Special Section-Offshore BPO: With Reward Comes Risk

Managing Security and Compliance Risk in FAO

by David Rutchik, Dave Borowski

Finance and Accounting Outsourcing (FAO) provides both middle market buyers and large enterprises with an opportunity to gain tangible operational and financial benefits. These benefits cannot be achieved, however, without addressing equally tangible risks. Outsourcing risks, especially security and regulatory compliance risks, are crucial but often misunderstood factors in the success of any FAO engagement. Such considerations become increasingly important when an outsourcer provides finance and accounting services from an offshore location, because of the sensitivity of the information being handled and the implications of security breaches.

These issues and associated risks can constitute the difference between a successful FAO engagement and one that creates lingering issues that outweigh any outsourcing benefits. In addition to ensuring that the outsourcing provider is meeting the customer’s business requirements, companies should pay close attention to ensuring physical infrastructure security, discrete data control, and legal and regulatory compliance when selecting an FAO provider and constructing an FAO contract.

Physical Infrastructure Security
The physical infrastructure an FAO provider utilizes to provide support services is a key factor in ensuring secure outsourcing conditions. This includes managing risks associated with force majeure events (e.g., terrorist attacks, political/social unrest, natural disasters) or other more routine, but still disruptive, infrastructure considerations (e.g., power outages, unauthorized access, security breaches) that can result in damage to the building, IT assets, or other infrastructure elements. These physical infrastructure security concerns are heightened when the support services are being provided from emerging markets such as India, China, and various Eastern European or Latin American locations.

To mitigate force majeure risks and other interruptions, companies should require FAO providers to develop and provide appropriate, detailed disaster recovery and business continuity plans. Such plans should include physical, logical, technical, and organizational security measures to maintain necessary redundancy and ensure relocation options. These measures enable business process continuity without interruption outside of predetermined tolerances.

In addition, certain personnel-related and intellectual property (IP) risks are associated with the outsourcing provider’s physical infrastructure. To thwart the unauthorized removal of proprietary data from the workplace, enterprise customers should require FAO providers to:
• employ security personnel, utilize intrusion detection and alert systems, and enable a controlled work environment accessible through gates, locks, and/or codes;
• utilize dedicated project workspace that is physically segregated from other provider customers;
• ensure in writing that each assigned resource is aware of and complies with security and IP policies;
• obtain appropriate indemnities under the contract from the FAO provider parent company;
• prohibit personnel from bringing transportable storage devices (e.g., laptops, PDAs, cell phones, flash drives) into the workspace where customer support is being provided; and
• perform all enterprise work in a controlled, dedicated workplace (i.e., not remotely) unless prior written consent is given.

As an outsourcing customer, an enterprise engaging in FAO should retain the right to interview and approve resources prior to assignment; require the provider to conduct appropriate criminal, educational, and financial background checks on its staff; and certify the results of these checks. These safeguards limit the risk to the enterprise.

Keeping Data Safe
Data control and logical protections relate to the security of a customer’s (and in many cases the customer’s customers’) data, independent of any physical infrastructure breach. In an outsourced environment, the customer inherently gives up a certain element of control. However, when dealing with critical data and important intellectual property, a baseline amount of control and security, as well as the ability to audit and verify, must be maintained at all times. This includes managing risks of data or IP theft from hackers, insufficient intellectual property protection in the local laws where the services are performed, and the FAO provider outsourcing work to third parties who may not exercise the same levels of control and security.

Data encryption, complex and dynamic passwords, secure servers, and appropriate data back-up and purging procedures are essential to protecting against breaches. Likewise, isolating each enterprise customer’s data is key to limiting risk. FAO providers should establish and maintain secure, firewall-protected wide area and local area networks that are logically segregated specifically for the customer. This prevents proprietary data from being commingled with other provider customers’ data and prevents access by non-approved provider personnel or third parties.

