Ambar Singh Roy on the role of consultancy firms in facilitating filers from India to comply with the Sarbanes Oxley Act, 2002.
Ambar Singh Roy
IT IS information technology (IT) on which the global advisory majors PricewaterhouseCoopers, Ernst & Young, et al are leveraging even as they rush to meet the extended deadline, by which time all American and non-American companies listed on the US bourses are required to ensure compliance with the Sarbanes Oxley Act, 2002.
The development assumes significance for India since a large number of Indian companies that are already listed in the US, or those likely to float ADRs, are IT companies.
Besides, compliance with the the Sarbanes Oxley Act becomes all the more important because IT services comprise the largest component of the business that is outsourced to Indian IT companies by US corporations.
While US companies having their financial year closing after November 15, 2004, have to comply with the Act, US companies with turnover below a certain threshold and non-American companies listed on the US bourses, the deadline has been extended to June 30, 2006.
Besides encompassing all business processes and cycles that have an impact on financial reporting, the Sarbanes Oxley Act covers the overall control environment of an organisation. It also aims at establishing a very robust framework of internal controls.
Besides discharging their traditional mandate as auditors, the advisory majors are engaged in providing advisory services with a view to enabling companies to become Sarbanes Oxley (SOX) compliant, especially on the mandatory requirements pertaining to Information Technology General Computer Controls (IT/GCC).
This is in addition to reporting on normal business cycles having financial implications, such as receivables processing, payables processing, general ledger processing, and so on. According to Mr Jaideep Ganguli, Executive Director of PricewaterhouseCoopers Pvt Ltd (PwC), IT/GCC encompasses domains such as logical access, segregation of duties, network security, and so on. Says Mr Ganguli: "A large number of Indian companies that are SEC registrants and are affected by the Sarbanes Oxley Act are IT companies, which include, among others, Infosys, Wipro and Satyam.
Besides, there are several companies who are in the process of floating ADRs.
The big four advisory majors are helping some of these companies to become SOX-compliant". More importantly, several US corporations have outsourced their IT requirements such as application development, maintenance and infrastructure support to third party service providers in India, including leading Indian companies.
"Herein lies the challenge. With their auditors in the US, the internal control environment of the US companies can be SOX-compliant only when the back-office processes outsourced to India have also been covered under the SOX compliance certification process.
Hence the need to put in place appropriate systems by leveraging upon IT," observes Mr Ganguli. This is why IT services outsourced to Indian companies need to be certified under the Statement on Auditing Standards No. 70 (SAS 70).
User auditors in the US, engaged in SOX certification for their US clients, would place reliance on such SAS 70 certificates in respect of outsourced processes.
Says Mr Sunil Chandiramani, Country Leader, Risk & Business Solutions, Ernst & Young India: "We are actively working with companies to identify automated controls within the entire financial reporting process and helping them build robust control processes over these controls so that they can test these controls from an on-going compliance perspective."
According to Mr Chandiramani, Ernst & Young is the "largest provider of SOX compliance assistance" to foreign filers from India, including companies such as ICICI Bank and Infosys.
"Ernst & Young India plays a key role in supporting global companies on on-going Section 302 compliance, by setting up processes and mechanisms based on which they can identify significant changes in the internal control environment and perform on-going test of controls by using appropriate technology tools. We are also providing Indian BPO and ITeS companies with SAS 70 certification, which helps their overseas clients meet SOX requirements", he said.
As such, it is busy times for advisory majors who are deploying IT to the hilt to facilitate companies, especially those in the Indian IT space, comply with the Sarbanes Oxley Act.