Current Print Edition
November 2008

Outsourcing and internal control: know where you stand

Managing the risk of outsourcing arrangements requires diligence; the new regulatory environment demands it

By Nelson Huen and Ted Aslanidis

Risk management is one of the main cornerstones of good corporate governance. Proposed changes to regulatory requirements for Canadian public companies have been developed over the past few years to create a stronger basis for managing potential risk areas. Putting these changes into action will require a consideration of every aspect of a business’s operations, and outsourcing arrangements can’t be overlooked.

New rules in play

Canadian companies listed on U.S. stock exchanges are subject to the Sarbanes-Oxley Act of 2002 (SOX) Section 404, which has required these companies to document and certify their internal controls. Companies listed in Canada have been waiting for the Canadian equivalent of SOX to be implemented.

The March 10, 2006, Canadian Securities Administrators (CSA) Notice 52-313 made it clear that Canadian companies won’t be required to obtain an internal control audit opinion on management’s assessment of the effectiveness of internal control over financial reporting (ICOFR) under Multilateral Instrument 52-111. However, their CEOs and CFOs will be required to certify annually that they have evaluated the effectiveness of the company’s ICOFR, and will need to disclose their conclusions about the effectiveness of ICOFR under the proposed and expanded Multilateral Instrument 52-109.

The extent to which Canadian publicly traded companies subject to the proposed CSA regulations will document and test their internal control environment compared to those working within the SOX framework is currently unclear. However, prudent CEOs and CFOs will insist on sufficient evidence that their controls are in place and working.

Therefore, management must evaluate all significant business processes and systems to identify risks that could materially affect the financial statements and potentially expose chief officers to regulatory action, regardless of which regulatory regime they operate under.

Outsourcing is definitely one of these potential risk areas.

Identifying the risks

When could the activities of an outsourcer affect the financial statements? Some outsourcers are authorized to enter transactions directly into a company’s financial systems, and/or issue company purchase orders. Some are in a position to incur liabilities through environmental accidents or faulty production. Still others are in a position to inadvertently compromise the integrity or security of a company’s private records and sensitive customer information.

Identifying and managing such risks will be a critical part of the new regulatory compliance environment in Canada. There are three major initiatives you should undertake to help manage these risks.

1. Catalogue all outsourcing contracts and develop an outsourcing governance framework

When outsourcing was first established as common practice, there were few concerns about its risks to financial statements. Often, different parts of an organization were permitted to manage their own outsourcing contracts, and arrangements often remained scattered. The challenge is that such a division of responsibilities makes it difficult to catalogue and marshal such arrangements for governance purposes. It may be difficult to evaluate potential risks related to these contracts. In addition, organizations need to consider the aggregate risk, not just the risk on a case-by-case basis.

Therefore, it’s important to find where all these contracts reside, evaluate their impact on the company’s ICOFR and develop an effective governance and compliance framework to manage these risks. This exercise is more difficult than it sounds. Many contract managers don’t like to upset the status quo, share control or deal with the budget and resource impacts of such new requirements.

The first impulse may be to centralize the management of outsourcing contracts in one department or office, but this degree of reorganization isn’t always necessary. A committee of existing contract managers may be a workable solution, but they may not understand the risks or the rules of compliance without some expert guidance. In some cases, a hybrid model with partial centralization is more appropriate.

No matter which approach you take, one of the earliest issues to tackle is the difference in provisions between current contracts and future contracts. All current contracts must be evaluated for risk exposure, using a short-term strategy that attempts to move the outsourcer toward the type of control assurance soon to be required. Standard control and “right to audit” terminology should then be developed for future contracts.

Expect push-back from outsourcers that don’t want to spend any extra money or time on items that fall outside the current contract. Some may be quite willing to incorporate changes but at a cost. Nevertheless, the governance body should actively work toward standardization of key contract terms and language to make sure that company-wide governance processes over outsourcing arrangements are as tight, consistent and auditable as they can be.

2. Consider the means of achieving compliance as part of contract negotiation

Outsourcing contract managers will need a different mindset toward negotiations in the new regulatory environment. It’s not enough to just cut a good business deal with an outsourcer. From now on, compliance must be an important criterion. Every outsourcer must be willing to negotiate a contract that offers sufficient control assurance. What’s more, the degree of protection should match the risk — too much is a needless expense, and too little is inadequate coverage. Also, be aware of renewal dates for existing contracts and get started now, so you won’t have to alter the terms of the new contract later.

Contract compliance is a complicated area, and the best advice is to involve the right members of your management team and advisers as early as possible. They will help you understand your company’s controls requirements, develop a negotiation strategy and address compliance requirements with your vendor.

During negotiations, be clear on the types of contract terms and rights you need. One size doesn’t fit all. What you require in principle is the ability for management or its advisors to verify procedures, processes and transactions in your outsourcer’s operations. Some outsourcers will consider this intrusive, because additional work or disruption threatens their already tight profit margins. On the other hand, you will require the understanding and visibility of procedures performed by your outsourcers, including internal controls over IT operations. The extent of audit access and coverage required will depend on the degree to which key financial reporting processes, controls and systems are handled by the outsourcer, as well as the level of comfort management and the Board of Directors of the company requires to satisfy themselves that MI52-109 requirements are met.

The cost of compliance will always be a consideration in these negotiations. These costs can be substantial. For example, new initiatives to outsource offshore for cost savings may not seem as attractive when costs for necessary risk management and regulatory compliance activities are included.

3. Develop a rigorous compliance review and monitoring program

The distinction between an outsourced partner and an ordinary supplier isn’t always immediately clear. A common mistake is assuming that some relationships fall outside the rules. All contracts should have tests of materiality and potential liability applied to measure the risks.

There are three basic ways to evaluate outsourcing arrangements in the context of ICOFR:

1. Rely on existing controls and potentially create additional controls within your organization. This will involve identifying and documenting input/output controls, or reviewing and verifying all transactions internally to ensure all handoff points between your organization and the outsourcer are sufficiently controlled to mitigate risks.

2. Perform physical inspection and documentation of controls at your outsourcer using your own resources. While this approach may be less expensive than the audit report approach below, it’s important that your internal resources are given the appropriate level of training, guidance and tools to conduct the assessment in an efficient and effective manner.

3. Request evidence of compliance from the outsourcers. This is done with a Section 5970 (Canada) or a SAS 70 (US) auditors’ report on controls that reside at the outsourcers.

Which option is best for you depends on various factors, such as effectiveness, cost, time and resource constraints. Sometimes the independence of a Section 5970 opinion can be helpful, especially when a physical inspection of the outsourcer may strain relations. But that is much more expensive than input/output controls, and who will pay? Can input/output controls sufficiently mitigate risks associated with certain outsourcing arrangements? Multiple inspections and on-site audits (option 2 above) may appear to be a necessary compromise for evaluating control effectiveness, but does the company have sufficient resources, qualified staff and tools to support and conduct these audits? How will you ensure the outsourcer will implement the required changes to mitigate the risks you have identified?

It’s important to remember that only the terms of a properly negotiated contract can give you audit rights in the first place. Under the heightened disclosure and reporting requirements, outsourcing contracts represent an area of risk that needs to be managed, and having the right contracts and control processes in place will help the relationship work more smoothly.

Ted Aslanidis and Nelson Huen are members of KPMG’s Canadian Advisory practice.
