Maintaining Control Over Outsourcing
Utilities can transform the business while managing risk.
new areas of expertise. SLAs should reflect the need for continuous learning and communication to adapt to policy, procedure, and regulation changes at all levels.
Staying in Control
The Sarbanes-Oxley Act of 2002 has heightened the level of attention focused on the integrity of public companies' financial results. Facing increased regulatory burdens, utilities are concerned about maintaining appropriate control over the accuracy and completeness of financial data.
Despite concerns to the contrary, transferring activities to a vendor actually can result in increased control and transparency over operations. To achieve this, it is imperative not only that management receives regular reports of operational and financial status, but that they also trust the accuracy of the information reported by the vendor. Management needs assurance that financial statements are reliable. Clear standards must be established to govern activities that support the integrity of the financial statements, such as the reconciliation of balance sheet accounts and respective subsidiary ledgers.
In addition to regular reporting, utilities and their vendors must agree to policies that outline service definitions, documentation standards, review requirements and escalation procedures. To be truly effective in providing assurance, these controls also must be coupled with sufficient monitoring activities.
Some of the most essential monitoring controls such as reconciliations, sample audits, and management reviews already are conducted as part of a utility's Sarbanes-Oxley 404 compliance activities. However, organizations should extend these controls over outsourced services not only for compliance purposes but to ensure service quality, accuracy, and timeliness. As such, relevant monitoring controls should be linked to contract terms with the vendor, and adherence to these terms measured.
While helping to provide greater effectiveness and cost-savings, outsourcing also can have a significant impact on both ratemaking decisions and regulatory-compliance activities. Utilities should develop a strategy for carefully managing these aspects of an outsourcing initiative.
In addition to calling for greater management transparency into the activities impacting financial statements, Sarbanes-Oxley also intensified requirements governing regulatory controls. Under the law, utilities and their auditors now are required to understand all aspects of financial transactions and control, including processing performed by a third-party vendor. Utilities are presented with the risk of non-compliance if the appropriate "inspection windows" into outsourced services aren't in place.
Utilities must develop a strategy for addressing the inevitable change to their control and auditing environments. Controls should be reassessed and documented to support changes in process and responsibility. In-house monitoring controls often need to be added as well to evaluate the activities and results of outsourced services. Additionally, there must be clear communication between the utility and the vendor regarding control objectives and compliance, and the vendor must cooperate and provide assistance with internal and external audits.
These compliance requirements can present auditing and reporting challenges to the utility, its services providers, and its external auditors. The Statement on Auditing Standard (SAS) 70 is a tool provided by many vendors to ease this burden. The SAS 70 review was designed by the American Institute of Certified Public Accountants (AICPA), and provides customers with evidence of their vendor's control activities, which generally include controls