Outsourcing your financial tasks to a third-party provider can often yield the same or better results at a fraction of the cost. For modern accounting departments that might be experiencing a scarcity of talent and the need to do more with less, business process outsourcing allows them to repurpose their budgets to focus on value-added activities.
According to a survey by Deloitte, 59% of businesses say cutting costs was the impetus for outsourcing a portion of their operations. Another 57% say it allows them to focus on core business functions – likely the reason why most companies initially explore outsourcing with more transactional processes, such as payroll.
Although many companies are exploring the option of outsourcing their financial operations, it is natural to have concerns. Chief among those concerns are fears related to security and data privacy. Financial data is extremely sensitive and there are many high-profile examples of companies that have failed to safeguard their own information as well as that of their customers.
Regardless of whether you share information with a third-party provider, security should always be top of mind. Outsourcing providers tend to take that risk incredibly seriously because their reputations hinge on protecting client data. They also invest more resources in security and have stricter policies associated with how people use, store and maintain data. That does not preclude risks, though.
So what takes priority when deciding whether to outsource your financial operations to a third-party provider? Choosing the right partner is definitely your first line of defense against a data breach. Verify that your new provider offers the following protections to ensure data safety and integrity throughout your partnership – not just at the beginning.
Globally, businesses are expected to spend $75.2bn on outsourcing security in 2019. Likewise, your goal should be finding a provider with complementary processes, people and technology to protect your information from digital attacks. Pare down potential outsourcing partners to those employing a multilayer approach to cybersecurity, with protection spread across computers, networks and data.
You should also ask whether the provider schedules regular backups. Backups protect the outsourcing company from data loss caused by accidental deletion, system failures, data corruption and/or theft. Without them, you will have no means of recovering lost, damaged or compromised information.
Security training and awareness policies
Confirm whether the third-party provider requires its employees to attend cybersecurity awareness training. Such training ensures staff members can handle digital threats effectively and understand the business consequences.
Take time to verify the company's policies about social media, computer use and information security. One laptop is lost every 53 seconds, so you want a framework in place to protect devices, networks and sensitive information. Information security policies should outline how the company will preserve critical data and information-processing facilities.
Employee screening and access
Before hiring anyone in a sensitive role, companies will typically conduct background checks. The same should be true of any third-party providers. Ask about the thoroughness of a provider's hiring and verification process and ensure employment history and instances of legal action are both a part of their background checks.
Depending on the sensitivity of your outsourced processes, you may even be obligated to ensure that your outsourced employees pass sufficient background checks. For example, Focused Technologies Imaging Services was fined $3.1m for outsourcing a fingerprint records processing contract to a company in India that did not meet New York State's requirements for pre-employment screening.
You might also want to discuss access: the provider's employees should be given role-based access only. No one should have sole privileges to sensitive material. Throughout the contract, closely monitor and verify access rights at all times. Make sure you know your team and keep in frequent communication so you retain control of your data.
Leadership commitment and internal audits
Top management should offer a complete commitment to cybersecurity by providing all the necessary resources and support. My company, for example, has appointed a security leader at each site. Those security leaders report directly to their respective site heads, who monitor all security activities, protocols and cyberthreats.
You should also carry out internal audits which verify that the technology conforms to your requirements for management systems and organizational security. In 2014, three UK banks were fined $17.8m (£14m) each for IT failures caused by their third-party providers after customers were left without access to their banking services.
Audits also offer insight into the effectiveness of current processes, procedures and the maintenance of the system. Our company conducts vulnerability scans to evaluate weaknesses and implement controls on a regular basis.
International management systems like ISO 27001 provide guidelines for information security, including how to preserve the availability, confidentiality and integrity of critical and sensitive data and processing facilities. ISO 9001:2015, on the other hand, provides standards and guidelines for managing documented standard operating procedures. Ensure that your outsourcing provider is up-to-date on these certifications with plans to participate indefinitely.
Choosing to outsource low-impact financial tasks such as accounts payable/accounts receivable, transaction support and more is an excellent way to increase efficiency in corporate accounting. Vetting your outsourcing partner will ensure that your financial information stays safe and secure. By staying vigilant, choosing the best provider and safeguarding processes on the front end, you will be able to enjoy the benefits of outsourcing without any associated security fears.