
by Arlene Power
The Sarbanes-Oxley Act of 2002 (Sox) applies to US public companies and foreign-owned companies listed in the US and is designed to bring greater transparency to their business operations and cut fraud. Under section 404(a), a company’s management is required to include in its annual report an assessment of the effectiveness of its internal controls.
The recent announcement by the US Securities and Exchange Commission that foreign companies would be granted an extra year – to their first reporting date after 15 July 2006 – to comply with section 404 gives them some breathing space to improve the quality of their Sox projects and to embed Sox compliance on a sustainable basis. One way companies may do this is to review their arrangements with business process outsourcing (BPO) providers.
What is meant by 'internal controls'?
Activities that must be considered as part of the company’s internal controls, and which directly affect procurement, include:
How can outsourced activities materially impact our internal controls?
Under Sox, internal controls over financial reporting cover not only the processes that reside within the company but also processes performed by, or outsourced to, third-party providers. Examples include IT processes, finance function processing, warehouse management, logistics and customer care.
How should procurement manage Sox compliance for third-party suppliers?
A register of third-party suppliers, channel distributors and joint ventures should be prepared and a business owner identified for each. It is important to set up a process between procurement, legal, finance, internal audit and the users of third-party services. This process should ensure that the need to support the company in its Sox compliance efforts is a prerequisite for suppliers whose services may impact the company’s financial statements.
From the RFP stage, through negotiation, to the signed contract, a defined process involving the key stakeholders helps to ensure that an appropriate level of assurance can be obtained throughout the life of the contract.
Not all third-party services will have a Sox impact, so procurement should work with finance to determine which third-party relationships need to be considered.
How should contracts reflect our need to comply with Sox legislation?
For contracts predating Sox, general audit access rights should be deemed sufficient. More recent contracts should ideally include the right to request a SAS 70 Type II report on the specific services supplied. SAS 70 is a standard developed by the American Institute of Certified Public Accountants and recognised internationally; a SAS 70 Type I report describes the controls and their design at a point in time only, without testing whether they operate, and is not deemed to give sufficient coverage for compliance purposes.
A SAS 70 Type II report describes the controls in place at a specific point in time and adds detailed testing of their operating effectiveness over a period of at least six months. Where a SAS 70 Type II report is not deemed appropriate, the contract should stipulate how assurance over the provider's internal controls will be obtained.
What if our outsourced provider sub-contracts work?
You will also need to consider “sub-service” organisations (providers sub-contracted by the outsourcing service provider) for the purposes of Sox compliance. Your contract should allow you to be informed of any sub-contracting relationships and, where appropriate, give you audit access rights to sub-contractor organisations.
If we have to micro-manage outsourcing partners to comply with Sox, doesn’t that diminish the benefits of outsourcing?
Not necessarily. Many see the legislation as a positive framework under which they can balance the risk of losing control against the benefits of not having to do the work in-house. Greater visibility of what happens in the “black box” means that the company can provide input to improving the design and operating effectiveness of those controls, which the service provider carries out on its behalf.
Sox may also provide a framework under which to strengthen the boundary controls that the company operates at the point where it receives information from third parties and which affect its financial position.
Arlene Power is a senior manager at KPMG in London (arlene.power@kpmg.co.uk)