As an outsourcing provider’s local laws may not be as protective as necessary, an enterprise customer should insist that the governing law of the contract be the law local to the customer rather than to the FAO provider. Independent of where the services are provided, customers can gain significant protection by utilizing an internationally accepted commercial standard, such as New York law, that affords greater data and IP protection than currently exists under many developing country laws.

FAO provider subcontractors bring another risk element into the outsourcing equation, and there are three ways to ensure customers are protected both operationally and contractually.

• Require notice and prior written approval before any subcontractor is permissible under the contract. This will ensure that no third parties handle data or otherwise provide services without the customer’s prior knowledge and consent.
• Require the FAO provider to maintain affirmative obligations and provide corresponding indemnities for all actions of any approved subcontractors. With these provisions, the FAO provider is responsible and liable in all cases, and will therefore pay extra attention to ensure that the subcontractor acts properly.
• Require audit rights to evaluate the manner in which any approved subcontractor is handling data and managing logical security.

Compliance

FAO providers must comply with laws and regulations in all countries involved in the outsourced activities, including the countries in which: (i) the customer is based, (ii) the customer’s customers reside, and (iii) the FAO services are performed. For each country involved, there are generally four categories of legal and regulatory compliance to consider: (i) financial and information systems audit requirements; (ii) confidentiality; (iii) export control regulations; and (iv) laws specific to local jurisdictions.

Systems Audits
For public, U.S. and foreign-owned companies under Securities and Exchange Commission jurisdiction, the Sarbanes-Oxley Act has become a driving force in determining financial and information systems requirements. This extends to all outsourced systems, so the stakes can be high. In addition, companies that are not public, but may want to go public in the future, typically want to be compliant with these requirements, including one stipulating that CEOs and CFOs certify financial filings and the effectiveness of internal controls over financial reporting. An effective way to address this requirement is to mandate that FAO providers undergo Statement on Auditing Standards No. 70 (SAS 70) examinations and produce reports under SAS 70. These reports can then be utilized as an indication of diligence and compliance.

Confidentiality
While all companies maintain confidentiality requirements, there are certain industries that must adhere to mandated standards and regulations. FAO providers must also adhere to these standards. For example, in the U.S., the Health Insurance Portability and Accountability Act (HIPAA) ensures the confidentiality, integrity, and availability of all electronic protected health information and protects against any privacy violations. FAO providers serving healthcare providers should be required to comply with all HIPAA requirements and to contractually certify that they have done so and will continue to do so going forward.

In addition, FAO companies in Europe must comply with European Data Protection Directive restrictions on the transfer of EU residents’ data to customers located in countries the EU has found to have inadequate privacy protection.

Export Control
U.S. companies providing technology or technical data that is “controlled” for export purposes must obtain export licenses from the appropriate governmental agencies. This requirement applies to outsourcing providers for these companies and is typically focused on sensitive government information and items relating to national security.

Local Jurisdictions
When outsourcing, a company must ensure that the work is performed in a manner that meets the legal and regulatory requirements of the various entities and jurisdictions involved. The magnitude of compliance risk may differ based on the location from which services are being provided; outsourcing to Canada requires different considerations than outsourcing to China. A company can manage the risk of complying with such laws by working closely with its legal team to understand the applicable rules, requiring the FAO provider to understand and comply with these requirements, and closely monitoring the provider’s actions.

The Bottom Line

Companies that are considering FAO, whether offshore or onshore, must build security considerations and risk assessments into each stage of the competitive sourcing process, as doing so is essential to delivering the necessary safeguards and protecting them throughout the outsourced relationship. Outsourcing finance and accounting functions does not mean outsourcing the associated security and regulatory compliance. In fact, outsourcing such functions may actually increase the effort related to ensuring security and regulatory compliance.

Fortunately, such considerations are critical to leading FAO providers, as well. It is reputation suicide for an outsourcing vendor to experience a security breach. Companies and their FAO providers must work together to mitigate security risks and manage regulatory considerations, and in so doing maximize the numerous benefits of Finance and Accounting Outsourcing.

David Rutchik is a partner and Dave Borowski is a senior associate at Pace Harmon, an advisory and management consulting firm.