Holes in Your SOX Compliance Program?

Make sure your outsourcing agreement has teeth to protect your interests.

by Akiba Stern

The Sarbanes-Oxley Act (SOX), which became law on July 30, 2002, was enacted in the wake of a series of corporate accounting scandals. It seeks to protect investors by improving the accuracy and reliability of corporate filings and other disclosures made by companies required to file reports with the U.S. Securities and Exchange Commission (SEC). SOX established new rules of corporate governance and accountability for those companies.

Among the most important of the corporate governance provisions is the requirement that company management assess and report on the effectiveness of the company's internal control over financial reporting, and obtain an attestation of management's evaluation from the company's independent auditors.

The two sections of SOX that concern corporate executives and accountants the most are sections 302 and 404(a). Section 302 requires that the CEO and CFO certify, for each of the company's quarterly and annual reports reviewed, that:
• Based on their knowledge, the company’s report contains no untrue statement of material fact and does not omit any material fact that would cause any statement to be misleading;
• Based on their knowledge, the financial statements and other financial information in the company's report fairly present, in all material respects, the company's financial position, results of operations, and cash flows;
• They are responsible for the company’s disclosure controls and procedures and internal controls over financial reporting;
• They have evaluated the disclosure controls as of the end of the period covered by the report and have disclosed any significant changes in internal controls during that period; and
• They have disclosed any control deficiencies or fraud to the audit committee and auditors.
Section 404(a) requires management to assess the effectiveness of internal control over financial reporting, and section 404(b) requires the company's independent auditor to attest to, and report on, that assessment.

By requiring the personal certification of the CEO and CFO and prescribing onerous penalties (including possible jail time) for their failures, and by requiring companies to publicly expose their failings in SEC filings (which can lead to negative capital market consequences), Congress has made corporate America take SOX compliance seriously. CEOs and CFOs have imposed strict SOX compliance processes on their companies.

For the Outsourcing Customer

When a company contracts with another party to perform services that, in effect, insert that service provider (or its subcontractors) into the company's system of internal control over financial reporting, the company must assess the service provider's controls (and those of its subcontractors, if applicable) as part of its assessment of its own internal control over financial reporting. Because the obligations created by section 404 are non-delegable (i.e., the company's management retains responsibility for ensuring that the requirements of section 404 are satisfied), the company cannot simply rely on the service provider's word that it is performing according to contractual terms. Both the Public Company Accounting Oversight Board and the SEC have made it clear that outsourcing does not reduce management's responsibility to maintain effective internal control over financial reporting, and that management must assess the controls over the outsourced operations.

How does the company go about assessing the controls at the service provider (and its subcontractors)? Clearly, in its agreement with the service provider (with appropriate "flow-down" provisions to cover subcontractors), the company needs to secure the right to assess controls, the ability to obtain information from the provider, and the ability to command the provider's assistance. The right to assess controls may also include the right to dictate certain controls.

Most well-drafted post-SOX outsourcing contracts provide all or most of these rights and abilities in their audit and related sections. Nevertheless, prudence dictates that the company's rights and the service provider's obligations with respect to SOX be specifically spelled out, even if redundant rights are granted in other provisions. Those rights and obligations should be spelled out in broad "constitutional" terms, not only as a limited set of specific obligations. SOX is relatively new, and best practices for ensuring compliance will continue to change.

One of the requirements should be that the provider deliver to the client an unqualified SAS 70 Type II report from an independent auditor covering all of the services that form part of the company's internal control over financial reporting. A SAS 70 Type II report describes the provider's internal controls that were tested and the results of the auditor's testing of those controls' operating effectiveness over a period of no less than six months. The agreement should also address the company's audit parameters, scope and frequency, and the consequences of the provider failing to perform or to meet the standards required by SOX.

How does the company put teeth into its agreement with the service provider to ensure that failures in the provider's financial reporting and internal controls do not cause the company to fall out of compliance with SOX? As with other risk issues such as confidentiality and privacy, the client should not cap the provider's financial liability for such failures; that liability may instead be addressed through indemnification provisions.

For the Outsourcing Supplier
Service providers are receiving demands from all of their customers to provide SAS 70 Type II reports and the related assistance described above. Our experience has been that some providers are not prepared to offer the amount or scope of assistance set out in the request for proposal. Sometimes, service providers require customers to pay in full for all such reports and assistance.

Each outsourcing technical and commercial solution is different (e.g., one might be a custom implementation and another a pure, shared-services model), and service providers have many customers that are not subject to SOX. Even so, SOX-driven demands are likely to increase in the coming years as more aspects of corporate compliance are incorporated into outsourcing agreements. Many service providers already have a good understanding of the costs they must absorb to provide the SOX assistance their customers are demanding, both from helping their customers comply and from their own corporate compliance efforts.

Service providers should develop, draft, and price a solid and expansive set of service offerings for SOX. Presumably, that would generate the money they need to provide full and complete SOX assistance to their customers. At the same time, providers can take comfort in knowing that, once those services are defined and priced, they can accept liability for failing to deliver them. Service providers should be prepared either to embed those costs in the price of their outsourcing offerings or to itemize them separately, as the specific transaction requires.
