How new measures safeguard cloud computing data
Cloud computing and the use of outsourcing are on the rise. What do practitioners need to do to ensure the security of clients’ data?
Luke Dodemaide | February 2021
For finance professionals managing sensitive data, the concept of the “cloud” can be uncomfortable.
Cloud computing allows a business to tap into external data resources that are not directly managed by the user and which are, in most cases, just as reliable, but far less tangible.
Professionally, the debate around cloud computing in accounting circles has largely centred on client confidentiality and whether data is potentially being put at risk of compromise for the sake of convenience.
In other words, is it a viable and responsible way to collect and store sensitive information?
The Accounting Professional and Ethical Standards Board (APESB) addressed anxieties about the technology four years ago after it identified substantial growth in tech-based business outsourcing services.
“The use of an outsourced service provider has the potential to impact primarily upon the fundamental principles of professional competence and due care and confidentiality,” says Clare Bannon, Senior Manager, Professional Standards at CPA Australia.
“With the increasing risks brought about by technological advancements and the stringent regulatory regime, there is a heightened risk of non-compliance,” Bannon says.
This formed the basis of recommendations put forward in 2017, which were an evolved version of 2007 and 2009 guidance notes.
Each time, the recommendations acknowledged cloud computing’s increased prominence.
In November last year, the APESB again sat to formalise how the accounting industry classifies cloud computing. It was intent on increasing transparency in the practice between finance professionals and their clients while at the same time safeguarding members from any blowback.
Changes to engagement terms
Accordingly, APESB revised APES 305: Terms of Engagement. The Tax Practitioners Board has also shown recent interest in outsourcing arrangements.
“Since the 2017 guidance note was originally developed, there have been technological developments and innovations that have contributed to outsourcing becoming more widespread in practices,” Bannon says.
“We are increasingly seeing more of our public practitioners using outsourcing practices.”
These outsourced services must also stand up in the face of unpredictable business environments. Unforeseen events defined 2020, forcing practitioners to ask an entirely new set of questions.
“In light of COVID as well, what kind of business continuity plans do they have in place to look at data loss and recovery issues?” Bannon asks.
Detailing outsourcing changes
A key element of the new requirements is that any outsourced services being utilised are clearly and concisely detailed to the client.
For the sake of total clarity, this now includes the geographic location where outsourced services will be performed, as well as their nature and how a client’s confidential information will be stored.
While this may not always determine the standard of the applicable software, the information ensures the client is kept abreast of exactly where their data is being stored.
More than ever, the onus is now on the accountant to deliver peace of mind to clients that outsourced facilities are reputable and reliable.
The essentials of vetting systems
One of the amendments puts significant emphasis on finance professionals vetting the systems they use, which is intended to protect the client and uphold confidence in accounting practices.
“One of the risks related to this is [also] the protection of intellectual property rights over some of the information and systems being used. So, this started to all come out as outsourcing services were beginning to be used more frequently,” says Bannon.
How it works for you
While the changes are undoubtedly a benefit to all clients, it cannot be overstated how important they could prove to CPA Australia members – especially when it comes to professional indemnity insurance (PII).
If data is compromised due to negligence by a third-party provider, it could result in confidential intellectual property being exposed or lost.
“[Members] need to look at their PII policies and ensure their cover includes outsourced services, particularly for outsourcing internationally,” Bannon warns.
“This is very important, as otherwise, they are opening themselves up to risk.”