United States: The Impact of Regulatory Compliance Mandates on Business Process and IT Outsourcing

Last Updated: September 5 2005
Article by Stan Lepeak

Regulatory compliance mandates are becoming increasingly pervasive and onerous in western countries (see Figure 1). They have become a driving force in influencing affected organizations investments, areas of attention and activity, and in extreme cases strategic direction (i.e., going private in an attempt to avoid regulatory mandates). Business process regulation has become a new an uglier "BPR".

An affected large company, for example, could easily have total direct and indirect costs for Sarbanes-Oxley (SOX) compliance in excess of $10M annually. AMR Research estimates that affected organizations worldwide will spend $6B+ on SOX related activities in 2005, not counting actual audit fees, and will spend $80B+ over the next five years on compliance as a whole. On top of these costs, it is not uncommon for organizations to experience a doubling in the fees they pay their external auditors. And these numbers do not take into account the opportunity cost of compliance and the distraction it creates from other critical activities.

Figure 1 – Major Regulatory Mandates

DoD 5015.2, UK PRO: National standards on records management in the US and UK.

  • EU95/46, EU02/58: European Union privacy legislation.
  • Gramm-Leach Bliley Act (GLBA): Privacy of financial information.
  • Health Insurance Portability and Accountability Act (HIPAA): Privacy of patient information and healthcare records.
  • National Association of Security Dealers/NASD 3110: Written policies and procedures for review of correspondence with the public.
  • New Basel Capital Accord (Basel II): Capital assessment and reporting standards for global banking.
  • Sarbanes-Oxley Act: fiscal accountability and control environment integrity; various Europe versions are in place on a country by country basis.
  • SEC Rules 17a-3, 17a-4: Securities related records retention.
  • USA PATRIOT Act: Various anti-terrorism, surveillance and anti-money laundering dictates.

While organizations can debate the collective merit of these regulations, most are here to stay. While some, for example SOX, could potentially be scaled back – somewhat - the overall regulatory environment is not going to loosen significantly in the near term. Affected organizations must address these regulations as efficiently and effectively as possible.

Even more importantly, organizations must determine how to leverage the investments they are making to meet regulatory demands into gaining greater competitive gain. This could mean, for example, leveraging the greater visibility and transparency into financial processes that SOX investments deliver to focus more on financial analysis vs. transaction processing. Or a bank could become more aggressive with is loan policies based on insights into its risk profile derived from Basel II calculations. In this way, compliance investments also enable process and performance improvements efforts and are not just sunk cost of doing business.

One area where regulatory mandates are already having a major impact is around IT and business process outsourcing (ITO/BPO). Regulations, particularly SOX and various privacy regulations, complicate the outsourcing process. In the short term this has slowed and curtailed deals, particular finance and accounting BPO. Longer term, however, compliance requirements and burdens will drive more outsourcing as organizations seek third party support to better manage compliance costs and requirements.

The major problem relative to outsourcer and SOX is that while U.S. regulators (e.g., SEC, PCAOB/Public Company Accounting Oversight Board) have clarified that SOX requirements apply equally and as stringently to outsourced functions processes and well as those maintained internally, they have not clarified what organizations must to do show compliance. It is typically a case of – "it depends":

  • what has been outsourced,
  • where is the outsourcing being performed
  • what are the existing control environments
  • how affected are the involved processes by SOX stipulations.

This is not surprising given that SOX is a concept, not a rules, based regulation. Just as there is no standard checklist for overall SOX compliance, there are no exact guidance for how to address outsourced processes. While precedence and defined best practices will develop over time, organizations are struggling to initially define a SOX strategy and process to support outsourcing.

The result is that organizations are taking widely divergent approach to applying compliance requirements against outsourced processes and engagements. For example, two separate META Group studies conducted in 2004 found that nearly 25% of organizations were ignoring outsourced functions and processes in first year SOX efforts, a recipe for potential audit failures. Other organizations are much more aggressive.

One common misperception in the market is that existing outsourcing audit mechanisms, primarily the SAS 70 audit (see Figure 2), are always adequate for SOX compliance. The reality is that even a SAS 70 Type 2 audit may not prove enough for SOX in all cases. The SAS 70 standard was developed long before SOX regulations existed and was not designed to focus on the type of controls that SOX addresses. In addition, there have been no requirements for users to request an SAS 70 audit, and many have not. Also, one SAS 70 audit that historically could suffice for multiple clients of an outsourcer also may not be enough for SOX compliance.

The result is that there are more cases where aggressive/thorough clients are demanding additional controls and documentation beyond an SAS 70 Type 2 audit to enable what they estimate is "good enough" SOX compliance. In some cases, however, SAS 70 Type II audits are enough – it depends.

Figure 2 – SAS 70 and SOX Compliance

SAS (Statement on Auditing Standards) 70 is an international auditing standard developed by the American Institute of Certified Public Accountants for service organizations. An SAS 70 audit is the means through which an auditor examines a service organization’s or outsourcer’s control activities, particularly around IT and related processes. SAS 70 is based on SAS 55, "Consideration of Internal Control in a Financial Statement Audit," and on the COSO framework. There are Type 1 and Type 2 audits. Type 1 is a point-in-time/snapshot audit that focuses on general and application controls but does not include testing by auditors. A Type 2 audit occurs over a period of time (e.g., 6-12 months), focusing on general and operational controls during a life cycle, with auditors typically performing actual testing. A Type 2 is obviously more expensive as well as burdensome for the outsourcer. Only a CPA firm can perform an SAS 70 audit, and the Big Four audit firms, as well as the specialist firm SAS 70 Solutions (formerly part of Andersen), perform the bulk of the audits for G2000 organizations.

