Can SOX services be outsourced?

Companies, especially larger ones, have been grappling with Sarbanes-Oxley (SOX) for over a year now. Maturity, say analysts, has set in, and most firms, now over the learning curve, are trying to find ways to reduce the labour and cost it takes to comply. However, the money it will take to comply with SOX in 2006 is still significant. According to John Hagerty, vice-president and research fellow at consulting firm AMR Research, companies will spend some $9 billion to comply with SOX this year.

So perhaps it's not surprising that firms are hoping to find ways of applying technology to drive down costs, and Hagerty notes that SOX-related software has seen an uptick in spending. This year alone, companies will spend $2 billion on technology solutions for SOX. Much of this software, according to Paul Hammerman, vice-president of enterprise applications at Forrester, a technology research firm, promises to provide continuous controls monitoring and automation, as well as applications for documenting and evaluating internal controls and managing the overall SOX compliance and governance processes.

But can the expense of complying be decreased even more? Outsourcing firms believe they can help. Several firms – many of them Indian offshore vendors, or firms with Indian service centres – have been offering SOX-related outsourced services, saying that they can lower the cost even further by reducing the price of labour.

These offshore vendors say they are already working on a variety of projects for customers, in audit and consulting services, business process outsourcing (BPO), and in technology services. They have typically done work such as database management to store and track the paperwork which SOX now dictates must be kept, often for years; they provide systems integration and testing around new software put in place to better comply with the law; they do redundant testing of controls; and, in a small sliver of cases, they help customers think about integrating a SOX technology solution into a company-wide compliance effort.

According to Vic D'Alfonso, senior vice-president in Patni's financial services practice, the vendor offers a "hybrid" of services as SOX can touch on a number of technology systems. Much of the work for their four active client centres is in the portfolio accounting space, where they have upgraded and tested systems to make them SOX compliant. They have also done work in portfolio conversion and reconciliation. "We have done that onshore for clients, so it was not much of a leap to do conversion and reconciliation offshore as a BPO play," says D'Alfonso.

Thorough checks

OPI Global, a finance and accounting outsourcing firm with headquarters in Los Angeles and Indian service centres, has been working with several clients to provide redundant controls. This, says Clarence Schmitz, chief executive and chairman of OPI Global, allows the client to do a thorough check, rather than a sampling of transactions, which is typically done. One client, for example, signs thousands of contracts with consumers across the US. A local manager must sign and initial each page of the document. Previously, the client would take a sample of these contracts to make sure that all the pages were signed, the correct boxes checked and the blanks filled in. Now the client sends the contracts to OPI Global's Indian office where the staff double check all of the documents, kicking back those that aren't properly filled in.

EXL Service, an outsourcing vendor based in New York but with operations centres in India, provides both consulting and IT services for SOX. It reports that companies have been turning to it to offshore and/or automate large parts of their documentation and controls testing efforts.

Infosys, one of India's largest IT outsourcing firms, reports that it too has seen an interest in SOX services. Mahesh Makhija, a senior principal at Infosys' consulting practice, says that Infosys has a number of clients taking up SOX-related services. In 2005, it struck a sizeable SOX deal with what it called a "market leader" in commercial air conditioners and hardware. Like EXL Service, its first involvement with a client is usually as a consultant. Infosys will assess a client's SOX plan, look at existing control structures, identify gaps and risks, and draw up an "implementation roadmap". It will also suggest specific places to automate the process and provide what Makhija calls the "tech automation muscle".

But despite what vendors claim, analysts remain sceptical about the enthusiasm for outsourced SOX services. They say that while vendors may certainly be able to cite customers, they do not believe that there is a strong trend toward outsourcing SOX-related functions.

"There's no real appetite from buyers in the offshoring area right now," says Hagerty. "It's still a very complex undertaking, and when you outsource you don't give up your responsibility," he adds.

Lack of interest

Forrester's Hammerman reports that he hasn't seen any interest at all, while Guillermo Kopp, vice-president of financial services strategies at the Tower Group, believes that the interest is currently confined to vendors. Hagerty says that most of the outsourcing work is confined to technology support or low-end BPO work.

Part of the difficulty lies in the very procedural nature of the work required by SOX. While companies are looking to automate many of the controls, the truth is the vast majority of firms still do much of their SOX work manually using Excel spreadsheets. Moreover, controls are unique to a firm, and can vary widely from company to company, making it difficult to move beyond very customer-specific work. Schmitz notes, for example, that OPI Global's work is highly customised for clients.

Firms too are wary about just how they would manage the risk involved with outsourcing what could be very sensitive work. If, for example, there is a problem, a company would want to first handle it privately with the regulators. "The skittishness comes from firms wanting to deal with their dirty laundry behind closed doors," says Kopp. He believes that offshore services will eventually find some customers, but says the bulk of the work comes from existing clients, and the work is low end.

It may also be too early to tell. Firms, says Hagerty, are first looking to use technology to automate, for example, the monitoring of controls, including cataloguing and evaluating them. The next step might be to outsource some of the maintenance of those systems, but not many companies have actually reached this stage. "A number of Indian firms have the full capability to manage the technology on behalf of their clients and support those applications. If you licensed a SOX compliance solution you could certainly get somebody to run it for you."

Some vendors also admit that they are unsure as to where SOX will become a major opportunity for them. Schmitz concedes he is uncertain over whether SOX will help him sell more services. He says, "We are entering the third cycle on SOX. The first was total mayhem; the second reached a certain stability; as for the third, I don't know if companies have reached the point where they have made substantial enough improvements on how they handle SOX compliance in terms of efficiency and productivity. Will getting smarter and more efficient result in more outsourcing of technology? I'm not sure".

Moreover, much of the work vendors have done around SOX has been for existing clients. Patni's D'Alfonso notes: "If companies haven't had the experience of going offshore, it's a tall order [to outsource SOX-related services]. I don't see this opportunity as a one-off project. The opportunity is within the context of an existing relationship."

Narasimha Kini, vice-president and business leader at EXL Service, is more optimistic. Kini, whose firm also provides consulting services, says that while the overall industry spending on SOX outsourcing will never reach the dizzy heights of 2003 and 2004 – especially in consulting and auditing services – he expects to see a steady increase in revenues from SOX-related services over the coming years.

Infosys's Makhija is even more bullish on SOX. "This is a big opportunity for us," he says. Makhija adds that SOX actually fits into a larger trend that Infosys has noticed amongst its clients. Many of them, and this is especially true of financial services clients, are particularly eager to ensure that all of their compliance efforts are integrated. Makhija notes that many of the requirements of SOX and Basel II overlap and it is both more efficient and more cost-effective to re-use the same technology components to tackle both compliance problems. "Companies are becoming increasingly proactive when it comes to staying ahead of the compliance curve, and we are selling SOX as part of that compliance package." OR&C
