THE CHARTERED ACCOUNTANT 1439 MAY 2005
Sarbanes Oxley Act, 2002 – An Indian Perspective
THEME
Srikant Sortur
The author is a member of the Institute as well as AICPA, working with Lason Systems Inc, MI, USA. He can be reached at

The Sarbanes Oxley Act 2002, which is applicable to all publicly-registered companies under the jurisdiction of the Securities and Exchange Commission, is a far reaching legislation, effecting significant changes to laws concerning directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses. This article primarily looks at the implications of the Act in India – for Companies, the Audit Profession and the BPO Industry.

"The Sarbanes Oxley Act will bring the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt" – said President George W Bush, while signing the Sarbanes-Oxley Act of 2002.

In July 2002, the United States Congress passed the Sarbanes-Oxley Act ("the Act"/SOX) into law. The Act was primarily designed to restore investor confidence following well-publicised bankruptcies that brought chief executives, audit committees and the independent auditors under heavy scrutiny. The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). SOX is a far reaching legislation, effecting significant changes to laws affecting officers, directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses.

Overview of the Act
The Sarbanes Oxley Act called for the formation of a Public Company Accounting Oversight Board (PCAOB) and specified several requirements ("sections") that include management's quarterly certification of the financial results (Section 302) and management's annual assertion that internal controls over financial reporting are effective (Section 404), among others.

The Act has largely ignored the differences in practices and corporate governance regimes between the United States and other countries, and has extended the reach of United States law to many aspects of the internal affairs and governance regimes of foreign companies and their auditors. There are, of course, certain reliefs for Foreign Private Issuers ("FPI") in the Act.

Some of the key sections related to Audit and Financial Reporting are:

The PCAOB: Sections 101-109 of the Act have established a new body, the Public Company Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of Securities Exchange Act of 1934 ("1934 Act") Reporting Issuers (issuers of securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings. It is illegal for a non-registered accounting firm to "prepare or issue, or to participate in the preparation or issuance of, any audit report" with respect to any 1934 Act Reporting Issuer.
Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (an Indian audit firm, in the context of this article) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate for such a firm to be subject to the Board's authority. The Act provides that if a foreign firm issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm's work papers.

Section 106(c) of the Act authorises the Securities and Exchange Commission (SEC) and the Board to exempt foreign accounting firms from any provision of the Act or any rules of the SEC or the Board issued under the Act (by rule or by order), as the SEC or the Board "determines necessary or appropriate in the public interest or for the protection of investors."

Section 302 (Corporate Responsibility for Financial Reports) directs the SEC to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each "annual" and "quarterly" report "filed" or "submitted" under the 1934 Act. The certification relates to the content of the report, the internal controls of the issuer and disclosure to the audit committee.

Section 906 (Failure of Corporate Officers to Certify Reports), which is similar to but separate from Section 302, is a criminal law provision requiring that each "periodic" report containing financial statements that is "filed" by a 1934 Act Reporting Issuer be accompanied by a written statement of the chief executive officer and chief financial officer (or equivalent). The statement must certify that the "periodic report containing the financial statements" fully complies with the requirements of the 1934 Act and also must certify that the information contained in the periodic report "fairly presents, in all material respects, the financial condition and results of operations of the issuer." This Section contains no exceptions for Foreign Private Issuers, although the SEC has the authority under the 1934 Act to determine the "periodic" reports that may be required to be "filed" under the 1934 Act.

Section 404 (Management Assessment of Internal Controls) requires the SEC to prescribe rules requiring each annual report required under the 1934 Act to contain an internal control report stating management's responsibility for internal controls and assessing the effectiveness of internal controls. This section also requires the auditors for the issuer to attest to and report on management's assessment in accordance with standards to be adopted by the Board.

Section 404 has generated tremendous interest and debate among accountants and is by far the most important one from the Financial Reporting perspective.
What Does Section 404 Entail?
As directed by Section 404 of the Sarbanes Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessment, following standards established by the PCAOB.

Under the SEC rules, management's annual internal-control report must contain:
● A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
● A statement identifying management's framework for evaluating the effectiveness of internal controls.
● Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.
● A statement that the company's auditor has issued an attestation report on management's assessment.
Internal controls, according to the new rule, include assurances of accurate record maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that receipts and expenditures are made only in accordance with authorisations of management and directors, and that publicly traded companies maintain adequate systems to prevent or detect unauthorised material transactions.

Management must disclose any material weakness in the company's internal-control structure. If material weaknesses exist, senior executives "will be unable to conclude that the company's internal control over financial reporting is effective," according to the SEC.

PCAOB Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements", was approved by the Securities and Exchange Commission on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404(b) of the Sarbanes Oxley Act of 2002. It is a very detailed standard. PCAOB also issued Auditing Standard No. 3, "Audit Documentation", which was approved by the Securities and Exchange Commission on August 25, 2004, and is effective for audits of financial statements with respect to fiscal years ending on or after November 15, 2004.

Auditing Standard No. 2 addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on internal control and the other on the financial statements.

The standard also requires the auditor to communicate in writing to the company's audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor is also required to communicate in writing to the company's management all internal control deficiencies, and to notify the audit committee that such communication has been made.

Section 404 draws attention to the significant processes that feed and comprise the financial reporting of an organisation. In order for management to make its annual assertion on the effectiveness of its internal control, management will be required to document and evaluate all controls that are deemed significant to the financial reporting process.
Implications for Indian Companies issuing securities in US markets
Most of the SOX titles are directed towards "Issuers" of securities, whether US or non-US; there is no distinction.

An "Issuer" has been defined as any issuer that:
— has securities registered under section 12 of the Securities Exchange Act of 1934 (Exchange Act); or
— is required to file reports with the SEC under section 15(d) of the Exchange Act; or
— has filed a registration statement under the Securities Act of 1933 (Securities Act) which has not yet become effective or been withdrawn.

Some provisions apply to "Persons" (whether or not issuers):
— Securities, mail and wire fraud (various sections of Titles IX and XI)
— Obstruction of justice (various sections of Titles VIII and XI)
— Retaliation against whistle-blowers (various sections of Titles VIII and XI)

The law contains no specific exemption for non-US companies. Non-US companies come within SOX through the definition of "Foreign Private Issuer", which is a company that is incorporated outside the US and in which:
✎ US residents do not hold a majority of the shares; or
✎ if US residents do hold a majority of the shares, then
☞ a majority of its directors and officers are not US citizens or residents,
☞ its business is administered from outside the US, and
☞ a majority of its assets are located outside the US.
Implications for Indian Companies:
Any Indian company that has its securities listed on the NYSE (New York Stock Exchange), AMEX (American Stock Exchange) or NASDAQ (National Association of Securities Dealers Automated Quotations), either directly or through Level II or Level III ADRs, that files Form 20-F (registration of securities of foreign private issuers pursuant to section 12(b) or 12(g) of the Exchange Act, also used for the annual report) and Form 6-K (report of foreign issuer pursuant to Rules 13a-16 and 15d-16), or that has filed a registration statement with the SEC, needs to comply fully with SOX. Implications include extraterritorial reach beyond the US; criminal sanctions for senior management in breach of certain clauses; enhanced disclosure based on rigorous internal controls reporting; certification by senior management; and independence requirements for audit committee members, to name just a few.
Implications for the Auditors of the FPI (Indian Company)
☞ Audit Firm / Auditor to be registered with PCAOB.
☞ Audit Firm / Auditor to be regulated / monitored by PCAOB.
☞ Mandatory audit partner (but not audit firm) rotation.
☞ Stringent limitations on non-audit services.

Note on the above implications:
SOX rule-making is evolving and it has an extraterritorial reach beyond the US. FPIs and their auditors have raised concerns on various counts. These could relate to conflicts between the laws and business practices of the foreign country and those of the US, and the related implications. It has been observed that the SEC has been taking a stand on these aspects on a case-by-case basis.
One recent example is the SEC's rule regarding the composition of audit committees of listed issuers. Sarbanes-Oxley required the SEC to pass a rule mandating that all members of audit committees be independent directors. But the corporate governance laws and regulations in Germany, for instance, and a few other countries with dual board systems, required corporate audit committees to include a labour representative. SEC rules do not, however, consider employees of an issuer "independent", for fear that an unscrupulous corporate officer could appoint employees to the board who were obliged to the company's management. Following a dialogue with the European Union and others, the SEC was reassured that in those jurisdictions with dual boards, the mandatory labour representatives on issuer audit committees were firmly independent of the company's management. The resulting final rule relating to audit committees contained an exception for these jurisdictions that allows employees who are not officers of a company to sit on the audit committee. This enables the affected issuers to comply with both sets of law, and it preserves the intent of Sarbanes-Oxley: to ensure that independent directors can communicate directly with auditors without management interference.

