The Sarbanes-Oxley Act of 2002 (SOX) was enacted to address the plummeting confidence of both institutional and individual investors triggered by business failures, accounting restatements, and large financial frauds (such as Enron, WorldCom, and Adelphia). SOX is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission.
While much has been written about how SOX affects corporate CEOs and their external auditors, little attention has focused on its potential effect on corporate IT departments. Consequently, the full implications of SOX for IT are not well understood. One survey reported "an astounding 93% of chief information officers and other senior IT executives were unaware of their information technology control assessment responsibilities under SOX."
This confusion has led to uncertainty and inconsistency regarding the use of IT outsourcing to address SOX challenges. A survey of 261 corporate decision makers by the consulting firm Meta Group found that 25% had no way of determining the appropriate IT sourcing response to SOX; 21% intended to outsource more in response to SOX; and 19% intended to outsource less. The same survey found an additional 17% didn't expect SOX to have any effect, positive or negative, on current IT outsourcing levels. Other independent surveys have yielded similar mixed responses, highlighting the confusion of many IT managers and corporate executives regarding the potential effects of IT outsourcing on SOX compliance.
Here, we analyze the potential of these effects on corporate management's responsibilities regarding firm oversight, internal control, financial reporting, and shareholder protection. We conclude that SOX exacerbates several preexisting risks of large-scale IT outsourcing and generates substantial new concerns. CIOs, CEOs, boards of directors, and other firm stakeholders must understand and communicate these risks when evaluating current or proposed IT outsourcing relationships.
The overriding purpose of SOX is increased public confidence in capital markets through improved corporate governance, financial reporting, internal controls, and external audit quality (see the sidebar "Key Provisions of the Sarbanes-Oxley Act"). Two sections of SOX are especially important to corporate IT departments:
Section 404. Called "Management Assessment of Internal Controls," it mandates that corporate CEOs implement internal controls over their financial reporting systems, physically test these controls, and certify in writing that they function correctly. As a practical matter, the vast majority of controls are embedded in computer technologies that involve virtually all of an organization's financial transaction processing systems; and
Section 302. Called "Corporate Responsibility for Incident Reports," it requires senior financial executives to disclose deficiencies in internal controls and fraud (whether material or not). Also, public accounting firms must attest in their audit opinions to the adequacy and function of their client firms' internal controls. Prior to SOX, auditing standards required auditors only to be "familiar" with internal controls.
As a result of SOX, business organizations and public accounting firms throughout the U.S. have sought to hire employees with a rare combination of computer skills and business training. Corporate CEOs need them to bring their organizations into compliance with SOX, and CPA firms need them to conduct new forms of audits, now required by law. People with the skills needed to function at the intersection of computer science and business are in great demand along four main career paths: forensic accounting; risk management; computer auditing; and IT-controls consulting.
Capable people have always been in demand, but SOX has turned finding them into a business imperative. Unfortunately, this demand has dramatically raised in-house IT costs for all U.S. corporations, driving up audit costs by as much as $1.4 billion, along with the cost of SOX-mandated external audits of corporate information systems. Frustrated by increasing IT budgets and the inability to attract competent IT professionals, firms are seeking solutions.
Some executives view continued or increased large-scale IT outsourcing as the logical and imminent solution to the burden imposed by SOX. Recent examples of companies that subscribe to this viewpoint include Capital Automotive (www.capitalautomotive.com), a specialty finance company, whose SOX initiatives include the outsourcing of all IT activities, including server and network management, security, and support for SOX compliance. Similarly, Sallie Mae (www.salliemae.com), the largest U.S. provider of education funding, was influenced by SOX in its decision to outsource the management of its entire IT application infrastructure. Reports of anonymous executive interviews in The Economist provide additional examples of firms that have signed substantial IT outsourcing contracts as a direct response to SOX, as well as to similar new regulations outside the U.S.
The potential benefits of large-scale IT outsourcing are well known, thanks largely to vendors aggressively marketing the proposition that they, unlike their clients, have the time, internal resources, and expertise to handle complex SOX demands. If successful, IT outsourcing allows client-firm management to focus on core business competencies, while the vendor manages the many non-core IT support and compliance functions. Benefits include improved core performance, improved IT performance (due to the vendor's expertise), and reduced IT costs (assuming the vendor achieves economies of scale). Furthermore, large-scale IT outsourcing arrangements often involve the sale of the client firm's IT assets, both human and technological, to the vendor (the client firm then leases back), resulting in a significant one-time cash infusion to the firm.
