shared services soxcontrols and compliance processes - Corporate ...

CFO EXECUTIVE BOARD AUGUST 2007www.cfo.executiveboard.comSHARED SERVICES, OUTSOURCING AND OFFSHORING PEER GROUP DISCUSSIONSHARED SERVICES SOX CONTROLS AND COMPLIANCE PROCESSESThe CFO Executive Board is pleased to present the results from the Shared Services, Outsourcing and OffshoringDiscussion Group’s discussions around about finance controls and SOX compliance in finance shared servicescenters.How Peer Groups Work: The Shared Services Discussion Group allows members to pose questions to their peersand gain their peers' insights through a moderated, e-mail-based exchange. For each exchange "thread", memberswill receive the initial question as well as a short series of aggregated responses. All questions and responses areposted anonymously unless the contributor requests otherwise.If you would like to participate in this discussion thread or submit a unique question to your peers in the SharedServices Peer Group, please email cfo_shared_services@updates.executiveboard.comINITIAL REQUEST“We are building the business plan for a new finance and accounting outsoucing arrangement and the AuditCommittee will have to review it. We are getting ready for some tough questions from the Board about financecontrols and SOX compliance.a) To what extent do CFOs retain control and oversight of shared services – including what reporting linesand relationships do they establish to ensure that there’s a proper level of oversight?b) What other landmines do we need to review with the Audit Committee before we pull the trigger?”(Consumer Goods Company)MEMBER RESPONSESResponse 1: Media Company, PrivateWithin the CFO organization we have two peer organizations- The corporate controllers group which includes theSOX control desk and the Shared Services organization which includes the outsourced relationship to India. Thisrelationship, although solely held within the CFO's organization, offers a certain amount of independent oversightfrom the Controllers organization into the SSC.When we first migrated activities to the India provider, the Audit Committee and the Corporate Controller group wasuncomfortable in migrating SOX key controls to India. The provider has, since, proved itself and we have migratedSOX key controls to them. Prior to migrating activities, our Internal Audit group visited the provider and India and weattained a SAS70 Type II certification (although there seems to always be a bit of noise between the Controllershipand the provider on the scope of the certification). Within the SSC, we have our own Internal Control Desk thatkeeps the SSC and the India provider "audit ready all the time". The provider in India has the same ICD focal pointthat does not reside on our account and monitors all the providers clients from a control perspective.Specific to the Audit committee, we focused on SOX Key controls, contract language regarding risk and dataprotection procedures.(more on next page)© 2007 Corporate Executive BoardCFO18TW3QD

CFO EXECUTIVE BOARD PAGE 2SHARED SERVICES SOX CONTROLS AND COMPLIANCE PROCESSESResponse 2: IT Consulting Company, $10 - $20 billionI believe that appropriate leaders in the "home country" would still maintain some level of oversight and responsibilityfor the work done. This means that they would provide a quarterly SOX certification sign-off. They would personally beengaged in the design and implementation of training efforts. New employees attending the classes should be testedwith acceptable grades to be determined for success/failure. In addition, there should be on the job training whichshould also be "graded" with success/failure scores determined. In addition, the leaders of these organizations need tobe certified in a similar fashion.Desk procedures must be documented for all roles prior to them being bestshored. Training process and mitigationplan for high turnover must be clearly thought out.Response 3: Consumer Goods Company, PrivateThe CFO retains full responsibility regardless of his/her title. We typically get questions from the Audit Committeearound security, quality, service, and cost.Response 4: Financial Services, Under $1 BillionThe CFO has to retain full oversight and control has they must sign off on the financial reports in the end regardless ofwhere the finance and accounting is done. This is where SOX comes into the picture.About CFO Executive Peer Discussion Groups:Peer Groups allow members to pose questions to their peers and gain their peers' insights through a moderated, e-mail-basedexchange. For each exchange "thread", members will receive the initial question as well as a short series of aggregated responses.All questions and responses will be posted anonymously unless the contributor requests otherwise.Other finance peer groups administered by the CFO Executive Board can be found on our website at:https://www.cfo.executiveboard.com/Members/PeerGroups/Default.aspxIf you have any Private Equity-related questions, or would like to join the group, please emailcfo_shared_services@updates.executiveboard.comProfessional Services NoteThe CFO Executive Board has worked to ensure the accuracy of the information it provides to itsmembers. This project relies upon data obtained from many sources, however, and the CFOExecutive Board cannot guarantee the accuracy of the information or its analysis in all cases. Further,the CFO Executive Board is not engaged in rendering legal, accounting or other professionalservices. Its projects should not be construed as professional advice on any particular set of facts orcircumstances. Members requiring such services are advised to consult an appropriate professional.Neither Corporate Executive Board nor its programs is responsible for any claims or losses that mayarise from any errors or omissions in their reports, whether caused by Corporate Executive Board orits sources.© 2007 Corporate Executive Board