ARTICLE
11 May 2006

IT Suppliers! Are Your Services SOX Compliant?

Bristows


The Sarbanes-Oxley Act

The US Sarbanes-Oxley Act 2002 ("SOX") applies to many UK companies often because they have a US listed parent and so must comply with the "Group’s" requirements.

If you are a supplier of IT software or services to such companies, from July 2006 customers may well be asking you whether your products and services are SOX compliant.

Why is SOX relevant? Section 404 audits

The rationale of SOX is to ensure that a company’s financial reporting is accurate and, consequently, that the company has systems (including IT systems) and controls which ensure the reliability and integrity of such reporting. Section 404 of SOX requires a company’s management to report on its assessment of the controls it has in place over its financial reporting. Registered external auditors must then attest the management report. These are known in the US as "Section 404" audits.

SOX requires a "traditional" audit report of financial statements and an audit report of the controls in place in respect of financial reporting. An audit trail needs to be established and identified so that the registered external auditor can successfully carry out the audit. The SOX requirement for "controls" applies equally to internal processes and outsourced activities. This responsibility cannot be delegated to the entity providing the outsourced function. This means that a UK company obliged to comply with SOX will need to ensure that any entity providing services to it which affect financial reporting, for example providers of outsourced IT functions, can provide the necessary information to complete the audit trail.

Impact on IT Suppliers

Whilst most IT suppliers will already conduct their operations in compliance with UK corporate governance obligations, for example data protection obligations, they can expect their SOX customers to request additional steps to be taken to ensure those customers' compliance with SOX. For software providers, this potentially presents new business opportunities, namely selling products which assist with Section 404 audits and SOX compliance management. For other IT suppliers already providing services, this could include putting programmes in place to document the controls that exist in relation to financial reporting and performing a risk assessment.

Any additional SOX related obligations may well overlap with existing confidentiality and contractual provisions. However, given that many outsourcing contracts effectively transfer business risk, it is fair to assume that customers required to comply with SOX may seek to pass as much of that risk as possible to the IT service provider.

Practical steps?

IT service providers and particularly incumbent outsourcing contractors should consider:

  • getting guidance from the customer as to what is required as the customer is likely to have a better practical understanding of the nature and scope of the obligations because it will be putting its internal controls and audit process in place;
  • agreeing a specific, exhaustive list of duties as part of the services contract;
  • how the increased risk and scope of work will impact on the pricing of the contract.

What the IT service provider really needs to avoid is the inclusion of a general compliance requirement in the services agreement as this could expose it to unverifiable, and therefore unacceptable, business risk and cost.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
