Corporate and external IT auditors in the US are growing increasingly concerned about the ability of IT outsourcing suppliers to document the internal controls they have in place to support their clients' regulatory compliance efforts.
Ken Vander Wal, a partner in the technology security and risk services practice at Ernst & Young in Chicago, noted that the Public Company Accounting Oversight Board issued a statement last month saying that the use of service providers does not reduce the responsibility of corporate executives for maintaining effective internal controls.
Many IT services firms annually send their clients what are known as SAS 70 reports describing the accounting, IT and other controls they have put in place. However, not all suppliers produce the documents, and some of the reports are not detailed enough or are delivered too late to be included in year-end financial reports, said Vander Wal.
An IT auditor who works at a Midwestern bank and requested anonymity said he discovered as part of auditing work related to Sarbanes-Oxley that the bank has contracts with multiple application service providers that do not provide SAS 70 reports or other measures of their internal controls. "This could be a big problem as we get closer to our compliance deadlines," he said.
"Not all service organisations have a SAS 70. If not, chances are they don't have the controls that you need," said Paul Zonneveld, who works as a senior manager at Deloitte & Touche's enterprise risk services practice.
Jose L Carrera, enterprise risk management service practice leader at Singer Lewak Greenbaum & Goldstein, said one of the Los Angeles-based accounting firm's clients recently learned that it had outsourced software development to an offshore company that did not have any IT testing or revision controls.
SAS 70 reports generated by outsourcing suppliers also may not include information about the controls that subcontractors have in place, Vander Wal warned.
Thomas Hoffman writes for Computerworld