Rulemaking Comments Submitted by Bierce & Kenerson, P.C. to the SEC on Outsourcing under Sarbanes-Oxley.

Subject: File No. S7-32-04

From: William B. Bierce

September 7, 2004

Jonathan G. Katz, Secretary
U.S. Securities and Exchange Commission
450 Fifth Street N.W.
Washington , D.C. 20549-0609

Re: File Number S7-32-04 (http://www.sec.gov/rules/proposed/s73204.shtml)

FILED ELECTRONICALLY (rule-comments@sec.gov)

Dear Mr. Katz:

Bierce & Kenerson, P.C. is a New York City-based law firm that provides legal advice in structuring, negotiating, implementing and re-negotiating outsourcing contracts for administrative and management support services in information technology, human resources and other business processes.  To some extent, such outsourced business services support the operations of virtually all accelerated filers, affected by the proposed rule, as well as virtually all other reporting companies.

I am writing to:

• support adoption of the proposed rule as a final rule for the extension of time for accelerated filers to meet their compliance deadlines under Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act"); 
   

• urge favorable consideration of further delaying of Section 404 implementation to the extent necessary to enable reporting companies generally to adopt and "road test" effective controls under existing outsourcing service agreements; and  
  

• recommend an administrative interpretation of the word "adequate" as "sufficient to disclose all material information" or otherwise conform to existing investor-protection standards of materiality applicable for disclosure purposes.

Section 404 contains a statutory mandate for management to compile "an internal control report."  This periodic report has two functions, namely, to:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." 

This statutory mandate is vague.  Whether an "internal control structure" and "procedures" will meet the undefined tests of being "adequate" or "effective" is a matter of judgment under all the circumstances.   Compliance will require the exercise of such judgment, initially by management, then by auditors, and eventually by courts.   One can anticipate a need for eventual judicial resolution of class action shareholder lawsuits under Rule 10b-5 and prosecutions of enterprises under the proposed Federal Sentencing Guidelines that consider it an aggravating factor not to have effective audit and compliance programs in place.  In the absence of administrative interpretation of vague law, enforcement of such vague statutory standards should be adopted only after a reasonable and fair time for establishment of "recommended practices" after appropriate analytical assessment and the exercise of judgment. 

Once a reporting company has decided upon its own internal control structure, the "procedures" for financial reporting may involve the company's entire supply chain of suppliers and customers.   The Act does not expressly impose a full set of "internal control structure and procedures" on all suppliers, for example.  Nonetheless, prudent reporting companies, under advice of counsel and auditors, are taking steps such that "adequate" "internal" controls are extended to all suppliers, particularly in the context of outsourcing. 

For reporting companies that are recipients of outsourced business services, compliance with Section 404 requires those reporting companies (who have not done so) to redefine their relationships with their service providers so as to ensure that the service providers will be part of the desired auditable transparency in corporate operations.  To a certain extent, the necessary controls will depend on the development, testing and implementation of new software and new internal procedures and relationship governance structures under existing outsourcing contracts.  Such technologies are still in development.  More time is needed for implementation.

Even with a three-year implementation plan for the "internal control report," any rush to implement a criminal and civil fraud statute that is based on the vague language of "adequate" and "effective" controls and procedures can only engender unnecessary disputes.  When launched to define judicially what the legislators and administrators have failed to define, such disputes will serve neither the investor nor the reporting company.  

Any such unnecessary disputes will also increase the cost of doing business with outsourcing service providers.   As a consequence, without administrative interpretation and more time, reporting companies might be deprived of certain opportunities for obtaining the many benefits from outsourcing.  Such benefits for reporting companies (and indirectly their investors) include an increased management focus on core business, conversion of fixed expenses to variable expenses, new variability in unit pricing of predictable services, economies of scale and avoidance of capital investment in rapidly changing technologies.     

Accordingly, the additional time is necessary because the applicable controls and audit requirements affect not only the affected reporting companies, but all suppliers of business process services.   Such suppliers need additional time to integrate their processes with emerging policies and procedures of reporting companies.  More time is needed to implement "digital dashboards" that reporting companies are now developing or beginning to license.   This time will greatly improve the quality of business processes that are being audited, the quality of the reporting, the integration of outsourced and insourced services across supply chains and ultimately investor protection.

Very truly yours,

William B. Bierce
wbierce@biercekenerson.com
Tel: 212.840.0080