Outsourcing sparks concerns over IT controls to meet Sarbanes-Oxley

IT auditors worry that outsourcers may not provide the documentation needed to comply with Sarbanes-Oxley

ROSEMONT, Ill. -- Corporate and external IT auditors who attended a conference on the Sarbanes-Oxley Act here this week said they're growing increasingly concerned about the ability of IT outsourcing vendors to effectively document the internal controls they have in place to support their clients' regulatory compliance efforts.
Ken Vander Wal, a partner in the technology security and risk services practice at Ernst & Young LLP in Chicago, noted that the Public Company Accounting Oversight Board issued a statement on March 9 saying that the use of service providers doesn't reduce the responsibility of corporate executives for maintaining effective internal controls.
Many IT services firms annually send their clients what are known as SAS 70 reports describing the accounting, IT and other controls they have put in place. However, not all vendors produce the documents, and some SAS 70 reports aren't detailed enough or are delivered too late to be included in year-end financial reports, said Vander Wal and other attendees at the conference, which was sponsored by the Information Systems Audit and Control Association.
An IT auditor who works at a Midwestern bank and requested anonymity said he discovered as part of auditing work related to Sarbanes-Oxley that the bank has contracts with multiple application service providers that don't provide SAS 70 reports or other measures of their internal controls. "This could be a big problem as we get closer to our [compliance] deadlines," he said.
"Not all service organizations have a SAS 70. If not, chances are they don't have the controls that you need," said Paul Zonneveld, who works as a senior manager at Deloitte & Touche LLP's enterprise risk services practice in Calgary, Alberta.
Jose L. Carrera Jr., enterprise risk management service practice leader at Singer Lewak Greenbaum & Goldstein LLP, said one of the Los Angeles-based accounting firm's clients recently learned that it had outsourced software development to an offshore company that doesn't have any IT testing or revision controls.
SAS 70 reports generated by outsourcing vendors also may not include information about the controls that subcontractors have in place, Vander Wal said.
For more information, see Computerworld's special coverage page on the Sarbanes-Oxley Act.

Copyright © 2004 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon