CPA Now Blog

If Contemplating Outsourcing, Consider These Risk Management Tips

When considering outsourcing, due diligence is a critical first step. CPAs are responsible for protecting their clients’ data and need to ensure that any third party has appropriate security protocols and safeguards. This blog discusses some vital risk management considerations when outsourcing.

Nov 7, 2023, 23:24 PM

By Suzanne M. Holl, CPA


Outsourcing is a hot topic right now as CPAs struggle with staffing constraints. Among the challenges associated with attracting and retaining talent are staffing qualified professionals for complex engagements, employee burnout, unrealistic workloads, and limitations on the ability to maintain and foster high-touch client relationships.

To get work done efficiently and effectively with limited resources, more firms are considering outsourcing. Here are the two primary scenarios:

  • Onshore outsourcing: Work is outsourced domestically to a third-party service provider and work is not disclosed in any manner outside U.S. borders.
  • Offshore outsourcing: Work is outsourced to individuals or companies outside U.S. borders. This could include onshore companies that use offshore employees. A firm could also choose to establish an office abroad in lieu of using a third-party service provider.

When considering outsourcing, due diligence is a critical first step. CPAs are responsible for protecting their clients’ data, and, as such, need to ensure that a third party under consideration has appropriate security protocols and safeguards to protect confidential information against external and internal risks. As part of the due diligence process, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical, and network security measures to prevent breaches. This includes (but is not limited to) determining whether safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information to comply with data and privacy laws, professional standards, and your contractual terms. There should be written terms in any contractual agreement with a third party that explicitly confirm the responsibility of the outsource entity to maintain the security and confidentiality of client information.

Review proposed outsource agreements to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the expectations created before entering into the contract, and be willing to reject outsourcing options if unable to negotiate the terms and risk to your satisfaction.

Important risk management considerations for outsourcing options include the following:

  • Security issues: Consider the security exposures associated with outsourcing and assess whether the firm’s existing infrastructure is sufficient or requires enhancements. Speak with your IT team and external IT consultants to ensure the firm has appropriate safeguards to minimize the potential for added cyber risks/exposures related to this type of relationship.
  • Compliance and regulation: Identify the rules and regulations applicable to your outsourcing option (offshoring or onshoring) given the anticipated services (e.g., tax, audit, client accounting services, etc.). This is a critical step to ensure the firm is willing and able to meet the legal, professional, and regulatory standards of the relationship. (See Rules and Regulations CPAs Should Consider Regarding Outsourcing below.)
  • Client implications: Determine which clients will be affected and assess how they potentially could react to such a relationship. Do reputational issues exist that need to be considered? Would the client be receptive to higher fees if they are unwilling to have the firm outsource their work?
  • Processes: Identify the processes, documentation, dependencies, and training required to ensure a successful outsourcing solution.
  • Insurance: Before entering into an outsourcing arrangement, contact your insurance carrier to assess potential coverage implications.

Rules and Regulations CPAs Should Consider Regarding Outsourcing

Several government agencies have explicit requirements and prohibitions on outsourced work. Make sure you are in compliance.

The AICPA Code of Conduct (ET Sections 1.150, 1.300, and 1.700, et seq.) states that CPAs using third-party service providers reach agreements with the providers containing contractual terms ensuring the confidentiality of their clients’ records. Further, AICPA ethics rules state members are responsible for all work outsourced to third-party service providers. As part of the firm’s overall responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. As such, the firm is responsible for the accuracy and completeness of the services delivered.

With the IRS, under Internal Revenue Code (IRC) Section 7216 and Treas. Reg. Section 301.7216-3, tax return preparers must obtain written consents from taxpayers for the disclosure or use of their tax return information. It is important to note that the IRS has special rules for disclosing tax return information outside the United States under IRC Section 7216 and the regulations thereunder, which protect disclosures of any income tax return information.

The IRS has FAQs on its website to help tax practitioners understand and apply Section 7216 and the regulations thereunder. Keep in mind IRC Section 7216 is a federal criminal provision. As such, if a firm is investigated by the IRS for failing to follow applicable Section 7216 disclosure and consent requirements, it will likely be considered a criminal matter. Therefore, it is extremely important to understand and address IRC Section 7216 implications when modifying the firm’s policies and procedures for outsourcing tax services.

Federal Trade Commission (FTC) and Gramm-Leach-Bliley Act (GLBA) rules require providers of financial services, or financial institutions (e.g., CPAs), to oversee third-party providers’ use of information and to ensure compliance with the GLBA. Under these rules, CPAs must oversee third-party providers as follows:

  • Take reasonable steps to select and retain providers that can maintain appropriate safeguards for individual client information.
  • Have contractual agreements with providers mandating they implement and maintain appropriate safeguards.

State boards of accountancy also have a say in the matter. CPAs should consult their respective state boards to determine applicable client disclosure requirements. For example, there may be states (such as California) that prohibit outsourcing without a client’s written permission and that require written disclosure and client permission when outsourcing is outside of the United States.

Firms may have nondisclosure/confidentiality agreements in place with existing clients that will need to be reviewed to ensure the firm does not breach any contractual terms of those agreements. Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., the Securities and Exchange Commission, Department of Labor, etc.) that may have disclosure and consent guidance that should be reviewed for compliance.

Risk Management Tips

There are various risk management resources available to guide you as you investigate the appropriate professional and regulatory requirements. Here are a few tips that CAMICO recommends:

  • Stay current on the rules and risks associated with outsourcing.
  • Before signing an agreement/contract with a third-party service provider, ensure that your firm has considered, and provided for, potential liability risks. Make sure you understand and are willing and able to agree to the terms and conditions of any proposed contract. Specific attention should be given to the contractual details to ensure outsourcing relationships do not jeopardize the firm’s ability to meet and satisfy standards of care. Be sure any agreement does not violate any of your applicable insurance policies.
  • Engage experts (legal counsel, IT professionals, etc.) as needed to assist with due diligence. For example, consider consulting an attorney if you have questions regarding the efficacy and potential exposures to your firm of certain legal terms and conditions related to governing law, indemnification, and hold-harmless clauses before signing agreements containing such language. IT professionals may also be needed to appropriately address security measures and safeguards for the transmission of confidential client information.
  • Follow best practices regarding client disclosure and client consent requirements. CAMICO recommends that CPAs disclose to their clients the use of third-party service providers. This proactive approach clarifies the nature of contemplated services, corrects any false expectations clients may have about their confidential information remaining inside of their CPA’s offices, and helps forestall negative client reactions if there should be an issue with the outsourced services. If clients want to opt out, they should have an opportunity to do so. Better to be forthright with a client than later deal with an angry client. CPAs should include these disclosures regarding third-party service providers in their engagement letters. This approach may protect against, and help reduce, potential liability exposure should damages arise related to the use of a third-party provider.
  • Contact your liability insurer.

Outsourcing offers a world of possibilities, but also increases potential risks for CPAs. Tread carefully, arm yourself with knowledge, and comply with the professional and regulatory rules that govern such a relationship.

Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues. She can be reached at sholl@camico.com.



Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.