Another example of the SEC seeking to accommodate the special circumstances of foreign issuers came with the rules related to the publication of financial information presented in ways not strictly in compliance with US Generally Accepted Accounting Principles (GAAP). In this area, an exemption was given for non-GAAP communications outside the US, even where those communications reach the US.

A third example of accommodation was when the PCAOB ironed out some issues regarding oversight of foreign audit firms. Under the Sarbanes-Oxley Act, all audit firms, including non-US audit firms, providing significant audit services for issuers listed in the United States are required to be registered with and inspected by the PCAOB. Because of potential conflicts with foreign privacy laws and blocking statutes, the PCAOB has made some adjustments in the information requested of foreign firms during the registration process. In addition, the PCAOB is seeking a collaborative approach to developing its oversight role vis-à-vis non-US audit firms, working with counterparts in Europe and elsewhere.
Implications for Subsidiaries of US companies in India
Subsidiaries or business units of US Issuer companies that need to comply with SOX in full could be subject to compliance in various aspects, most of which would be planned and taken care of by the US Issuer. Probably the most important would be compliance with Section 404 – Management assessment of internal controls. The parent would determine the multiple locations that need to be covered for internal control testing. This is usually based on the significant accounts and the impact that the numbers of the subsidiary/business unit have on the overall company's financial reports.

PCAOB has not established specific percentages to determine coverage. Often the goal of the parent company would be to determine which locations are individually important (financially significant) and thus yield sufficient coverage using meaningful quantitative metrics. The usual benchmark seen in practice is to cover at least 60 to 70 per cent of the company's operations and financial position. The metrics could possibly be to cover any location that has more than 5% of annual revenues, pre-tax income, total assets or equity (if applicable).

Once a location is determined to be important, the planned procedures would include a detailed evaluation and tests of controls over significant (or "specific risk") accounts and disclosures at that location and testing of company-level controls.
Implications for the Indian Subsidiary/Business Unit
— Need to work closely with the parent to ensure proper controls, risk management, disclosures, and various other aspects.

Implications for the Auditors of the Indian Subsidiary
— Mandatory audit partner rotation will apply to partners that serve the client at the parent level. Partners serving a company's subsidiary will be subject to rotation only if they are lead partners and the subsidiary's assets or revenues constitute 20% or more of the consolidated assets or revenues of the parent.
— The Act provides that if a foreign firm (Indian audit firm) issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm (US audit firm) that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm's work papers.
MULTI LOCATION TESTING CONSIDERATIONS (decision chart, for each location or business unit)
1. Is the location or business unit individually important? If yes: evaluate documentation and test significant controls at each such location or business unit. If no, go to 2.
2. Are there specific significant risks? If yes: evaluate documentation and test controls over the specific risks. If no, go to 3.
3. Are there locations or business units that are not important even when aggregated with others? If yes: no further action is required for such units. If no, go to 4.
4. Are there documented entity-wide controls over this group? If yes: evaluate documentation and test entity-wide controls over the group. If no: some testing of controls at individual locations or business units is required.
Implications for the BPO Industry in India
The Business Process Outsourcing (BPO) industry is witnessing tremendous growth. According to NASSCOM, financial services BPO is poised for tremendous growth, and the Indian BPO industry is going up the value chain. India is expecting huge growth in finance, accounting, payroll, accounts payable and other financial processes moving to India from US business houses.
It is interesting to note that there could be a SOX implication for an Indian company that is neither an FPI nor a subsidiary of a US company. Here is how:

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. Not only might the standard cause a number of businesses to run afoul of the Section 404 provisions on internal controls, but it might also dissuade other companies from business process outsourcing in India, China and other emerging nations.

