Gelco, Concur Give SOX Aid

Gelco Information Network and Concur Technologies are taking the burden of Sarbanes-Oxley internal compliance attestation from clients by completing a Statement on Auditing Standards 70 Type II Report on their behalf.

Customers working toward compliance with the corporate governance law can attest to T&E expense auditing via the report completed by the vendors.

The Securities and Exchange Commission last June adopted the SAS 70 Type II report to clarify corporate compliance rules outlined by the law and "provide the professional standards and related performance guidance for independent auditors to attest to, and report on, management's assessment of the effectiveness of internal control over financial reporting under Section 404 of the Act," said SEC deputy secretary Margaret H. McFarland in a memo last year clarifying the standards.

Gelco said in a statement that the completion of the report "asserts the quality of the processes and controls built into Gelco's solutions" and "assures clients that transactions outsourced to Gelco are managed and reported appropriately."

Gelco vice president of marketing solutions Jeff Cronin said SEC is allowing vendors and business process outsourcers the ability to attest on behalf of their clients. "What they actually stated in their clarification was that a SAS 70 Type II from your service provider can replace your need to do audit and auditor attestation, which is one of the requirements of Sarbanes-Oxley," he said. "It means you don't have to have your auditors review this process any more. It not only saves customers now but also will save them money every year in which they have to file in relation to Sarbanes-Oxley."

Gelco said it is particularly well suited for the report's completion since it is a business services provider—often performing audits and other hands-on expense management functions—and not merely a software vendor.

"The SEC requires that you actually obtain a Type II from your service provider to eliminate the need to go through not just the document control process, but the tests that make sure your control processes are effective," Cronin said, adding that the attestation takes the responsibility away from corporate clients. "If you're a Gelco customer, your amount of Sarbanes-Oxley compliance work for expense management is getting the SAS 70 Type II report from Gelco and handing it to your auditor."

Concur Technologies also recently adopted the standards for its hosted expense offerings, yet the company's licensed product—which is owned and hosted by corporate customers—does not lend itself to such standards.

"With the rapid growth of the service bureau model—hosted application or outsourcing, essentially all three terms are synonymous—for expense reporting, the importance of tested controls becomes more important because the provider is hosting the system that enforces and reports on the client's travel policy," said Management Alternatives consultant John Ohaver.

"For the average client, SAS 70 Type II audit certification—versus Type I, which is the norm—is unimportant," he added. "A Type II audit, which includes a test of controls, is very important for those who outsource a service because SOX requires outsourced services to be just as compliant as those services performed in-house."

As such, Ohaver said vendor completion of the report is "nice to have in your hip pocket if your audit firm says it's needed," as it is unclear how harshly auditors will enforce Sarbanes-Oxley. "This audit certification probably is more important for expense management providers than any other segment of the business travel industry," he said.