A report on the Sarbanes-Oxley Act and its impact on the Indian Outsourcing Industry
Research by: Palak Sharma & Rohit Adlakha - Law Students Panjab University, Chandigarh, INDIA, under the guidance of Nitin Kumar, Sr. Consultant, InterAlliance Group Services
The SOX Act came into force in 2002 with the aim of protecting investors and introducing improvements in corporate governance.
conducting the audit. This immediately raised the question regarding the loss of independence on the part of the auditors. In this chaotic environment, engendered. It was conceived in controversy and has remained combative.
Proponents of SOX believe that it was necessary to restore public faith in published financial statements by assuring that accounting records were accurate and could be relied upon. There was a growing perception among the investing public that most of the scandals could have been prevented had there been a governmental agency responsible for monitoring and preventing such accounting irregularities.
Opponents argued that SOX would be prejudicial to the economy; that the burden would fall too heavily on smaller public firms; that the costs of implementing SOX with all its requirements would far exceed the benefits gained. The fact that there was a spike in the number of public companies that were privately sold, that relocated outside the US and relisted themselves on foreign exchanges lends some credence to the opposing view.
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for noncompliance are fines, imprisonment, or both.
Some of the key sections of SOX related to Audit and Financial Reporting are the following:
Sections 101-109 of the Act have established a new body, the Public Company Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of the Securities Exchange Act of 1934 (1934 Act) Reporting Issuers (issuers of securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings.
Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (such as an Indian audit firm) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate that such firm should be subject to the Board's authority.
Section 302 (Corporate Responsibility for Financial Reports) directs the Securities and Exchange Commission to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each annual and quarterly report filed or submitted under the 1934 Act. The certification relates to the content of the report, internal controls of the issuer and disclosure to the audit committee.
Section 404 - As directed by Section 404 of the Sarbanes-Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessments, following standards established by the PCAOB.
US SEC rules
Under the SEC rules, management's annual internal-control report must contain:
A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
A statement identifying management's framework for evaluating the effectiveness of internal controls.
Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.
A statement that the company's auditor has issued an attestation report on management's assessment.
Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions. Management must disclose any material weakness in a company's internal-controls structure. If material weaknesses exist, senior executives will be unable to conclude that the company's internal control over financial reporting is effective, according to the Securities and Exchange Commission.
SAS OVERVIEW
Statement on Auditing Standards (SAS) No. 70, for Service Organisations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognised, because it represents that a service organisation has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organisations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations.
SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (Service Auditor's Report) is issued to the service organisation at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor (service auditor) to issue an opinion on a service organisation's description of controls through a Service Auditor's Report. SAS 70 is not a predetermined set of control objectives or control activities that service organisations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a checklist audit.
SAS No. 70 is generally applicable when an auditor (user auditor) is auditing the financial statements of an entity (user organisation) that obtains services from another organisation (service organisation). Service organisations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
Factors to be considered by management when a service organisation outsources certain functions to another service organisation:
In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (Indian company) that in turn uses another service organisation (a sub service organisation) to perform the work. In such a scenario the management of the user organisation needs to consider controls at the sub service organisation. In addition to that, the following also need to be considered:
The nature and materiality of the transactions processed by the sub service organisation
The contribution of the sub service organisation's processes in the achievement of the user organisation's information processing objectives
The availability of a sub service organisation's SAS 70 report
Because a user organisation typically does not have any contractual relationship with the sub service organisation, a user organisation should obtain available reports and information about the sub service organisation from the service organisation.