Outsourcing Considerations

April 10, 2023

Take Heed of These Risk Management Considerations

By Suzanne M. Holl

The challenges associated with firms attracting and retaining talent are expansive and include issues such as staffing qualified professionals for complex engagements, employee burnout, unrealistic and “heavy” workloads, as well as limitations on the ability to maintain and foster high-touch client relationships. As firms evaluate options to get work done efficiently and effectively with limited resources, more firms are considering outsourcing.

There are two primary outsourcing scenarios:

Onshore: Work is outsourced domestically to a third-party service provider and work is not disclosed in any manner outside U.S. borders.
Offshore: Work is outsourced to individuals or companies outside U.S. borders. This includes the use of an onshore company that utilizes offshore employees.

Note: A firm may also choose to establish an office abroad in lieu of using a third-party service provider.

Due diligence is a critical first step when considering outsourcing, as not all outsourcing entities are created equal. For example, CPAs are responsible for protecting their clients’ data and, as such, must ensure the third party has appropriate security protocols and safeguards to protect confidential information.

As part of that due diligence, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical and network security to prevent breaches. This includes (but is not limited to) determining whether the entity’s safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information to comply with applicable data and privacy laws, professional standards and the firm’s contractual terms. There should be explicit written terms in any contractual agreement with the third party that confirms the responsibility of the outsource entity to maintain the security and confidentiality of client information.

CAMICO encourages CPAs to review proposed outsource agreements to understand the implications of the agreement’s legalese to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the agreement—and be willing to reject outsourcing options if unable to negotiate the terms and risk to your satisfaction.

Risk Management Considerations

Important risk management considerations firms should address include:

Security: Consider the added security exposures associated with outsourcing and whether the firm’s infrastructure is sufficient or requires enhancements. Speak with your IT team and external IT consultants to ensure the firm has appropriate safeguards to minimize potential for added cyber risks/exposures related to this type of relationship.
Compliance and regulation: Identify the rules and regulations applicable to your outsourcing option (offshoring or onshoring) given the anticipated services contemplated (e.g., tax, audit, CAS, etc.). This is a critical step to ensure the firm understands and is willing and able to meet the legal, professional and regulatory standards of the relationship.
Client implications: Determine which clients will be affected and how they will potentially react to such a relationship. Do potential reputational issues exist that need to be considered? Would the client be receptive to higher fees if they are unwilling to allow the firm to outsource?
Processes: Identify processes, documentation, dependencies and training required for a successful outsourcing solution.
Insurance: Before entering an outsourcing arrangement, contact CAMICO and your other applicable insurance carriers to assess potential coverage implications.

Rules and Regulations to Consider

AICPA Code of Conduct: With AICPA rules (see ET sections 1.150, 1.300 and 1.700, et seq.), CPAs using third-party service providers reach agreements with the providers containing contractual terms ensuring the confidentiality of their clients’ records. Further, AICPA ethics rules state members are responsible for all work outsourced to third-party service providers. As part of the firm’s responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. As such, the firm is responsible for the accuracy and completeness of the services delivered by the providers.

IRS: In general, Internal Revenue Code Sec. 7216 and Treas. Reg. section 301.7216-3 require tax return preparers to obtain written consents from taxpayers for the disclosure or use of their tax return information. The IRS has special rules for disclosing tax return information outside the United States under IRC 7216 and the regulations thereunder, which protect disclosures of any income tax return information. IRS FAQs to help tax practitioners understand and apply IRC 7216 and the regulations thereunder can be found on the IRS website. Keep in mind IRC 7216 is a federal criminal provision. As such, if a firm is investigated by the IRS for failing to follow applicable IRC 7216 disclosure and consent requirements, it will likely be considered a criminal matter. Therefore, it is important that a firm understands and addresses IRC 7216 implications when modifying the firm’s policies and procedures for outsourcing tax services.

Federal Trade Commission (FTC)/Gramm-Leach-Bliley Act (GLBA): FTC rules require providers of financial services or financial institutions (e.g., CPAs) to oversee third-party provider use of information and ensure compliance with the GLBA.
Under these rules, CPAs must:

Take reasonable steps to select and retain providers that can maintain appropriate safeguards for client information; and
Have contractual agreements with providers mandating they implement and maintain appropriate safeguards.

State Boards of Accountancy: CPAs should consult with their respective state boards of accountancy to determine applicable client disclosure requirements as there may be states (California, for example) that prohibit outsourcing without the client’s written permission and require written disclosure and client permission when the outsourcing is outside of the U.S.

Other: Firms may have executed non-disclosure/confidentiality agreements in place with existing clients that may need to be reviewed to ensure the firm does not breach any contractual terms of those agreements. Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., SEC, DOL, etc.) that may have disclosure and consent guidance that should be reviewed for compliance.

Risk Management Tips

Stay current on the rules and risks associated with outsourcing.
Before signing an agreement/contract with a third-party service provider, ensure your firm has considered and provided for potential liability risks. Specific attention should be given to the details to ensure outsourcing relationships do not jeopardize the firm’s ability to meet and satisfy standards of care.
Be sure your agreements do not violate any of your applicable insurance policies.
Engage experts (legal counsel, IT professionals, etc.) as needed to assist you with your due diligence efforts.
Follow best practices regarding client disclosure and client consent requirements.
CAMICO has long recommended CPAs disclose to clients the use of third-party service providers to clarify the nature of contemplated services; correct any false expectations clients may have about their confidential information remaining inside of their CPAs’ offices; and help forestall negative client reactions if there should be an issue with the outsourced services. CAMICO also recommends CPAs always include a disclosure regarding third-party service providers in their engagement letters, which protects against and helps reduce potential liability exposure should damages arise relating to a CPA’s use of a third-party provider.

CAMICO policyholders with questions regarding this or other risk management questions may contact the Loss Prevention department via email or call the advice hotline at (800) 652-1772.

Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO.