The Long Tentacles of Compliance

Companies' relationships with their external partners have deep implications for Sarbanes-Oxley compliance. Misinformation is causing confusion about where responsibilities lie.

Until the first round of Section 404 deadlines arrived on Dec. 31 of last year, Sarbanes-Oxley compliance had been a deeply introspective exercise: Public companies' efforts to document, test and -- frequently -- improve the numerous controls surrounding their financial reporting processes generally extended no farther than their own four walls. But the sudden transformation of Statement of Accounting Standard 70 (SAS 70) audits from a nice-to-have exercise to a newsworthy event among outsourcing service firms and hosted application providers shows that compliance is affecting companies' relationships with these external organizations.

Symantec Corp., the Cupertino, Calif.-based information security company, issued a press release in late March heralding the completion of its second annual SAS 70 report. Gelco Information Network, Salesforce.com, Datastream Systems Inc. and a slew of other technology service providers and business process outsourcing companies have issued similar pronouncements since late last year. And Sarbanes-Oxley's influence on companies' key relationships now reaches far beyond service vendors to encompass external auditors, merger-and-acquisition (M&A) targets, alliance partners, industry analysts, and ratings agencies.

Ladies and gentleman, compliance has left the building.

Exactly how companies' relationships with their external partners are, or should be, shaped by Sarbanes-Oxley remains to be seen, but misinformation is obscuring the view. One software provider's SAS 70 press release states that compliance "requires corporations to audit the internal controls of their suppliers, including those that provide hosting service." It doesn't.

Yet many organizations rely on service providers to conduct transactions and processes that may materially affect their financial statements. That's why it pays to understand how Sarbanes-Oxley compliance affects some -- but certainly not all -- external relationships.