Being in compliance isn’t just about making sure your accounting entries are on the right side of Sarbanes-Oxley. Now, sound ethics and compliance practices have to permeate the fabric of your company, from the C-suite on down to your third-party providers’ overseas location.
If your company doesn’t have a bullet-proof compliance culture already, it should seriously contemplate creating one, and fast. That’s the advice from analysts and advisors, compliance officers, and the C-suite. It’s not just about staying out of jail and avoiding exorbitant fines. It’s about your reputation, brand building, and the bottom line.
“How does your company want to be seen as doing business?” asked Marjorie Doyle, former chief ethics and compliance officer at Vetco (where she helped that poster child for ethics and compliance violations in the oil and gas industry straighten out its act for an IPO) and DuPont and currently a practice leader at ethics and compliance solutions provider LRN. “Laws deal with the lowest level when it comes to ethics and compliance. But it goes to your business persona, your business advantage—it’s the thing that you are judged by. It’s your brand.” The bottom line is why should people trust your company? “It takes everybody in your ecosystem (within the company, as well as suppliers, vendors, shareholders, etc.),” she said.
Compliance goes to the core of outsourcing, whether it’s the making of widgets or handling of accounts payable and accounts receivable. When DuPont outsourced a number of functions, Doyle recognized that it created a whole area of risk that those who outsource and their supplier partners needed to focus on more.
“We used to think outsourcing would get rid of all the problems of the processes, as well as ethics and compliance. That was the naïve view,” she said. “Even though you outsource, they carry your reputation in your hands.”
Ethics and compliance are essential in these days of WorldCom, Enron, and Sarbanes-Oxley. “Sarbanes-Oxley was the wake-up call that changed the compliance environment completely,” said Randall S. Parks, partner and co-chair of the global technology and outsourcing practice group at law firm Hunton & Williams.
“Companies now have entire departments devoted to it. We find our clients are extremely active in compliance areas,” said Parks. Companies are focusing on compliance program development and training to ensure that a compliance culture permeates from the corner offices to the front lines. “The sentencing guidelines put a premium on written programs and having things in place to demonstrate your focus, as an organization, on compliance. Creating a paper trail has become critical, and you have to spend a lot of time doing it.”
Cynthia Cooper, the former WorldCom vice president who brought the world’s attention to that company’s creative accounting entries, noted in her book, Extraordinary Circumstance: The Journey of a Corporate Whistleblower, that the principles behind compliance go deeper than a person’s professional life.
“In many ways, this story is about human nature, about people and choices. It shows how power and money can change people, and how easy it is to rationalize, give in to fear, and cave under pressure and intimidation. It speaks of the importance of living a life of integrity and making decisions we can look back on without regret,” she wrote. “It illuminates the value of developing strong boundaries, keeping our paths straight, and guarding against the temptations and trappings of material success.” Cooper is passing on the lessons of WorldCom to her own daughters, now 18 and 6 (recent graduates of high school and first grade, respectively), to ensure they know how to recognize an ethical dilemma and make the right choices.
But how does a corporate officer ensure that everyone on his staff and his outsourcing partners’ teams understand what his company’s values are and how to avoid any compliance conundrums when they are working for a company based in Bangor, ME, but the outsourced functions are done in Bangalore, India?
It’s essential to build in failsafes to double check a supplier’s reporting. Julio Ramirez, managing director at The Hackett Group, noted that provider companies must get their clients’ auditors involved in the process early on. “Don’t just issue a SAS 70 Level II report without speaking to the auditors and asking them what’s important to testing.” There must be a dialog between the auditors who are performing the SAS 70 and the client firm’s auditors to ensure the letter addresses the controls that the client’s auditors consider important to their attestation.
Another important element is the timeframe of testing. According to Ramirez, there is no specific guidance to auditors of BPO providers on timeframes. “You could test transactions for three months or do random testing throughout the year,” he said. “The extent of testing and the periods of coverage are of key concern to auditors of a BPO client. This needs to be articulated before the beginning of the year. That’s the key. If a year has elapsed and the auditors of the client get an SAS 70 report that doesn’t have the right amount of time or coverage, and if that report is rejected, the only option left to the auditors of the client is to do detailed testing throughout the year.”
The point of the exercise is to reduce or eliminate the need for a client’s auditors to do detailed testing, which means more fuss and interruption. To avoid this necessity and reduce attendant costs, the secret is to communicate and coordinate efforts before the start of the year that’s being audited.
In general, controls at BPOs cover physical access to the facilities doing the work and segregation of duties for roles that require access to a client’s data and proprietary information. It is important to make sure controls that are specific to a client’s work are coordinated with the client’s auditors, so that what they want tested and attested to is agreed in advance and the amount of work they have to do is reduced. The auditors of the client need to be satisfied that the controls were operating effectively before they can issue an opinion to that effect.
Said Ramirez, “Auditors are getting smarter about the use of SAS 70 letters. The amount of testing being done by auditors is limited, so as not to become a prohibitive cost with outsourcing.”
For global companies, the cost of compliance related to outsourcing is significant. If the company has highly distributed work decentralized to a country level, or multiple business units within countries with their own processes and technology platforms, the cost of compliance is astronomical. Any work that is designed differently or carried out in different locations must be documented and tested on a regular basis as part of the attestation process under Sarbanes-Oxley. “But where work is outsourced, the documentation and testing requirements move to the BPO provider. You outsource the execution and the day-to-day SOX-related work that has to take place,” said Ramirez, saving your company time and money.
