United States: The Impact of Regulatory Compliance Mandates on Business Process and IT Outsourcing

Regulatory compliance mandates are becoming increasingly pervasive and onerous in western countries (see Figure 1). They have become a driving force in influencing affected organizations investments, areas of attention and activity, and in extreme cases strategic direction (i.e., going private in an attempt to avoid regulatory mandates). Business process regulation has become a new an uglier "BPR".

An affected large company, for example, could easily have total direct and indirect costs for Sarbanes-Oxley (SOX) compliance in excess of $10M annually. AMR Research estimates that affected organizations worldwide will spend $6B+ on SOX related activities in 2005, not counting actual audit fees, and will spend $80B+ over the next five years on compliance as a whole. On top of these costs, it is not uncommon for organizations to experience a doubling in the fees they pay their external auditors. And these numbers do not take into account the opportunity cost of compliance and the distraction it creates from other critical activities.

DoD 5015.2, UK PRO: National standards on records management in the US and UK.

• EU95/46, EU02/58: European Union privacy legislation.
• Gramm-Leach Bliley Act (GLBA): Privacy of financial information.
• Health Insurance Portability and Accountability Act (HIPAA): Privacy of patient information and healthcare records.
• National Association of Security Dealers/NASD 3110: Written policies and procedures for review of correspondence with the public.
• New Basel Capital Accord (Basel II): Capital assessment and reporting standards for global banking.
• Sarbanes-Oxley Act: fiscal accountability and control environment integrity; various Europe versions are in place on a country by country basis.
• SEC Rules 17a-3, 17a-4: Securities related records retention.
• USA PATRIOT Act: Various anti-terrorism, surveillance and anti-money laundering dictates.

While organizations can debate the collective merit of these regulations, most are here to stay. While some, for example SOX, could potentially be scaled back – somewhat - the overall regulatory environment is not going to loosen significantly in the near term. Affected organizations must address these regulations as efficiently and effectively as possible.

Even more importantly, organizations must determine how to leverage the investments they are making to meet regulatory demands into gaining greater competitive gain. This could mean, for example, leveraging the greater visibility and transparency into financial processes that SOX investments deliver to focus more on financial analysis vs. transaction processing. Or a bank could become more aggressive with is loan policies based on insights into its risk profile derived from Basel II calculations. In this way, compliance investments also enable process and performance improvements efforts and are not just sunk cost of doing business.

One area where regulatory mandates are already having a major impact is around IT and business process outsourcing (ITO/BPO). Regulations, particularly SOX and various privacy regulations, complicate the outsourcing process. In the short term this has slowed and curtailed deals, particular finance and accounting BPO. Longer term, however, compliance requirements and burdens will drive more outsourcing as organizations seek third party support to better manage compliance costs and requirements.

The major problem relative to outsourcer and SOX is that while U.S. regulators (e.g., SEC, PCAOB/Public Company Accounting Oversight Board) have clarified that SOX requirements apply equally and as stringently to outsourced functions processes and well as those maintained internally, they have not clarified what organizations must to do show compliance. It is typically a case of – "it depends":

• what has been outsourced,

This is not surprising given that SOX is a concept, not a rules, based regulation. Just as there is no standard checklist for overall SOX compliance, there are no exact guidance for how to address outsourced processes. While precedence and defined best practices will develop over time, organizations are struggling to initially define a SOX strategy and process to support outsourcing.

The result is that organizations are taking widely divergent approach to applying compliance requirements against outsourced processes and engagements. For example, two separate META Group studies conducted in 2004 found that nearly 25% of organizations were ignoring outsourced functions and processes in first year SOX efforts, a recipe for potential audit failures. Other organizations are much more aggressive.

One common misperception in the market is that existing outsourcing audit mechanisms, primarily the SAS 70 audit (see Figure 2), are always adequate for SOX compliance. The reality is that even a SAS 70 Type 2 audit may not prove enough for SOX in all cases. The SAS 70 standard was developed long before SOX regulations existed and was not designed to focus on the type of controls that SOX addresses. In addition, there have been no requirements for users to request an SAS 70 audit, and many have not. Also, one SAS 70 audit that historically could suffice for multiple clients of an outsourcer also may not be enough for SOX compliance.

The result is that there are more cases where aggressive/thorough clients are demanding additional controls and documentation beyond an SAS 70 Type 2 audit to enable what they estimate is "good enough" SOX compliance. In some cases, however, SAS 70 Type II audits are enough – it depends.

SAS (Statement on Auditing Standards) 70 is an international auditing standard developed by the American Institute of Certified Public Accountants for service organizations. An SAS 70 audit is the means through which an auditor examines a service organization’s or outsourcer’s control activities, particularly around IT and related processes. SAS 70 is based on SAS 55, "Consideration of Internal Control in a Financial Statement Audit," and on the COSO framework. There are Type 1 and Type 2 audits. Type 1 is a point-in-time/snapshot audit that focuses on general and application controls but does not include testing by auditors. A Type 2 audit occurs over a period of time (e.g., 6-12 months), focusing on general and operational controls during a life cycle, with auditors typically performing actual testing. A Type 2 is obviously more expensive as well as burdensome for the outsourcer. Only a CPA firm can perform an SAS 70 audit, and the Big Four audit firms, as well as the specialist firm SAS 70 Solutions (formerly part of Andersen), perform the bulk of the audits for G2000 organizations.

An added challenge organizations, particular finance and accounting operations, face with compliance requirements is that they are occurring in an era of aggressive and ongoing cost cutting. The goal of many organizations is to reduce F&A expenses to less than 1% of overall revenue. This goal is challenged by compliance requirements. A recent EquaTerra study found that improving the controls environment was the number one goal for organizations pursuing F&A transformation efforts. The number one goal in pursuing F&A BPO was cost reduction. While reducing costs and improving compliance and control capabilities may seem at odds, they are not if an organization can undertake BPO successfully.

BPO can help address an organization’s compliance needs in several ways.

• Outsourcers may possess more efficient processes that require less controls and hence have a lower compliance costs.

• Processes that have more automated and less manual controls are easier and cheaper to manage from a compliance standpoint.

• Outsourcing service providers can perform much of the compliance legwork (e.g., control’s testing, documentation) and spread the cost of the resources to perform that work over multiple clients

• Outsourcers with "best practice" process model can possess stronger embedded process controls.

• Outsourcers can dedicate more compliance expertise & experience against controls management and optimization and spread those costs across multiple clients.

• Outsourcers can gain more experience and capabilities with standardized (i.e., SAS 70) reporting.

Most outsourcers, however, are still struggling to get their compliance capabilities adequately in place along the lines defined above. Long term compliance efficiency and effectiveness will become a factor to help define BPO market leaders and will drive market consolidation. Organizations considering BPO or in existing arrangements must thoroughly vet their outsourcer’s compliance capabilities.

The following is a sample (and far from exhaustive) compliance checklist for organizations to use as a starting point in assessing compliance readiness and requirements in an outsourcing situation.

• Compliance organization and internal audit represented on the buyer sourcing team

• Corporate governance and risk management frameworks employed address and account for outsourcing requirements

• Ownership assigned to address outsourcing governance and relationship management

• Short-listed service provider’s Sarbanes capabilities and position understood

• Service provider’s operations undergone SAS 70 audits

• Geographic locations of potential service delivery centers known and compliance implications understood

• Who covers the cost associated with compliance testing and SAS 70 audits agreed upon

• Proposed contract calls out means to review, assess and account for future changes in the regulatory environment

Organizations must always remember, though, that they are ultimately liable for compliance requirements. This does not mean when the inevitable compliance meltdown involving outsourced processes occurs that the outsourcer won’t find itself in court. Organizations, however, must focus on the segmentation of compliance duties with an outsourcer to ensure they maintain ultimate control. This collaborative effort could divide the responsibilities along the following lines.

Ultimately, successful BPO efforts can become a strong tool for organizations to improve compliance efforts efficiency and effectiveness. Outsourcing has the potential to improve the overall control’s environment and make compliance more sustainable. Most importantly, organizations can work with qualified outsourcer to leverage compliance investments for greater competitive gain. The process to marry compliance and outsourcing best practices is not an easy one, but one that it worth the effort.

Mr. Lepeak is a Managing Director at EquaTerra, the outsourcing and insourcing advisory firm. He leads EquaTerra’s EQuation Research, Training and Education practice area focused on global Information Technology and Business Process Outsourcing. He has followed the business and IT services and IT marketplaces for more than 15 years. He is a noted commentator and frequent speaker on business and IT professional services, business process outsourcing and transformation, organizational change, risk management, compliance, and underlying supporting technologies. Mr. Lepeak was also a Vice President and Research Lead at the META Group, a market research and advisory services firm. He led coverage of the business and IT services marketplaces and compliance research practice area, as was also Vice President of the Electronic Business Strategies service. He was also an executive at Elance, an enterprise software firm developing enterprise applications for sourcing and managing business and IT services, and Senior Vice President and Chief Research Officer at Ajunto, an IT software, services, and research firm. Mr. Lepeak has held various management positions in finance & accounting, operations and IT across several industries. He holds a degree from the University of Michigan.

EquaTerra is focused solely on providing global corporations with outsourcing and insourcing advisory, research and governance services that enable them to achieve service delivery excellence for their SG&A processes. EquaTerra's advisors average more than 20 years of industry, service provider and process experience with functional leadership in Finance & Accounting, Human Resources, Information Technology and Procurement. Our advisors have been involved in over 600 global business transformation, outsourcing and outsourcing governance projects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.