A number of U.S. companies may postpone efforts to outsource business and IT processes because of uncertainty about the impact of Sarbanes-Oxley (SOX) on third-party relationships, according to META Group.

"Outsourced organizations will be held just as accountable for SOX compliance as those managed internally, but regulators have not yet clarified how outsourcers will be required to demonstrate compliance," said Stan Lepeak, vice president with Professional Services Strategies at META Group. "Companies negotiating business and IT outsourcing deals must consider the impact SOX can have on these arrangements and plan accordingly, and in some cases it may make more sense to wait."

A recent survey conducted by META Group of more than 200 business and IT managers and executives demonstrates that most are perplexed about the implications of SOX compliance on their outsourcing initiatives. About 40 percent said they either did not expect to address outsourcing processes or are not addressing them at all. In addition, more than 20 percent said they had already certified SOX compliance for outsourced processes, which is impossible considering regulators have not yet defined how to certify them.

"Business and IT managers are very confused about whether to proceed with outsourcing plans, and those that do plan to move forward should do so with caution," said Lepeak. "Given the comprehensive nature of these regulations, there is no one-stop solution for SOX compliance. This becomes even more pronounced in an outsourced situation where processes are far removed from those tasked with compliance oversight and when regulators have yet to finalize guidelines."

META Group research finds that many organizations assume a Type I or Type II SAS 70 Audit will suffice for SOX compliance for outsourced processes. However, regulators have not clarified this point, and many organizations are unable to obtain a basic Type I audit from their outsourcers.

META Group is working closely with numerous leading IT organizations to provide actionable recommendations about outsourcing initiatives and SOX compliance. For companies seeking to ensure regulatory compliance among internal and external programs as quickly as possible, these recommendations include gaining consensus among auditors, relevant business and IT units, executives, and board members on what constitutes an adequate controls assessment for outsourced processes until regulators provide clarification.


 
