“Meeting today’s challenges of service organizations” by Rossana A. Fajardo (January 25, 2010)
SUITS THE C-SUITE By Rossana A. Fajardo
Business World (01/25/2010)
The Philippine business process outsourcing (BPO) industry has seen considerable growth in recent years despite the financial crisis. Oscar Sanez, president and chief executive of the Business Processing Association of the Philippines, commented that while the industry’s growth forecast was adjusted downward to 20%-30% from 26%-30%, he expects that the country will be back to its 26% growth rate by 2011, and hit the $12-billion revenue mark in the same year (from “Philippines BPO Industry Expects Slower Growth in 2009” by Cris Larano at www.nasdaq.com). To help achieve this growth, local service organizations or BPO players must prepare to meet the growing demands of global clients.
One of these demands is compliance with the international standards on Service Organization Reporting (SOR). For many local BPO players, this means having a Statement on Auditing Standards No. 70, Service Organizations (SAS 70) report for its customers, and their auditors.
Issued in April 1992, SAS 70 has served the needs of service organizations (SO), user (customer) entities, and user auditors to report on the effectiveness of SOs internal controls over financial reporting. However, globalization and regulatory changes have prompted the proposal of two new standards that seek to supersede SAS 70.
First is the International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, issued by the International Auditing and Assurance Standards Board (IAASB) and approved last Dec. 18, 2009. This is required on or after June 15, 2011, with early adoption permitted. Second is the Statement on Standards for Attestation Engagements (SSAE), Reporting on Controls at a Service Organization, issued by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. It is substantially similar to ISAE 3402, and would supersede SAS 70. The AICPA Auditing Standards Board is expected to approve the SSAE this month.
While similar to SAS 70, the two standards will require changes to SOs’ reporting processes and reports. To determine the impact of these standards and know how best to plan for and implement them, SOs need to understand the following:
»Reasons for the new standards. SAS 70 has worked well for many years but may no longer be sufficient for user entities. BPOs have grown from being regional shared SOs for specific industries, to multinational and local organizations serving a mixture of local, regional and international organizations from different industries.
In addition, while SAS 70 is used globally, it is a US standard. Consequently, current reports may not respond to the needs of users and their auditors outside the US.
Moreover, due to the increasing emphasis of financial statement users on internal controls over reporting, these stakeholders now need a report from and by the SO describing its internal control. This increases the importance of management’s description of its systems. The independent auditor’s opinion remains critical, but its role is to be a provider of assurance and is not the entity responsible for communication.
Changes to SO responsibilities under the new standards:
— Preparing and presenting a complete and accurate description of the SO’s system as designed and implemented. System includes procedures, people, software, data and infrastructure organized to achieve a specific objective.
— Identifying risks that threaten the achievement of the control objectives. Already considered in an SAS 70 report but the new standards shift the responsibility from the service auditor to the SO.
— Providing a written assertion to accompany the description as to the completeness and accuracy of the information provided, and stating the criteria used as a basis for making the assertion. The new standards require SOs to communicate management’s responsibility in describing the system and assert to the achievement of the evaluation criteria used by the service auditor to provide its opinion. There is no such requirement under SAS 70.
»Changes to service auditor responsibilities under the new standards. One notable change is the required disclosure of the test performed by Internal Audit and the procedures to test that work.
»Impact on reports with inclusive subservice organizations. If an SO wishes to include a description of a subservice organization’s role and controls, the subservice organization must prepare a management assertion report similar to that prepared by SOs management.
In general, the most urgent challenge for SOs is to address early on the following items:
»Determine the preliminary implementation date for the adoption of the new standards. For early adoption, consider whether non-US user entities have a preference for reports issued under the international standard; market benefits for early adoption; or benefits for waiting until the required adoption date.
»Determine whether subservice organizations will be treated under the inclusive or exclusive method. Determine if all your subservice organizations have been identified; and if they have existing SAS 70 reports or are willing to provide one to your customers.
»Address the change with your customers. Your sales and client service personnel should understand the change and its impact on your clients. Consult your legal counsel for any required changes in standard contracts, and assess their impact on existing contracts.
»Review your system description, and identify any necessary changes. Identify the criteria to be used in evaluating your systems, current reports and identify required changes.
»Identify assertions regarding suitability of design and operating effectiveness. Your control objectives should focus only on aspects of your services that can affect your clients’ financial statement assertions and Management should assert that the controls addressing the control objectives are operating effectively.
»Develop a project plan. Like any significant project, proper project management is a key enabler in implementing the new standards.
Once these challenges are addressed, your organization can be well-prepared to implement the new standards, and serve your clients with minimal disruption. At the same time, you can control the costs of adoption by understanding the standards’ requirements and preparing for their adoption.
(Rossana A. Fajardo is a partner of SGV & Co.)
This article was originally published in the BusinessWorld newspaper. It is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.