COSO: Internal control a challenge with outsourced providers

by | Feb 18, 2015 | News

The very name “internal control” poses a problem for companies when they deal with outsourced providers. This internal responsibility for external functions has become one of the biggest challenges for companies in the 2013 update of the widely used internal control framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.

Many public companies use the COSO framework as their criteria when attesting to their internal control over financial reporting (ICFR), as required by the Sarbanes-Oxley Act of 2002, P.L. 107-204. And the framework clearly states that management is responsible for the design and operation of its ICFR, including the controls that are outsourced to service providers.

“You’re the CEO and the CFO of the company that’s signing that I have a proper control structure and control environment. You have to feel comfortable that you’ve accepted responsibility for what they’re doing,” said Bill Schneider, CPA, CGMA, director of accounting for AT&T and a member of a panel that advised COSO on the framework update.

“You can’t just say, ‘Well, that was something that Capgemini or Accretive or Accenture did for me, and I don’t have responsibility, it’s their problem.’ You are responsible for it.”

Click here to read the rest of the article from the Journal of Accountancy