sox indian prespective 9 pgs


Upload: balajis-aca-srirangam

Post on 10-Apr-2015


THE CHARTERED ACCOUNTANT 1439 MAY 2005

Sarbanes Oxley Act, 2002 – An Indian Perspective

THEME

Srikant Sortur

The author is a member of the Institute as well as AICPA, working with Lason Systems Inc, MI, USA. He can be reached at [email protected]

The Sarbanes Oxley Act 2002, which is applicable to all publicly-registered companies under the jurisdiction of Securities and Exchange Commission, is a far reaching legislation, effecting significant changes to laws concerning directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses. This article primarily looks at the implications of the Act in India – for Companies, Audit Profession and the BPO Industry.

“The Sarbanes Oxley Act will bring the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt” – said President George W Bush, while signing the Sarbanes-Oxley Act of 2002.

In July 2002, the United States Congress passed the Sarbanes-Oxley Act (“the Act”/SOX) into law. The Act was primarily designed to restore investor confidence following well-publicised bankruptcies that brought chief executives, audit committees, and the independent auditors under heavy scrutiny. The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). SOX is a far reaching legislation, effecting significant changes to laws affecting officers, directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses.

Overview of the Act

The Sarbanes Oxley Act called for the formation of a Public Company Accounting Oversight Board (PCAOB) and specified several requirements (“sections”) that include management’s quarterly certification of the financial results (Section 302) and management’s annual assertion that internal controls over financial reporting are effective (Section 404) among others.

The Act has largely ignored the differences in practices and corporate governance regimes between the United States and other countries, and has extended the reach of the United States’ laws to many aspects of the internal affairs and governance regimes of foreign companies and their auditors. There are of course certain reliefs for Foreign Private Issuers (“FPI”) in the Act.

Some of the key sections related to Audit and Financial Reporting are:

The PCAOB: Sections 101-109 of the Act have established a new body, the Public Company Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of The Securities Exchange Act of 1934 (“1934 Act”) Reporting Issuers (Issuers of Securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings. It will be illegal for a non-registered accounting firm to “prepare or issue, or to participate in the preparation or issuance of, any audit report” with respect to any 1934 Act Reporting Issuer.

Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (Indian Audit Firm in the context of this article) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate that such firm should be subject to the Board’s authority. The Act provides that if a foreign firm issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm’s work papers.

Section 106(c) of the Act authorises the Securities Exchange Commission (SEC) and the Board to exempt foreign accounting firms from any provision of the Act or any rules of the SEC or the Board issued under the Act (by rule or by order) as the SEC or the Board “determines necessary or appropriate in the public interest or for the protection of investors.”

Section 302 (Corporate Responsibility for Financial Reports) directs the SEC to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each “annual” and “quarterly” report “filed” or “submitted” under the 1934 Act. The certification relates to the content of the report, internal controls of the issuer and disclosure to the audit committee.

Section 906 (Failure of Corporate Officers to Certify Reports), which is similar to but separate from Section 302, is a criminal law provision requiring that each “periodic” report containing financial statements that is “filed” by a 1934 Act Reporting Issuer be accompanied by a written statement of the chief executive officer and chief financial officer (or equivalent). The statement must certify that the “periodic report containing the financial statements” fully complies with the requirements of the 1934 Act and also must certify that the information contained in the periodic report “fairly presents, in all material respects, the financial condition and results of operations of the issuer.” This Section contains no exceptions for Foreign Private Issuers, although the SEC has the authority under the 1934 Act to determine the “periodic” reports that may be required to be “filed” under the 1934 Act.

Section 404 (Management Assessment of Internal Controls) requires the SEC to prescribe rules requiring each annual report required under the 1934 Act to contain an internal control report stating management’s responsibility for internal controls and assessing the effectiveness of internal controls. This section also requires the auditors for the issuer to attest to and report on management’s assessment in accordance with standards to be adopted by the Board.

Section 404 has generated tremendous interest and debate for accountants and is by far the most important one from the Financial Reporting perspective.

What Does Section 404 Entail?

As directed by Section 404 of the Sarbanes Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company’s independent auditors attest to and report on management’s controls assessments, following standards established by the PCAOB.

Under the SEC rules, management’s annual internal-control report must contain:
● A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
● A statement identifying management’s framework for evaluating the effectiveness of internal controls.
● Management’s assessment of the effectiveness of internal controls as of the end of the company’s most recent fiscal year.
● A statement that the company’s auditor has issued an attestation report on management’s assessment.

Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that comply with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions.

Management must disclose any material weakness in a company’s internal-controls structure. If material weaknesses exist, senior executives “will be unable to conclude that the company’s internal control over financial reporting is effective,” according to the SEC.

Pull quote: The Sarbanes Oxley Act’s Section 404, which deals with Management Assessment of Internal Controls, has generated tremendous interest and debate for accountants and is by far the most important one from the Financial Reporting perspective.

PCAOB issued Auditing Standard No. 2: “An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements”. This standard was approved by the Securities and Exchange Commission on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404 (b) of the Sarbanes Oxley Act of 2002. It is a very detailed standard. PCAOB also issued Auditing Standard No. 3: “Audit Documentation”. This standard was approved by the Securities and Exchange Commission on August 25, 2004, and is effective for audits of financial statements with respect to fiscal years ending on or after November 15, 2004.

The auditing standard addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on the internal controls and the other on the financial statements.

The standard also requires the auditor to communicate in writing to the company’s audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company’s management all internal control deficiencies, and to notify the audit committee that such communication has been made.

Section 404 draws attention to the significant processes that feed and comprise the financial reporting for an organization. In order for management to make its annual assertion on the effectiveness of its internal control, management will be required to document and evaluate all controls that are deemed significant to the financial reporting process.

Implications for Indian Companies issuing securities in US markets

Most of the SOX titles are directed towards “Issuers” of securities, whether US or non-US; there is no distinction.

An ‘Issuer’ has been defined as any issuer that:
● has securities registered under section 12 of the Securities Exchange Act of 1934 (Exchange Act); or
● is required to file reports with the SEC under section 15(d) of the Exchange Act; or
● has filed a registration statement under the Securities Act of 1933 (Securities Act), which has not become effective or been withdrawn

Some provisions apply to ‘Persons’ (whether or not issuers):
● Securities, mail and wire fraud (various sections of Titles IX and XI)
● Obstruction of justice (various sections of Titles VIII and XI)
● Retaliation against whistle-blowers (various sections of Titles VIII and XI)

The law contains no specific exemption for non-US companies. Non-US companies are bound by SOX by the following definition: “Foreign Private Issuer” is a company that is incorporated outside the US and in which:
✎ US residents do not hold a majority of the shares; or
✎ If US residents do hold a majority of the shares, then
  ☞ A majority of its directors and officers are not US citizens or residents,
  ☞ Its business is administered from outside the US and
  ☞ A majority of its assets are located outside the US.

Implications for Indian Company:

Any Indian company that has its securities listed on NYSE (New York Stock Exchange), AMEX (American Stock Exchange) or NASDAQ (National Association of Securities Dealers Automated Quotations), either directly or through Levels II or III ADRs, filing Form 20-Fs (Registration of securities of foreign private issuers pursuant to section 12(b) or (g), Registration of securities pursuant to section 12(b) or 12(g)) and Form 6-Ks (Report of foreign issuer pursuant to Rules 13a-16 and 15d-16), and those who have filed a registration statement with SEC, need to ‘Fully’ comply with SOX. Implications include: extraterritorial reach beyond the US; criminal sanctions for senior management in breach of certain clauses; enhanced disclosure based on rigorous internal controls reporting; certification by senior management; and independence requirements for audit committee members – just to name a few.

Implications for the Auditors of the FPI (Indian Company)
☞ Audit Firm / Auditor to be registered with PCAOB.
☞ Audit Firm / Auditor to be regulated / monitored by PCAOB.
☞ Mandatory Audit partner (but not audit firm) rotation.
☞ Stringent limitations on non-audit services.

Note on the above implications:

SOX rule-making is evolving and it has an extraterritorial reach beyond the US. There have been concerns by FPIs and auditors on various counts. This could relate to conflict of laws and business practices in the foreign country vis-à-vis US and the related implications. It has been observed that SEC has been taking a stand on these aspects on a case-to-case basis.

One recent example is the SEC’s rule regarding the composition of audit committees of listed issuers. Sarbanes-Oxley required the SEC to pass a rule mandating that all members of audit committees be independent directors. But the corporate governance laws and regulations in Germany for instance, and a few other countries with dual board systems, required corporate audit committees to include a labour representative. SEC rules do not, however, consider employees of an issuer “independent” for fear that an unscrupulous corporate officer could appoint employees to the board who were obliged to the company’s management. Following a dialogue with the European Union and others, the SEC was reassured that in those jurisdictions with dual boards, the mandatory labour representatives on issuer audit committees were firmly independent of the company’s management. The resulting final rule relating to audit committees contained an exception for these jurisdictions that would allow employees who are not officers of a company to sit on the audit committee. This enables the affected issuers to comply with both sets of law. And it preserves the intent of Sarbanes-Oxley - to ensure that independent directors can communicate directly with auditors without management interference.

Another example of the SEC seeking to accommodate the special circumstances of foreign issuers came with the rules related to the publication of financial information presented in ways not strictly in compliance with US Generally Accepted Accounting Principles or GAAP. In this area, an exemption was given for non-GAAP communications outside the US, even where those communications reach the US.

A third example of accommodation was when the PCAOB ironed out some issues regarding oversight of foreign audit firms. Under the Sarbanes-Oxley Act, all audit firms, including non-US audit firms, providing significant audit services for issuers listed in the United States, are required to be registered and inspected by the PCAOB. Because of potential conflicts with foreign privacy laws and blocking statutes, the PCAOB has made some adjustments in the information requested of foreign firms during the registration process. In addition, the PCAOB is seeking a collaborative approach to developing its oversight role vis-à-vis non-US audit firms, working with counterparts in Europe and elsewhere.

Implications for Subsidiaries of US companies in India

Subsidiaries or business units of US Issuer companies who need to comply with SOX in full could be subject to compliance in various aspects, most of which would be planned and taken care of by the US Issuer. Probably the most important would be the compliance of Section 404 – Management assessment of internal controls. The parent would determine the multiple locations that need to be covered for Internal control testing. This is usually based on the Significant accounts and the impact that the numbers of the subsidiary/business unit have on the overall company’s financial reports.

PCAOB has not established specific percentages to determine coverage. Often the goal of the parent company would be to determine which locations are individually important (financially significant) and thus yield sufficient coverage using meaningful quantitative metrics. The usual benchmark seen in practice is to cover at least 60 to 70 per cent of the company’s operations and financial position. The metrics could possibly be to cover any location that has more than 5% of annual revenues or pre tax income or total assets or equity (if applicable).

Once a location is determined to be important, the planned procedures would include a detailed evaluation and tests of controls over significant (or ‘specific risk’) accounts and disclosures at that location and testing of company level controls.

Pull quote: Indian Audit profession is widely appreciated around the world for its high standards and as such managements of US companies generally can’t have any issues with accepting SAS 70 certifications by Indian Audit firms.

Implications for the Indian Subsidiary/Business Unit
● Need to work closely with the parent to ensure proper controls, risk management, disclosures, and various other aspects.

Implications for the Auditors of the Indian Subsidiary
● Mandatory Audit partner rotation will apply to partners that serve the client at the parent level. Partners serving a company’s subsidiary will be subject to rotation only if they are lead partners and the subsidiary’s revenues constitute 20% or more of the consolidated assets or revenues of the parent.
● The Act provides that if a foreign firm (Indian Audit Firm) issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm (US Audit Firm) that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm’s work papers.

Figure (flowchart): MULTI LOCATION TESTING CONSIDERATIONS
Decision boxes (each with Yes/No branches):
● Is the location or business unit individually important?
● Are there specific significant risks?
● Are there locations or business units that are not important even when aggregated with others?
● Are there documented entity-wide controls over this group?
Action boxes:
● Evaluate documentation and test significant controls at each location or business unit
● Evaluate documentation and test controls over specific risks
● No further action required for such units
● Evaluate documentation and test entity wide controls over group
● Some testing of controls at individual locations or business units required

Pull quote: SOX rule-making is evolving and it has an extraterritorial reach beyond the US. It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of Sarbanes Oxley Act, 2002.

Implications for BPO Industry in India

The Business Process Outsourcing (BPO) industry is witnessing tremendous growth. According to NASSCOM, the Financial Services is poised for tremendous growth. Indian BPO Industry is going up the value chain. India is expecting huge growth in the Finance, Accounting, Payroll, Accounts Payable and other financial processes to move to India from US business houses.

It is interesting to note that there could be a SOX implication for an Indian Company that is neither a FPI nor a Subsidiary of a US Company. Here is how:

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. Not only might the standard cause a number of businesses to run afoul of the Section 404 provisions on internal controls, but it might also dissuade other companies from business process outsourcing in India, China, and other emerging nations.

The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

When a US Company uses a Service organisation to process its financial data, the management is ultimately responsible for the internal control over its financial information under section 404 of SOX. Typically the management would go about doing the following:
■ Determine if a service organisation is being used.
■ Determine if the outsourced activities, processes, and functions are significant to the company’s internal control over financial reporting.
■ Determine if a Type II SAS 70 report exists and is sufficient in scope.
■ If a Type II SAS 70 report does not exist, determine alternative procedures.

SARBANES OXLEY ACT, 2002 - LISTING OF TITLES
☞ Title I – Public Company Accounting Oversight Board (Sections 101-109)
☞ Title II – Auditor Independence (Sections 201-209)
☞ Title III – Corporate Responsibility (Sections 301-308)
☞ Title IV – Enhanced Financial Disclosures (Sections 401-409)
☞ Title V – Analyst Conflicts of Interest (Section 501)
☞ Title VI – Commission Resources and Authority (Sections 601-604)
☞ Title VII – Studies and Reports (Sections 701-705)
☞ Title VIII – Corporate and Criminal Fraud Accountability (Sections 801-807)
☞ Title IX – White Collar Crime Penalty Enhancements (Section 901-906)
☞ Title X – Corporate Tax Returns (Section 1001)
☞ Title XI – Corporate Fraud and Accountability (Sections 1101 to 1107)

SAS 70 Overview

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor’s examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations.

SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organisation at the conclusion of a SAS 70 examination.

SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a “checklist” audit.

SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.

In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor’s overall approach. If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.

Service Auditor’s Reports: One of the most effective ways a service organisation can communicate information about its controls is through a Service Auditor’s Report. There are two types of Service Auditor’s Reports: Type I and Type II.

A Type I report describes the service organization’s description of controls at a specific point in time (e.g. December 31, 2004). A Type II report not only includes the service organization’s description of controls, but also includes detailed testing of the service organization’s controls over a minimum six month period (e.g. July 1, 2004 to December 31, 2004). The contents of each type of report are described in the following table:

| Report Contents | Type I Report | Type II Report |
|---|---|---|
| 1. Independent service auditor's report (i.e. opinion). | Included | Included |
| 2. Service organization's description of controls. | Included | Included |
| 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included |
| 4. Other information provided by the service organization (e.g. glossary of terms). | Optional | Optional |

In a Type I report, the service auditor will express an opinion on (1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Implications for Indian BPO Companies: It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of the Sarbanes Oxley Act, 2002.

Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor’s Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.

Without a current Service Auditor’s Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization’s resources. A Service Auditor’s Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor’s requirements.

SAS 70 engagements are gen-erally performed by control ori-ented professionals who have expe-rience in accounting, auditing, andinformation security. A SAS 70engagement allows a service orga-nization to have its control policiesand procedures evaluated andtested (in the case of a Type IIengagement) by an independentparty. Very often this processresults in the identification ofopportunities for improvements inmany operational areas.

Implications for Indian Audit Firms

Assignments to conduct a SAS 70 certification can prove to be a new area of work. Management of US companies could rely on SAS 70 certification by non-US audit firms as long as the reports are issued under other standards that follow the criteria of SAS 70. Management would also need to evaluate the competency and qualifications of the auditor performing the examination. The Indian Audit profession is widely appreciated around the world for its high standards. Managements of US companies should not have any issues with accepting SAS 70 certifications by Indian Audit firms.

Factors to be considered by Management when a service organisation outsources certain functions to another service organisation:

In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (Indian Company) that in turn uses another service organisation (a sub service organisation) to perform the work. In such a scenario the Management of the User organisation needs to consider controls at the sub service organisation. In addition to that, the following also needs to be considered:

☞ The nature and materiality of the transactions processed by the sub service organisation

☞ The contribution of the sub service organisation’s processes in the achievement of the user organisation’s information processing objectives

☞ The availability of a sub service organisation’s SAS 70 report

Because a user organisation typically does not have any contractual relationship with the sub service organisation, a user organisation should obtain available reports and information about the sub service organisation from the service organisation.

Certain Issues related to SAS 70

SAS 70 was finalised in March 1993. There is an existing line of thought that it is outdated in certain aspects and may not really cater to the requirements of Section 404 of SOX. Critics say that a major rehaul is needed.

Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit — if it’s performed by the service provider’s auditor — might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If there are control slip-ups during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised — and fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or “fill in the gaps” with updates throughout the year. Smaller service providers might bridle at the added cost during contract negotiations — but after all, it’s the client’s attestation that’s on the line.

Another concern for the outsourcer auditor is just how much of the service provider’s audit is being revealed. A service provider is required to inform its client only about any failures of SAS 70 tests; there’s no requirement to spell out the exact substance or scope of the audit.

Thus, for instance, a client’s own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes, or only four. That could lead to some poor assessments of service-provider controls.

Conclusion

We can wrap up this discussion by quoting from the recent speech by SEC Chairman William H Donaldson in London on the topic ‘US Capital Markets in the Post-Sarbanes-Oxley World: Why Our Markets Should Matter to Foreign Issuers’. The following words are relevant to this article:

“Now, two-and-a-half years later (since SOX became operational), some critics claim the Sarbanes-Oxley Act goes too far. In particular, these critics charge that requiring certification of internal controls - the so-called Section 404 provision of Sarbanes-Oxley - is too expensive and unnecessary. Section 404 has even led some foreign issuers to declare that they may wish to leave America’s capital markets altogether rather than have their internal controls certified.

It is easy for an individual issuer to look at the cost of compliance with US federal securities laws and balk. But the cost of capital also comes with benefits. US capital markets are deep and liquid. Nearly half of all the world’s equity shares, by market capitalization, trade in the United States. And non-US investors have approximately $4.5 trillion invested in US stock markets.

The requirements of Sarbanes-Oxley cannot be evaluated in a vacuum. They are important because they have produced, and will produce, improvements that help to restore and reinforce investor confidence in our markets, and lower the cost of capital to issuers. Section 404, for example, reaffirms that US legislators are serious about internal control requirements. It is already clear that Section 404 is helping to strengthen the business operations of those US and foreign issuers who have seized the opportunity to use the internal controls assessment as a managerial opportunity and not simply a compliance exercise.

The SEC remains committed to a level playing field for all its issuers, foreign and domestic alike. But we recognize that cross-border listings frequently entail issuers having to navigate duplicative or even contradictory regulations in different jurisdictions. While the SEC is unwilling to compromise where investor protections are concerned, some duplicative or contradictory regulations can compromise those protections and place an unnecessary burden on issuers, firms and investors.”


Comparison of US Regulatory Structure Before and After Sarbanes Oxley

| Description | Before Sarbanes Oxley | After Sarbanes Oxley |
|---|---|---|
| Regulatory Oversight | Securities and Exchange Commission (SEC) | Securities and Exchange Commission (SEC) |
| Public Interest Oversight; Professional organisation and its associated regulatory role (Auditing Standards, Professional Ethics, Audit quality control standards); Peer review of auditing firms | Public Oversight Board (POB); American Institute of CPA's (AICPA), a professional organisation with regulatory responsibilities through its Auditing Standards Board (ASB), Ethics Committee and SEC Practice section (SECPS) | Public Company Accounting Oversight Board (PCAOB), a quasi governmental organisation that will be responsible for establishing and/or monitoring groups that establish: Auditing Standards; Auditor ethics and independence standards; Auditing firm quality control standards; Auditing firm peer review standards; Investigation of rule violations; Sanctions of violators |
| Accounting Standards | Financial Accounting Standards Board (FASB) | Financial Accounting Standards Board (FASB) |
