Although written in 2005, this article is still relevant in today's business/legislative environment.

Issue Date: March, 2005

Best Practices: Auditing Your Suppliers
Sarbanes-Oxley compliance may require your company to monitor your contingent workforce service providers

Brian Korsmeier

Publicly held companies know they must comply with the Sarbanes-Oxley Act of 2002 by taking responsibility for the effectiveness of internal controls over financial reporting. This means certifying an annual, integrated audit of financial statements and internal controls.

Section 404 of the act deals in part with certifying the sufficiency of controls for detecting fraudulent, questionable or unauthorized activities that could impact company financial statements. It focuses on a company's internal controls, but it also requires close scrutiny of the internal controls of the company's service providers. In fact, not only service providers to public companies but other service providers they in turn rely on may fall under this regulatory authority.

The Public Company Accounting Oversight Board (PCAOB), created to oversee Sarbanes-Oxley (SOX) compliance, has made it clear that accountability extends to the controls of third-party service providers whose services directly impact the internal control environment or financial reporting of a company. Financial Executive magazine summarized the effect of this provision in its December 2003 issue: "As far as Section 404 is concerned, an outsourced business process is no different from one handled internally. In other words, if it impacts your financials, you are responsible for ensuring that the controls are effective."

That said, if your company is subject to SOX, your responsibilities extend to third parties involved in providing contingent workers for you. Let's examine who is included in this category.

Which Third Parties?

Complying with SOX requirements inevitably requires grappling with some of the details of financial responsibilities. It involves both scrutinizing the accounts or business processes that relate significantly to financial reporting and looking at how third parties are being used. The former activity sets the scope of the internal controls to be assessed. The latter narrows the field of service providers to those whose services are actually related to the gathering or processing of financial data.

In looking at processes and their related controls, it is useful to take a deep breath and consider the definition given in PCAOB AU section 324. It says that internal control functions (whether outsourced or not) include those that affect either procedures by which transactions are initiated, recorded, processed and reported, from their occurrence to their inclusion in the financial statements, or related accounting records that support information and specific accounts in the company's financial statements. Many of the processes involved in acquiring and managing your temporary workforce may fit these criteria.

The key to your approach to meeting the compliance requirement is who is doing the activities. If any part of the process is done for you by a third party, even a sibling company of yours, there is a good chance that you are responsible for confirming its internal controls. In this context, a staffing company providing you with staff augmentation, while certainly a candidate for periodic audits to confirm invoice accuracy or contract compliance, probably does not fall under the "service provider" requirements of Sarbanes-Oxley because the internal controls are yours, not theirs. (For details, see the sidebar "Who and How.")

You have a range of available options, used separately or in combination, for determining compliance by the service provider. Your company may test internal controls at the service organization. You may obtain a report from an independent auditor that analyzes specific controls. You may evaluate your own controls over the activities of the service organization. You may test your controls over data/information flow to and from the service organization. You may obtain from the service organization an SAS 70 Type II report prepared by an independent auditor and paid for by the service organization.

Which option to use typically is the auditor's decision and depends on the nature and complexity of the third-party services and the level of interaction between your company and the service provider. For example, if your company is actively involved in creating a cost accounting transaction from an approved time sheet, which is then passed to your service provider to create a consolidated invoice or payment, it is likely that only selected service provider controls must be assessed. On the other hand, if the service provider manages the time-sheet approval, initiates the cost accounting transaction, passes a consolidated invoice directly to your accounts payable system and then pays the staffing suppliers on your behalf, it is reasonable to expect a comprehensive assessment of controls from the service organization.

What is SAS 70?

As noted above, an SAS 70 Type II report is one way to obtain compliance. In June 2004 the Securities and Exchange Commission (SEC) recognized it as an acceptable method for obtaining an auditor's opinion for SOX Section 404.

Created by the American Institute of Certified Public Accountants (AICPA) in 1993, Statement on Auditing Standards No. 70 has received new attention since passage of the Sarbanes-Oxley Act. It was established to tell an independent auditor how to assess the internal controls of a company providing services to another company and afterward how to issue an official auditor's opinion. The standard focused on services that could have an impact on the user organization's financial reporting, among them payroll services, benefits and claims processing, outsourced IT operations or data centers, and vendor management services or software.

