Noraini binti Omar
INTRODUCTION
Outsourcing has become increasingly appealing in both accounting and non-accounting services in recent years. The availability of online services has enabled outsourcing services to provide more secure, efficient, user-friendly and cost-effective software (Daley, 2008). In the US, the number of degrees awarded to accounting majors in 1999 had decreased by 20% from 1996, and the cost of recruiting new accounting staff has also risen (Robertson et al, 2005). At the same time, the number of candidates sitting for CPA exams has been declining since 1993 (Robertson et al, 2005).
Due to this phenomenon, most US firms are becoming more interested in reducing their labor cost by outsourcing accounting services overseas. India is one of the most popular outsourcing destinations, given its number of reliable outsourced accounting service providers such as SurePrep and Xpitax. For example, SurePrep performed work for more than 150 US accounting firms in 2004 and in 2008 served more than one third of the top 100 US firms (Konrad, 2004; Daley, 2008).
On the other hand, the controversies surrounding offshore outsourcing services relate to concerns over the security of the confidential information that clients (the outsourcers hereafter) pass to the vendor (the outsourcing service provider hereafter). Most academic literature in this area has outlined the costs and benefits of offshore outsourcing, but the main interest of this paper is to investigate how security risk arises at each stage of the outsourcing process and what strategies are useful to mitigate the risk.
In the case of tax return preparation, which involves highly confidential information such as legal name, bank account number, and other personal information, India has one of the best security controls (Daley, 2008). For example, SurePrep prohibits bags and briefcases in its facilities, allows no printers or removable storage, and restricts internet access strictly to internal sites and tax research (Konrad, 2004). These are the kinds of security that a client should look for to address its data security and privacy concerns. Some critics argue that offshore outsourcing services can still expose clients’ information to identity theft (Scott, 2008). It is impossible for all electronic transmission of data to be completely secured. Therefore, the need to tighten security control over the outsourcing process has resulted in more specific regulation to alleviate public concern.
A few studies have developed a framework of strategies to mitigate the transaction cost economies and to alleviate the risk of losing data security (Sahney & Syu, 2005). To contribute to the existing literature, this paper explores the risk of losing data security during the outsourcing process and some effective strategies that could reduce the concerns of potential and existing clients.
The study in this empirical paper is guided by the following research question:
· What are the security risks involved in offshore outsourcing services, and how can these risks be minimized?
Unlike other outsourcing services such as information technology (IT), software development projects, R&D projects, and manufacturing projects, accounting services involve a large amount of financial, accounting and personal data that might expose the client’s business to a threat. While some companies are concerned about intellectual property (IP) when outsourcing their R&D or manufacturing division to offshore providers, other companies run the risk of losing their business if their accounting division does not operate fully as expected. For example, if a vendor mistakenly arranges the company’s payroll system, the client’s business may face a big problem in paying its employees. Thus, a good system should ensure that all data transferred is protected from miscalculation, inaccuracy, incompleteness and exploitation.
Security risk in offshore outsourcing is also associated with the violation of intellectual property and the loss of confidential information, as vendors have the right to access their client’s business information (Patterson, 2006 as cited in Raisinghani et al, 2008). There are a few types of security: physical security, personnel security and electronic security (Alexander, 2009; Muragalla, 2009; Vashistha, 2006). The higher the security risk, the less likely clients are to use the vendor’s services; it is therefore important to reassure the client that the vendor has reasonable and sufficient security in its systems to protect the client’s confidential information.
From the perspective of the vendors, most major Indian outsourcing companies have secured ISO 27001 certification, which involves strict information security policies and other security controls in their organization (www.outsourcesportfolio.com, pg 7, March 2000). SANS (SysAdmin, Audit, Network, Security) is another source of information about security policies and guidelines. These can enhance the credibility of the vendor and improve the trust between clients and service providers. In the next section, the transaction cost economies theory is discussed in detail to describe how the choice between in-house provision and outsourcing is made.
THEORETICAL FRAMEWORK
The transaction cost economies theory is used in this study to describe the optimal choice between market and in-house production based on the tradeoffs of production and transition cost (Williamson, 1975, 1986; Nicholson, Jones & Espenlaub, 2004). Transaction cost theory has often been used in examining outsourcing situations (Aubert et al, 1998; Lacity & Hirschheim, 1993; Lacity & Willcocks, 1995; Wanf, 2002; Nicholson et al, 2004), and it allows the identification of transaction costs and an understanding of the strategies used to mitigate them. Outsourcing has been referred to as the “delegation of activities that are normally, but not always, performed in-house to an outside supplier” by Nicholson et al (2004). A company may outsource the services from the start without first conducting the in-house production.
The transaction cost economies arise from the production and transition costs. Due to market imperfections (perfect information, homogenous product), the possibility of market failure gives rise to the cost of coordinating and controlling the external market (Nicholson et al, 2004). These costs include all search and information costs, monitoring costs, and costs associated with economic exchange that vary regardless of the market price of the goods and services (Williamson, 1986).
If the extent of market failure is extreme, in-house provision can provide a more cost-efficient service than market transaction. Unless the external suppliers are able to exploit economies of scale and scope, market transaction would result in a lower production cost. When the aggregate of transaction costs incurred exceeds the aggregate production cost savings, the activity is better organized internally than outsourced (Nicholson et al, 2004). The management decision to choose between in-house provision and outsourcing is also termed the choice of ‘governance structure’ or the ‘make-or-buy’ decision (Nicholson et al, 2004).
There are three attributes of a transaction: asset specificity, frequency of transactions and uncertainty (Nicholson et al, 2004). Asset specificity refers to the extent to which the supplier or the buyer invests in assets that are relationship-specific and have no salvage value outside the specific exchange relation. The party who commits assets is vulnerable to opportunistic behavior (Globerman & Vining, 2004; Ulset, 1996). Regardless of the prices agreed at the contracting stage, the other party may renegotiate and offer lower prices that only cover incremental cost (Pirron, 1993; Globerman & Vining, 2004). In the case of security risk, a company may have to spend money at the contract stage on reviewing the security of the vendor. This may include an inspection of the vendor’s site, hiring a lawyer to ensure that the law imposed on the contract is legally enforceable, and bearing the cost of losing data security and privacy to a competitor in case of a loophole in the security and a misjudgment of employee integrity. Therefore, the next section discusses the specific drivers that motivate a firm to outsource its accounting and business functions to an offshore vendor and how the benefits can be offset by the costs associated with the process.
The Cost and Benefits of Offshore Accounting Outsourcing
A good understanding of the potential benefits and costs of outsourcing and their specific drivers can prepare clients for the possible problems that they may encounter in the outsourcing process. This section outlines several benefits and costs that can be derived from offshore accounting outsourcing. The benefits include competitive advantage, more job opportunities in developing countries and strategic management, whereas the costs include transaction costs, job losses in developed countries, communication and culture gaps, and loss of data protection and security.
Competitive advantage is the primary driver of outsourcing, as firms are able to take advantage of the lower cost of labor in developing countries such as India, China, the Philippines, Hungary and several Latin American countries. Vendors in the developing countries may cost at least one third or less than domestic vendors and in-house operations (McLaughlin, 2003). Daley (2008) found that firms who have been able to cut costs and increase the number of their staff are less concerned about most issues such as privacy and client relationships. At the same time, companies can allow their existing staff to concentrate on other aspects of the business to generate more income (Daley, 2008). In this way, firms are able to meet customers’ demand without the need to hire new staff or make any new financial investment (Barkley; Wilson, 2006). Tax return preparation, for example, has only one end product regardless of where and by whom it is prepared (Daley, 2008). Therefore, this allows firms such as Accenture Ltd, Datamatics Technologies Ltd, Outsourcing Partners International (OPI), SurePrep and Xpitax to offer timely services that enable firms to reduce their cost without compromising on control and quality (Daley, 2008). Another example is an airline that outsources its accounts payable auditing offshore to India: because of the lower labor rates, it can recover $75 million in delinquent accounts that would cost even more to recover if the work were done domestically (Farrell, 2004 as cited in Daley, 2008).
As more and more accounting and finance firms outsource their tax returns to offshore service providers, more jobs are created in developing countries. During 2005, Ernst & Young (E&Y) outsourced 15,000 tax returns abroad (Daley, 2008), and KPMG has six offices providing tax and consulting services for 2,000 companies in India (Daley, 2008). At the time of writing, Daley (2008) found that PricewaterhouseCoopers, LLP does not outsource US returns and has no plan to outsource (Konrad, 2004).
For strategic purposes, management may use outsourcing to spur innovation and to develop new products and new markets (Carmel & Agarwal, 2002). According to Agarwal & Carmel (2002), the focus of most US companies on cutting labor cost can actually result in cheaper products and services and in reduced inflation. Globalization creates the urge to meet cost challenges in order to provide a higher return to shareholders. Schroeder & Aeppel (2003) found that two thirds of the economic benefits from sending jobs offshore flow back to the US economy in the form of lower prices and expanding overseas markets for U.S. products.
Based on the transaction cost economies theory, if the transaction cost involved in the outsourcing process exceeds the cost of in-house production, the expected savings from outsourcing may not be achieved. However, this claim is not well supported by some academic papers. Many studies have found that the cost of labor can be reduced to a very significant degree by offshore outsourcing, due to the lower cost of labor (Daley, 2008).
The trend towards offshore outsourcing has exposed the domestic labor market in developed countries such as the U.S. to unemployment. Recently, IBM has been blamed by Americans for firing hundreds of thousands of its workers, the exact number of which has not been revealed to the public (Smith, 2009). Meanwhile, top management was rewarded: the chairman and CEO, Sam Palmisano, received nearly $21 million in salary, performance-based bonus, stock options and perks for his efforts (figures as reported to the U.S. Securities and Exchange Commission) (Smith, 2009). IBM’s income in 2008 was $12.3 billion, which is higher than the prior year’s $10.4 billion. Morello (2003) mentioned three areas of concern in offshore outsourcing: the loss of future talent in domestic IT, the loss of intellectual assets, and the loss of organizational performance, which is weakened by the loss of trust in the relationship between employees and employer. Thus, the loss of IT jobs among domestic IBM workers is a critical issue faced by developed countries. On the other hand, the proponents of outsourcing believe that the cost savings achieved by multinational companies can actually create more jobs through innovation and new product development.
Despite the criticism that outsourcing creates many job losses in the U.S., there are some views that the trend will change for the better. A study by the Information Technology Association of America (ITAA) found that the outsourcing trend leads to lower inflation, creates more jobs and boosts productivity (MSN Money, 2009). It is expected that the savings from the labor cost-cutting strategy will allow companies to sell cheaper goods, build facilities and concentrate on research and development.
What is less known to the public is that outsourcing is still experimental and may not work for some industries (Butler, 2005). For example, call center services in Asia have been a failure due to several complaints about the indecipherable accents of the Indian staff and their generic answers to technical questions (Butler, 2005). This makes some clients resent service calls answered by people overseas.
Outsourcing services can expose clients to the risk of losing their privacy if there is a loophole in the security system imposed by the vendors. There are many cases involving stolen identity; for instance, in April 2005, 16 Indian Citibank employees were arrested in a case involving four New York Citibank account holders, with damages totaling $350,000 (Frauenheim, 2005). In another case, in September 2005, 250 Intel workers in India were fired due to false expense claims (John, 2005).
Identity theft is a main concern of many people in the US and other developed countries, where credit card fraud usually involves the outsourcing of banking systems to outsiders (Scott, 2007 as cited in Daley, 2008). Thus, security is one of the important mechanisms to attract clients to vendors and to ensure a reliable and trustworthy agreement between the client and the vendor. In the next section, this paper discusses the security risk involved at every stage and what strategies can be taken to reduce the risks.
The Security Risk
Despite the number of benefits of offshore outsourcing, there are numerous risks associated with each stage of the outsourcing process that may outweigh the benefits. Once a risk has been identified, it is easier to find a possible mitigating mechanism to increase the probability of a successful offshore outsourcing decision. According to Nooteboom (1992, 1993), a transaction can be divided into three stages: contact, contract and control. The client and the vendor face different problems and costs at each stage. This section highlights the transaction costs that arise from offshore outsourcing and focuses on how the client may lose confidential information and data security at each stage.
As for the types of security risk, Muragalla (2009) classifies security concerns into eight main components: business continuity and disaster recovery, intellectual property rights (IPR), customer privacy, information protection, personnel security, physical security, insurance coverage and network security. During the selection of service providers, it is worth analyzing the potential impacts of disaster and the existence of a recovery plan. An appropriate protection agreement should be evaluated and tested for compliance before any contract is signed (Willoughby 2003 as in Muragalla, 2009).
In terms of physical security, the security guards must ensure that no employee takes home any trace of information belonging to the clients of the vendor. Employees must be clean and trustworthy, with no criminal record that could threaten the company’s confidential information.
Electronic data protection may cover the software applications, the network, an updated firewall, protection against malware and other support systems that can affect data electronically. Hardware and system malfunction, human error, software program malfunction, viruses and natural disasters are among the major threats that could affect a company’s data (Vashistha, 2006 as in Muragalla, 2009). Personnel security also includes the installation of video surveillance, employee background checks and a good infrastructure, through which the risk of losing security and confidential information to physical theft can be reduced.
Another concern is the protection of intellectual property, which includes patents, certificates for computer enter license or franchise agreement. This area of concern usually affects software development outsourcing and the manufacturing industry. However, the strategies to manage the risk are no different from those in other industries: a proper agreement, an understanding of intellectual property law and copyright issues, and a time delay before employees may join a competitor after leaving the vendor organization can all help to secure the IP of the outsourcers.
The Stages of Outsourcing Process
According to Nooteboom (1992, 1993) in Nicholson et al (2008), a transaction can be divided into three stages: contact, contract and control. The client and the vendor face different problems and costs at each stage. This section highlights the transaction costs that arise from offshore outsourcing and focuses on how the client may lose confidential information and data security at each stage.
Contact Stage
At the contact or selection stage, the client may incur costs in searching for the right vendor: one that can be trusted, provides reasonable data protection and suits its needs. The vendors, in turn, spend time and money on advertising to market their services and their capability to handle clients’ needs (Nicholson et al, 2004). One example is the use of the CMMI model, which certifies the competency of the outsourcing provider in its ability to secure the client’s privacy and confidential information.
Direct search costs may include gathering references for potential outsourcing providers, employing consultants to locate, vet and certify vendors, and site visit costs such as travel and the opportunity cost of managerial work (Nicholson et al, 2004). Meanwhile, outsourcing providers promote their services through promotional materials and impressive-looking websites that can mislead management decisions (Woods et al. 2001). The limited number of suitable and qualified vendors makes the process even more difficult and costly. For example, providers of lower value-added services such as payroll processing may be plentiful, but providers of higher value-added services such as management accounting and financial reporting may be relatively few (Nicholson et al, 2004).
Outside certification is one of the solutions for enhancing the credibility and image of vendors and convincing their clients of the effectiveness of their security precautions. In order to build trust and to lower the level of perceived risk, vendors obtain certifications such as ISO 9000, which focuses on quality management, but fewer have addressed ISO 2002, which focuses on security precautions. Carnegie Mellon Software Engineering Institute’s Capability Maturity Models (CMM) products provide a structured process for software development, and companies certified in one of the CMM products must include security as an integral part of their software process (Sahney & Syu, 2005). According to Sand Hill Group (2003), “All Indian firms are CMM Level 5, whereas most software companies are Level 2”. Thus, CMM-certified firms can differentiate themselves from other offshore outsourcing providers and gain more client trust through the better security put in place.
Contract Stage
The preparation of an agreement involves legal costs and the need to understand the differences in the laws and culture of both parties. It is important to identify all the possible problems that may be encountered during execution (Nicholson et al, 2004). Although security guidelines may have been outlined in the contract, compliance needs to be monitored properly with the support of the offshore provider (Koch, 2009). Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company, mentioned that less than 20% of his clients audit the security of their vendors; the rest just accept the security plan developed by the vendor (Koch, 2009).
The vice president of corporate security of Sony Electronics, Ken Whitely, is cited in Koch (2009) as saying that most U.S.-based companies underestimate risks such as poor infrastructure, political instability and legal differences that are not in line with western practices. Even though laws have been passed to prohibit interference with computer source code and hacking, developing countries still lag behind western countries in terms of data protection and intellectual property rights.
Control Stage
After the contract has been executed, clients need to monitor the working progress of the vendor, settle disputes that may arise, and deal with renegotiation, which may involve opportunism and bargaining costs, and with litigation. Koch (2005) describes what it means to be an employee of Tata Consultancy Services (TCS), an Indian IT services provider, working for a big American insurance company. Their bags are searched every time they come to work, and mobile phones must be handed to the security guard during office hours. All trace papers are shredded each night, and no copying or moving of files is allowed on the work screen. The phone provided can only call the insurance company’s help desk, and the computer and CD-ROM are locked to each employee. Anyone who brings home a copy of the insurance company’s confidential business process manual will be fired. This is an example of a rigid control process which may cause disruption to the vendor itself but is a good way of reducing security risk.
The Mitigating Strategies
According to Sahney and Syu (2005), by developing a long-term relationship, the client and the outsourcing service provider may both derive benefits beyond the explicit contractual agreement. Nevertheless, the client and the vendor will each have a different focus in their strategies to achieve a successful offshore outsourcing service that satisfies both parties. Based on the framework on the Intellectual Property Strategy of Firms suggested by Marv Adams, CIO of Ford Motor Company, there are five areas of concern: information classification, financial control, organizational design, contractual relationship and an ethical hacking group (Sahney & Syu, 2005). To comprehend the issue of security risk, some other strategies are adopted here to add to the existing framework. These strategies are classified by the appropriate stage of outsourcing to ensure that the risks are mitigated at the right time.
Contact Stage
As stated in Muragalla (2009), according to Kelly Kavanagh, a senior analyst at Gartner, an understanding of the security and privacy risks of a business process, application and technology at the early stage of the outsourcing process is the key to a successful and secure outsourcing agreement (Conn, 2004). Thus, the correct classification of information, an audit of security procedures, an inspection of physical security, the identification of access and authorization, and a due diligence assignment can assist in understanding the risk associated with the outsourcing before a contract is signed.
One of the most critical keys to avoiding loss of data security is to avoid sending sensitive data offshore in the first place (Sahney & Syu, 2005). Adopting an information security classification similar to that of national governments, such as confidential, secret and top secret, is a good thing to consider. In the case of accounting services, the security number of the taxpayers and their tax account number can be sealed to avoid the possibility of identity theft. By correctly classifying sensitive and non-sensitive data, it becomes much easier to assign security protection (Sahney & Syu, 2005). Moreover, the cost of restricting information to the public can be lowered.
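One way to apply the classification approach described above before a file leaves the client, shown as an added Python example (not taken from the paper or from Sahney & Syu): fields classified above the vendor's clearance are replaced with keyed tokens, and a check confirms that no sealed value remains in the outbound payload. The field names, the classification map, the UNCLASSIFIED tier and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0   # assumed lowest tier, not named in the text
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Hypothetical classification of tax-return fields (assumption).
FIELD_LEVELS = {
    "return_id": Level.UNCLASSIFIED,
    "tax_year": Level.UNCLASSIFIED,
    "wages": Level.CONFIDENTIAL,
    "legal_name": Level.SECRET,
    "ssn": Level.TOP_SECRET,
    "bank_account": Level.TOP_SECRET,
}

# Constructed sample record; "notes" is deliberately left unclassified.
SAMPLE_RECORD = {
    "return_id": "R-0001",
    "tax_year": 2008,
    "wages": 52000,
    "legal_name": "Jane Q. Sample",
    "ssn": "000-12-3456",
    "bank_account": "XX00-TEST-0000-1234",
    "notes": "constructed free-text field",
}


def level_of(field):
    # Fail closed: a field nobody classified is treated as most sensitive.
    return FIELD_LEVELS.get(field, Level.TOP_SECRET)


def seal(field, value, key):
    """Replace a value with a keyed token. A plain hash would not do: a
    taxpayer number has so few possible values that an unkeyed digest can
    be reversed by trying them all. The key never leaves the client."""
    msg = f"{field}\x00{value}".encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def prepare_for_vendor(record, key, vendor_clearance):
    """Return (outbound, vault): outbound goes offshore, vault stays onshore."""
    outbound, vault = {}, {}
    for field, value in record.items():
        if level_of(field) <= vendor_clearance:
            outbound[field] = value
        else:
            token = seal(field, value, key)
            outbound[field] = token
            vault[token] = value
    return outbound, vault


def find_leaks(record, outbound, vendor_clearance):
    """Fields above the vendor's clearance whose cleartext still appears
    anywhere in the serialized outbound payload."""
    wire = json.dumps(outbound)
    return [f for f, v in record.items()
            if level_of(f) > vendor_clearance and str(v) in wire]


def restore(returned, vault):
    """Onshore step: swap tokens back for the sealed values."""
    return {f: vault.get(v, v) if isinstance(v, str) else v
            for f, v in returned.items()}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder, not a real secret
    out, vault = prepare_for_vendor(SAMPLE_RECORD, demo_key, Level.CONFIDENTIAL)
    print(json.dumps(out, indent=2))
    print("leaks:", find_leaks(SAMPLE_RECORD, out, Level.CONFIDENTIAL))
```

Because the tokens are deterministic per key, the vendor can still match the same taxpayer across documents without ever holding the underlying number.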
The physical, electronic, personnel and legal security should be thoroughly checked to ensure that vendors do not just give a good impression based on their security procedures. The building used must have reliable power supplies, earthquake resistance, alarms, a fire alert system and a backup facility in case anything goes wrong (Koch, 2009). Employees should not be allowed to share space with employees who work on a different customer’s account, to avoid the exchange of private information about those customers (Koch, 2009). Video surveillance and pass-card entry can ensure that only authorized people can access a particular building and network. All removable storage devices, such as mobile phones, pagers and PDAs, should be banned from the workplace (Koch, 2009).
In order for companies to benefit from the labor cost savings of offshore outsourcing, proper financial control must be put in place (Sahney & Syu, 2005). The costs and benefits must be quantified and assessed to ensure that companies do receive the benefits of outsourcing after costs are considered. Cost allocation methods, such as the assignment of overhead expenses, must be reconsidered in outsourced projects (Sahney & Syu, 2005).
A due diligence assignment for selecting the appropriate vendor can cost some money. However, it is worthwhile for companies that decide to outsource offshore to do the extra work of understanding the local reputation of the vendor by hiring security consultants (Koch, 2009). Some companies may go further by hiring a lawyer in the outsourcing destination to understand its data protection and intellectual property laws. They can also check whether the provisions in the contract are legally enforceable.
There are many areas to look at in electronic data protection, such as software applications, the network, and protection against viruses, malware and hackers, in order to avoid the loss of data and of clients’ confidential information and the disruption of ordinary operations. In wireless security, the two main forms of protection are authentication and encryption (Gruman, 2008). If these devices are not fully protected, passwords may be intercepted during transmission, which can expose the data to hackers if the data is lost or stolen. Thus, encryption at rest and during transmission, and authentication of the authorized user, are important to electronic security (Gruman, 2008). According to Maiwald, this includes SSL or other forms of encryption for email and server access, and a VPN as a more secure connection tunnel when users access corporate files from a public wireless hotspot (Gruman, 2008).
As the offshore vendor operates through a network of systems, the network should be properly maintained and updated (Muragalla, 2009). A routine network security assessment includes risk assessment, implementation of security action plans and evaluation of network security products (Vashistha, 2006 as in Muragalla, 2009). Data should not be stored on desktops but rather on the client server, either onsite or offshore (Vashistha, 2006). Most importantly, the vendor should replicate the virus management process used at the client location to ensure standardization of virus or worm detection (Vashistha, 2006).
Backups of data are critical to ensure that clients’ work is done by the pre-specified time and to avoid gathering the original data again and again in case of loss or disaster (Muragalla, 2009). A full backup should be done at a specific interval, such as once a month or every six months, alongside daily backups (Vashistha, 2006). Each backup must have a unique identification number and be stored as an archive outside the working location of the vendor (Vashistha, 2006).
During the contract stage, when the client does an onsite inspection of the vendor’s facilities and equipment, the security system also needs careful examination to ensure that the correct systems are already in place. If there are security issues of concern to the potential client, they can suggest a procedure during the contract stage. If the cost of implementing additional security procedures becomes a problem for the vendor, the client can change to another vendor or bear the cost of the security system needed.
There are two types of physical security: personnel and assets. Based on Vashistha (2006), the following are the best practices for effective physical security (Muragalla, 2009).
· For personnel security, access to secured systems should be limited to authorized personnel only.
· Security guards must be on duty at all times.
· Proper authentication, such as a photo ID card or password, is established.
· Entry to and exit from the building on each floor is controlled by a central computer.
· Visitors must register, sign in and obtain a temporary badge and, if possible, be escorted by an authorized employee.
· Each employee has restricted access, to their work area only.
· All critical facilities are secured with electronic lock devices.
· No printouts, photocopies, computer media or computing devices can enter or leave the floor without authorization.
· All housekeeping staff must be under the direct supervision of their supervisor according to their shifts.
· Fire alarms, electronic-grade firefighting equipment and emergency procedures must be installed and maintained.
All these procedures are recommended as best practices; a vendor may implement multiple levels of physical access control and other security measures as deemed necessary.
Contract Stage
Previously we discussed information classification, where sensitive data should not be sent offshore if the main concern is the confidentiality of information. However, in some cases, highly integrated firms can develop their own office overseas rather than outsourcing. This can reduce the future organizational costs of coordination (Sahney & Syu, 2005). In Malaysia, for example, companies such as Microsoft, Oracle, Sun Microsystems, IBM and Intel have set up their operations as an outsourcing base location. Koch (2009) found that some experts still think that it is safer to hire the company’s own employees offshore than to trust outsiders.
Other than that, a good infrastructure adopted by the vendor in its systems can ease the flow of data transfer. If an appropriate mechanism is used to send documentation electronically, fully protected from viruses, then the clients’ data can be more secure. The latest 1040 workpaper software is one example: it can scan, organize, and populate tax software with numbers. Providers of similar software include SurePrep’s 1040Scan, CCH’s ProSystem fx Scan, Copanion’s GruntWorx, ATX/TaxWise Scan & Fill, and GoFileRoom TaxSort (Johnston, 2008). It is important to plan before the decision to use such software is made, in terms of training, review procedures, accuracy of data, a high-quality scanner and other hardware and software to support the new systems. Electronic workpaper products that convert paper documents to a dynamic electronic source can provide a more efficient alternative to Adobe Acrobat (Johnston, 2008). These products allow easy bookmarking, referencing and annotation of source documents, tracking of the status of tax returns, sharing and distribution of workload, and access to workpapers from any location. In addition, they can reduce staff workload by saving time, and therefore improve services to clients and provide a paperless workplace.
At the stage of writing and signing a contract, companies need to be very
careful, especially about the inclusion of termination clauses and the validity
of any implicit assumptions (Sahney & Syu, 2005). The client must understand
the differences in trade secret and non-disclosure laws in offshore services.
The liabilities held by each party must be explicitly described to avoid future
disagreement in case of any legal action in court. If the outsourcing services
involve highly regulated industries such as US government contracts or the
medical or pharmaceutical industry, the contract must be examined in detail. To
ensure that clients can lower their security risk, contracts should spell out
how their computer networks are to be used and how much IT infrastructure will
be specifically designed for the outsourcing work. Periodic security audits and
background checks on the vendor's employees should also be undertaken (Koch,
2009).
To ensure a fair deal, a company must plan for contingency issues after its
contracts end (Murugalla, 2009). Failure to do this can threaten the company's
success in the future. Consider the case of the software company SolidWorks,
where a programmer in India stole the entire source code of SolidWorks' CAD
system in 2001 and took it to the company's competitor, Geometric Software
Solutions Ltd (GSSL) (www.csoonline.com, Garfinkel, 2004). The employee had
been fired due to poor performance before he sold the SolidWorks 2001 Plus
source code for millions of dollars. Unfortunately, in India this theft of
secrets was not a crime at that time, and thus the employee, Shekar Verma, was
only charged with simple theft, and no action was taken against him because he
was no longer an employee of SolidWorks (Garfinkel, 2004).
Thus, it is important to ensure that a company protects its source code and
makes it more anonymous so as to obscure the personal information of its
clients. In addition, the law firms in both the home country and the
outsourcing country must be legally enforceable to avoid an unfair deal in the
contract (Garfinkel, 2004).
It is wise to set out in a written contract how to recover the loss of
electronic information and equipment, apart from the standard insurance cover
on physical assets like buildings, equipment and personnel (Vashistha, 2006 in
Murugalla, 2009). One company that provides cyber liability coverage for cyber
crime such as hacking and website damage is Hiscox, which was launched on
August 13, 1999 (The Risks of Offshore E-Commerce). Another company named
SafeOnLine also provides the same services, ranging from protection of credit
card purchases to cyber crime (The Risks of Offshore E-Commerce). The insurance
can thus protect the clients and also the vendor as part of a disaster plan to
recover the cost of losing data in case it happens.
Control Stage
In order to reduce the risk of losing data security in offshore outsourcing
services, the AICPA Code of Professional Conduct has set a new standard which
all AICPA members should follow. Under Rule 301, Confidential Client
Information, a member is required to obtain client consent prior to disclosing
confidential client information to a third party service provider. The member
should also enter into a contractual agreement with the third party service
provider to maintain the confidentiality of the information and be reasonably
assured that appropriate procedures are in place to prevent the unauthorized
release of client information (Daley, 2008). Internal Revenue Service (IRS)
code section §301.7216-3(b)(4) prohibits the disclosure of a taxpayer's social
security number to a third party tax return preparer located outside the U.S.
Sahney and Syu (2005) suggest that an outsourcing firm should consider
establishing a separate group responsible for "ethical hacking". This only
becomes clearer once the other strategies have been formed, such as information
classification, financial controls, organizational design and contractual
relationships. Periodic auditing, which includes onsite inspections, is
conducted to monitor the suppliers of onshore and offshore accounting services.
For instance, companies may employ "white hat" hackers to test network security
(M. Adams, class lecture April 21, 2004 in Sahney & Syu, 2005). All the costs
associated with strategies to mitigate data security risk should therefore be
considered in the outsourcing decision.
After the due diligence process at the contact stage, in which all the security
procedures outlined by a vendor are checked, and the careful design of the
security system in the contract stage, a review of how it is implemented during
the process is also essential (Vashistha, 2006; Murugalla, 2009). Not only
should the client visit the location where the work takes place, but they
should also send an investigator to check whether the vendor's operation
follows its manual procedures as closely as possible. A security audit can test
whether the system is working effectively to avoid any loss of the client's
privacy and confidential information. Some companies employ "white hat" hackers
to test network security (Sahney & Syu, 2005).
CONCLUSION
In summary, this paper provides a conceptual framework on how to mitigate
security risk in offshore accounting outsourcing at each stage of the
outsourcing process. The popularity of offshore outsourcing has raised great
concern among IT workers and accountants in the domestic markets of developed
countries like the US, UK, and Australia. Despite claims of high job losses
among large multinational companies like IBM and Dell, the proponents of
outsourcing believe that the economic benefits of outsourcing will flow back to
the home country.
In addition, the costs and benefits associated with offshore outsourcing are
discussed in great detail to give a better understanding of the considerations
being made. Transaction cost economics theory is used as the basis for
understanding whether or not to use offshore outsourcing services, by analyzing
the costs involved in the transition process, including vendor selection,
contract preparation, monitoring and settling disputes between the client and
vendor.
Security risk can be categorized into physical, electronic and legal risk,
where each risk shall be assessed in order to implement a better strategy to
mitigate it. During the contact stage, the due diligence process shall include
a thorough investigation of the vendor's background and how the services are
actually performed; the exact building used shall be known. On the client's
side, the information sent offshore should be classified so that the most
sensitive information, which involves the privacy of the client's customers, is
not sent overseas. In the contract, the client shall not just accept whatever
security policies have been outlined by the vendor, but should verify whether
the policies are properly enforced in the system. At the control stage, a
security audit can be conducted to ensure that the security system can really
protect the company's confidential information.
Physical security may include denying any removable storage, such as hand
phones, access to the workplace, proper authorization of individuals to access
the network and computer system, and destroying all scribbles on trace paper
that may run the risk of taking private information to the outside world. In
terms of electronic security, the data shall be protected by efficient and
up-to-date technology that can block malware and viruses. Files and data must
also not be easily corrupted or copied in any other form, which is achieved by
installing a program that is trusted and reliable. The legal environment of the
vendor's business must be able to protect not only the vendor but also the
clients in case of a breach of contract or disputes between both parties.
REFERENCES
Alexander, P. (2009) “Offshore outsourcing: A look at the security risks”, 17 Oct 2007, SearchCIO.com. Retrieved from http://searchcio.techtarget.com/news/column/0,294698,sid182_gci1277474,00.html.
Barkley, M. (2007). Meet deadlines and Earn Profit Via Tax Preparation Outsourcing. Ezine@rticles.com. Integrated Financial Resources LLC. 21 Nov. 2007. http://ezinearticles.com/?Meet-Deadlines-and-outsourcing&id=235473
Bulkeley, W. M. “New IBM Jobs Can Mean Fewer Jobs Elsewhere”, The Wall Street Journal Online, March 8, 2004. Retrieved on Dec 21, 2009 from http://ibmemployee.com.
Butler, D. L. (2004) “Bottom-line Call Center Management: Creating a Culture of Accountability and Excellent Customer Service”, Elsevier Butterworth-Heinemann: UK, ISBN: 0-7506-7684-1.
Bruman, G. May 04 2008. Wireless Security: The Basics. www.csoonline.com
Conn, Stamford. 2004. Gartner says Enterprises Must Evaluate the Security Risks Involved in Outsourcing Deals Before Signing an Agreement. Media Relations. May 10. http://www.gartner.com/press_releases/asset_72107_11.html
Daley, R. (2008) “The Accounting industry in the Age of Globalization and Offshore Outsourcing”, Honours Projects in Economics, Bryant University, paper posted at DigitalCommons@Bryant University.
Farrell, D., 2004. Beyond offshoring: assessing your company’s global potential. Harvard Business Review, December, 1–11.
Fitzgerald, M. (Nov 1, 2003) Offshore Outsourcing: Big Savings, Big Risk. http://www.csoonline.com/article/218680
Globerman, S. & Vining, A. R. (2004) “The Outsourcing Decision: A strategic framework”, Working paper, Western Washington University, Washington.
Gonzalez, R., Gasco, J. & Llopis, J. (2006) “Information Systems Offshore Outsourcing: A descriptive analysis”, Industrial Management & Data System, Vol. 106 (9), pp. 233-1243.
Gucwa, S. (2003) “Vendors and External Outsource Providers: How safe is your company confidential data?”, SANS Institute.
Jager, C., Vos, S., Borgers, M., Harmsen, F., Brinkkemper, S. & Wijngaert, L. (2008) “Controlling Risk Prior to Offshore Application Development”, Technical Report UU-CS-2008-009, www.cs.uu.nl. Utrecht University.
Koch, C. (2005, May 01). “Offshore Outsourcing: Don’t forget IT security”. Retrieved from http://www.csoonline.com/article/220330/Offshore_Outsourcing_Don_t_Forget_IT_Security on 31 Dec 2009.
Kshetri, N., 2007. Institutional factors affecting offshore business process and information
lename=html/Output/Published/EmeraldFullTextArticle/Pdf/0291050501.pdf
Lum, M. (April, 2004), “Offshore Outsourcing and Information Confidentiality: Foreign Practices and US Laws: Trends, Incidents and Possible Solutions”, SANS Institute InfoSec Reading Room.
McGee, R. W. (2005), “Ethical Issues in Outsourcing Accounting and Tax Services”, Paper presented at the 17th Annual Meeting of the International Academy of Business Disciplines, Pittsburgh, PA, April 7-10.
McLaughlin, L. An eye on India: Outsourcing debates continues. IEEE Software 20, 3 (May/June 2003), pp. 114-117.
MSN Money staff and news service, “Outsourcing actually creates U.S. job”, http://www.sureprep.com, retrieved on Dec 21, 2009.
Muragalla, K. (May, 2009) “Evolution of Outsourcing and Mitigating Risks”, University of Denver University College, Capstone Project.
Nicholson, B., Jones, J. & Espenslaub, S. (2004) “Strategies for mitigating transaction costs: the case of offshore accounting services”, Paper accepted for presentation at the Fourth Asia Pacific Interdisciplinary Research in Accounting Conference.
Nooteboom, B. (1992) Information technology, transaction costs, and the decisions to make or buy. Technology Analysis and Strategic Management 4(4), pp. 339-350.
Nooteboom, B. (1993) Firm size effects on transaction costs, Small Business Economics, 5, pp. 283-295.
Patterson, D. A. (2006). Offshoring: Finally fact vs. folklore. Communications of the ACM. 49 (2), pp. 41-49.
Pfannenstein, L. L. & Tsai, R. J. (2004) “Offshore Outsourcing: Current and Future Effects on American IT industry”, www.ism-journal.com.
Raisinghani, M. S., Starr, B., Hickerson, B., Morrison, M. & Howard, M. (2008), “Information Technology/Systems Offshore Outsourcing: Key Risks and Success factors”. Journal of Information Technology Research, 1(1), pp. 72-92.
Ray, G. & Neck, P. A. (2007) “Finance and Accounting Outsourcing - The Next logical Step for small business”, Review of International Comparative Management, Vol. 8.
Sahney, M. & Syu, E. (2005) “Data Security in Offshore Outsourcing”, Intellectual Property Rights and Privacy Concerns, 15.967 paper.
Scott, R. (2007, November). Home for the Tax Days. Accounting Technology. Boston. 23(10): 16-22.
Shao, B. B. M. & David, J. S. (2007) “The Impact of Offshore Outsourcing on IT workers in Developed Countries”, Communications of the ACM, February, Vol. 50 (2).
Smith, C. “IBM Layoffs and Compensation Raise Disturbing Question About Corporate Ethics”, http://www.mcpressonline.com, 4th April, 2009. Retrieved on Dec 21, 2009.
Tafti, H.A. Mohammed. 2005. Risks factors associated with offshore IT technology outsourcing. Journal of International Management 13 (1), 38-56.
Traylor, P.S. (2003) “Outsourcing”, CFO Magazine Inc, November, 17.
The Risks of Offshore E-Commerce - How to Insure Them. Retrieved on 6th January 2010 at http://www.escapeartist.com/Offshore/Articles/Offshore_Ecommerce2/
Vashistha, Atul, Avinash Vashistha. 2006. The Offshore Nation: Strategies for success in Global Outsourcing and Offshoring. New York: McGraw-Hill.
Williamson, O. (1975) “Markets and Hierarchies”, New York: Free Press.
Williamson, O. (1986) “Markets, Hierarchies and the Modern Corporation: An unfolding perspective”, Journal of Behavior and Organisation, Vol. 17, pp. 335-352.
Wilson, H. (2006, June 30), Tax return Outsourcing for delivering Quality Service to customers, Express Press Release. Integrated Financial Resources LLC. 20 Aug. 2007.
Wood, D., Barrar, P., Jones, J. & O’Sullivan, K. (2001) “Finance Function Outsourcing in SMEs”, Research Monograph, the Institute of Chartered Accountants in England & Wales.
Nice post. Outsourcing has really come a long way in the last 4-5 yrs. Moreover, it is very cost efficient and it also helps to improve client relationships.