Less appreciated are the substantial negative implications of SOX for IT outsourcing. While large-scale IT outsourcing may appear to be a way to address the costs of SOX compliance, outsourcing contracts can actually increase the likelihood that a firm will fail to comply with both the detail and the spirit of SOX. Specifically, large-scale IT outsourcing increases the risk that top management and boards of directors will be unable to fulfill their oversight duties; that firms will employ ineffective internal controls over financial statements; that financial reports will be inaccurate and/or misleading; and that firms will fail to protect shareholder wealth.
Oversight. As noted earlier, SOX requires that top management certify that internal system controls are effective and that financial statements "fairly present" their firms' financial condition and results of operations. Certification requires evidence obtained through monitoring and tests of controls. The board of directors is mandated to also oversee top management. However, the ability of top management and directors to monitor the financial reporting system is diminished to the extent that a firm distances itself physically and intellectually from IT operations through large-scale IT outsourcing relationships.
Lost IT skills. Management tends to lose its ability to understand technology and IT strategy under large-scale IT outsourcing and cannot effectively oversee operations, procedures, and controls it does not understand. Furthermore, achieving the close working relationship needed for oversight is difficult with a vendor whose leadership is off-site. Key decisions will, of necessity, be made independently and far from the purview of management. Communications between clients and vendors regarding important business strategy and IT issues will naturally diminish to a perfunctory level. This reduced ability to provide oversight can itself be a reportable internal control problem under SOX, increasing the likelihood that other internal control failures will go undetected. On the other hand, management and directors of firms that retain strategic IT capability in-house maintain an understanding of technology and internal controls, and thus can better control their organizations' IT futures.
Costs of oversight. Even if perfect oversight were possible, the costs of high-level oversight of vendors can be prohibitive. On average, firms already spend roughly 8% of annual contract amounts to manage and monitor vendors. Indeed, one U.S. tire manufacturer paid as much as 35% of its yearly contract amount on such activities. Under SOX, such contract management expenses are likely to escalate due to management's responsibility for certifying controls annually. Furthermore, whenever weaknesses are identified, firms may need to contract for new or incremental services. When IT assets are highly unique to the client organization, that organization will have little choice but to contract with the same vendor (at a premium) for the additional services. Additionally, depending on the contract and the nature of the inadequacies, the client firm may need to pay large termination fees to discontinue inadequate aspects of contracted IT services.
Internal control. SOX requires that management certify its financial statements quarterly and assert annually that its internal controls are effective (Section 404). To comply, management must document and evaluate the significant controls related to financial reporting systems. In addition, the client firm's independent auditor must examine management's assertion and express a formal opinion regarding the effectiveness of the internal controls. Auditors must render this new internal control opinion, along with their traditional financial statement opinion.
Internal control and security. The potential for control problems increases with the outsourcing of systems, internal controls, and sensitive data. The health care industry, for instance, is concerned that offshore IT vendors will fail to comply with the privacy rules in the Health Insurance Portability and Accountability Act of 1996. In addition to privacy concerns, risks from acts of terrorism, identity theft, and credit card fraud are spawning legislation that prohibits the outsourcing of sensitive data to offshore vendors. So, when corporate financial systems are developed and hosted remotely, and program code is developed through interfaces with the host firms' networks, outsourcing clients risk losing control of their information.
Despite these risks, both domestic and offshore IT outsourcing remain commonplace. Indeed, the Wall Street Journal reported that SOX drove a dramatic increase of IT outsourcing to Indian IT vendors during 2005. Furthermore, the 2005 Computer Security Institute/FBI Computer Crime and Security Survey found that a small but significant percentage of U.S. firms even outsource large portions of their IT security function, with 10% of them outsourcing over 20% of it, and several outsourcing over 60%. SOX magnifies the potential consequences of such activity, because executives have increased responsibility for internal controls and security for all financial systems, including those that have been outsourced. Moreover, given the great difficulty in assessing the exact nature of security risks, auditors (who, due to SOX, are subject to greater scrutiny) may be especially conservative in their evaluations of internal controls, as required under SOX.
Auditing the vendor. A client firm largely relies on its outsourcing vendor's internal controls and security measures to protect it from these threats. To comply with SOX, the client firm also relies on the vendor for information about the design and operating effectiveness of the controls. The client firm's auditors must either conduct an evaluation of the vendor's controls or obtain a SAS No. 70 Service Auditor's Report¹ from the vendor (assuming the system is audited). In turn, this assumes the vendor organization provides such information, which is not always the case, particularly when outsourcing is offshore. Obtaining and disseminating internal control information in compliance with SOX can turn into an expensive and frustrating exercise for all parties involved in an outsourcing arrangement.
The oversight and internal control problems discussed earlier can affect the accuracy of financial reports. For example, failure to uncover significant breaches of information security implies that a firm will not adequately disclose them or their financial implications to investors. In addition to such indirect effects, large-scale IT outsourcing directly raises numerous challenges for financial reporting:
Off-balance sheet financing. Under typical contract agreements, firms sell IT assets to vendors in exchange for significant, up-front cash payments. Firms can then use the cash received to eliminate debt associated with the transferred IT assets. Not surprisingly, large-scale IT outsourcing customers report higher debt than their competitors prior to the decision to outsource. Furthermore, the removal of assets from firm balance sheets improves common profitability measures, including return on assets.
While debt elimination may seem ideal, the effect is superficial, since client firms must borrow back their own equipment and pay interest in the form of high future lease and service payments to the vendor. Hence, debt reduction through large-scale IT outsourcing clearly fits the definition of an "off-balance-sheet" transaction that firms must now disclose under SOX. Given that SOX does not specifically identify "IT outsourcing" as a reportable transaction, and the exact definition of "disclose" is still evolving within the accounting profession, executives may be tempted to obscure the illusory nature of balance sheet improvements so financial markets will respond favorably to them. The ability to hide these effects is enhanced by the fact that IT outsourcing has a legitimate business purpose. This purpose is in contrast to many of the off-balance-sheet transactions at Enron and other firms that were more clearly manipulative, given that they served no obvious business function.
Large-scale IT outsourcing contracts also can yield deceptive short-term increases in reported profitability. Indeed, IT vendors understand the financial pressure faced by top executives and use financial incentives to attract clients. For instance, vendors commonly charge less for services in early contract years in return for charging significantly more in later years. Typical contracts thus allow management of client firms to trade higher short-term reported profits for reduced future reported profits. Even contracts that charge the same amount each year can have a profit-shifting effect, since the per-unit cost of providing many IT services decreases over time. Amplifying this short-term profitability effect, the sale of an IT department to an outsourcing vendor likely will result in a significant accounting gain, since the sales price for IT assets generally exceeds conservative accounting book values.
While such arrangements are legal and potentially serve important client needs, they can also cloud financial reports. For example, by reporting additional accounting profits as "operating income," management can create the misleading public perception that firm performance has improved. Investors, who commonly use current profits to predict future profits, might assume that the profit increases are expected to persist. While such reporting activities are misleading and run afoul of the spirit of SOX, they do not technically violate any accounting standard and thus are difficult to deter. Indeed, firms desperate to meet earnings targets or avoid reporting losses may find IT outsourcing more attractive than ever, since alternative methods for manipulating reported earnings are less feasible in the post-Enron, post-SOX environment to the extent they are not backed by substantive transactions.
SOX also increases pressure on firms to provide full disclosure of significant financial risks. Large-scale IT outsourcing raises many such risks, some of which could ultimately result in firm failure. These risks are difficult to understand and assess, and firms likely will continue to leave them undisclosed.
Protecting investors is the main SOX goal. Large-scale IT outsourcing can, however, run contrary to it by reducing oversight, weakening internal controls, and reducing the accuracy and clarity of financial reports. In addition, large-scale IT outsourcing involves significant strategic business risks for client organizations (such as vendor exploitation, the potential loss of strategic advantage, and vendor failure to perform).
The executive interviews conducted by The Economist revealed that several U.S. firms have signed substantial IT outsourcing contracts as a short-term solution to SOX (and similar regulations outside the U.S.), expecting to reestablish in-house IT governance as compliance becomes more routine. However, backsourcing can be problematic, especially when a firm transfers highly customized IT equipment, personnel, or functions to outsourcing vendors. In such cases, the firm may be unable to quickly replace the unique resources and thus may become completely dependent upon its vendors. Vendors can then exploit this dependency by raising service rates to exorbitant levels. Furthermore, as the client's IT needs develop over time beyond the original contract terms, vendors can negotiate incremental services at a premium. Dependency can increase over time, threatening the client firm's long-term operational flexibility, agility, and competitiveness.
While such concerns have always existed, SOX greatly exacerbates the potential for client dependency on outsourcing vendors. First, by creating a shortage of qualified personnel, SOX has decreased the feasibility of reestablishing in-house IT governance. Furthermore, the transfer of critical, unique IT functions to in-house departments or alternate vendors almost certainly involves substantial transition pains, as employees gain experience and system flaws are discovered and corrected. In one reported case involving the Montreal Urban Community, the organization's IT functions were "paralyzed" for two months during the transition from one outsourcing vendor to another outsourcing vendor. Due to the annual internal control certifications now required by SOX, firms no longer have room for such failure, given that negative auditor opinions are likely to have dramatic repercussions in the financial markets.
