COSO: Internal control a challenge with outsourced providers

The very name “internal control” poses a problem for companies when
they deal with outsourced providers.

This internal responsibility for external functions has become one
of the biggest challenges for companies in the 2013 update of the
widely used internal control framework created by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO).

COSO is a joint initiative of five private-sector organizations
dedicated to providing thought leadership on enterprise risk
management, internal control, and fraud deterrence. The AICPA is a
member of COSO.

Many public companies use the COSO framework as their criteria when
attesting to their internal control over financial reporting (ICFR),
as required by the Sarbanes-Oxley Act of 2002, P.L. 107-204. And the
framework clearly states that management is responsible for the design
and operation of its ICFR, including the controls that are outsourced
to service providers.

“You’re the CEO and the CFO of the company that’s signing that I
have a proper control structure and control environment. You have to
feel comfortable that you’ve accepted responsibility for what they’re
doing,” said Bill Schneider, CPA, CGMA, director of accounting for
AT&T and a member of a panel that advised COSO on the framework update.

“You can’t just say, ‘Well, that was something that Capgemini or
Accretive or Accenture did for me, and I don’t have responsibility,
it’s their problem.’ You are responsible for it.”

Schneider said that smaller companies in particular have been
wrestling with this issue in their COSO implementation because they
typically have outsourced a greater portion of the finance function
than large companies, leaving less financial expertise to oversee
those relationships.

A recent PwC report, Present and Functioning: Fine-Tuning Your ICFR
Using the COSO Update, describes how leading companies
work to understand, evaluate, and test their outsourced service
providers’ controls. According to the report, these companies usually
have indirect entity-level controls to:

Leading companies also have control activities, including direct
entity-level controls, to verify the reliability of data and
information relevant to the company’s ICFR that are sent to and
received from service providers, the report says.

Jason Pett, CPA, U.S. internal audit leader for PwC, said internal
control over outsourced business providers extends well beyond ICFR to
other areas of the business.

“The challenge is, how do you interact with those third parties?”
Pett said. “How do you monitor the third parties? And then how do you
hold them accountable? When it comes to ICFR, it’s really important
that you understand what the third party’s role is in the execution of
control activities, because as a company, you can outsource
activities, you cannot outsource responsibilities.”

Because companies still have the ultimate responsibility for the
accuracy of their financial reporting, Pett suggests that:

The testing in particular can be difficult when the controls are
operating outside of the company. So Pett suggests that companies
address testing parameters upfront in the contracting for
service-level agreements, and then monitor to ensure performance meets
the expectations laid out in the agreements.

Performance can be monitored through a right-to-audit clause that
gives either the company or an auditor permission to perform testing.

Schneider said the whole procurement process can become part of the
control environment, functioning as a kind of tone at the top as
service-level agreements are built to support ICFR. It’s also
important, Schneider said, for organizations to have enough in-house
financial reporting expertise to make sure the outsourced providers
are paying proper attention to ICFR.

“You have to have some level of expertise in the financial reporting
world because you are responsible for your financial reports if you’re
a public company,” Schneider said. “The SEC is very clear on that.”

Companies need to be comfortable with the ethics and business
practices of a third-party provider, Schneider said. And verifying
those controls is a vital step for companies whose CEOs and CFOs are
signing important regulatory statements attesting to the control
structure and control environment over their financial reporting.

“These are all elements you have to think through now as you’re
reaching those outsourced agreements,” Schneider said. “Or if they are
already in place, maybe you ought to go back and revisit them and
think, ‘How can I meet these requirements for the responsibility?’ ”

Ken Tysiac is a JofA editorial director.
