The Third Wave: The Tsunami Effect of Sarbanes-Oxley
Kelly Frey MS, JD
June 6, 2006
Sections 302 and 404 of SOX set forth the requirements for senior management of public companies in the U.S. to attest to their organizations' internal controls (including the integrity of their financial information). However, these specific legislative mandates are merely reflective of a general requirement for internal controls to provide reasonable assurance regarding (i) the effectiveness and efficiency of operations, (ii) the reliability of financial reporting and (iii) compliance with applicable laws and regulations.4
While a SOX-regulated company can implement its own internal controls, such internal control systems are insufficient if non-regulated trading partners have access to either the regulated company’s automated systems or premises, or are performing core functions that are auditable under SOX.
For example, a key component of maintaining the integrity of information is an organization's information technology security controls. Such controls can be expressed within frameworks such as the Control Objectives for Information and Related Technology (“COBIT”), used in conjunction with internal control frameworks of major auditing associations.5 The common aim of all such frameworks is to provide a practical toolset that allows managers to bridge the gap between internal control requirements, technical issues, and business risks. However, non-regulated companies have not traditionally focused on such toolsets, viewing these control functions more as a cost element than a leveragable component for revenue generation.
In an attempt to provide some objective compliance standards consistent with their own internal controls, SOX-regulated companies have begun to include within their trading partner contracts objective standards for trading partner information security control. The most visible of such standards is a requirement by SOX-regulated companies that their trading partners commit to a SAS 70 Type II audit.6 Such audits are not prescriptive with respect to the exact control systems that the trading partner must utilize; however, such audits assure compliance with the SOX-regulated company’s external financial audit requirements (the result of a Type II audit being a certification that sufficient trading partner control systems are in place and have been independently tested). Most recently, requirements for ISO 17799 certification7 have also begun to appear in regulated-industry agreements with trading partners, the reference to ISO being an attempt to bridge the gap between the customized trading partner solutions certifiable through a SAS 70 audit and a single, standard reference point for the wide range of controls needed for most situations where information technology is used in SOX-regulated industry, commerce, and communication.
Similarly, when core functions such as initiating transactions that would typically be auditable within a SOX-regulated company are outsourced, the same audit standards required for internal control may be required through contract with the non-regulated trading partner. Many times such standards are articulated in a contract with a non-regulated trading partner by reference to common standards that are generally applicable to the type of transaction being outsourced (for example, a reference in the trading partner contract to an affirmative contract obligation for the trading partner to comply with the Payment Card Industry (“PCI”) Data Security Standard regarding the protection of credit and debit card information).8 However, some regulated industries may articulate such standards with reference to their own unique regulatory schema (such as a financial services company requiring a trading partner, by contract, to conform to the BITS Framework for Managing Technology Risk for IT Service Provider Relationships).9 In some instances, such industry-specific requirements may be the appropriate compliance framework. However, in most instances, the type of goods/services provided by trading partners are not the type of transactions encompassed within the schema required by contract (for example, BITS compliance may not be the appropriate compliance standard where the trading partner is simply providing software and customization services to a financial services company, rather than actually processing financial transactions). In such cases, the responsibility rests with the trading partner to describe, succinctly and convincingly, why (or which portions of) the specific regulatory framework included within the contract is (are) not applicable.
Many trading partners view such intrusive compliance, audit and oversight requirements as over-reaching by their SOX-regulated customers. After some initial disbelief and reticence, however, savvy trading partners are now using their compliance strategies as a competitive advantage – building compliance into their product and service offerings.
One small, but significant compliance element being adopted by trading partners to SOX-regulated companies relates to contract compliance (one of the material events reportable under Section 404 of SOX). For example, termination of contract with a trading partner, whether through inadvertence or the passage of time, can become a critical reporting factor to a SOX-regulated company. To avoid issues with respect to such terminations, trading partners are implementing significant “ever-green” and “business continuity” provisions within their contracts. These provisions either provide for (i) automatic continuation of the contractual relationship with the regulated entity, unless notice is given of termination, or (ii) continuation of contract services for a defined period after contract termination (such that there would be sufficient time for the regulated entity to obtain alternative contract services, without degrading the regulated entity’s operations). Such provisions not only support compliance requirements for the SOX-regulated company, but also support continuity of the basic business relationship between the trading partner and the SOX-regulated company (that can produce substantial long-term economic benefits for the trading partner).
Similarly, trading partners to financial services companies that are contractually requiring BITS-level compliance are addressing such regulated companies’ demand for background checks and drug-testing by segregating their employee populations into “conforming” and “non-conforming” subsets. The conforming subsets of trading partner employees can then be either (i) priced at a premium (to account for the increased cost of compliance) or (ii) used as a value-add or a critical distinguishing factor during responses to requests for trading partner proposals. Other trading partners are explicitly articulating their own PCI-level merchant credit card processing as a distinctive component of any outsourcing arrangement with a regulated customer (thereby affirmatively assuming, by contract, a regulated customer standard without substantially increasing the compliance expense beyond the internal control requirements of the trading partner).
The net effect of incorporating affirmative SOX compliance requirements into contracts with trading partners has been a gradual intrusion of regulations that were never designed for non-regulated trading partners into the normal business relationships between SOX-regulated companies and their non-regulated trading partners (along with the coincidental costs of such compliance). While such trading partners may not be subject to the same direct Securities and Exchange Commission reporting or PCAOB audit requirements as SOX-regulated companies, the intrusion of SOX-related compliance requirements by contract has created a business environment in which (i) non-regulated trading partners must tacitly comply with SOX (or at least those elements most critical for their relationship with their SOX-regulated customers) and (ii) SOX-compliant companies may have inadvertently, by contract, taken on an oversight responsibility for their trading partners that such regulated companies have traditionally reserved for their outside auditors. Eventually, such migration of compliance to non-regulated trading partners may provide the same type of leverage and economies to affected trading partners as SOX-regulated entities have experienced over the last two years. However, until such economies are clearly visible within the trading partner community, the battle over the inclusion, and wording, of compliance requirements in trading partner contracts with SOX-regulated companies will continue.
This article first appeared in Financier Worldwide magazine’s May 2006 issue. ©2006 Financier Worldwide Ltd.

Notes

1. Pub. L. 107-204, 116 Stat. 746 (July 30, 2002).
2. The implementing audit regulations for SOX are issued through entities such as the Public Company Accounting Oversight Board ("PCAOB"). See http://www.pcaobus.org.
3. Stephen Wagner & Lee Dittmar, The Unexpected Benefits of Sarbanes-Oxley, 84 Harvard Business Review 4, page 133 (April 2006).
4. See the Internal Control Framework of the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), at http://www.coso.org.
5. COBIT is a framework from the Information Systems Audit and Control Association, used in conjunction with the COSO Internal Control framework. See www.isaca.org.
6. Describing the trading partner's controls at a specific point in time and including a detailed testing of the trading partner’s controls over a minimum six-month period. See www.sas70.com.
7. See http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html.
8. The PCI standard may be accessed at http://www.visa.com.
9. See http://www.bitsinfo.org. This standard is derived through an affiliate of the Financial Services Roundtable, a non-profit consortium of 100 of the largest financial services institutions in the U.S. See http://www.fsround.org.