Testing & Attesting
The key mechanisms are the SAS 70 Level II reports issued by the auditors of the BPO firm. It’s up to the outsourcing company to review the controls, ensure they will work, and test them to ensure they work as designed over a period of time. The BPO firm’s auditors will then have to issue an opinion that those controls are operating. This opinion can be used by the auditors of a client to limit, or in some cases eliminate, their need to do testing themselves, or, if they have to test, to take a smaller sample population.
But if a company is outsourcing a number of functions in various areas under a multi-tower contract, how does this impact controls, testing, and attesting?
“Organizations are looking at how to rationalize things, to integrate the approach so they can have a common set of controls that meets multiple requirements,” said Lee Dittmar, a principal at Deloitte Consulting LLP. “From the auditor’s perspective, you can assess once, test once, but meet many requirements. That’s a huge opportunity—although it’s in the early stages of the work companies are doing—taking a more integrated, enterprisewide approach to compliance. There’s overlap among domains, with specific regulatory requirements or policies, and there’s also tremendous variability in organizations about how they do things in different geographies, functions, etc. For decades now, they have applied reengineering to standardize processes in silos, and they can apply that to compliance now. That’s what’s beginning to happen.”
But Dittmar maintains it’s not just about cutting the cost of compliance. A company with less complexity also faces a lower exposure to risk. Dittmar’s advice for companies trying to wrap their arms around compliance includes taking an integrated approach. Rationalize things to get to common controls, and make sure you are “baking controls into mainstream processes, not trying to inspect them in,” he said.
In addition, bring the cost of an enterprise focus to bear with a commonality of process across geographies, business units, and processes. “If the risk of noncompliance comes back to the enterprise level as opposed to silos you delegated it to, do you have allocation of responsibility out of line with where the risks manifest themselves?” he asked.
Shawn S. McCray, a partner with advisory firm TPI, noted that clients are paying attention when it comes to establishing how compliance will be handled in outsourcing contracts. They are cognizant of security and everything related to data and compliance as outsourcing becomes more prevalent, and they are taking action.
“It’s not the very first thing a client asks about. Their main objectives are quality, speed, cost, and so on, but certainly they follow up with compliance, depending on the business they are outsourcing,” said McCray.
TPI has seen clients get their own houses in order internally, create clear quality statements, and contractually require providers to do certain things and include specific language that addresses regulatory requirements. It also sees clients making sure they put clauses in their contracts to be able to demonstrate compliance to the bodies that want assurance and prove compliance.
“We don’t encourage four hands on the steering wheel in terms of everybody being responsible,” he said, “but watch for regulatory developments. Clients are staying on top of what’s coming down the turnpike to ensure agreement. They don’t abdicate to the provider. Clients should maintain robust involvement to make sure it doesn’t just come back around to them.”
Providers are stepping up to the plate, as well. Although controls and testing have always accompanied certain outsourced functions, they tended to rest in the background. Now, providers are touting their compliance and risk management services as selling features. The spotlight that shines on compliance has revealed opportunities for providers to add value to their services.
Rohit Kapoor, president and CEO of Indian BPO provider EXL Service, said, “The number of requirements is constantly changing, becoming more complex. Organizations need to stay on top of that. The penalty for not being able to comply with requirements is extremely high.”
EXL is responding to clients’ needs regarding compliance. “We stumbled on it by accident. We were pitching to a client on F&A outsourcing, and they came back and said, ‘My real need is in the area of compliance, can you help me?’”
EXL understood the processes, was able to document them, and had knowledge of the kinds of financial and operational risks there might be. The provider now helps clients create programs that support them in adhering to regulatory requirements. It also runs internal audit programs on behalf of its customers as an outsourced function. A co-sourcing arrangement enables EXL to work jointly with the customer on compliance and risk mitigation.
“Prevention is better than a cure,” said Kapoor. “An organization that is better prepared and works on compliance and carries out internal audits on a proactive basis is less likely to succumb to an issue.” The critical elements include a culture of risk mitigation with the necessary levels of control in an organization. This needs to be a message driven from the top down. In addition, adequate controls must be in place so no risks are left uncovered—no internal audit issues that can come up to create problems. Finally, effective testing mechanisms must be present to prevent issues that otherwise would build up over time and expose a company to severe regulatory issues.
John Schlueter, head of HP’s record-to-report service line, focuses on the “Three Cs” of control, compliance, and communication. “Controls are the points of risk or failure in the transaction flow that must be understood and regulated. Compliance is nothing more than the measurement of the success of controls throughout the process. Communication is the formal way controls and compliance measures are evaluated by leadership of a company to inspire corrective action, strategic investment, or revisions to the work,” he said. The Three Cs must be built in on a fundamental level. “When you outsource, you have the option to insert contractual protection. You can build service level agreements, key performance indicators, and demand certain dashboard visibility into the throughput of solutions you would never invest in on your own.”
To cope with today’s emphasis on compliance, the concept of kaizen comes into play through continuous improvement, learning and relearning, said Manish Gundecha, HP’s head of compliance, business controls and business operations. “You master a process and pursue clients, but as you do it more, you identify issues and concerns. We look at root causality to see how it happened in the first place. Then we do it all over again, but better the next time.”