Outsourcing SOX Compliance for US Corporates

To a public company in the US today, Sarbanes-Oxley (SOX) instills many different emotions. Words such as fear, pressure, compliance, testing and documentation all come to mind. The Sarbanes-Oxley act of 2002 was passed in response to publicly traded companies using misleading financial statements at the direction of senior executives and sometimes with the assistance of outside auditors. The consequence of not being compliant is severe: financial ruin, de-listing the company on the stock exchange and possible imprisonment for executives who are criminally negligent. However, as companies learned the ins and outs of compliance, they discovered that outsourcing, once thought of as a sure way to lose control, could provide an efficient way of controlling internal processes.

This article addresses three areas:

1. How outsourcing can help companies reduce costs, increase efficiency and become more competitive, as well as help with compliance.
2. How one company used outsourcing to achieve mandated SOX compliance.
3. Tips on selecting an outsourcing provider and the caveats to watch for should you decide outsourcing is for you.

Compliance and Outsourcing: An Unexpected Partnership

Outsourcing the finance and accounting (F&A) function has been around for years. Ironically, it wasn’t until SOX – a control focused mandate – that the once shunned business model received widespread acceptance. As companies rushed to meet the deadlines of compliance they discovered that outsourcing providers were already well versed with instituting control points and detailed auditing trails for its clients. Burdened with the impending SOX compliance deadlines, companies began turning to F&A outsourcing providers to help them gain the necessary control required to comply.

Many companies outsource one or more F&A functions to third-party providers and some form their own captive outsource companies. It is predicted that global business process outsourcing (BPO) will reach $173bn by 2007 (according to Gartner). Regardless of the type of outsourcing, insourcing, offshoring or onshoring companies use today, some of the benefits of outsourcing include:

• Reduced costs
• Increased business flexibility in a changing business environment
• Process improvements
• Access to proprietary technologies
• Conversion of fixed costs to variable costs
• Increasing focus on what is core and de-emphasizing what is not core to the business.

Case Study: How One Company Leveraged an Outsourcing Model to Meet SOX Compliance

With $40bn in revenue, getting this company to become SOX compliant was no easy task. Heading up the accounts receivable (AR) portfolio of more than $6bn in more than 150 countries, 16 currencies and 24 languages, the chief credit officer knew that the first task was to assign a dedicated individual who could stay focused on the overall goal of becoming compliant by the end of the calendar year. This person would be responsible for ensuring compliance success across all geographies and would be responsible for the end-to-end process of testing, documentation, remediation and coordination with internal and external auditors.

As the new project manager came up to speed on the company’s processes and policies, they realized the task of getting external auditors to sign off on compliance was going to be challenging. The company had three stages of documentation to create:

1. Narratives had to be written to document and highlight the company’s global and localized processes.
2. Control matrixes had to be drafted.
3. Documents had to be created to visually showcase the company’s processes.

All in all, 800 control documents were written, 10,000 samples were pulled and 850 tests were conducted. During this time, 10 per cent of the control documents had to be remediated and corrected. The sheer size of the project was overwhelming for the existing staff, and despite a dedicated project manager focused on compliance, they still needed help to alleviate the workload. So the company turned to an outsourced provider.

By 2005, the company migrated much of the business in Europe from a full time employee (FTE) organization to an outsourcing model. The primary driver behind the change had to do with a paradigm shift in company’s selling model in Europe (direct vs. indirect). The company was quickly changing from a two-tier distribution model to a direct selling model. As the shift occurred, the touch points (customers) increased dramatically, particularly in Europe. Under the new outsource model, the ‘vendor’ did much of the behind-the-scenes heavy lifting associated with gathering information, coordinating testing, designing visual documents and allowing the existing FTE staff to run the day-to-day business.

In the end, the overall company was deemed compliant, with the global credit and collections organization having the greatest overall success and most comprehensive results in all of the company’s extensive finance organization. The surprising difference between the credit and collections organization and the rest of its financial counterparts was that this department heavily relied on outsourcing.

For the collections and credit department, their tremendous success stemmed from an outsourcer’s ability to easily ramp up during high periods of activity and act as a model for providing control points and detailed auditing trails. The team had the flexibility of either adding or reducing vendor headcount based on SOX deadlines. In addition, the ability for the outsourcer to quickly understand the company’s business model, culture and processes allowed the company to meet or exceed compliance deadlines. The in-depth knowledge the vendor had of the company’s systems and policies allowed the company to hand over time consuming tasks. One of these tasks was the creation of a standard global test template that could be used in any geographic location. External auditors insisted on a uniform test template that did not vary by geographic location.

How to Choose an Outsourcing Provider

While the benefits of using outsourcing to aid in SOX compliance are plentiful, companies can learn lessons from the early adopters of the outsourced model. First, make sure the vendor is SAS 70 certified. This certification warrants the vendor has appropriate internal controls and adheres to GAAP guidelines. This certification is given by a third party accounting firm.

Secondly, if you are contemplating using an outsourced vendor to aid in SOX related work, consider embracing an insourcing model (a vendor that physically resides in the client’s place of business) rather than a true outsource model. The vendor can be managed more efficiently onsite and the client can supervise the level of testing and documentation in house rather than from a remote location.

As with all innovative approaches, there are some caveats to be aware of. Outsourcing can be a huge success story, but it can have its challenges as well.

• Be prepared for increased monitoring of the vendor. Any company contemplating a sourcing strategy will need to have measurable and meaningful metrics to gauge success or failure. These metrics will be tied to key performance indicators (KPIs) and a well documented service level agreement (SLA).
• Perceived loss of control: migrating to an outsource model may result in your superiors believing you have less control over the function than with an FTE model. This is a common misconception. By remembering to educate your team on how outsourcing vendors are better prepared to handle the mandates of SOX, you will be well on your way to combating this challenge.
• Potential disruption of business if you need to change vendors abruptly. This would only happen if you had to terminate the relationship with the vendor and migrate to another outsource partner. This would require an appropriate transition period and during this time, metrics could deteriorate. To help alleviate the challenges of an abrupt vendor change, be sure to conduct due diligence when selecting a provider making sure to not only consider cost-saving measures, but also chemistry between the two companies. In the end, hiring an outsourced provider should be considered a partnership, not just a business transaction.

Conclusion

Mandates such as SOX, while important are simply not critical to your core business. However, given the dire repercussions of non-compliance, many organizations have lost sight of the heart of their business. By turning to outsourced providers to help institute control points and detailed audit trails that will help them continue to meet the requirements of SOX, companies can once again focus on what they do best.