In response to Enron, WorldCom, and other corporate accounting scandals, the United States Congress enacted the Sarbanes-Oxley Act of 2002. While the implementing rules are still being promulgated by the Securities and Exchange Commission, this far-reaching legislation is already having an impact on business process outsourcing in general and finance and accounting outsourcing in particular.

The Sarbanes-Oxley Act, as implemented by the Securities and Exchange Commission, imposes new obligations on publicly traded companies that file reports with the SEC under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, including companies domiciled outside the United States. Under the Sarbanes-Oxley Act, the chief executive officer and chief financial officer of each public company must certify under oath that the company’s financial statements fully comply with the requirements of the Securities Exchange Act and that the reported financial information fairly presents, in all material respects, the financial condition and results of the company. In addition, the chief executive officer and chief financial officer must certify that they are responsible for establishing, maintaining, and regularly evaluating the effectiveness of the company’s disclosure controls and procedures; that they have made certain disclosures to the company’s auditors and the audit committee of the board of directors about the company’s internal controls; and that they have included information in the company’s quarterly and annual reports about their evaluation and whether there have been significant changes in the company’s internal controls. Violations of these provisions can subject not only the company, but also the chief executive officer and chief financial officer, to civil and criminal penalties.

Faced with the possibility of civil and criminal penalties, it is hardly surprising that the chief executive officers, chief financial officers, and boards of directors of public companies are proceeding cautiously. In this highly charged environment, some are reluctant to put their fate and the fate of their companies in the hands of third-party providers. Others, however, view business process outsourcing as an opportunity to put their corporate house in order.

In the wake of Sarbanes-Oxley, public companies contemplating business process outsourcing are demanding greater visibility, flexibility, and control. To use an analogy, it is not sufficient for a hand to appear magically from behind a curtain at the end of each reporting period with an envelope containing the company’s latest financial results. Corporate executives must be able to pull back the curtain and satisfy themselves not only as to the accuracy of the reported financial results, but also as to the adequacy of the service provider’s internal controls.

Accordingly, in structuring and negotiating BPO contracts, especially those involving the outsourcing of sophisticated finance and accounting functions, knowledgeable companies are defining in detail: (i) the services, reports, and deliverables for which the service provider will be responsible; (ii) the disclosure controls and procedures, including internal controls, to be implemented and maintained by the provider; (iii) the way in which such controls and procedures fit into the company’s broader disclosure controls and procedures; (iv) the company’s right to control the standards, policies, and procedures employed by the provider; (v) the company’s right to modify such standards, policies, and procedures; (vi) the flow of information to and from the provider; (vii) the audit and inspection rights available to the company; and (viii) the end-to-end service levels (and financial credits) associated with critical functions.

The challenge to BPO providers in general, and finance and accounting BPO providers in particular, is to develop service offerings and service delivery methodologies that facilitate compliance with the Sarbanes-Oxley requirements. To overcome the lingering doubts of prospective customers, providers should not only possess a detailed understanding of such requirements, but also make recommendations as to how to meet them. Too often, however, providers have responded reactively, rather than proactively, to these issues.

Public company management must carefully consider business process outsourcing in the context of the Sarbanes-Oxley Act and subsequent rulemaking. Determining the steps to take in an outsourcing transaction will depend on which business processes are being outsourced and the specific disclosure controls and procedures and internal controls a company chooses to use. In the end, public companies must develop these disclosure controls and procedures and internal controls whether or not they choose to outsource a given function. Outsourcing provides a challenge to the development of these processes but also an opportunity to outsource and further formalize some of these compliance tasks.

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP. and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.