Corporate and external IT auditors in the US are increasingly concerned about the ability of IT outsourcing suppliers to document the internal controls they have in place to support their clients' regulatory compliance efforts.
Ken Vander Wal, a partner in the technology security and risk services practice at Ernst & Young in Chicago, noted that the Public Company Accounting Oversight Board issued a statement last month saying that the use of service providers does not reduce the responsibility of corporate executives for maintaining effective internal controls.
Many IT services firms annually send their clients what are known as SAS 70 reports describing the accounting, IT and other controls they have put in place. However, not all suppliers produce the documents, and some of the reports are not detailed enough or are delivered too late to be included in year-end financial reports, said Vander Wal.
An IT auditor who works at a Midwestern bank and requested anonymity said he discovered as part of auditing work related to Sarbanes-Oxley that the bank has contracts with multiple application service providers that do not provide SAS 70 reports or other measures of their internal controls. "This could be a big problem as we get closer to our compliance deadlines," he said.
"Not all service organisations have a SAS 70. If not, chances are they don't have the controls that you need," said Paul Zonneveld, who works as a senior manager at Deloitte & Touche's enterprise risk services practice.
Jose L Carrera, enterprise risk management service practice leader at Singer Lewak Greenbaum & Goldstein, said one of the Los Angeles-based accounting firm's clients recently learned that it had outsourced software development to an offshore company that did not have any IT testing or revision controls.
SAS 70 reports generated by outsourcing suppliers may also omit information about the controls that their subcontractors have in place, Vander Wal warned.
Thomas Hoffman writes for Computerworld