial and accounting outsource services.

Robert J. Gareis is a Partner in Baker & McKenzie (Chicago office) Corporate & Securities Law Practice. He can be reached at [email protected]. Michael S. Mensik is a Partner at Baker & McKenzie (Chicago office) and is the Co-Coordinator of the firm’s Global Information Technology Law Practice. He can be reached at [email protected]

Get 3 Free Quotes Logo

  • Save 70%
  • Unrivaled expertise
  • Verified leading firms
  • Transparent, safe, secure

Get Started

Small Teams Call Logo

Start your Outsourcing Journey in 15 seconds.

Get Started

Enterprise & Large
Teams Call
Logo

Explore with an Enterprise Expert

  • Independent
  • Trusted
  • Transparent
Outsourcing

Dive into “Outsourcing”

A Guide to … Selecting the Correct Business Unit … Negotiating the Contract … Maintaining Control of the Process

Order now

Outsourcing Articles

Start your
outsourcing
journey here

"*" indicates required fields

Start your outsourcing journey.

Book a call with an outsourcing expert now

This field is for validation purposes and should be left unchanged.

"*" indicates required fields

This guide will walk you through some areas most important when outsourcing, such as
  • Identifying Your Outsourcing Needs Intelligently
  • Research & Selection
  • The Bidding Process
  • Contracts & Agreements
  • Implementation & Onboarding
  • Ongoing Management
  • Evaluating Success
  • Additional Resources

Book a call with an outsourcing expert now

This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Become an OC Partner
This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Media Inquiries for OC
This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Subscribe to our Newsletter
This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Submit Press Release
Accepted file types: pdf, doc, docx, Max. file size: 8 MB.
This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Submit an Article
Accepted file types: pdf, doc, docx, Max. file size: 8 MB.
This field is for validation purposes and should be left unchanged.

"*" indicates required fields

Request Ben Trowbridge as a Keynote Speaker
This field is for validation purposes and should be left unchanged.

Go to standard quote

Exclusive Enterprise Assistance

  • Independent
  • Trusted
  • Transparent

Offshore staffing solutions for enterprise. Independent expertise, advice & implementation

  • 200+ Firms, Global Reach
  • Offshore, Nearshore, Onshore, Rightshore
  • Managed Request for Proposal (RFP)
  • Assisted Procurement Processes
  • Vendor Management
  • Unique Build Operate Transfer model
  • Captive & Shared Services
  • Champion-Challenger
  • Multi-site, multi-vendor, multi-source
  • Managed Solutions

For Enterprise and large teams only

  • Book 20-minute consult, obligation free

You will get:

  • Needs Analysis & Report
  • Salary Guidance & Indicative Pricing
  • Process Map

Only takes 1 minute to complete the form

Get Started

Not an enterprise?

Go to standard quote