The very name “internal control” poses a problem for companies when they deal with outsourced providers.
This internal responsibility for external functions has become one of the biggest challenges for companies in the 2013 update of the widely used internal control framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.
Many public companies use the COSO framework as their criteria when attesting to their internal control over financial reporting (ICFR), as required by the Sarbanes-Oxley Act of 2002, P.L. 107-204. And the framework clearly states that management is responsible for the design and operation of its ICFR, including the controls that are outsourced to service providers.
“You’re the CEO and the CFO of the company that’s signing that I have a proper control structure and control environment. You have to feel comfortable that you’ve accepted responsibility for what they’re doing,” said Bill Schneider, CPA, CGMA, director of accounting for AT&T and a member of a panel that advised COSO on the framework update.
“You can’t just say, ‘Well, that was something that Capgemini or Accretive or Accenture did for me, and I don’t have responsibility, it’s their problem.’ You are responsible for it.”
Schneider said that smaller companies in particular have been wrestling with this issue in their COSO implementation because they typically have outsourced a greater portion of the finance function than large companies, leaving less financial expertise to oversee those relationships.
A recent PwC report, Present and Functioning: Fine-Tuning Your ICFR Using the COSO Update, describes how leading companies work to understand, evaluate, and test their outsourced service providers’ controls. According to the report, these companies usually have indirect entity-level controls to:
- Inventory existing outsourced providers and service-level arrangements that have a significant impact on the company’s ICFR.
- Evaluate and select vendors with competencies in financial reporting and ICFR, such as the ability to satisfy the service requirements specified in a service-level agreement. Selection of a vendor depends on the completion of an initial assessment of financial reporting risks and determination of what’s necessary to mitigate these risks.
- Periodically evaluate the performance of service providers with respect to service requirements relevant to ICFR. This control also updates financial reporting risk assessments and responses in reporting periods after the initial assessment.
- Review a Service Organization Control (SOC) 1 report and determine whether follow-up actions are necessary.
Leading companies also have control activities, including direct entity-level controls, to verify the reliability of data and information relevant to the company’s ICFR that are sent to and received from service providers, the report says.
Jason Pett, CPA, U.S. internal audit leader for PwC, said internal control over outsourced business providers extends well beyond ICFR to other areas of the business.
“The challenge is, how do you interact with those third parties?” Pett said. “How do you monitor the third parties? And then how do you hold them accountable? When it comes to ICFR, it’s really important that you understand what the third party’s role is in the execution of control activities, because as a company, you can outsource activities, you cannot outsource responsibilities.”
Because companies still have the ultimate responsibility for the accuracy of their financial reporting, Pett suggests that:
- Companies first understand and monitor where third-party service providers are interacting with the system of internal control. Is it at the control activity level or at the overall entity level?
- Service-level agreements, protocols, standards, and expectations are set with regard to how those third parties are going to perform relative to the control environment.
- Companies monitor how the third parties are performing and verify the activities that third parties are undertaking to make sure controls are operating effectively.
The testing in particular can be difficult when the controls are operating outside of the company. So Pett suggests that companies address testing parameters upfront in the contracting for service-level agreements, and then monitor to ensure performance meets the expectations laid out in the agreements.
Performance can be monitored through a right-to-audit clause that gives either the company or an auditor permission to perform testing.
Schneider said the whole procurement process can become part of the control environment, functioning as a kind of tone at the top as service-level agreements are built to support ICFR. It’s also important, Schneider said, for organizations to have enough in-house financial reporting expertise to make sure the outsourced providers are paying proper attention to ICFR.
“You have to have some level of expertise in the financial reporting world because you are responsible for your financial reports if you’re a public company,” Schneider said. “The SEC is very clear on that.”
Companies need to be comfortable with the ethics and business practices of a third-party provider, Schneider said. And verifying those controls is a vital step for companies whose CEOs and CFOs are signing important regulatory statements attesting to the control structure and control environment over their financial reporting.
“These are all elements you have to think through now as you’re reaching those outsourced agreements,” Schneider said. “Or if they are already in place, maybe you ought to go back and revisit them and think, ‘How can I meet these requirements for the responsibility?’ ”
—Ken Tysiac ( ktysiac@aicpa.org ) is a JofA editorial director.
