27 October 2004

Compliance and outsourcing: Oil and water or fine vinaigrette?

John and Stan could not have said it any better....

By John Van Decker and Stan Lepeak
10 May 2004 | Meta Group

One common misperception that still survives in the market is that existing outsourcing audit mechanisms, primarily the SAS 70 audit, are adequate for SOX compliance. The growing consensus is that even an SAS 70 Type 2 audit may not prove enough for SOX. The SAS 70 standard was developed long before SOX regulations and was not designed to focus on the type of controls that SOX addresses. In addition, there have been no requirements for users to request an SAS 70 audit, and many have not. One SAS 70 audit could potentially suffice for multiple clients of an outsourcer, whereas with SOX compliance, this is likely unacceptable. We are seeing more cases where aggressive/thorough clients are demanding additional controls and documentation beyond an SAS 70 Type 2 audit to enable what they estimate is "good enough" SOX compliance. It is not expected that the PCAOB will define requirements above and beyond an SAS 70 for SOX compliance until later this year.

A final challenge to SOX compliance that affects outsourcers is interenterprise compliance. Users must approach process compliance holistically, covering insourced and outsourced processes, as well as intersection points and continuums of processes that span supply and service chains. For example, how can a user's controls account for the breakdown in a supplier's financial controls that could lead to a parts shortage, which could impact revenue/profits that would then require a timely disclosure? Clearly, organizations cannot address SOX compliance in an isolated fashion. Outsourcers have the added dimension of being intertwined in multiple clients' compliance efforts across multiple process areas. This in itself increases the outsourcer's risk and demands greater focus on enabling compliance, for its own sake as much as its clients'.

Bottom Line: Business process and IT outsourcing currently do not mix well with SOX and related compliance requirements. However, outsourcers and their clients cannot wait for regulatory clarification and must define, document, and rationalize interim best-faith efforts for gaining and evidencing SOX compliance for affected outsourced functions and processes.
