Perhaps the most significant (and certainly the most costly) of the corporate governance provisions contained in the Sarbanes-Oxley Act of 2002 ("SOX") is the requirement imposed on public company management to evaluate the effectiveness of the company's internal controls and procedures over financial reporting and the related requirement for auditors to attest to management's evaluation. Major public companies, i.e., accelerated filers, must begin to comply with these requirements for their first fiscal year ending on or after November 15, 2004.
Various public company issuers have outsourced financial and accounting business process functions (e.g., accounts receivable, accounts payable, cash treasury, fixed asset accounting) to third-party service organizations or outsourcing suppliers. Some of these arrangements involve offshoring certain activities to operational sites outside of the U.S. There are a multitude of complex issues associated with outsourcing these functions that require analysis from a legal, regulatory, liability, and contractual perspective. This article highlights some of the more critical of the issues under SOX.
Internal Control Report
Section 404 of SOX requires the Securities and Exchange Commission (SEC) to prescribe rules requiring each annual report of a public company issuer to make an internal control report containing: (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment by management at the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting.
Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statement to attest to, and report on, the assessment made by management. The accounting firm must make this attestation in accordance with standards issued or adopted by the Public Company Accounting Oversight Board (PCAOB).
The SEC rules implementing section 404 provide that controls subject to assessment by management include, but are not limited to:
- controls over initiating, recording, processing, and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements;
- controls related to the initiation and processing of non-routine and non-systematic transactions;
- controls related to the selection and application of appropriate accounting policies;
- controls related to the prevention, identification, and detection of fraud.
A public company issuer may realize cost savings and other benefits by outsourcing and/or offshoring finance and accounting business process functions to outsourcing suppliers. Nonetheless, it is clear that the responsibility to maintain effective internal control over financial reporting is not delegable by public company management. A failure to discharge these responsibilities due to knowing or willful non-compliance is subject to personal fines ranging from $5 million to $10 million and/or imprisonment terms ranging from up to 10 years to up to 20 years. Exposure to shareholder lawsuits for material weaknesses, and for any resulting restatement expense attributable to the acts or failures to act of the outsourcing supplier, may however be shared by the public company issuer and the supplier. Conceptually, this could increase the number of defendants in a lawsuit to include not only the public company issuer, management of the public company issuer, and the public company auditor, but also the management of the supplier and the supplier's auditor.
PCAOB Attestation Standard
The PCAOB attestation standard also makes clear that a service organization or outsourcer is considered part of the company's internal control over financial reporting when it provides services that affect:
- how the company initiates its transactions;
- how the company's transactions are processed and reported in its accounting records, supporting information, and specific financial statement accounts;
- how the company's transactions are processed from the initiation of the transaction to its inclusion in the financial statements; or
- how the financial reporting process is used to prepare the client's financial statements.
In these circumstances, the management and auditor of the public company issuer are expected to evaluate the activities of the outsourcing supplier in determining the nature, timing, and extent of evidence required to support its opinion on internal control.
An outsourcing supplier might do several things to assist the public company auditor, e.g., engage its own auditor to review and report on the systems it uses to process the company's transactions, or engage an auditor to test the effectiveness of the controls applied to the company's transactions to enable the auditor to evaluate controls of the supplier. Buyers should anticipate that these volitional safeguards may become regularly negotiated terms of an outsourcing agreement.
The tensions generated by SOX, the SEC implementing rules, and the PCAOB attestation standards become exacerbated where the public company issuer and the outsourcing supplier are both public companies with the same audit firm. If a buyer mandates an auditor's report, the supplier may be required to retain a second auditor to prepare that report.
There are a number of areas in which the public company auditor should not use the results of testing performed by the supplier, including:
- controls that are part of the control environment, including controls specifically established to prevent and detect fraud that are reasonably likely to result in material misstatement of the financial statements;
- controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and non-recurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications); and
- controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depends.
Editor's Note: It's still too early to determine how outsourcing suppliers should deal with SOX. Look for a follow-up article by the authors in the fall.
Lessons from the Outsourcing Journal:
- Public companies that outsource finance and accounting processes and their outsourcers have new requirements under the Sarbanes-Oxley Act. Management at both companies and their auditors need to be involved.
- While various questions regarding these issues remain, the most likely answers will be derived through (i) issue identification; (ii) focused negotiations; and (iii) the final PCAOB attestation standard.
- Although compliance with regulatory requirements under SOX is non-delegable, finance and accounting outsourcing agreements will increasingly contain provisions that seek to establish the roles and responsibilities of the customer and supplier in a manner that facilitates compliance with these requirements.
- The best defense for a CEO or CFO to avoid the penalties for willful non-compliance is deployment of effective due diligence procedures designed to assure the discharge of their regulatory responsibilities including retention of reputable, knowledgeable, and experienced suppliers of reliable financial and accounting outsource services.
Robert J. Gareis is a Partner in Baker & McKenzie (Chicago office) Corporate & Securities Law Practice. Michael S. Mensik is a Partner at Baker & McKenzie (Chicago office) and is the Co-Coordinator of the firm's Global Information Technology Law Practice.