META Group: Regulatory Compliance Issues Impede Outsourcing

Survey shows Sarbanes-Oxley requirements remain a wild card for outsourcers

Stamford, CN — May 25, 2004 — A number of U.S. companies may postpone efforts to outsource business and information technology (IT) processes because of uncertainty about the impact of Sarbanes-Oxley (SOX) on third-party relationships, according to the research and advisory firm META Group.

"Outsourced organizations will be held just as accountable for SOX compliance as those managed internally, but regulators have not yet clarified how outsourcers will be required to demonstrate compliance," said Stan Lepeak, vice president with Professional Services Strategies at META Group. "Companies negotiating business and IT outsourcing deals must consider the impact SOX can have on these arrangements and plan accordingly, and in some cases it may make more sense to wait."

A recent survey conducted by META Group of more than 200 business and IT managers and executives demonstrated that most are perplexed about the implications of SOX compliance on their outsourcing initiatives. About 40 percent said they either did not expect to address outsourcing processes or are not addressing them at all. In addition, more than 20 percent said they had already certified SOX compliance for outsourced processes, which is impossible considering regulators have not yet defined how to certify them.

"Business and IT managers are very confused about whether to proceed with outsourcing plans, and those that do plan to move forward should do so with caution," said Lepeak. "Given the comprehensive nature of these regulations, there is no one-stop solution for SOX compliance. This becomes even more pronounced in an outsourced situation where processes are far removed from those tasked with compliance oversight and when regulators have yet to finalize guidelines."

META Group research found that many organizations assume a Type I or Type II SAS 70 Audit will suffice for SOX compliance for outsourced processes. However, regulators have not clarified this point, and many organizations are unable to obtain a basic Type I audit from their outsourcers.

META Group said it is working closely with numerous IT organizations to provide actionable recommendations about outsourcing initiatives and SOX compliance. For companies seeking to ensure regulatory compliance among internal and external programs as quickly as possible, these recommendations include gaining consensus among auditors, relevant business and IT units, executives and board members on what constitutes an adequate controls assessment for outsourced processes until regulators provide clarification.