Risk Management Considerations for Firms Contemplating Outsourcing
February 13, 2023
By Suzanne M. Holl
Outsourcing is a hot topic right now for the profession as CPA firms struggle with staffing constraints. Current challenges associated with firms attracting and retaining talent are expansive and include issues such as staffing qualified professionals for complex engagements, employee burnout, unrealistic and “heavy” workloads, as well as limitations on the ability to maintain and foster high-touch client relationships.
As firms evaluate options to get work done efficiently and effectively with limited resources, more firms are considering outsourcing.
There are two primary outsourcing scenarios:
- Onshore outsourcing: Work is outsourced domestically to a third-party service provider and work is not disclosed in any manner outside U.S. borders.
- Offshore outsourcing: Work is outsourced to individuals or companies outside U.S. borders. This would include the use of an onshore company that utilizes offshore employees. Note: a firm may also choose to establish a firm office abroad in lieu of using a third-party service provider.
When considering the efficacy and viability of outsourcing, due diligence is a critical first step. Not all outsourcing entities are created equal. For example, CPAs are responsible for protecting their clients' data and, as such, need to ensure that the third party has appropriate security protocols and safeguards in place (whether using remote or in-office personnel) to protect confidential information against external and internal risks. As part of a firm's due diligence process, firms need to assess the adequacy and reasonableness of the entity's administrative, physical and network security measures to prevent breaches. This includes (but is not limited to) determining whether the entity's safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information (e.g., inappropriately accessing, using, downloading, printing, scanning, or copying client information) and to comply with applicable data and privacy laws, professional standards, and your contractual terms. There should be explicit written terms in any contractual agreement with the third party that confirm the responsibility of the outsource entity to maintain the security and confidentiality of client information.
CAMICO strongly encourages CPAs to review proposed outsource agreements to understand the implications of the agreement's legalese, in order to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the agreement — and the expectations created — before entering into the contract. Be willing to reject outsourcing options if unable to negotiate the terms and risk to your satisfaction.
Important risk management considerations firms should address when evaluating the viability of outsourcing options include:
- Security issues: Consider the added security exposures associated with outsourcing and assess whether the firm's existing infrastructure is sufficient or requires enhancements. Speak with your IT team and external IT consultants to ensure the firm has appropriate safeguards to minimize potential for added cyber risks/exposures related to this type of relationship.
- Compliance and regulation: Identify the rules and regulations applicable to your outsourcing option (offshoring or onshoring) given the anticipated services contemplated (e.g., tax, audit, CAS, etc.). This is a critical step to ensure the firm understands and is willing and able to meet the legal, professional, and regulatory standards of the relationship. Refer below to: What rules and regulations should CPAs consider regarding outsourcing arrangements?
- Client implications: Determine which clients will be affected and assess how they will potentially react to such a relationship. Do potential reputational issues exist that need to be considered? Would the client be receptive to higher fees if they are unwilling to allow the firm to outsource?
- Processes: Identify processes, documentation, dependencies, and training required to ensure a successful outsourcing solution.
- Insurance: Before entering into an outsourcing arrangement, contact CAMICO and your other applicable insurance carriers to assess potential coverage implications.
What rules and regulations should CPAs consider regarding outsourcing arrangements?
- AICPA Code of Conduct
To comply with AICPA rules (see ET sections 1.150, 1.300 and 1.700, et seq.), CPAs using third-party service providers must reach agreements with the providers that contain contractual terms ensuring the confidentiality of their clients' records.
Further, AICPA ethics rules state members are responsible for all work outsourced to third-party service providers. As part of the firm's overall responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. As such, the firm is responsible for the accuracy and completeness of the services delivered by the providers.
- IRS
In general, Internal Revenue Code §7216 (“IRC §7216”) and Treas. Reg. §301.7216-3 require tax return preparers to obtain written consent from taxpayers before disclosing or using their tax return information.
It is important to note that the IRS has special rules, under IRC §7216 and the regulations thereunder, for disclosing tax return information outside the United States; those rules cover disclosures of any income tax return information.
The IRS has FAQs on its website to help tax practitioners understand and apply §7216 and the regulations thereunder (https://www.irs.gov/tax-professionals/section-7216-frequently-asked-questions).
Keep in mind that IRC §7216 is a federal criminal provision. If the IRS investigates a firm for failing to follow the applicable §7216 disclosure and consent requirements, the matter will likely be treated as a criminal one. It is therefore extremely important that a firm understand and address IRC §7216 implications when modifying its policies and procedures for outsourcing tax services.
- Federal Trade Commission (FTC)/Gramm Leach Bliley Act (GLBA)
FTC rules require providers of financial services, or financial institutions (which include CPAs), to oversee third-party providers' use of information and to ensure compliance with the GLBA. Under these rules, CPAs must oversee third-party providers by:
- Taking reasonable steps to select and retain providers that can maintain appropriate safeguards for individual client information; and
- Having contractual agreements with providers that require them to implement and maintain appropriate safeguards.
- State Boards of Accountancy
CPAs should consult their respective state boards of accountancy to determine the applicable client disclosure requirements. Some states (California, for example) prohibit outsourcing without the client's written permission and require written disclosure and client permission when the outsourcing is outside of the U.S.
- Other
Firms may have executed non-disclosure/confidentiality agreements in place with existing clients that may need to be reviewed to ensure the firm does not breach any contractual terms of those agreements.
Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., SEC, DOL, etc.) that may have disclosure and consent guidance that should be reviewed for compliance.
Frequently asked questions from CAMICO's hotlines:
Question: Our firm understands that the IRS has stringent requirements for disclosure and consent when offshoring tax preparation work for individual 1040 filers, but our firm is considering offshoring tax preparation work for non-1040 filers to another country. What are the client disclosure/consent requirements under applicable IRS requirements?
Answer: According to Treas. Reg. § 301.7216-3(a)(3)(iii), “…a consent to disclose or use tax return information with respect to a taxpayer not filing a return in the Form 1040 series may be in any format, including an engagement letter to a client, as long as the consent complies with the requirements of § 301.7216-3(a)(3)(i).” Please note that the engagement letter must be signed for the consent to be valid.
Here is a link to the §7216 FAQs on the IRS website: https://www.irs.gov/tax-professionals/section-7216-frequently-asked-questions. FAQs 14 and 15 state:
Question: What are the special rules for disclosing tax return information outside the United States?
Answer: Disclosing tax return information to another tax return preparer that is assisting in the preparation of the return or providing auxiliary services in connection with preparing the return generally does not require the consent of the taxpayer. However, if the other tax return preparer is located outside the United States or any territory or possession of the United States, the taxpayer must agree and sign a form consenting to the disclosure. See Revenue Procedure 2013-14, section 5.04(e) for specific language that must be included in the consent form. If the tax return information to be disclosed includes social security numbers, see Q15.
Question: What are the special rules for disclosing social security numbers outside the United States?
Answer: Generally, tax return preparers may not obtain consents to disclose social security numbers to tax return preparers located outside the United States or any territory or possession of the United States. If social security numbers are included in documents for which the tax return preparer has obtained the consent of the taxpayer to disclose, the tax return preparer must redact or mask any social security number before disclosing the tax return information to a return preparer outside the United States. There is an exception. Social security numbers may be disclosed to tax return preparers located outside the United States if taxpayer consent is obtained and both the sending and receiving tax return preparers maintain adequate data protection safeguards defined in Revenue Procedure 2013-14, section 5.07. See also Revenue Procedure 2013-14, section 5.04(e)(ii) for specific language that must be included in the consent form.
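The redact-or-mask step in Q15 is the one part of the offshore rule that a firm's IT staff can enforce mechanically on outbound files rather than by policy alone. The following is an added example, not code from CAMICO or the IRS, of a pre-transmission masking filter in Python. The sample working-paper text, the regular expressions and the function names are constructed for illustration. The filter masks formatted SSNs (NNN-NN-NNNN) and unformatted nine-digit SSNs that carry an "SSN" label, deliberately leaves EINs and account numbers alone, and exposes a gate function that a transfer job can call to refuse any file in which an SSN pattern survives. Whether masking to the last four digits (the `keep_last4` option) satisfies Rev. Proc. 2013-14 is a legal question the code does not answer; the default is full masking.

```python
import re

# Constructed sample of tax-return working-paper text (not real data).
SAMPLE_TEXT = """Taxpayer: Jane Q. Doe  SSN: 123-45-6789
Spouse SSN 987654321 (unformatted in source system)
Employer EIN: 12-3456789  Account no. 4000123456789
Dependent SSN: 111-22-3333"""

# SSN written as NNN-NN-NNNN. The word boundaries stop the pattern from
# matching inside a longer digit run such as an account number.
SSN_FORMATTED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# A bare nine-digit run is ambiguous (EINs and account numbers are also
# nine or more digits), so an unformatted SSN is only masked when it is
# labeled as one. Case-insensitive.
SSN_LABELED_RAW = re.compile(
    r"(?i)(SSN|social security (?:number|no\.?))\s*:?\s*(\d{3})(\d{2})(\d{4})\b"
)


def mask_ssns(text, keep_last4=False):
    """Return (masked_text, number_of_ssns_masked).

    keep_last4=True leaves the serial group visible (XXX-XX-6789); the
    default replaces every digit. The formatted and labeled patterns cannot
    both match the same SSN, so the count is exact.
    """
    count = 0

    def masked(serial):
        nonlocal count
        count += 1
        return "XXX-XX-" + (serial if keep_last4 else "XXXX")

    def repl_formatted(m):
        return masked(m.group(3))

    def repl_labeled(m):
        # Keep the label, normalize the masked value to dashed form.
        return m.group(1) + " " + masked(m.group(4))

    out = SSN_LABELED_RAW.sub(repl_labeled, text)
    out = SSN_FORMATTED.sub(repl_formatted, out)
    return out, count


def assert_no_ssn(text):
    """Outbound gate: raise if any SSN pattern is still present.

    A transfer job calls this on the masked text before sending it to a
    preparer outside the U.S.; masking and checking are separate steps so
    the check also catches documents that skipped masking entirely.
    """
    if SSN_FORMATTED.search(text) or SSN_LABELED_RAW.search(text):
        raise ValueError("SSN present in outbound document")
    return True


if __name__ == "__main__":
    masked, n = mask_ssns(SAMPLE_TEXT)
    print(f"masked {n} SSN(s):\n{masked}")
    assert_no_ssn(masked)
    try:
        assert_no_ssn(SAMPLE_TEXT)  # the unmasked original is refused
    except ValueError as e:
        print("gate:", e)
```

The labeled-only rule for unformatted numbers is a deliberate trade-off: it avoids mangling EINs, and it means a nine-digit SSN with no label will pass through, so the gate is a backstop for a reviewed process, not a substitute for knowing which fields in the source system hold SSNs.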
Question: Our firm is considering offshoring non-tax work (bookkeeping, audit services, etc.) to another country. Since IRS rules don't apply, is our firm required to disclose the relationship to clients and obtain written consent for releasing confidential client information outside of the U.S.?
Answer: At a minimum the firm will need to comply with the professional and regulatory standards (e.g., AICPA, state boards of accountancy, Securities and Exchange Commission (SEC), Government Accountability Office (GAO), etc.) that may apply when confidential information is sent outside of the U.S. From a risk management best practice perspective, CAMICO strongly encourages firms to be transparent and obtain written client consent for all engagements when outsourcing out of the U.S., even if not required. We believe this “defensive documentation” is an important risk mitigation step to minimize the potential liability risks associated with clients who may later allege that they were harmed by not being fully informed of the nature of the disclosures of confidential client information to third parties outside of the U.S.
Question: Our firm is considering leasing A&A staff from a leasing agency located offshore. The agency's contract details a non-disclosure agreement with the talent, but they will not provide us a copy of that agreement. Should we have this person sign something on our end?
Answer: Yes, CAMICO recommends obtaining written assurances from the leased employee assisting you with your engagements that they, and any other contractors they work with, will adhere to the AICPA's Confidential Client Information Rule.
Question: We have an employee in our tax department who is temporarily relocating out of the country to help care for an elderly parent and they would like to continue to work for our firm during this period. Should we have the employee sign and acknowledge an agreement that they will limit their access to only those clients who have specifically consented to allow the employee access to work on their tax returns while located out of the country, or do we need to bifurcate our tax file server to limit the employee's access so as not to violate §7216 and the interpretations provided by the IRS of §7216?
Answer: CAMICO's guidance is limited in this situation, as we are not able to authoritatively opine on what the IRS would deem as “disclosure,” nor what would be considered by the IRS as sufficient safeguards for this specific fact pattern.
Under the IRS's FAQs, Q6 broadly defines disclosure as the “act of making tax return information known” to “any person” in “any manner whatsoever.” In this fact pattern, even if the employee (the “any person”) has agreed in writing to open only the files they have been assigned, the IRS may, in an investigation, read “in any manner whatsoever” broadly enough that the employee's ability to access the entire tax file system is itself a “disclosure.”
Given the IRS's broad definition of what constitutes a disclosure, and the potential exposure to criminal penalties, CAMICO strongly encourages firms, out of an abundance of caution, to bifurcate their tax file server so that only the clients who have in fact consented to the disclosure are reachable from outside the country. Firms that prefer a different approach in these situations, such as having the employee sign an acknowledgement that they will access only a specific list of clients on the firm's tax file server, should seek the services of an attorney who represents tax practitioners, particularly before the Office of Professional Responsibility, to give perspective and opine on whether such an approach satisfies IRC §7216 requirements.
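The difference between the two approaches above is, in security terms, the difference between a separate share that physically contains only consented clients' folders and a rule that an account located abroad may open only those folders. The following is an added example in Python, not code from CAMICO or the IRS, that models both: `build_offshore_share` lists the client folders a bifurcated share would hold, and `authorize` is the allowlist rule, written so that path tricks such as `..` cannot reach a non-consented client. The consent registry, the account flag, the paths and the function names are hypothetical. On a real file server the rule would be enforced by share and directory permissions, not by a script; the code shows what those permissions must express and why the path must be canonicalized before the client folder is read off it. It says nothing about whether either approach satisfies §7216, which is the legal question the answer above leaves to counsel.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed consent registry: client id -> has the client signed a valid
# §7216 consent to disclosure outside the U.S.? (hypothetical data)
CONSENT = {"C1001": True, "C1002": False, "C1003": True}

# Accounts flagged as working from outside the U.S. (hypothetical attribute
# that identity management would set for the relocated employee).
OFFSHORE_ACCOUNTS = {"jdoe"}

# Full tax file server and the segregated share a bifurcation would create.
TAX_ROOT = PurePosixPath("/srv/tax")
OFFSHORE_ROOT = PurePosixPath("/srv/tax-offshore")


def canonical(path):
    """Collapse '.' and '..' without touching the filesystem.

    Authorization must be decided on the canonical path; otherwise
    /srv/tax/C1003/../C1002/x would be judged as client C1003.
    """
    return PurePosixPath(posixpath.normpath(str(path)))


def client_of(path, root=TAX_ROOT):
    """Return the client id if path lies under root/<client>/..., else None."""
    try:
        rel = canonical(path).relative_to(root)
    except ValueError:          # not under root at all
        return None
    if not rel.parts:           # the root itself, no client folder
        return None
    return rel.parts[0]


def authorize(account, path):
    """Allowlist rule for the non-bifurcated approach.

    Returns (allowed, reason). Onshore accounts are left to the firm's
    normal ACLs; an offshore account is confined to consented clients.
    """
    if account not in OFFSHORE_ACCOUNTS:
        return True, "onshore account; normal ACLs apply"
    client = client_of(path)
    if client is None:
        return False, "path is outside the tax root"
    if not CONSENT.get(client, False):
        return False, f"client {client} has not consented to offshore disclosure"
    return True, f"client {client} consented"


def build_offshore_share(consent=CONSENT):
    """Bifurcation: the client folders that belong on the segregated share.

    Everything else stays on TAX_ROOT, which the offshore account never sees.
    """
    return sorted(client for client, ok in consent.items() if ok)


if __name__ == "__main__":
    print("offshore share holds:", build_offshore_share())
    for req in ("/srv/tax/C1001/2022/1040.pdf",
                "/srv/tax/C1002/2022/1040.pdf",
                "/srv/tax/C1003/../C1002/2022/1040.pdf",
                "/srv/tax/../../etc/passwd"):
        allowed, reason = authorize("jdoe", req)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req}: {reason}")
```

The bifurcated share is the simpler control to defend: the question "could the account have reached a non-consented file?" is answered by the share's contents rather than by the correctness of a rule, which is the same reason CAMICO prefers it.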
Risk Management Tips:
- Get educated and stay current on the rules and risks associated with outsourcing.
- Before signing an agreement/contract with a third-party service provider, ensure that your firm has considered and adequately provided for potential liability risks. Read and make sure you understand, and are willing and able to agree to, the terms and conditions of any proposed contract. Specific attention should be given to the contractual details to ensure outsourcing relationships do not jeopardize the firm's ability to meet and satisfy standards of care. Be sure your agreements do not violate any of your applicable insurance policies.
- Engage experts (legal counsel, IT professionals, etc.) as needed to assist you with your due diligence efforts. For example, consider consulting with an attorney in your relevant state if you have questions regarding the efficacy and potential exposures to your firm of certain legal terms and conditions related to governing law, indemnification, and hold harmless clauses, before signing agreements containing such language. IT professionals may also be needed to appropriately address security measures and safeguards for the transmission of confidential client information.
- Follow best practices regarding client disclosure and client consent requirements.
CAMICO has long recommended CPAs disclose to clients the use of third-party service providers. Such proactive approaches:
- Clarify the nature of contemplated services
- Correct any false expectations clients may have about their confidential information remaining inside of their CPAs' offices
- Help forestall negative client reactions if there should be an issue with the outsourced services.
From CAMICO's perspective, the right thing to do is to disclose to your client what you're planning to do with their information. If clients want to opt out, they should have an opportunity to do so. Better to be forthright with a client than later deal with an angry client. CAMICO recommends CPAs always include a disclosure regarding third-party service providers in their engagement letters. This proactive approach protects against, and helps to reduce, potential liability exposure should damages arise relating to a CPA's use of a third-party provider.
Contact CAMICO. As you can imagine, outsourcing offers a world of possibilities but also increases potential risks for CPAs — tread carefully, arm yourself with knowledge, and comply with the professional and regulatory rules that govern such a relationship.
As noted above, CAMICO has various risk management resources to guide you in your risk assessment as you investigate the appropriate professional and regulatory requirements. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at lp@camico.com or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.
Suzanne M. Holl, CPA, is Senior Vice President of Loss Prevention Services with CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO's policyholders with information on a wide variety of loss prevention and accounting issues. She leads the risk management function of CAMICO and provides advice and resources important to CPAs and to how they continue to practice.