The standard in question is Statement on Auditing Standards No. 70, "Reports on the Processing of Transactions by Service Organizations." Established by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

When a US company uses a service organisation to process its financial data, management remains ultimately responsible for the internal control over its financial information under Section 404 of SOX. Typically, management would go about this as follows:
■ Determine if a service organisation is being used.
■ Determine if the outsourced activities, processes and functions are significant to the company's internal control over financial reporting.
■ Determine if a Type II SAS 70 report exists and is sufficient in scope.
■ If a Type II SAS 70 report does not exist, determine alternative procedures.
SARBANES OXLEY ACT, 2002 – LISTING OF TITLES
☞ Title I – Public Company Accounting Oversight Board (Sections 101-109)
☞ Title II – Auditor Independence (Sections 201-209)
☞ Title III – Corporate Responsibility (Sections 301-308)
☞ Title IV – Enhanced Financial Disclosures (Sections 401-409)
☞ Title V – Analyst Conflicts of Interest (Section 501)
☞ Title VI – Commission Resources and Authority (Sections 601-604)
☞ Title VII – Studies and Reports (Sections 701-705)
☞ Title VIII – Corporate and Criminal Fraud Accountability (Sections 801-807)
☞ Title IX – White Collar Crime Penalty Enhancements (Sections 901-906)
☞ Title X – Corporate Tax Returns (Section 1001)
☞ Title XI – Corporate Fraud and Accountability (Sections 1101-1107)

SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognised because it represents that a service organisation has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organisations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations.

SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organisation at the conclusion of a SAS 70 examination.
SAS 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organisation's description of controls through a Service Auditor's Report. SAS 70 is not a pre-determined set of control objectives or control activities that service organisations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control and reporting. A SAS 70 examination is not a "checklist" audit.

SAS No. 70 is generally applicable when an auditor ("user auditor") is auditing the financial statements of an entity ("user organisation") that obtains services from another organisation ("service organisation"). Service organisations that provide such services could be application service providers, bank trust departments, claims processing centres, Internet data centres, or other data processing service bureaus.

In an audit of a user organisation's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit, as required by SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organisation provides transaction processing or other data processing services to the user organisation, the user auditor may be required to gain an understanding of the controls at the service organisation.

Service Auditor's Reports: One of the most effective ways a service organisation can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.

A Type I report presents the service organisation's description of controls as of a specific point in time (e.g. December 31, 2004). A Type II report not only includes the service organisation's description of controls, but also includes detailed testing of the service organisation's controls over a minimum six-month period (e.g. July 1, 2004 to December 31, 2004). The contents of each type of report are described in the following table:

Report Contents (Type I Report / Type II Report)
1. Independent service auditor's report (i.e. opinion): Included / Included
2. Service organisation's description of controls: Included / Included
3. Information provided by the independent service auditor, including a description of the service auditor's tests of operating effectiveness and the results of those tests: Optional / Included
4. Other information provided by the service organisation (e.g. glossary of terms): Optional / Optional

In a Type I report, the service auditor will express an opinion on (1) whether the service organisation's description of its controls presents fairly, in all material respects, the relevant aspects of the service organisation's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above for a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Implications for Indian BPO Companies:
It is imperative that Indian BPO companies have a strong framework of internal controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of the Sarbanes Oxley Act, 2002.

Service organisations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion issued by an independent accounting firm differentiates the service organisation from its peers by demonstrating the establishment of effectively designed control objectives and control activities.

Without a current Service Auditor's Report, a service organisation may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organisation's resources. A Service Auditor's Report ensures that all user organisations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing and information security. A SAS 70 engagement allows a service organisation to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvement in many operational areas.

Implications for Indian Audit Firms
Assignments to conduct SAS 70 examinations can prove to be a new area of work. Management of US companies could rely on SAS 70 reports issued by non-US audit firms as long as the reports are issued under other standards that follow the criteria of SAS 70. Management would also need to evaluate the competency and qualifications of the auditor performing the examination. The Indian audit profession is widely appreciated around the world for its high standards, and managements of US companies should not have any issues with accepting SAS 70 reports issued by Indian audit firms.

Factors to be considered by management when a service organisation outsources certain functions to another service organisation:

In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (an Indian company) that in turn uses another service organisation (a sub-service organisation) to perform the work. In such a scenario the management of the user organisation needs to consider controls at the sub-service organisation. In addition, the following also need to be considered:
☞ The nature and materiality of the transactions processed by the sub-service organisation
☞ The contribution of the sub-service organisation's processes to the achievement of the user organisation's information processing objectives
☞ The availability of a SAS 70 report for the sub-service organisation

Because a user organisation typically does not have any contractual relationship with the sub-service organisation, a user organisation should obtain available reports and information about the sub-service organisation from the service organisation.
Certain Issues related to SAS 70
SAS 70 was finalised in March 1993. There is an existing line of thought that it is outdated in certain respects and may not really cater to the requirements of Section 404 of SOX. Critics say that a major overhaul is needed.

