Corporations face brutal economic conditions these days. To improve business performance, many have cut costs by outsourcing some of their business processes to cheaper labor, often based overseas.

As a budgetary measure, outsourcing business processes isn’t a bad idea. Accounts receivable, accounts payable, payroll, master data, and general accounting are all transaction-based processes, and consequently are ideal for outsourcing. But because those processes are so critical to financial reporting, “finance process outsourcing” (FPO) does bring governance risks a compliance officer needs to monitor. Consider a few:

Timeliness. Financial reporting submissions may not meet the required accounting period-end-close timetables.

Continuity. Business continuity may be disrupted due to hand-offs between the company and the vendor that don’t go according to plan.

Transition. Transfer of knowledge to, and development of intellectual capital at, the vendor’s service center may not be effective.

Performance. Performance may deteriorate because of an emphasis on cost cutting.

Control. Designs and operations of internal controls may become ineffective over time.

Confidentiality. Confidential data related to employees, customers, and products may fall into the wrong hands.

Any of the above risks can pose serious governance problems and Sarbanes-Oxley compliance meltdowns if they are allowed to fester. As such, all of them must be carefully assessed and managed during any FPO arrangement.

Where to Begin

Start with training. Both the vendor employees handling your outsourced data and your own employees sending that data to them should be trained on multiple topics. For example, all parties should know your company’s finance policies and procedures, and your company’s guidelines for business conduct (which, of course, you already have). Leverage your existing documentation to create a “Standards of Procedures,” a Statement of Work, and a map of process flows; all will be critical to ensure your FPO project runs smoothly.

Your outsourcing plan should also include Service Level Agreements that define and document a precise understanding of what management expects from the vendor. SLAs act as monitoring controls to prevent deterioration of performance quality. SOX control documentation is also a good resource to understand the current internal control system and the critical controls in the outsourced processes.

And the company should provide training support for a designated period after the outsourcing engagement begins to help build confidence and provide quality assurance and oversight.

Controls Over Business Process

Under the provisions of Section 404 of SOX, management must evaluate the controls over financial reporting risks if the outsourced processes are critical to the company’s internal control over financial reporting. That means your company’s governance group—including the board of directors, internal audit department, and SOX compliance team—should participate in the FPO transition to ensure internal controls are intact, and then continue testing them, regardless of whether those controls are retained in the organization or outsourced to the vendor.

The vendor may agree to deliver a SAS 70 report on the effectiveness of its own internal controls, as established by independent management testing. A SAS 70 report is prepared in accordance with guidance established by the American Institute of Certified Public Accountants' Statement on Auditing Standards No. 70. The report is intended to provide interested parties with information about the vendor and its control policies and procedures relative to the processing of transactions applicable to the administration of outsourced processes.

Using a SAS 70 from the vendor requires careful planning and evaluation. Because the scope and coverage of the SAS 70 are determined by the vendor and its auditor, not by the customer, you can’t assume the SAS 70 addresses the controls relevant to your particular needs (or that the controls reviewed in the report are still current and effective as of your outsourcing engagement). It is still your responsibility to evaluate the design and operating effectiveness of the outsourced controls, based on a top-down, risk-based approach, as required by Auditing Standard No. 5.

Even when the SAS 70 report seems satisfactory, your company still has several obligations. Upon receiving a SAS 70 report, the company must: (1) address user control considerations identified in the SAS 70 report; (2) assess any control deficiencies identified in the SAS 70 through the same assessment process applied to all other deficiencies; (3) consider the implications of the gap between the point in time addressed by the SAS 70 and the company’s own financial statement report date; and finally (4) evaluate the potential risks of control deficiencies to the overall business environment.

Controls Over Business Applications

The evaluation of internal control over business processes is only one part of the task. Evaluating internal control over business applications the company operates or has outsourced is another.

Consider all the IT steps necessary to ensure a secure FPO arrangement. You must establish connectivity and test and maintain access to the business applications, Websites, mailboxes, and shared service drives at the vendor’s location. Segregation of duties and restricted access are critical to ensure proper controls are in place. User roles to access the business application may require a redesign to fit the job descriptions for outsourced processes. To keep all of this running on track, it may be wise to create an infrastructure transition plan, which should then be updated as necessary throughout the life of the engagement.

Monitoring Controls

Effective cross-training between company and vendor is critical during knowledge transfer. A “toll gate” structure can be devised to evaluate readiness on all specific in-scope processes:

Gate 1: contract initiation;

Gate 2: completion of transition planning;

Gate 3: completion of knowledge capture;

Gate 4: completion of knowledge cascade;

Gate 5: service commencement; and

Gate 6: transition exit, to ensure each transition step was completed promptly and effectively.

In addition, hand-offs between company and vendor should be carefully monitored to avoid disruption to business continuity. You may want to use an end-to-end process map to illustrate what’s supposed to happen; leverage your existing process flows to build it.

Don’t stop monitoring your controls once the FPO engagement is up and running, either. The governance group should perform a periodic risk analysis to assess the outsourced process as part of its overall assessment of control risk. In addition, there should be periodic reporting on the performance of significant outsourcing initiatives, comparing what really is happening to management’s original expectations and goals articulated in the Service Level Agreement.

Furthermore, sufficient transparency should exist around the vendor’s governance processes, financial performance, and internal controls environment. If outsourced services fall short of management’s expectations and performance goals, your company should evaluate its options and rectify the situation as necessary.

Escalation Process

Despite all these steps, problems will still arise. You will need to establish an escalation process between the company and vendor, so you can communicate concerns over accounting issues and adjustments, controls updates, critical deadlines, and personnel performance issues at the vendor’s delivery center. Likewise, the vendor needs an efficient channel to clarify any accounting or control questions with the company, and to resolve any exceptions noted during process hand-offs.

Data Privacy

One of the biggest concerns over outsourcing finance processes is information confidentiality. All employees at the vendor’s location should be required to be certified (at least annually) on data privacy. Other best practices:

All documents with employee names or serial numbers with corresponding compensation and benefits data should be marked “CONFIDENTIAL.”

Always password-protect files that contain confidential information.

Release confidential information on a need-to-know basis.

Delete confidential information from the entire e-mail trail before forwarding any e-mail to persons who are not allowed to view confidential info.

E-mail disclaimers may be required for some accounts.

Outsourcing your financial processes is, essentially, sub-contracting an important part of your operations to a third party. That demands a lot of trust, and obviously managing external vendors is more difficult than overseeing employees who work in the same building as you.

If, however, you meet the challenges of internal control and monitoring that present themselves, outsourcing can be highly effective. It enables companies to lower costs, reduce the ongoing investment required in internal infrastructure, and optimize their resources for revenue-generating activities. Good luck!