New Year, new audit rules

“Can you write about the new changes in outsourcing audit requirements?” they said.  “But make it interesting”.

I like a challenge but this could be tough: “interesting” and “audit standards” don’t often get used in the same sentence.  But that may change from mid-2011 when new rules come into play that will require companies’ managements to provide a written assertion about the controls in place in their service organisation.

While directors will still look to auditors to report on the effectiveness of controls, the onus will shift to the companies’ boards to satisfy themselves about the controls in place, especially in outsourced operations.  Whether the burden will lie on the CIO, CFO or other directors will depend on the type of control and nature of outsourced operations.

But it’s safe to say that responsibility for effective assessment of service management controls should be moving up companies’ governance agendas.

Over recent years, it has been increasingly common among public companies to require an audit of their service organisation.  Sarbanes-Oxley raised this to a must-have level for companies subject to the U.S. regulatory authorities where outsourcing touched on financial systems and reporting.

SAS70 became that rare thing: an accounting standard that many people had actually heard of.  SAS 70 reports evidenced greater due diligence and compliance checks on service providers.  Many service providers also took the lead and sought to demonstrate good practice by way of a third party assurance report.

From 2011, SAS70 (a U.S. audit standard) is being updated and the International Auditing and Assurance Standards Board is also issuing a new, similar international standard ISAE 3402 requiring reporting on controls in service organisations.

SAS 70 contained guidance for user auditors (that is, auditors who audit the financial statements of organisations who use service providers) and auditors reporting on a service provider’s controls (service auditors).  Under the new regime, the requirements for user and service auditors are being split.

The main material change is that, under the new regime, the management of a service organisation will now be required to provide a written assertion attesting either to the fair presentation and design of controls or the fair presentation, design and operating effectiveness of controls.  Previously, auditors reported directly on controls and a company’s management was merely required to report that controls were suitably designed and/or operating effectively.

What this means in practice is that, in the future, a company’s management will need to have a reasonable basis for assessing the effectiveness of controls on the management of their service organisations – and may need to develop their own processes to do so.

The problem gets bigger if key services are sub-contracted by an outsourcer.  If the service provider relies on controls at a “subservice” organisation, the ultimate client, outsourcer and subcontractor will all need to be involved in discussions about how the right checks will be made to enable the client’s management to give the required assertion.

And all this will need to be paid for, of course.  Audits in this area will continue to fall into two types (so-called Type 1 and Type 2 audits – depending on whether the audit is a snapshot or a view of the operation of controls over a period of time).  For outsourced servicesin the finance and accounting area, the simpler Type 1 audits are unlikely to be acceptable and the burden of implementing and paying for the more effective Type 2 audits required to support the new assertion requirements may well fall even more on to service providers.

Alistair Maughan is a partner at Morrison & Foerster, an international law firm. Follow him on twitter at https://twitter.com/ICToutsourcelaw