The SAS 70 audit's contents are flexible in that the comprehensiveness of the controls to be reviewed is determined by the service vendor, though within some standard categories. The resulting auditor findings are not really "certifications" of compliance to a standard but are the auditor's opinions regarding those controls, presented to the service organization.

The basic Type I report presents the service organization's description of controls at a specific point in time and offers the auditor's opinion as to the fairness of the description and the suitability of the design of the controls for obtaining the specified control objectives. It does not provide an opinion regarding the effectiveness of the operation of the controls. SOX compliance requires a Type II report, which adds to the content of a Type I report a detailed description of the tests of the controls over a minimum period of six months and the auditor's opinion as to the effectiveness of the tested controls.

In a pre-Sarbanes-Oxley era, SAS 70 reports might have been used to satisfy a user organization's RFP or simply required by the client company in order to do business, or the service provider could have used them as a competitive marketing tool. In any case, if designed properly, the reports could provide a sound analysis and the foundation for internal improvement within the service company.

Now that Sarbanes-Oxley regulations are in place, the SAS 70 Type II report, if developed properly, seems to satisfy a new need. The AICPA Audit Guide - Service Organizations was amended in May 2004 to state that "SAS 70, as amended, addresses the effect that a service organization may have on a user organization's financial reporting requirements."

Proceed with Caution

Merely having an SAS 70 Type II report from a service provider, however, is not automatically sufficient for Section 404 compliance. It must be heavily scrutinized for the following four factors:

Timing.
Your company has unique reporting deadlines based on its fiscal year. The time frame of the service organization's audit activity must match your requirements for both when the report is completed and the period being covered.

Scope.
The report must cover all of the Sarbanes-Oxley internal control components: control environment, risk assessment activities, control activities, information and communication systems and monitoring activities. In addition, it should include controls for which your company is responsible as data flows to and from the service provider.

Content.
The report must cover all controls that are critical to your company's financial statements, not just those selected by the service provider. And it must include all controls tested, not just those that tested well.

Auditor independence.
The SEC has determined that there is no conflict if you use the same auditor as your service provider, but that auditor cannot also provide consulting services to the provider on how to perform the SAS 70 audit.

In short, be aware that an SAS 70 report offered by your service provider may not satisfy your company's SOX requirements. It is, after all, that company's report, not yours. It may be both more prudent and more cost-effective to utilize one or more of the other acceptable auditing methods. Your auditing team should make this decision with management input. And remember, regardless of the method chosen, it is still the user organization's responsibility - yours, in other words - to assess the controls properly and potentially to invoke additional internal controls before and after the interaction with the service provider.


What If

Under Sarbanes-Oxley, if your service provider cannot or will not provide an acceptable SAS 70 Type II report or permit access to your auditors, you are the one on the hook. You and your auditors must determine the significance of not having it; you cannot simply leave it out if it should be there. In October 2004, the PCAOB issued additional guidance that essentially says that the auditor must determine, and state in its report to the SEC, whether the deficiency represents a material weakness and whether management has failed to fulfill its responsibilities.

Such a statement can have consequences. Non-compliance potentially can lead to legal action by the SEC. And if there are sufficient "material weaknesses" or it becomes clear that management "has not fulfilled its responsibilities," the investment community may react negatively.

With temporary workforce spend rates increasing, the integrity and effectiveness of internal controls merit scrutiny, no matter who manages the process. If you are handling the entire process and all the underlying technology for acquiring and managing your temporary workforce, the internal controls are your own. If you outsource any part of the process or enabling technology, though, you should monitor the internal controls of the service providers as a sound business practice; you must exercise due diligence as a Sarbanes-Oxley requirement. Therefore it follows that understanding how a service provider approaches and manages its internal control responsibilities should be a key criterion in selecting those service providers and structuring the contractual relationship.

There are volumes of rules, guidelines and standards on this topic, and they are still changing as the Sarbanes-Oxley era matures. Given the complexity and evolution of the statutory requirements, your company ultimately must determine its position regarding Section 404 compliance by relying on the experience and expertise of your auditors.

Copyright 2005 by Staffing Industry Analysts

Available from the SIA website:
