Full Text

Presumably, what happened in Satyam was a failure of internal controls. That raises the question about whether its SAS 70 reports can be relied on by customers.

– Compliance Week, October, 2009.

1. Introduction

Even though offshoring[1] of business processes has existed for many decades, it has increased substantially during the past decade. According to the Computer Economics report (2014/2015), the median spending on outsourcing in the information technology (IT) budgets of large, medium and small organizations is 7.4, 6.1 and 4.6 per cent, respectively. Forrester Research estimates that by 2015, about 3.3 million jobs will be offshored from the USA, and this trend is continuing at an accelerated pace (Subramanian and Sharma, 2008). Increasingly, companies are offshoring any process that can be digitized to decrease costs and focus on core competencies (Friedman, 2007). Blinder (2009) estimates approximately 22 to 29 per cent of all US jobs are potentially offshorable. For example, accounting processes such as billing services, internal auditing, accounting and auditing functions, tax processing, credit and collections, bank reconciliations, pension accounting, activity-based costing and project accounting are all candidates for offshoring. General Electric (GE), Dresdner Bank, British Telecom, Ford, American Express, HSBC, Citibank, BP, Standard Chartered, EXL (part of Conseco) and Hewlett-Packard are some of the Fortune 500 firms that have already offshored their accounting function (Nicholsan and Aman, 2008).

The increasing trend of offshoring accounting processes places challenges on US firms, particularly in reference to maintenance of their internal controls in the post-Sarbanes Oxley Act 2002 (SOX, hereafter) era. Specifically, SOX Sections 302 and 404 mandate that all public companies establish and maintain efficient and effective internal control over financial reporting (ICFR). After SOX became effective, the Public Company Accounting Oversight Board (PCAOB) requires user organizations (henceforth called onshore-client firms, OCFs)[2] that have outsourced key accounting processes (or underlying IT applications/infrastructure) to obtain assurance as to the design and operating effectiveness of the vendors’ ICFR. To satisfy the regulatory requirements, the client is responsible for making sure the business processes have appropriate internal controls, even when the entire process is offshored. Thus, offshore outsourcing does not absolve the auditor’s client from its responsibilities of maintaining effective ICFR. As pointed out by PCAOB:

Rather user management should evaluate controls at the service...