By Suzanne M. Holl
Outsourcing is a popular topic right now for the profession as CPA firms struggle with staffing constraints. Current challenges associated with firms attracting and retaining talent are expansive and include issues like staffing qualified professionals for complex engagements, employee burnout, unrealistic and “heavy” workloads, and limitations on the ability to maintain and foster high-touch client relationships.
As firms evaluate options to get work done efficiently and effectively with limited resources, more firms are considering outsourcing.
Here are two primary outsourcing scenarios:
- Onshore outsourcing: Work is outsourced domestically to a third-party service provider and work is not disclosed in any manner outside U.S. borders.
- Offshore outsourcing: Work is outsourced to individuals or companies outside U.S. borders. This would include the use of an onshore company that utilizes offshore employees. Note: A firm may also choose to establish a firm office abroad in lieu of using a third-party service provider.
When considering the efficacy and viability of outsourcing, due diligence is a critical first step. Not all outsourcing entities are created equal. For example, CPAs are responsible for protecting their clients’ data and need to ensure that the third party has appropriate security protocols and safeguards in place (whether using remote or in-office personnel) to protect confidential information against external and internal risks.
As part of a firm’s due diligence process, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical and network security measures to prevent breaches. This includes (but is not limited to) determining whether the entity’s safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information (e.g., inappropriately accessing, using, downloading, printing, scanning, or copying client information), so that the firm complies with applicable data and privacy laws, professional standards, and its contractual terms. There should be explicit written terms in any contractual agreement with the third party that confirm the responsibility of the outsource entity to maintain the security and confidentiality of client information.
CAMICO strongly encourages CPAs to review proposed outsource agreements to understand the implications of the agreement’s legalese to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the agreement — and the expectations created — before signing the contract. Be willing to reject outsourcing options if you are unable to negotiate terms and mitigate risks to your satisfaction.
Risk management considerations
Firms should address these important risk management considerations when evaluating the viability of outsourcing options:
- Security issues: Consider the added security exposures associated with outsourcing and assess whether the firm’s existing infrastructure is sufficient or requires enhancement. Speak with your IT team and external IT consultants to ensure the firm has appropriate safeguards to minimize potential for added cyber risks/exposures.
- Compliance and regulation: Identify the rules and regulations applicable to your outsourcing option (offshoring or onshoring) given the anticipated services (e.g., tax, audit, CAS, etc.). This is a critical step to ensure the firm understands and is willing and able to meet the legal, professional and regulatory standards of the relationship.
- Client implications: Determine which clients will be affected and assess how they could react to such a relationship. Do potential reputational issues exist that need to be considered? Would the client be receptive to higher fees if they are unwilling to allow the firm to outsource?
- Processes: Identify processes, documentation, dependencies and training required to ensure a successful outsourcing solution.
- Insurance: Before entering into an outsourcing arrangement, contact CAMICO and your other applicable insurance carriers to assess potential coverage implications.
Rules and regulations
CPAs must consider certain rules and regulations when entering into certain arrangements.
AICPA Code of Conduct
To comply with AICPA rules (see ET sections 1.150, 1.300 and 1.700, et seq.), CPAs using third-party service providers should reach agreements with the providers containing contractual terms to ensure confidentiality of their clients’ records.
Further, AICPA ethics rules state members are responsible for all work outsourced to third-party service providers. As part of the firm’s overall responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. The firm is responsible for the accuracy and completeness of the services delivered by the providers.
IRS
In general, under Internal Revenue Code §7216 (IRC §7216) and Treas. Reg. section 301.7216-3, tax return preparers are required to obtain written consents from taxpayers for the disclosure or use of their tax return information.
It is important to note that the IRS has special rules for disclosing tax return information outside the United States under IRC §7216 and the regulations thereunder, which govern disclosures of any income tax return information.
The IRS has FAQs on its website to help tax practitioners understand and apply §7216. See irs.gov/tax-professionals/section-7216-frequently-asked-questions.
Keep in mind: IRC §7216 is a federal criminal provision. If a firm is investigated by the IRS for failing to follow applicable §7216 disclosure and consent requirements, it will likely be considered a criminal matter. Therefore, it is extremely important for a firm to understand and address IRC §7216 implications when modifying the firm’s policies and procedures for outsourcing tax services.
Federal Trade Commission (FTC) / Gramm Leach Bliley Act (GLBA)
FTC rules require providers of financial services or financial institutions (e.g., CPAs) to oversee third-party providers’ use of information and to ensure compliance with the GLBA. Under these rules, CPAs must oversee third-party providers by:
- Taking reasonable steps to select and retain providers that can maintain appropriate safeguards for individual client information.
- Having contractual agreements with providers mandating they implement and maintain appropriate safeguards.
State Boards of Accountancy
CPAs should consult with their respective state boards of accountancy to determine applicable client disclosure requirements. For example, there may be states (e.g., California) that prohibit outsourcing without the client’s written permission and require written disclosure and client permission when the outsourcing is outside the United States.
Other regulations
Firms may have in place non-disclosure/confidentiality agreements with existing clients that may need to be reviewed to ensure the firm does not breach any contractual terms of those agreements.
Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., SEC, DOL, etc.) that have disclosure and consent guidance that should be reviewed for compliance.
CAMICO has various risk management resources to guide you in your risk assessment as you investigate the appropriate professional and regulatory requirements. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at [email protected] or call the advice hotline at (800) 652-1772 and ask to speak with a loss prevention specialist.
Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO, the VSCPA’s preferred insurance provider. She leads the risk management function of CAMICO and provides advice and resources important to CPAs and to how they continue to practice.