Even a Type II report, however, does not guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit, if it is performed by the service provider's auditor, might be out of sync with the client's reporting period. If the audit period ends in June and the client's fiscal year ends on December 31, for instance, there is a six-month gap in the attestation of the outsourcer's internal controls. If there are control slip-ups during the second half of the year, the accuracy and reliability of the client's own year-end attestation could be compromised, and be fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis, or "fill in the gaps" with updates throughout the year (in practice, a bridge letter from the service organisation covering the period between the report date and the client's year-end).
Smaller service providers might bridle at the added cost during contract negotiations, but after all, it is the client's attestation that is on the line.

Another concern for the outsourcer's auditor is just how much of the service provider's audit is being revealed. A service provider is required to inform its client only about any failures of SAS 70 tests; there is no requirement to spell out the exact substance or scope of the audit. Thus, for instance, a client's own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes or only four. That could lead to some poor assessments of service-provider controls.
Conclusion
We can wrap up this discussion by quoting from the speech by SEC Chairman William H Donaldson, delivered recently in London on the topic "US Capital Markets in the Post-Sarbanes-Oxley World: Why Our Markets Should Matter to Foreign Issuers". The following words are relevant to this article:
"Now, two-and-a-half years later (since SOX became operational), some critics claim the Sarbanes-Oxley Act goes too far. In particular, these critics charge that requiring certification of internal controls – the so-called Section 404 provision of Sarbanes-Oxley – is too expensive and unnecessary. Section 404 has even led some foreign issuers to declare that they may wish to leave America's capital markets altogether rather than have their internal controls certified.

It is easy for an individual issuer to look at the cost of compliance with US federal securities laws and balk. But the cost of capital also comes with benefits. US capital markets are deep and liquid. Nearly half of all the world's equity shares, by market capitalization, trade in the United States. And non-US investors have approximately $4.5 trillion invested in US stock markets.

The requirements of Sarbanes-Oxley cannot be evaluated in a vacuum. They are important because they have produced, and will produce, improvements that help to restore and reinforce investor confidence in our markets, and lower the cost of capital to issuers. Section 404, for example, reaffirms that US legislators are serious about internal control requirements. It is already clear that Section 404 is helping to strengthen the business operations of those US and foreign issuers who have seized the opportunity to use the internal controls assessment as a managerial opportunity and not simply a compliance exercise.

The SEC remains committed to a level playing field for all its issuers, foreign and domestic alike. But we recognize that cross-border listings frequently entail issuers having to navigate duplicative or even contradictory regulations in different jurisdictions. While the SEC is unwilling to compromise where investor protections are concerned, some duplicative or contradictory regulations can compromise those protections and place an unnecessary burden on issuers, firms and investors."
Comparison of US Regulatory Structure Before and After Sarbanes Oxley

Regulatory Oversight
  Before Sarbanes Oxley: Securities and Exchange Commission (SEC)
  After Sarbanes Oxley: Securities and Exchange Commission (SEC)

Public Interest Oversight
  Before Sarbanes Oxley: Public Oversight Board (POB)
  After Sarbanes Oxley: Public Company Accounting Oversight Board (PCAOB), a quasi-governmental organisation that will be responsible for establishing and/or monitoring groups that establish:
    - Auditing standards
    - Auditor ethics and independence standards
    - Auditing firm quality control standards
    - Auditing firm peer review standards
    - Investigation of rule violations
    - Sanctions of violators

Professional organisation and its associated regulatory role (auditing standards, professional ethics, audit quality control standards, peer review of auditing firms)
  Before Sarbanes Oxley: American Institute of CPAs (AICPA), a professional organisation with regulatory responsibilities through its Auditing Standards Board (ASB), Ethics Committee and SEC Practice Section (SECPS)
  After Sarbanes Oxley: PCAOB, as above

Accounting Standards
  Before Sarbanes Oxley: Financial Accounting Standards Board (FASB)
  After Sarbanes Oxley: Financial Accounting Standards Board (FASB)