Auditing and Internal Controls for Offshored ...

Auditing and Internal Controls for Offshored Accounting Processes: A Research Agenda

Partha Mohapatra* Texas Tech University Email: [email protected] Dina El-Mahdy Morgan State University United States Email: [email protected] Li Xu Washington State University, United States Email: [email protected]

*Correspondence Author. We would like to thank Mr. Sanjoy Sen (former Partner, PriceWaterhouseCoopers), Mr. Brian Geffert (former Partner, Deloitte), Curtis Stewart (Partner, Deloitte and Touche), A. Sivakumar (Manager, Deloitte and Touche), S R Sidhu (Manager, Deloitte and Touche) and Rahaju Pal (Director, PricewaterhouseCoopers) for their valuable input into this paper. We also thank participants of the 2009 American Accounting Association's Mid-Atlantic Region for their feedback and suggestions. An earlier version was accepted at the Annual meeting of American Accounting Association, 2010.

Electronic copy available at: http://ssrn.com/abstract=2695622

Auditing and Internal Controls for Offshored Accounting Processes: A Research Agenda Abstract Offshoring of accounting processes has become a common business practice, pursued by firms to reduce costs and focus on core competencies. However, our understanding about internal controls of these offshored processes is limited. Grounded in theory that is supported by prior literature and interviews with practitioners, this paper attempts to develop a research agenda on internal controls for offshored accounting processes. It further develops a linkage between internal controls of offshored accounting processes and auditing of the organization. This paper has implications for academicians as well as practitioners in terms of understanding the determinants and consequences of internal controls for offshored processes.

Keywords: Offshoring, Internal Controls, SSAE 16.

2

Electronic copy available at: http://ssrn.com/abstract=2695622

Auditing and Internal Controls for offshored accounting processes: A Research Agenda "Presumably, what happened in Satyam was a failure of internal controls. That raises the question about whether its SAS 70 reports can be relied on by customers." – Compliance Week, October, 2009. Section 1. Introduction Even though offshoring1 of business processes has existed for many decades, it has increased substantially during the last decade. According to the Computer Economics report (2014/2015), the median spending on outsourcing in the IT budgets of large, medium and small organizations is 7.4%, 6.1% and 4.6%, respectively. Forrester Research estimates that by 2015, about 3.3 million jobs will be offshored from the U.S., and this trend is continuing at an accelerated pace (Subramanian and Sharma, 2008). Increasingly, companies are offshoring any process that can be digitized to decrease costs and focus on core competencies (Friedman, 2007). Blinder (2009) estimates approximately 22% to 29% of all U.S. jobs are potentially offshorable. For example, accounting processes such as billing services, internal auditing, accounting and auditing functions, tax processing, credit and collections, bank reconciliations, pension accounting, activity based costing, and project accounting are all candidates for offshoring. General Electric (GE), Dresdner Bank, British Telecom, Ford, American Express, HSBC, Citibank, BP, Standard Chartered, EXL (part of Conseco) and Hewlett Packard are some of the Fortune 500 firms that have already offshored their accounting function (Nicholson and Aman, 2008). The increasing trend of offshoring accounting processes places challenges on U.S. firms, particularly in reference to maintenance of their internal controls in the post-Sarbanes Oxley Act

1 Outsourcing refers to tasks and processes that are performed outside the boundaries of the firm, whereas offshore outsourcing refers to outsourcing done outside the home country. In this paper, we use the term “offshoring” to mean offshore outsourcing.

3

2002 (SOX, hereafter) era. Specifically, SOX sections 302 and 404 mandate that all public companies establish and maintain efficient and effective internal control over financial reporting (ICFR). After SOX became effective, the Public Company Accounting Oversight Board (PCAOB) requires user organizations (henceforth called onshore-client firms, OCF)2 that have outsourced key accounting processes (or underlying IT applications/infrastructure) to obtain assurance as to the design and operating effectiveness of the vendors’ ICFR. To satisfy the regulatory requirements, the client is responsible for making sure the business processes have appropriate internal controls, even when the entire process is offshored. Thus, offshore outsourcing does not absolve the auditor’s client from its responsibilities of maintaining effective ICFR. As pointed out by PCAOB, “Rather user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting” (Auditing Standard [AS] No. 2 & No. 5, PCAOB). In spite of the PCAOB’s clear guidelines, a number of PCAOB inspection reports find clients’ auditors deficient in obtaining sufficient competent evidential matter related to reports generated by service organizations (Bierstaker, Chen, Christ, Ege, and Mintchik, 2013). Thus, organizations that offshore their accounting processes should be particularly cautious about the internal controls’ requirements. In order to comply with Section 404 of SOX, the client company can either perform an audit of the vendor’s ICFR or obtain a Service Organization Control (SOC) report related to the effectiveness of the vendor’s ICFR in the form of a special-purpose third party internal control verification report. In either case, an audit trail of data from the client to the vendor level should be available for the entire process (Kaarst-Brown and Kelly, 2005). While internal controls for offshored

2 In the original Statement of Accounting Standards No. 70 issued by AICPA, the terminologies used are “user organization” for clients, and “service organizations” for vendors. As this paper is in the offshoring context, we use the terms onshore client firm (OCF) and vendor, which are popular in offshoring parlance.