Perhaps most important are the strategic implications of SOX for IT outsourcing. All public companies must incorporate SOX compliance into their business strategies. Indeed, successful compliance is a key competitive differentiator for business entities. This strategic goal may, however, conflict with a firm's previous and future strategic decisions involving large-scale IT outsourcing.
The need for congruence between a firm's business strategy and its IT strategy is a widely held IS precept. Misalignment results in decreased business performance. To promote congruence, firms must develop business and IT strategies concurrently, rather than try to link separately developed strategies after the fact. Proactive strategic congruence necessitates a close working relationship between corporate and IT management. The business knowledge of IT executives is particularly important for achieving strategic congruence.
Isolating IT planning from business planning is a natural consequence of large-scale IT outsourcing, since it involves the transfer of the client organization's top IT management to the vendor. Important IT decisions will necessarily be made off-site by vendors that may not fully understand their clients' businesses. In such cases, research suggests that several areas of core business knowledge are at risk of misinterpretation and misalignment, including development and program change activities over esoteric mission-critical systems. By definition, such systems contribute to the profitability of the organization and directly or indirectly affect financial reporting. Controls over both the systems and the processes through which they are developed and maintained are SOX-compliance imperatives specifically addressed by Auditing Standard No. 2 of the Public Company Accounting Oversight Board established as part of SOX, as outlined in the sidebar.
These and other essential control procedures need to be designed, implemented, and assessed in close collaboration with the people developing business strategy. However, large-scale IT outsourcing impedes such collaboration. Moreover, conflicts can arise between a client's competitive needs and a vendor's incentive to minimize costs. For instance, rather than tailoring solutions to the specific strategic objectives of the individual client, the outsourcing vendor may tend toward a one-size-fits-all strategy for its many competing client organizations.
Finally, we note that an outsourcing client's competitive success depends on the vendor's ability to perform. Electronic Data Systems Corp. (EDS) has demonstrated the potential for vendor failures to have drastic, perhaps unforeseeable, financial repercussions. EDS has struggled due to a variety of factors, including its own financial reporting failures and the bankruptcies of two of its largest customers, WorldCom and US Airways. In order to cut costs, EDS terminated 7,000 employees, which affected its ability to serve its clients. Following an 11-year low in share prices in 2002, EDS stockholders filed a class-action lawsuit against the company. Vendors experiencing such serious financial and legal problems clearly threaten the viability of their strategic partners, as well as their ability to maintain internal controls and completely and accurately present financial information.
Given their importance, large-scale IT outsourcing decisions themselves should be a matter of corporate governance and subject to internal audit and board-of-directors oversight. Due to the risks we've described here, IT outsourcing should not be a default response to SOX. To the extent that many large-scale IT contracts are irreversible and the full implications of SOX are still uncertain, we recommend that firms maintain IT assets in-house until they are certain that the outsourcing response is appropriate. Similarly, preexisting IT outsourcing contracts may no longer be optimal in light of SOX and thus should be reevaluated.
Establishing enhanced internal control and the means to perform frequent assessments are challenges IT departments may not be equipped to handle in the short term. However, top management must realize that vendors with the same desperate need for qualified personnel are also struggling to meet the demands of SOX. For many firms that view SOX as a threat, SOX is indeed also an opportunity to invest in their own IT departments, ensuring they have the necessary strategic IT assets in-house to compete effectively in the marketplace.
3. BusinessWire. Opsware wins Sallie Mae contract for IT automation: Fortune 500 provider of educational funding to use Opsware automation software to increase IT efficiency and enable compliance (Apr. 13, 2005).
6. Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. Tenth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute, San Francisco, 2005; www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml.
7. Hall, J. and Liedtka, S. Financial performance, CEO compensation, and large-scale information technology outsourcing decisions. Journal of Management Information Systems 22, 1 (Summer 2005), 193-221.
12. Vitale, M., Ives, B., and Beath, C. Linking information technology and corporate strategy: An organizational view. In Proceedings of the Seventh International Conference on Information Systems (Atlanta, Dec. 15-17). ACM Press, New York, 1986, 265-276.
¹ A SAS 70 audit is an in-depth audit (conducted by an independent accounting and auditing firm) of a vendor's control activities and generally includes controls over information technology and related processes.
Contributing to this article were Parveen Gupta, Jeanne Liedtka, and Stephen Tompkins of Lehigh University and Stan Lepeak of EquaTerra.
©2007 ACM 0001-0782/07/0300 $5.00
The Digital Library is published by the Association for Computing Machinery. Copyright © 2007 ACM, Inc.