A common sense approach to data security as applied to offshore accounting service
Filed in: Finance, accounting, services by admin on 07-15-10
One of the first things you hear about offshoring is that it would increase the potential for data theft. Let us assess this perception in a common sense way.
When we talk about any “increase” we have to say compared to what. In this case the CPA has to assess the data security for on-shore operations before he can assess the increased risk posed by offshoring.
What is the typical level of data security in a small business or a CPA office?
• Since there are few staff members, there is little separation of duties. Such lack of separation encourages internal security problems.
• The data resides in paper files. Paper files are vulnerable to fire and water damage.
• The office is not physically secure. Staff members, leasing office personnel, and janitors have keys to the office. Any of them can copy confidential data.
• Paper records are not shredded before being discarded.
• The computers have no protection from unauthorized users or have relatively weak password control. Often the password is taped to the workstation.
• Any email communication is done in the clear.
• Workstations have recording devices, which make it easy to copy data.
• Usually all workstations have email and internet access. This makes unauthorized transmission of data easy.
Let us look at how these factors change when accounting is sent offshore.
• Internal control improves because the people who are authorizing the transactions are separated from the people doing the record-keeping.
• All files are maintained electronically. Such data is backed up to an off-premises secure server. So threats from fire, water, and copying are significantly reduced.
• Offshore contractors restrict physical access to keep unauthorized people out.
• Workstations have access to only the data that is processed on that workstation.
• Email communications are encrypted.
• All recording devices on the workstations are disabled.
• Only supervisors have access to email and internet.
We believe that best security practices can be installed when the client, the CPA, and the offshore contractor work together.
The first line of responsibility lies with the client. Technical solutions are not enough. They must be combined with good practices in everyday management of the company.
The CPA should advise the client to implement the common sense measures advocated in this pamphlet.
The offshore contractor must apply the same real-world as well as technical solutions to security. The offshore contractor must consider the sensitivity of the data