4

accounting processes and related regulatory changes have been increasingly important topics, little research has been devoted to exploring their implications on accounting and auditing literature. We attempt to bridge this gap by synthesizing prior research on internal controls and auditing, and further develop a set of research questions for academic research. Our hope is to spur a new area of research that has not been explored before. A related paper, Bierstaker, Chen, Christ, Ege, and Mintchik (2013), focuses on the outsourcing of accounting services and develops a framework that describes how clients' use of service organizations affects financial statement and internal control audits. However, it doesn’t differentiate between accounting services outsourced to offshore locations or to locations within the country. Since cultural norms, societal trust, and investor protection differ widely from country to country, Bierstaker, Chen, Christ, Ege, and Mintchik (2013) call for more work to help understand the audit implications of offshoring accounting outsourcing activity. To fill in this gap in the literature, our study focuses on the offshoring of accounting outsourcing services (Quadrant II and Quadrant III), and examines how it impacts offshore vendors, OCFs, and the audit process. The paper is organized as follows. Section 2 provides background and motivation. Section 3 provides a discussion about the implications of SOCs on offshore vendors, OCFs, and their auditors. This section also includes research questions and recommendations for future research. Section 4 summaries and concludes the study. Section 2. Background and Motivation Srivastava, Teo and Mohapatra (2008) classify outsourcing into four types as suggested in figure 1. Quadrant II and III are about offshoring (i.e. offshoring can occur when accounting processes are outsourced beyond the firm boundary). For example, when General Electric has a captive call center in India, it is within the firm boundary and hence it would be an offshoring but not 5

outsourcing process. However, offshoring can also be outsourcing beyond the firm boundary to a vendor outside the firm boundary. [Insert figure 1 here] One major reason offshoring accounting processes have become popular is the availability of low-cost skilled personnel, because offshoring sites are low cost destinations. For example, India and the Philippines offer a cost of qualified labor that is less than that in the U.S (Olsson Conchúir, Ågerfalk, and Fitzgerald, 2008). Related, Aksin and Masini (2008) argue that offshoring increases the quality of services due to increased attention to a specific task by the offshore vendors, and along with cost, improved services may be another reason to offshore processes. A number of studies have examined how SOX affects U.S. companies in terms of assessment and disclosure of internal controls in accordance with Section 404 (e.g., Ge and McVay, 2005; Doyle, Ge and McVay, 2007a and b; Ashbaugh-Skaife, Collins, and Kinney, 2007; Ashbaugh-Skaife, Collins, Kinney, and LaFond, 2008; Beneish, Billings, and Hodder, 2008; Hoitash, Hoitash, and Bédard, 2009). However, little attention has been focused on internal control of offshored business processes. To fill in this gap in the literature, we focus in this study on offshoring of accounting outsourcing services (Quadrant II and Quadrant III) and examine how it impacts offshore vendors, OCFs, and the audit process. In the pre-SOX era, offshore vendors’ internal control systems were usually not as stringent because standards like SAS-70 were languishing. Moreover, offshoring of accounting processes became more popular in the last decade. Post-SOX era, offshore vendors are required to comply with the stringent internal control requirements of OCFs, which are mandated to follow SOX-404 internal control requirements. So, offshore vendors have great motivation to consider SOC reports as per U.S. or international standards. 6

When a U.S.-based OCF is offshoring its accounting processes, it has to comply with the PCAOB requirements for maintaining the internal controls. In order to do so, the U.S.-based OCF obtains a SOC-1 report, based on the Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization”.3 SOC-1 reports serve as a “conversation” document between the vendors’ auditor and the OCF’s auditor. When properly used, these reports can provide assurance about the internal controls of the business process offshored to a distant country to the external auditors of the OCF, which will assist the OCF’s auditors to satisfy section 404 of SOX. SOC-1 Type-I reports state whether the ICFR are fairly represented, appropriately designed, and implemented as of a specific date. SOC 1 Type II reports usually cover a longer period (e.g., 6 months or more) than that covered by Type I reports, and provide more comprehensive information than that provided by Type I reports. Type II reports include an assessment of the operating effectiveness of ICFR over a specified period of time.4 Thus, in order to comply with the SOX-404 ICFR requirements, the OCF has to obtain Type-II reports from their offshore vendors. After the SSAE 16 comes into effect, management of the service organization has to provide an assertion about the design of the internal controls of the accounting processes being managed by them, and their effectiveness. Section 3. Implications of Offshored Accounting Process on Accounting and Auditing Research Research on the impact of offshoring on the internal controls of the OCF is important for several reasons. First, in the absence of third party audit reports (like SSAE-16), the external auditors

3

Superseding the Statement on Auditing Standards (SAS) No. 70 and effective in June 2011, SSAE 16 is more in line with ISAE-3402 for international service organization reporting standards. SOC 1 engagements are performed in accordance with SSAE no. 16 and focus solely on controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements. For further information, please check out Appendix A: The background of SSAE-16. 4 SOC 2 and SOC 3 reports provide attestation regarding Trust Service principles. While SOC 2 reports cover privacy, security and integrity of controls at the service organization, SOC 3 reports on the needs of the current or prospective customers of the service organization. We do not focus on these reports.

7

have to travel to far-off countries (e.g., India or the Philippines), which would be cost prohibitive as well as require more effort. This effort would need to be replicated for each and every client/vendor combination, resulting in multiplicity of efforts that could be efficiently avoided using third party internal control reports, which is why we have third party reports.5 So, the external auditor has to rely on the SOC report of SSAE-16 conducted by a third party auditor. Second, offshoring is riskier than traditional outsourcing. Offshoring may involve additional business risks due to the greater geographical distance and more hostile political climate of nations where the vendors are located (Mao, Lee, and Deng, 2008). Daugherty, Dickins and Fennema (2013) demonstrate that prospective U.S. jurors awarded greater damage awards against auditors when certain audit tasks were performed offshore than when they were performed in the U.S, which reflects the perceived riskiness of offshoring as compared to outsourcing onshore. Further, offshoring creates substantial challenges in managing teams comprised of individuals from culturally different backgrounds (Daugherty, Dickins and Fennema, 2012). For example, Wong-on-Wing and Lui (2013) find that Chinese participants consider it less moral (compared to their American counterparts) for a fraudster to commit fraud when that person is under tremendous financial pressure to do so (e.g. to pay for expenses incurred in a recent medical emergency). In addition, by shifting chunks of its business processes to distant, unfamiliar nations with completely different cultures and language, the OCF may face risks of poorer quality of service, lower reliability, and increased communication difficulties (Schoenherr, Tummala and Harrison, 2008). The lack of information about a vendor in a faraway country, where the OCF has no direct ownership or control, adds another dimension of risk (Nicholson and Aman, 2008).

5 However, recent research suggest that audit quality is affected when an SEC-registered principal audit firm performs its audit work with another participating audit firm that has limited experience in audits of U.S. public companies (Dee, Lulseged, and Zhang, 2014).

8

Third, vendor countries may not have stringent regulatory requirements as in the U.S., so the sole responsibility for internal controls depends on the benevolence of the vendor. For example, corporate governance in general is poor in some vendor countries in Asia (Zhuang, Edwards, Webb, and Capulong, 2000; Hodgson, Lhaopadchan, and Buakes, 2011). Fourth, from a control perspective, offshore vendor auditing can become complex since the auditors have to look into additional controls in areas such as cross-border data transfer, handover points between user and service organizations, etc. Finally, researchers find that cultural differences can impact accounting, auditing practices, and management control practices (Joshi, 2001). For example, vendors in different countries may implement internal controls for business processes, since different countries have different accounting standards. Moreover, the limited resources available to internal audit teams in some countries may constrain the internal auditors’ role in risk assessment (Sarens and Beelde, 2006). For instance, the India internal audit’s survey by Ernst and Young in 2009 finds that 51% of Indian firms do not integrate a formal fraud risk assessment into the audit process (Economic Times, 2009).6 Thus, it is important to understand internal controls of accounting processes from an offshoring perspective, as well as related audit issues. Our study is a step in this direction, and attempts to integrate the accounting theories and the research questions related to offshoring of accounting processes and internal control. While Bierstaker, Chen, Christ, Ege, and Mintchik

(2013) discuss outsourcing-related

business risks, and apply the audit risk model to develop a set of research questions on outsourcing of accounting processes, our study focuses on offshored accounting processes and the possible

6

http://articles.economictimes.indiatimes.com/2009-06-25/news/28397020_1_audit-function-assessments-audit-

plans

9

implications for the auditing of financial statements of OCFs and vendor organizations. In the next subsections, we conceptualize the research questions (RQs) based on theory and prior literature. 3.1 Resources invested in accounting controls: Training needs and technology gaps Ge and McVay (2005) and Doyle, Ge, and McVay (2007b) find that inadequate investment in resources related to accounting controls is associated with material weaknesses in internal controls. There are two important investments that firms need to make for accounting controls: in technology and training the personnel. Bhattacharya, Behara, and Gundersen (2003) suggest that lack of qualified personnel may affect the quality of service provided by vendors. In addition to quality of service provided, lack of qualified personnel can also impact the level of regulatory compliance provided by vendors. Hence, employees of vendors need to be properly trained. Training deficiency of internal auditors can affect the implemented internal controls (Wallace, Hui, and Cefaratti, 2011). The India Internal Audit Survey (2009) by Ernst and Young finds there is a dearth of IT auditors in India because of the low percentage of companies that conduct an IT risk assessment before finalizing their audit plan. However, to be well acquainted with the internal controls of OCFs, vendors should make sure that they have an internal auditing team that is also well trained in IT. The training in IT is crucial, because most offshore vendors use IT-enabled processes, and IT is ingrained in their offshored processes that necessitate effective ICFR. The level of IT training in an internal audit staff may impact the viability of complying with a SOC request. Apart from the IT training, the employees of the offshore vendor need training in compliance regulations of the vendor countries (e.g. the Health Insurance Portability and Accountability Act of 1996 “HIPAA”, and SOX 2002 in the U.S.). Better understanding of the compliance requirements by employees may improve the internal controls of the business processes being managed.

10

The use of technologies has also been suggested by the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO, 2009) report for internal controls monitoring either with control monitoring tools or process management tools (Masli, Richardson, Sanchez, and Smith, 2010). A few examples of these popular technologies in the U.S. include SOX express, Paisley’s risk navigator, and SOXA accelerator. These technologies can include automation of routine control tests, enhancement of risk assessments, evaluation and documentation of controls, and management and communication of control assurance activities. Masli, Richardson, Sanchez, and Smith (2010) find that many U.S.-based firms are implementing these technologies. Further, they find that firms that have internal control monitoring technologies have a lower probability of material misstatements. However, such use of audit technologies may or may not be pervasive in low cost offshore destinations. Thus, based on training and investments on accounting controls in offshore firms, academicians would be interested in the following RQs: RQ: Does the level of IT expertise within internal audit teams of vendors impact OCFs’ compliance with SOX internal control reports? RQ: How do IT vendors deal with the shortage of IT auditors with appropriate training programs? Does the shortage of IT auditors in low cost offshore destinations affect internal controls of offshored accounting processes? RQ: How aware are offshore vendors about internal control monitoring technologies? Are they using these technologies for maintenance of internal controls of the offshored accounting processes? RQ: Does the level of IT expertise within internal audit teams vary across major offshoring destinations, and does it impact the decision to offshore an accounting process?

