The Sarbanes-Oxley Act has been on the books for nearly three years, but the fun is only beginning. As U.S. attorneys begin to prosecute companies—and corporate officers—for noncompliance, well learn a lot more about just what this landmark law is made of, including what impact it will have on outsourcing relationships.
If youve inked an outsourcing deal since the law took effect, youve probably seen contract language that delineates the outsourcers responsibility with regard to ensuring that the client company is in compliance with SarbOx mandates. A client might want the outsourcing provider to take on significant responsibility for the clients compliance, even going so far as to indemnify the client for noncompliance relating to outsourcing. However, such a step is seldom in an outsourcing providers interest.
"Its an ongoing quagmire," said William Bierce, a partner at Bierce & Kenerson, a New York law firm specializing in outsourcing. "The outsourcer becomes a surrogate insurance company if it indemnifies for [SarbOx] compliance."
Although an outsourcer might be tempted to go to that length to get or keep a customer, doing so might create a material risk for the outsourcer—which should raise a red flag for company officers, board members and stockholders. "Its not prudent for them [service providers] to assume too much liability—it could lead to catastrophic loss," Bierce warned.
While a customer might think it smart to extract that kind of commitment from an outsourcer, it will probably come at a price. "In getting the indemnity, the enterprise customer has to worry about losing some flexibility in its business model," said Bierce. If the client has to change its business model, both parties have to agree on the impact of the change on the covenant that applies to SarbOx, the attorney said.
Further, leaning too much on the outsourcer might create the illusion on the part of the client that its executives and staff dont have to be concerned with compliance, Bierce said. This is an unhealthy perception because its corporate officers who must sign the compliance statements.
Another expert, Robert Newmann, managing director and general counsel at Burwood Group, a Chicago-based technology consulting company specializing in compliance and risk matters and network design, stressed the importance of contract language. "The contract has to be very firm around requirements for access to information and retention for information. If theyre not capable of complying, they cant be an outsourcer," said Newmann. There has always been liability associated with outsourcing because key functions are being performed by another party, he said, but with SarbOx the stakes have been raised significantly. "The liability for the consulting firm is huge," he said.
In one of the highest-profile outsourcing contracts, Procter & Gambles deal with Hewlett-Packard for IT infrastructure, HPs role in enabling SarbOx compliance was written into the contract, P&G IT staff told me in a conversation last year.
In crafting deals, Bierce said its important to emphasize that the enterprise client remains in control of the business processes, even though an outsourcer is performing the work. But that doesnt mean the service provider can never be on the hook. "A service provider could be liable for noncompliance should it breach the process so as to expose the enterprise to a claim of securities fraud," Bierce said. But, he cautioned, to the extent that SarbOx indemnification is included in contracts, it should come with a cap on SarbOx liability.
Each contract will be different; there are no easy answers. "Its a complicating factor that requires a great deal of attention," said Bierce, adding, "[SarbOx] forces the partner and the customer to have an ongoing dialogue about the business."
Out and about
CSC inked an it infrastructure services pact with French carmaker Renault worth $236 million. The deal includes network, midrange and mainframe support to Renault sites in France and Spain. In a statement CSC CEO Van Honeycutt credited his companys presence in those countries as a critical factor in securing the deal.
Executive Editor Stan Gibson can be reached at firstname.lastname@example.org.