When considering outsourcing, due diligence is a critical first step. CPAs are responsible for protecting their clients’ data and need to ensure that any third party has appropriate security protocols and safeguards. This blog discusses some vital risk management considerations when outsourcing.
By Suzanne M. Holl, CPA
Outsourcing is a hot topic right now as CPAs struggle with staffing constraints. Among the challenges associated with attracting and retaining talent are staffing qualified professionals for complex engagements, employee burnout, unrealistic workloads, and limitations on the ability to maintain and foster high-touch client relationships.
To get work done efficiently and effectively with limited resources, more firms are considering outsourcing. Here are the two primary scenarios:
When considering outsourcing, due diligence is a critical first step. CPAs are responsible for protecting their clients’ data and, as such, need to ensure that a third party under consideration has appropriate security protocols and safeguards to protect confidential information against external and internal risks. As part of the due diligence process, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical, and network security measures to prevent breaches. This includes (but is not limited to) determining whether the safeguards are reasonable enough to prevent the potential misuse or unauthorized disclosure of confidential information, as required by data and privacy laws, professional standards, and your contractual terms. Any contractual agreement with a third party should contain written terms that explicitly confirm the responsibility of the outsource entity to maintain the security and confidentiality of client information.
Review proposed outsource agreements to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the expectations created before entering into the contract, and be willing to reject outsourcing options if unable to negotiate the terms and risk to your satisfaction.
Important risk management considerations for outsourcing options include the following:
Several government agencies have explicit requirements and prohibitions on outsourced work. Make sure you are in compliance.
The AICPA Code of Conduct (ET Sections 1.150, 1.300, and 1.700, et seq.) states that CPAs using third-party service providers must reach agreements with those providers containing contractual terms that ensure the confidentiality of their clients’ records. Further, AICPA ethics rules state that members are responsible for all work outsourced to third-party service providers. As part of the firm’s overall responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. As such, the firm is responsible for the accuracy and completeness of the services delivered.
With the IRS, under Internal Revenue Code (IRC) Section 7216 and Treas. Reg. Section 301.7216-3, tax return preparers must obtain written consents from taxpayers for the disclosure or use of their tax return information. It is important to note that the IRS has special rules for disclosing tax return information outside the United States under IRC Section 7216 and the regulations thereunder, which govern the disclosure of any income tax return information.
The IRS has FAQs on its website to help tax practitioners understand and apply Section 7216 and the regulations thereunder. Keep in mind IRC Section 7216 is a federal criminal provision. As such, if a firm is investigated by the IRS for failing to follow applicable Section 7216 disclosure and consent requirements, it will likely be considered a criminal matter. Therefore, it is extremely important to understand and address IRC Section 7216 implications when modifying the firm’s policies and procedures for outsourcing tax services.
Federal Trade Commission (FTC) and Gramm-Leach-Bliley Act (GLBA) rules require providers of financial services, or financial institutions (e.g., CPAs), to oversee third-party providers’ use of information and to ensure compliance with the GLBA. Under these rules, CPAs must oversee third-party providers:
State boards of accountancy also have a say in the matter. CPAs should consult their respective state boards to determine applicable client disclosure requirements. For example, some states (California, for example) may prohibit outsourcing without a client’s written permission and may require written disclosure and client permission when outsourcing is outside of the United States.
Firms may have nondisclosure/confidentiality agreements in place with existing clients that will need to be reviewed to ensure the firm does not breach any contractual terms of those agreements. Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., the Securities and Exchange Commission, the Department of Labor, etc.) with disclosure and consent guidance that should be reviewed for compliance.
There are various risk management resources available to guide you as you investigate the appropriate professional and regulatory requirements. Here are a few tips that CAMICO recommends:
Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues. She can be reached at sholl@camico.com.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.