11

Prior studies investigate the interaction between offshore vendors and their OCFs. For example, Stringfellow, Teagarden, and Nie (2008) find that increased interaction between offshore vendors and OCFs has a moderating effect on the risks of offshoring. Risks are shown to be positively related to the likelihood of weaknesses in internal controls (Doyle, Ge and McVay, 2007b). Thus, we expect increased and effective communication and interaction between offshore vendors and OCFs to have a moderating effect on the likelihood of weaknesses in internal controls related to third parties. Further, as the majority of offshoring is IT-enabled services, Weidenmier and Ramamoorti (2006) call for research into the association between IT and internal auditing within organizations in the post-SOX period. Hermanson, Hill and Ivacevich (2000) survey 100 internal audit directors, and find that they are more concerned with traditional IT risks and controls compared to system development and acquisition of IT product issues. They conclude that internal auditors of OCFs may be less focused on IT risks and controls for offshored IT-enabled processes. This latter conclusion triggers some RQs as follows: RQ: How do increased interaction and improved communication between offshore vendors and OCFs affect internal controls of offshored process? RQ: How do internal auditors of OCFs interact with IT vendors (and their internal auditors) to assess the risks and controls related to these offshored IT-enabled processes? 3.2 Process knowledge stickiness and internal controls of offshored processes Process knowledge’ “stickiness” refers to the difficulty of transferring knowledge from one set of personnel to another set of personnel (Jensen and Szulanski, 2004). Factors like recipient’s lack of absorptive capacity, causal ambiguity, and a strenuous relationship between the OCF and vendors can impede the transfer of knowledge assets (Szulanski, 1996). The sticky effect is magnified when knowledge has to be transferred from onsite personnel to offshore personnel, 12

because intra-firm knowledge transfer beyond national boundaries is more difficult than intra-firm knowledge transfer within a country (Galbraith, 1990). Knowledge stickiness may significantly affect offshored process performance. It would be informative to determine if process knowledge stickiness makes it more difficult for vendors to maintain the internal controls of the OCF due to vendors’ inability to acquire direct knowledge of controls for that process. Moreover, the knowledge continuum model suggested by Jayanty (2006) shows there are three phases for business processes: data, information, and knowledge phases. In the data phase, processes are more routine and codifiable. In the information phase, even though most work is codifiable, some discretionary decision making may be required. In the knowledge phase, the work involves a significant amount of expertise from experience. The processes in the data and information phases are inherently less sticky and more easily transferable to offshore personnel compared to processes in the knowledge phase. We argue that there is a need to explore whether internal control problems differ between processes that are in the data phase, information phase, or knowledge phase of the knowledge continuum model. If the evidence shows that internal control problems indeed differ across the three different phases, offshore vendors, with assistance from OCFs, will have to exert more effort and devote more resources to improving internal controls of offshored processes in the knowledge phase. In this regard, a number of RQs might be raised: RQ: How can knowledge stickiness for business processes be ameliorated, so that vendor personnel as well as external and internal auditors have complete knowledge about the process and its effect on the internal controls of the OCF (without compromising the OCF’s confidential knowledge)? RQ: Which accounting processes are more prone to knowledge stickiness, and hence more susceptible to internal control deficiencies?

13

3.3 Audit fees, audit effort and audit lag Auditors’ fees are a complex issue in auditing because they depend on many interrelated factors such as the demand for audit and assurance, the market conditions, the form of marketing and strategies, and the number of hours spent in the audit process (Causholli, De Martinis, Hay and Knechel, 2010). The audit cost is composed of not only the direct production costs but also the expected future losses that could result from litigation and lawsuits brought against the auditor (Simunic, 1980). Post-SOX, a major research stream explores the impact of SOX on audit fees. Researchers find that audit fees increased significantly in the post-SOX period (e.g. DeFond and Francis, 2005; Billings and Hodder, 2008; Cosgrove and Niederjohn, 2008), due to the additional work required to comply with section 404 of SOX 2002. Compliance with internal controls requirements significantly increases the costs of auditing and impacts the audit fees (Krishnan, Rama and Zhang, 2008). Based on Simunic (1980)’s production view of the audit process, researchers find that one of the major determinants of audit fees is the OCF’s complexity of operations. Overall, increased complexity of the business operation is positively associated with audit hours and hence contributes to the increase in audit fees (Knechel, Rouse and Schelleman, 2009; Causholli, De Martinis, Hay and Knechel, 2010). Prior research also provides evidence that audit lag (or audit delay), which is the difference between a company’s year-end date to the audit report date, increases when an OCF client firm has more reportable segments and subsidiaries (Munsif, Raghunandan, and Rama, 2012). Prior literature finds that the number of subsidiaries, the number of foreign subsidiaries, the proportion of foreign assets, and the number of business segments are all related to higher audit fees (Hay, Knechel and Li, 2006). While the complexity of business should increase with increased 14

offshoring of accounting processes, no studies have documented the impact of business complexity on the audit effort, audit delay, or audit fees. There is evidence that that audit fees are significantly higher for firms with internal control material weaknesses (Hogan and Wilkins, 2008; Krishnan, Rama, and Zhang, 2008). Related, Munsif, Raghunandan, Rama, and Singhvi (2011) find that firms that remediate their material weaknesses in internal controls have lower audit fees compared to firms that continue to report material weaknesses in internal control. Thus, audit research suggests that complexity of offshoring operations—as well as increased control risk—might affect the audit fees, audit lag, effort and time. This stimulates us to seek answers to this set of RQs: RQ: Does increased offshoring of accounting processes increase or decrease audit fees for OCFs? RQ: Will SSAE 16 help constrain high cost of audit for OCF, thereby leading to a reduced fee? RQ: Will the impact of SSAE 16 be different across unique outsourced business processes and industries? 3.4 Organizational Knowledge Creation and impact on audit fees, audit effort, and audit lag of vendors (service providers) Nonaka, Byosiere, Borucki, and Konno (1994) suggest that organizational knowledge can be created by interaction among individuals through mechanisms such as observation, imitation, or apprenticeships. Knowledge from outside the firm can sometimes be an important stimulus for change and organizational improvement. Vendors that are required to perform internal controls design and testing for OCFs in order to comply with SSAE 16 might gain more knowledge about their own organizations’ processes, controls, risk analysis and internal control during the report

15

process (Pedersen and Stålbäck, 2005).7 The following are some interesting RQs subject to investigation by academicians: RQ: Do offshore vendors gain knowledge about their own internal controls, in the process of maintaining internal controls of business processes outsourced to them from OCFs? This would be most valid for offshore vendors who do not have stringent internal controls yet. Experience with tight internal controls and international regulatory standards is not only familiarizing these vendor organizations with strict internal controls, but also preparing them to be listed in the international stock exchanges (such as the New York Stock Exchange), where compliance requirements tend to be more stringent than in vendors’ home countries. Moreover, a third party internal control report (SSAE 16) is perceived to be related to a more strict internal control standard than those in vendors’ home countries; thus, domestic investors in vendors’ home countries can have more confidence in the vendors’ companies. SOC engagements may improve the internal controls of the business of the vendor because of the spillover effect (i.e. while vendors are preparing themselves for stringent internal control requirements of the processes they are managing for their OCFs, they may work simultaneously on improving their internal controls for their in-house accounting processes). For example, let us consider a BPO firm in India that manages payroll for an OCF in the U.S. If the BPO must acquire SOC for the managed process, it must learn about the internal controls requirements for payroll, which will have an impact on the internal controls of in-house payroll of the BPO firm itself. This will decrease the risks of material misstatement. The audit risk model would suggest that the

7

Internal controls, an important constituent of internal corporate governance, can prepare these vendors for International Financial Reporting Standards (IFRS) convergence (e.g. Chen and Rezaee 2012). Further, analyst recommendations are favorable and useful to firms with good corporate governance, especially in countries where legal provisions for investor protection are weak (Yu, 2011).

16

improved internal controls might impact the auditor effort and the audit fees of the vendor. However, the vendor has to pay more for non-audit services for SOC preparation and the certification. This suggests further investigation to answer the following RQs: RQ: How do SOC engagements impact the audit efforts and audit fees for vendors? RQ: Do the SOC engagements increase the non-audit fees for the vendors substantially enough to prohibit them from providing services at a low cost? RQ: How do SOC engagements play a role during the contracting stage between an OCF and vendor due to the costs (for the vendor) in maintaining internal controls for processing the OCF? 3.5 Non-audit services, auditor reputation and economic bonding One of the provisions of SOX is prohibiting non-audit services undertaken by external auditors. The Securities and Exchange Commission (SEC) also states that the different types of nonaudit services might impact auditor independence (SEC 2002, 2003). Prior research shows that the independence of the auditor is compromised when auditors provide non-audit services (Hay, Knechel, and Li, 2006; Joshi, Bremser, Hemalatha, and Mudhaki, 2007). Research has focused on two theories to explain the benefits of non-audit services and the negative impact on auditor independence. Economic bonding theory suggests that large non-audit fees may provide incentives for the auditor to compromise his/her independence (DeAngelo, 1981) because the auditor becomes dependent on the client for a major portion of his/her revenues. Some researchers also find that nonaudit services do not impact auditor independence. (e.g., Zeff, 2003a and 2003b). However, Ruddock, Taylor, and Taylor (2006) show that audit firms will not compromise their independence, as it is offset by factors such as market-based incentives, litigation, and governance mechanisms. Further, audit firms with large clientele have more incentives to protect their reputation and remain independent (DeAngelo, 1981; Shwartz and Menon, 1985; Wallace, 1987, Kothari, Lys, Smith, and 17

Watts, 1988; Palmrose, 1988; Lys and Watts, 1994). So, a competing theory, the knowledge spillover effect, has been suggested to explain the beneficial effect of having non-audit services. According to Simunic (1984), knowledge spillover occurs "when the performance of non-audit service produces knowledge useful to the auditing division". Prior research suggests that when auditors provide nonaudit services, they also gain an opportunity to learn more about the client and its business because of increased interactions and better understanding of the business of the client (e.g., Knechel, Rouse, and Schelleman, 2009). Knowledge spillover can impact audit fees as well as audit lag (Causholli, Martinis, Hay, and Knechel, 2010). Most of the non-audit service research uses tax services or management advisory services to explain these two effects (Causholli, Martinis, Hay, and Knechel, 2010). There is limited research on either the provision of non-audit services in terms of SAS70/SSAE16 or any of the third party internal control reports by auditors. We contend that research in the context of non-audit services provided in terms of SAS70 or SSAE-16 is important for several reasons. In many developing countries, auditing firms are allowed to provide both audit and non-audit services for the same clients. The auditor independence is maintained by creating a “wall” between auditing teams working in non-audit services and external auditing teams; i.e., team members are not allowed to interact across teams. In addition, an auditing firm can provide auditing services for a client in the U.S., and for the vendor of the client in a foreign country. Thus, a SSAE 16 report might have been signed by auditing firm “X” for the vendor “A” while the same auditing firm “X” might be the auditor for the client “B”. There is a possibility of economic bonding, especially when the report is being produced for the first time and the SSAE16 fees are large. However, there is a good prospect for knowledge spillover. Financial auditors in foreign countries also verify internal controls of the audit clients, while an SSAE16 audit will verify internal controls of accounting processes offshored to a vendor’s 18

clients. Thus, there are synergies in the type of work that external auditors of vendors would eventually be doing because there seems to be a large overlap in the process of audit investigation with that of SSAE-16 reports. This discussion leads to a number of RQs: RQ: Do a sizable number of vendors have joint provision of auditing and SSAE 16 services? RQ: Does joint provision of auditing and SSAE 16 services impact auditor independence because of economic bonding? Does the joint provision increase the risk that the vendors’ financial statement has material misstatement? RQ: Is there a decrease in audit effort, when there is joint provision of auditing and SSAE 16 attestation services, because of knowledge spillover? RQ: Is there an impact of knowledge spillover from SSAE 16 to financial audit on audit fees? Does the knowledge spillover impact the audit lag? Section 4. Summary and conclusion Offshoring of accounting functions is no longer merely an option; it is essential for many businesses to maintain a competitive edge in today’s business environment. While offshoring saves costs and allows the clients to focus on their core competencies, it also poses risks to the clients’ organizations. To mitigate these risks and comply with the regulatory requirements of the countries where the clients are located, OCFs and their offshore vendors need to effectively establish adequate internal controls for offshored business processes. OCFs should seek those vendors who have appropriate processes in place and are willing to provide SOC reports (or at least are capable of providing a SOC report in the near future). Moreover, OCFs should avoid offshoring the processes that would exist in weak internal control systems. Similarly, vendors should avoid undertaking those processes for which they are incapable of maintaining efficient internal controls.

19

While an SOC provides reasonable assurance about the internal controls of the offshored processes, PCAOB inspection reports suggest that some auditors are still grappling with third-party vendor internal controls. However, we find a paucity of research for offshored accounting processes, its impact on internal controls, its impact on auditing for OCFs, and how internal controls can be improved for offshored processes. The research questions in our study are set to stimulate academicians and standard setters as well as policymakers to better understand the implications of offshoring of accounting processes, with specific emphasis on internal control over financial reporting. For example, answers to our research questions can help us understand which accounting processes to offshore and how to develop a framework to maintain internal controls over offshored accounting processes. Our questions might also help in assessing the impact on audit fee and audit lag in an offshoring environment. Any attempt to answer some of our RQs might help us understand the impact of offshoring on non-audit services and auditor independence. References Aksin, O., and Masini, A. 2008. Effective Strategies for Internal Outsourcing and Offshoring of Business Services: An Empirical Investigation. Journal of Operations Management 26: 239– 56. Ashbaugh-Skaife, H., Collins, D., and Kinney, W. 2007. The discovery and reporting of internal control deficiencies prior to SOX 2002-mandated audits. Journal of Accounting and Economics 44: 166–192. Ashbaugh-Skaife, H., Collins, D., and LaFond, R. 2008. The effect of SOX 2002 internal control deficiencies and their remediation on accrual quality. The Accounting Review 83 (1): 217– 250.

20

Beneish, M., Billings, M., and Hodder, L. 2008. Internal control weaknesses and information uncertainty. The Accounting Review 83 (3): 665–704. Bennett, Coleman & Co. 2009. India Inc. lacks fraud-detection procedures in audit plans. The Economic

Times.

June

25,

2009.

Available

at:

http://articles.economictimes.indiatimes.com/2009-06-25/news/28397020_1_audit-functionassessments-audit-plans. Bhattacharya, S. Behara, R. S., Gundersen, D. E. 2003. Business risk perspectives on information systems outsourcing, International Journal of Accounting Information Systems 4 (1): 75–93. Bierstaker, J., Chen, L., Christ, M., Ege, M., and Mintchik, N. 2013. Obtaining Assurance for Financial Statement Audits and Control Audits When Aspects of the Financial Reporting Process Are Outsourced. Auditing: A Journal of Practice & Theory 32 (Supplement): 209– 250. Blinder, Alan S. 2009a. How many US Jobs might be offshorable? World Economics, 10 (2, AprilJune): 41–78. Causholli, M., De Martinis, M., Hay, D. and Knechel, R. 2010. Audit markets, fees and production: Towards an integrated view of empirical audit research. Journal of Accounting Literature 29: 167–215. Chen, Y. and Rezaee, Z. 2012. The role of corporate governance in convergence with IFRS: evidence from China. International Journal of Accounting and Information Management 20 (2): 171– 188. Computer

Statistics.

2014/2015.

IT

outsourcing

statistics.

Available

at:

http://www.computereconomics.com/page.cfm?name=Outsourcing

21

Cosgrove, S., and Niederjohn, S. 2008. The Effects of Sarbanes-Oxley on the Public Accounting Industry. Journal of Business Strategies 25 (1): 31–52. COSO. 2009. Committee of Sponsoring Organizations of the Treadway Commission-COSO (1992) Internal control. Integrated framework. Available at: http://www.coso.org/IC.htm Daugherty, B. E., Dickins, D., and Fennema, M. G. 2012. Offshoring Tax And Audit Procedures: Implications for U.S.-Based Employee Education. Issues in Accounting Education 27 (3): 733–742. Daugherty, B. E., Dickins, D., and Fennema, M. G. 2013. The effects of offshoring audit tasks on jurors’ evaluations of damage awards against auditors. Advances in Accounting Behavioral Research 16. DeAngelo, L. 1981. Auditor size and auditor quality, Journal of Accounting and Economics 3:183– 199 Dee, C., Lulseged, A., and Zhang,T. 2014. Who Did the Audit? Audit Quality and Disclosures of Other Audit Participants in PCAOB Filings. The Accounting Review (forthcoming). DeFond, M. and Francis, J. 2005. Audit Research after Sarbanes-Oxley. Auditing: A Journal of Practice and Theory 24: 5–30. Doyle, J., Ge, W. and McVay, S. 2007a. Accruals quality and internal control over financial reporting. The Accounting Review 82: 1141–1170. Doyle, J., Ge, W. and McVay, S. 2007b. Determinants of weaknesses in internal control over financial reporting and the implications for earnings quality. Journal of Accounting and Economics 44:193–223. Friedman, T. 2007. The world is flat: A brief history of the twenty-first century. New York: Farrar, Straus, and Giroux. 22

Galbraith, C. S. 1990. Transferring core manufacturing technologies in high tech firms. California Management Review 32(4): 56–70. Ge, W. and McVay, S. 2005. The Disclosure of Material Weaknesses in Internal Control after the Sarbanes-Oxley Act. Accounting Horizons 19 (3): 137–158. Gupta, P., and N. Nayar. 2007. Information content of control deficiency disclosures under the Sarbanes-Oxley Act: An empirical investigation. International Journal of Disclosure and Governance 4 (1): 3–18. Hay, D., Knechel, R. and Li, V. 2006. Non-audit Services and Auditor Independence: New Zealand Evidence. Journal of Business Finance and Accounting 33(5/6): 715–734. Hermanson, D., Hill, M. and Ivacevich, D. 2000. Information technology-related activities of internal auditors. Journal of Information Systems (Supplement): 39–53. Higgs, J., and Skantz, T. 2006. Audit and non-Audit Fees and the Market’s Reaction to Earnings Announcements. Auditing: A Journal of Practice and Theory 25 (1): 1–26. Hodgson, A., Lhaopadchan, S., and Buakes, S. 2011. How informative is the Thai corporate governance index? A financial approach. International Journal of Accounting and Information Management 19 (1): 53 –79. Hogan, C.E., and Wilkins M.S. 2008. Evidence on the audit risk model: Do auditors increase audit fees in the presence of internal control deficiencies? Contemporary Accounting Research, 25(1): 219–242. Hoitash, R., Hoitash, U., and Bédard, J. 2009. Corporate governance and internal control over financial reporting: a comparison of regulatory regimes. The Accounting Review 8 (3): 839– 867.

23

Jayanty, S. 2006. Studies in process quality, risk and governance in offshore outsourcing of services, University of Pennsylvania, PhD Dissertation. Jensen, R. and Szulanski, G. 2004. Stickiness and the adaptation of organizational practices in crossborder knowledge transfer. Journal of International Business Studies 35(6): 508–523. Joshi, P.L. 2001. The international diffusion of new management accounting practices: the case of India. Journal of International Accounting, Auditing and Taxation 10(1): 85–109 Joshi, P.M., Bremser, W.G., Hemalatha, J and Mudhaki, J.A. 2007. Non-audit services and auditor independence: empirical findings from Bahrain. International Journal of Accounting, Auditing and Performance Evaluation 4(1): 57–89. Kaarst-Brown, M.L, and Kelly, S. 2005. IT governance and Sarbanes-Oxley: The latest sales pitch or real challenges for the IT function? Proceedings of the 38th Hawaii International Conference on System Sciences. Knechel, W., Rouse, P.,Schelleman, C. 2009. A modified audit production framework: evaluating the relative efficiency of audit engagements. The Accounting Review (5): 1607–1638. Kothari, S. P., Lys, T., Smith, C. W. and Watts, R. L. 1988. Auditor liability and information disclosure. Journal of Accounting, Auditing and Finance 3 (Fall): 307–340. Krishnan, J., D. Rama, and Zhang, Y. 2008. Cost to comply with SOX Section 404. Auditing: A Journal of Practice & Theory May 27 (1): 169–186 Krishnan, J., Sami, H., and Zhang, Y. 2005. Does the Provision of non-Audit Services Affect Investor Perceptions of Auditor Independence? Auditing: A Journal of Practice and Theory 24 (2): 111–135. Lys, T., and Watts. R. L. 1994. Lawsuits against auditors. Journal of Accounting Research 32(Supplement): 65–93. 24

Mao, J., Lee, J., and Deng, C. 2008. Vendors’ perspectives on trust and control in offshore information systems outsourcing. Information and Management 45(7): 482–492. Masli, A., V. Richardson, J. M. Sanchez, and R. Smith. 2010. Returns to IT excellence: Evidence from financial performance around information technology excellence awards. International Journal of Accounting and Information Systems 12(3):189–205. Munsif, V, Raghunandan, K., Rama, D. 2012. Internal control reporting and audit report lags: further evidence. Auditing: A Journal of Practice & Theory 31 (3): 203–218: Munsif, V. Raghunandan, R. and Singhvi, M. 2011. Audit fees after remediation of internal control weaknesses. Accounting Horizons 25(1): 77–105. Nicholsan, B., and Aman, A. 2008. Offshore accounting outsourcing: The case of India. Institute of Chartered Accountants of England and Wales Report. Nonaka, I., Byosiere, P., Borucki, P.C., and Konno, N. 1994. Organizational knowledge creation theory: a first comprehensive test. International Business Review 3 (4): 337–351. Olsson, H., Conchúir, E.O., Pär J. Ågerfalk, and Brian, F. 2008. Two-stage offshoring: an investigation of the Irish bridge. MIS Quarterly 32 (2): 257–279. Palmrose, Z. V. 1988. An analysis of auditor litigation and audit service quality. The Accounting Review LXIII (1): 55–73. Pedersen, H., and Stålbäck, D. 2005. Consequences of Sarbanes-Oxley on IT sourcing companies. Master Thesis in Informatics, Göteborg University Ruddock, C., Taylor, S.J and Taylor, S.L. 2006. Nonaudit Services and Earnings Conservatism: Is Auditor Independence Impaired? Contemporary Accounting Research 23(3): 701–746.

25

Sarens, G., and Beelde, I.D. 2006. Internal auditors' perception about their role in risk management: A comparison between US and Belgian companies. Managerial Auditing Journal 21(6): 63– 80. Schoenherr , T., Tummala, V.M.R., Harrison, T.P., 2008. Assessing supply chain risks with the analytic hierarchy process: Providing decision support for the offshoring decision by a US manufacturing company. Journal of Purchasing and Supply Management, 14(2): 100–111. Securities and Exchange Commission. 2002. Proposed rule: Strengthening the commission’s requirements regarding auditor independence. Release Nos. 33-8154; 34-46934. Washington, DC: SEC. Securities and Exchange Commission. 2003. Financial Reporting Release No. 68: Strengthening the commission’s requirements regarding auditor independence. Washington, DC: SEC. Sherinsky, J., 2010. Replacing SAS 70, new standards for engagements involving outsourcing. Journal of Accountancy 210 (2). Shwartz, K. B., and Menon, K. 1985. Auditor switches by failing firms. The Accounting Review 60: 248–261. Simunic, D. 1980. The pricing of audit services: Theory and evidence. Journal of Accounting Research 18 (1): 161–190. Simunic, D. 1984. Auditing, consulting, and auditor independence. Journal of Accounting Research 22 (3): 679–702. SOX. 2002. The Sarbanes-Oxley Act 2002. Available at: http://www.soxlaw.com/ Srivastava, S. C., Teo, T. S.H., Mohapatra, P. S. 2008. Business-related determinants of offshoring intensity. Information Resources Management Journal 21(1): 44–58.

26

Stringfellow, A., Teagarden, M.A., and Nie, W. 2008. Invisible costs in offshoring services work, Journal of Operations Management, 26(2):164–179. Subramanian. S. and Sharma, V. 2008. IT firms: Upside from offshoring? Business Standard, 2008, available

at

http://www.business-standard.com/article/opinion/it-firms-upside-from-

offshoring-108091001076_1.html accessed on Nov 21, 2014. Szulanski, G. 1996. Exploring Internal Stickiness: Impediments to the transfer of best practice within the firm. Strategic Management Journal 17:27-43. Wallace, L., Lin, H. and Cefaratti, M. 2011. Information security and Sarbanes-Oxley compliance: an exploratory study. Journal of Information Systems 25 (1): 185–211. Wallace, W. A. 1987. The economic role of the audit in free and regulated markets: A review’, Research in Accounting Regulation 1: 7–34. Weidenmier, M. L., and Ramamoorti, S. 2006. Research opportunities in Information Technology and Internal Auditing. Journal of Information Systems 20 (1): 205-219. Wong-On-Wing, B. and Lui, G. 2013. Beyond cultural values: an implicit theory approach to crosscultural research in accounting ethics. Behavioral Research in Accounting 25 (1): 15–36. Yu, M. 2011. Analyst recommendations and corporate governance in emerging markets. International Journal of Accounting and Information Management 19 (1): 34 –52. Zeff, S. A. 2003a. How the U.S. accounting profession got where it is today: Part I. The Accounting Horizons 17: 189–205. Zeff, S. A. 2003b. How the U.S. accounting profession got where it is today: Part II. The Accounting Horizons 17: 267–286.

27

Zhuang, J., Edwards, D., Webb, D. and Capulong, M.V. 2000. corporate governance and finance in east Asia: a study of Indonesia, Republic of Korea, Malaysia, Philippines, and Thailand, Vol. 1, Asian Development Bank Publishing, Manila

28

Appendix A: The background of SSAE-16 The American Institute of Certified Public Accountants (AICPA) developed the Statement on Auditing Standards (SAS) No. 70, a widely recognized auditing standard and the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. Any outsourcing vendor that executes (and maintains) accountability of transactions and records transaction and process information is an ideal candidate for SAS 70 audits. The auditor at the service organization verifies that a vendor has policies and procedures in place. It authenticates the design of the controls and their effectiveness. A vendor can go a step further by having an SAS 70 Type II report that evaluates a history that internal controls are in place and that they are operating effectively for a period of at least six months. In other words, if a vendor states that they have policies in place, the SAS 70 Type II report tests and provides assurance that these policies are followed and work as they were designed to. SAS 70 Type II also identifies instances of noncompliance. The emphasis is more on evidential matter. The report is expected to have consistency of control objectives with contractual obligations and focus on the client auditor needs. It should also disclose the nature, timing, and extent of the tests of controls. In June 2011, SAS 70 was replaced by two new standards: a Statement on Standards for Attestation Engagements (SSAE) and an SAS (an auditing standard). SSAE no. 16, Reporting on Controls at a Service Organization, primarily provides guidance for reporting on controls at service organizations (other than an audit of financial statements), and the new SAS, Audit Considerations Relating to an Entity Using a Service Organization, primarily provides guidance for reporting on an 29

audit of financial statements of entities that use service organizations (see AICPA Audit Guide, Service Organizations, Applying SAS No. 70). SSAE No. 16 has the same focus on controls over systems and processes that influence the accuracy of journal entries for service firms’ customers, with a few requirements. For example, under SSAE No. 16, the service auditor must obtain a written assertion from management of the service organization about the fairness of the presentation of the description of the service organization’s system, the suitability of the design, and the operating effectiveness of the controls (Sherinsky, 2010). However, one important change is that the service organization has to provide an assertion from its management about the design and effectiveness of internal controls of the outsourced processes. SOC1 reports are prepared in accordance with the SSAE-16 standards.

30

Figure 1: Figure 1: Classification of Outsourcing

Inside

OCF Organization Boundary

Outside

Adapted from Srivastava, Teo and Mohapatra (2008)8

I

II

Onshore Outsourcing

Offshore Outsourcing

IV

III

Onshore Insourcing

Offshore Insourcing

Inside

Outside

OCF Country Boundary

8

Srivastava, S. T., Teo, S. H., and Mohapatra, P. S. 2008. Business Related Determinants of Offshoring Intensity, Information Resources Management Journal 21 (1): 44-58.

31