An added challenge organizations, particular finance and accounting operations, face with compliance requirements is that they are occurring in an era of aggressive and ongoing cost cutting. The goal of many organizations is to reduce F&A expenses to less than 1% of overall revenue. This goal is challenged by compliance requirements. A recent EquaTerra study found that improving the controls environment was the number one goal for organizations pursuing F&A transformation efforts. The number one goal in pursuing F&A BPO was cost reduction. While reducing costs and improving compliance and control capabilities may seem at odds, they are not if an organization can undertake BPO successfully.

BPO can help address an organization’s compliance needs in several ways.

  • Outsourcers may possess more efficient processes that require less controls and hence have a lower compliance costs.
  • Processes that have more automated and less manual controls are easier and cheaper to manage from a compliance standpoint.
  • Outsourcing service providers can perform much of the compliance legwork (e.g., control’s testing, documentation) and spread the cost of the resources to perform that work over multiple clients
  • Outsourcers with "best practice" process model can possess stronger embedded process controls.
  • Outsourcers can dedicate more compliance expertise & experience against controls management and optimization and spread those costs across multiple clients.
  • Outsourcers can gain more experience and capabilities with standardized (i.e., SAS 70) reporting.

Most outsourcers, however, are still struggling to get their compliance capabilities adequately in place along the lines defined above. Long term compliance efficiency and effectiveness will become a factor to help define BPO market leaders and will drive market consolidation. Organizations considering BPO or in existing arrangements must thoroughly vet their outsourcer’s compliance capabilities.

The following is a sample (and far from exhaustive) compliance checklist for organizations to use as a starting point in assessing compliance readiness and requirements in an outsourcing situation.

  • Compliance organization and internal audit represented on the buyer sourcing team
  • Corporate governance and risk management frameworks employed address and account for outsourcing requirements
  • Ownership assigned to address outsourcing governance and relationship management
  • Short-listed service provider’s Sarbanes capabilities and position understood
  • Service provider’s operations undergone SAS 70 audits
  • Geographic locations of potential service delivery centers known and compliance implications understood
  • Who covers the cost associated with compliance testing and SAS 70 audits agreed upon
  • Proposed contract calls out means to review, assess and account for future changes in the regulatory environment

Organizations must always remember, though, that they are ultimately liable for compliance requirements. This does not mean when the inevitable compliance meltdown involving outsourced processes occurs that the outsourcer won’t find itself in court. Organizations, however, must focus on the segmentation of compliance duties with an outsourcer to ensure they maintain ultimate control. This collaborative effort could divide the responsibilities along the following lines.

  • Document controls


Service Provider

  • Test controls and review control designs


Client/Service Provider

  • Design controls testing program


Client/Service Provider

  • Sign-off on controls testing results



  • Suggest process improvement to improve compliance


Service Provider

  • Approve process improvements



  • Define compliance, F&A policies & procedures



  • Define/own/manage risk assessment processes



  • Review/interpret responses to audit qualifications



  • Assist in performing remediation for audit qualifications


Service Provider


Ultimately, successful BPO efforts can become a strong tool for organizations to improve compliance efforts efficiency and effectiveness. Outsourcing has the potential to improve the overall control’s environment and make compliance more sustainable. Most importantly, organizations can work with qualified outsourcer to leverage compliance investments for greater competitive gain. The process to marry compliance and outsourcing best practices is not an easy one, but one that it worth the effort.

About Stan Lepeak

Mr. Lepeak is a Managing Director at EquaTerra, the outsourcing and insourcing advisory firm. He leads EquaTerra’s EQuation Research, Training and Education practice area focused on global Information Technology and Business Process Outsourcing. He has followed the business and IT services and IT marketplaces for more than 15 years. He is a noted commentator and frequent speaker on business and IT professional services, business process outsourcing and transformation, organizational change, risk management, compliance, and underlying supporting technologies. Mr. Lepeak was also a Vice President and Research Lead at the META Group, a market research and advisory services firm. He led coverage of the business and IT services marketplaces and compliance research practice area, as was also Vice President of the Electronic Business Strategies service. He was also an executive at Elance, an enterprise software firm developing enterprise applications for sourcing and managing business and IT services, and Senior Vice President and Chief Research Officer at Ajunto, an IT software, services, and research firm. Mr. Lepeak has held various management positions in finance & accounting, operations and IT across several industries. He holds a degree from the University of Michigan.

About EquaTerra

EquaTerra is focused solely on providing global corporations with outsourcing and insourcing advisory, research and governance services that enable them to achieve service delivery excellence for their SG&A processes. EquaTerra's advisors average more than 20 years of industry, service provider and process experience with functional leadership in Finance & Accounting, Human Resources, Information Technology and Procurement. Our advisors have been involved in over 600 global business transformation, outsourcing and outsourcing governance projects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.