insight magazine

5 Risk Management Tips for CPA Firms Contemplating Outsourcing

Due diligence is critical for CPA firms that are considering outsourcing their work to a third party. Before signing any contracts or agreements, consider these five risk management tips. By Suzanne M. Holl | Digital Exclusive – 2023


Outsourcing is a hot topic right now as CPA firms evaluate options to get work done efficiently and effectively with limited resources and staff. Whether it be “onshore outsourcing,” where work is outsourced domestically to a third-party service provider, or “offshore outsourcing,” where work is outsourced to individuals or companies outside of U.S. borders, more and more firms are contemplating whether using third-party providers is right for them.

Of course, not all outsourcing entities are created equal. While outsourcing may help firms free up valuable time and resources, the option comes with risk. Here are five risk management tips for CPA firms to consider.

1. Ensure Proper Security Protocols, Safeguards Are in Place

CPAs are responsible for protecting their clients’ data and, as such, need to ensure that any third party has appropriate security protocols and safeguards in place (whether using remote or in-office personnel) to protect confidential information against external and internal risks.

As part of a firm’s due diligence process, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical, and network security measures to prevent breaches. This includes, but isn’t limited to, determining whether the entity’s safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information (e.g., inappropriately accessing, using, downloading, printing, scanning, or copying client information), as required by applicable data and privacy laws, professional standards, and your contractual terms. Any contractual agreement with a third party should contain explicit written terms that confirm the outsource entity’s responsibility to maintain the security and confidentiality of client information.

2. Pay Attention to Contractual Agreements Before Signing

Before entering any contract with a third party, firms should make sure they’re comfortable with the agreement and be willing to reject outsourcing options if unable to negotiate the terms and risk to their satisfaction. Specific attention should be given to the contractual details to ensure outsourcing relationships don’t jeopardize the firm’s ability to meet and satisfy standards of care. Additionally, firms should ensure their agreements don’t violate any of their applicable insurance policies.

3. Consult With Experts

Firms should consider consulting with an attorney in their relevant states if they have questions regarding the efficacy and potential exposures to their firms of certain legal terms and conditions related to governing law, indemnification, and hold-harmless clauses, before signing agreements containing such language. Consulting with IT professionals may also be needed to appropriately address security measures and safeguards for the transmission of confidential client information.

4. Follow Best Practices on Client Disclosure and Consent

It’s recommended that CPAs disclose to clients the use of third-party service providers. If clients want to opt out, they should have an opportunity to do so. It’s better to be forthright with a client than later deal with an angry client. Also, CPAs should always include a disclosure regarding third-party service providers in their engagement letters. This proactive approach protects against, and helps to reduce, potential liability exposure in case any damages arise.

5. Identify Applicable Rules and Regulations

This is a critical step to ensure the firm understands and is willing and able to meet the legal, professional, and regulatory standards of outsourcing. Some of the rules and regulations that may apply include:

  • AICPA’s Code of Conduct: The AICPA’s ethics rules state members are responsible for all work outsourced to third-party service providers. It’s the firm’s overall responsibility to ensure that all professional services are performed with professional competence and due professional care, and firms must supervise these professional services.
  • Internal Revenue Code (IRC) §7216: Under IRC §7216, tax return preparers are required to obtain written consents from taxpayers for the disclosure or use of their tax return information. The IRS has special rules for disclosing tax return information outside the United States to protect disclosures of any income tax return information. Keep in mind IRC §7216 is a federal criminal provision. As such, if a firm is investigated by the IRS for failing to follow applicable §7216 disclosure and consent requirements, it’ll likely be considered a criminal matter.
  • Federal Trade Commission (FTC): FTC rules require providers of financial services, or financial institutions (e.g., CPAs) to oversee third-party providers’ use of information and to ensure compliance with the Gramm-Leach-Bliley Act. Under these rules, CPAs must oversee third-party providers by taking reasonable steps to select and retain providers who can maintain appropriate safeguards for individual client information. CPAs must also have contractual agreements with providers mandating they implement and maintain appropriate safeguards.
  • State Boards of Accountancy: CPAs should consult with their respective state boards of accountancy to determine applicable client disclosure requirements. For example, there may be states (e.g., California) that prohibit outsourcing without the client’s written permission and require written disclosure and client permission when the outsourcing is outside of the United States.
  • Other: Firms may have executed non-disclosure/confidentiality agreements with existing clients that may need to be reviewed to ensure the firm doesn’t breach any contractual terms of those agreements. Based on the specific industries and/or services the firm specializes in, there may be other regulatory bodies (e.g., the U.S. Securities and Exchange Commission, U.S. Department of Labor, etc.) with disclosure and consent guidance that should be reviewed for compliance.

Outsourcing offers a world of possibilities but also increases potential risks for CPAs. Tread carefully, arm yourself with knowledge, and comply with the professional and regulatory rules that govern such a relationship.


Suzanne M. Holl, CPA, is the senior vice president of Loss Prevention Services at CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues.
