Sharing the Burden of Compliance

Once upon a time, SOX-induced insomnia was an affliction unique to the public company CIO. Not anymore. Today, they are joined by their IT service providers who are finding themselves caught in the crosshairs of their clients’ compliance efforts.

“Everyone is looking at their relationships, especially if they outsource a business type process like payroll or claims processing,” said Ed Byers, a principal with Delotte & Touche. “If you’re a CIO with an outsourcing service provider, you better be aware of the need to demonstrate internal controls.”

According to the SEC, in situations where management has outsourced certain functions to third-party service providers, it maintains a responsibility to assess the controls over the outsourced operations. That interpretation is echoed by the Public Company Accounting Oversight Board (PCAOB), which states the use of a service organization “does not reduce management’s responsibility to maintain effective internal control over financial reporting.”

Unfortunately, this does little to clear up the confusion surrounding which types of relationships are subject to control assessments. In some cases, such as with payroll or data processing, it’s obvious. Other relationships fall into a grey area, such as data centers, hosting services, software development, remote back-up services and hosted application service providers.

“It becomes an issue when a company outsourcers a specific area of general computer controls; for example, if they outsource software development. Typically, even in this case, the key controls still reside within the (contracting) company; for example, change control and other authorizations. However, if the key controls reside at your outsourcer, you will need to test those controls,” said Byers.

To Require or Not

From the client’s perspective, the ability to rely on third-party service providers to obtain independent assurances of controls was a welcome relief, according to Mary Makal, managing partner of Complyant Solutions, a SOX consulting and project management services firm, and creator of a software application designed to increase efficiencies associated with compliance efforts.

“It means they (the client company) don’t have to deal with certain aspects of compliance; for example the documentation and assessment of certain IT-related processes and controls, and can instead rely on their third-party service providers to obtain independent assurance of their controls,” she said.

Even so, client CIOs are not completely off the hook. They still must determine which, if any, of their service providers need to obtain those independent assurances, and whether they need to conduct their own audit or accept another certification such as the SAS 70 Type II or American Institute of Certified Public Accountants’ (AICPA) Trusted Services Principles & Criteria.

In many cases, companies are resolving that dilemma by simply requiring all their providers to obtain independent assurances, most often in the form of the SAS 70 Type II.

Makal said her general advice to CIOs is to request SAS 70s from all service providers then assess those that don’t have them to determine if it is a “make or break requirement.”

However, “all or nothing” isn’t the best approach in every case.

“If an outsourced IT process or service is significant to an IT shop and the provider does not have a SAS 70, or does not want to obtain one, then that may be a good reason to terminate the relationship,” said Makal. “However, it would be prudent to ask questions and do some further investigation. Is it cost prohibitive? Are there issues with how they perform the service? Why haven’t they been required by other clients to have one?”

If the service provider is integral to your operations and you don’t want to terminate the relationship because of the lack of a SAS 70, it may make sense to ask them to allow your own auditors to do some controls testing rather than forcing them to obtain outside certification.

Taking the Plunge

A growing number of service providers have opted to secure outside certification whether or not their client companies are requesting them.

Messaging services provider Postini, for example, has earned both the AICPA’s WebTrust Seal of Assurance and SAS 70 Type II certification. According to Jocelyn Ding, executive vice president of Worldwide Field Operations, the company pursued the trusted services seal in part to meet the needs of prospective and existing customers for assurance that company’s service complies with a set of objective standards governing availability, security and privacy, as well as to ensure that a framework is in place for compliance on an ongoing basis.

“It’s important to look at certification as a process that will strengthen internal processes around the certification criteria rather than just a process for obtaining a seal or report,” adds Ding. “Compliance with the certification criteria has to become a part of ongoing operations. It is a persistent process.”

For CenterBeam, a San Jose, Calif.-based IT outsourced services company, the decision to pursue SAS 70 Type II certification was an easy one, according to Eric Arnold, vice president of security, engineering and operations.

First, clients expect it and second, it allows them to provide clients with the value-add of taking on the responsibility of a least a portion of their customers’ compliance requirements.

“We had one customer who brought in an army of guys, including their auditors. They were loaded for bear,” said Arnold. “I asked them to show me their SOX (Sarbanes Oxley) criteria for the audit and, after going through it line by line, I came up with a matrix of three things we could do for them” that encompassed consultative, enabling and providing roles. “If you imagine a line with two end points, where one end is empty and the other is full, that’s the SOX criteria. We were able to cover the first third.”

The entire process took CenterBeam about two months and 25 hours a week of Arnold’s time, but he said the ROI is more than worth the effort and expense. For starters, the certification has enabled the company to close deals that were otherwise out of reach, and they realized an improvement in overall productivity.

Finally, said Arnold, who still spends about 15% of his month working with auditors from client companies, the SAS 70 lets him respond quickly to those requests. “Before we had certification … it was a nightmare.”