Professional Issues
BY SUZANNE M. HOLL
Contemplating Outsourcing?
Take Heed of These Risk Management Considerations
The challenges associated with firms attracting and retaining talent are expansive and include issues such as staffing qualified professionals for complex engagements, employee burnout, unrealistic and “heavy” workloads, as well as limitations on the ability to maintain and foster high-touch client relationships.
As firms evaluate options to get work done efficiently and effectively with limited resources, more firms are considering outsourcing. There are two primary outsourcing scenarios:
Onshore: Work is outsourced domestically to a third-party service provider and work is not disclosed in any manner outside U.S. borders.
Offshore: Work is outsourced to individuals or companies outside U.S. borders. This includes the use of an onshore company that utilizes offshore employees. Note: A firm may also choose to establish an office abroad in lieu of using a third-party service provider.
Due diligence is a critical first step when considering outsourcing, as not all outsourcing entities are created equal. For example, CPAs are responsible for protecting their clients’ data and, as such, must ensure the third party has appropriate security protocols and safeguards to protect confidential information.
As part of that due diligence, firms need to assess the adequacy and reasonableness of the entity’s administrative, physical and network security to prevent breaches. This includes (but is not limited to) determining whether the entity’s safeguards are reasonable to prevent the potential misuse or unauthorized disclosure of confidential information to comply with applicable data and privacy laws, professional standards and the firm’s contractual terms. There should be explicit written terms in any contractual agreement with the third party that confirm the responsibility of the outsource entity to maintain the security and confidentiality of client information.
CAMICO encourages CPAs to review proposed outsource agreements to understand the implications of the agreement’s legalese to make an informed assessment of terms and conditions that may place undue burden or unacceptable liability exposure on your firm. Make sure you are comfortable with the agreement — and be willing to reject outsourcing options if unable to negotiate the terms and risk to your satisfaction.
Risk Management Considerations
Important risk management considerations firms should address include:
Security: Consider the added security exposures associated with outsourcing and whether the firm’s infrastructure is sufficient or requires enhancements. Speak with your IT team and external IT consultants to ensure the firm has appropriate safeguards to minimize potential for added cyber risks/exposures related to this type of relationship.
Compliance and regulation: Identify the rules and regulations applicable to your outsourcing option (offshoring or onshoring) given the anticipated services contemplated (e.g., tax, audit, CAS, etc.). This is a critical step to ensure the firm understands and is willing and able to meet the legal, professional and regulatory standards of the relationship.
Client implications: Determine which clients will be affected and how they will potentially react to such a relationship. Do potential reputational issues exist that need to be considered? Would the client be receptive to higher fees if they are unwilling to allow the firm to outsource?
Processes: Identify processes, documentation, dependencies and training required for a successful outsourcing solution.
Insurance: Before entering an outsourcing arrangement, contact CAMICO and your other applicable insurance carriers to assess potential coverage implications.
Rules and Regulations to Consider
AICPA Code of Conduct: With AICPA rules (see ET sections 1.150, 1.300 and 1.700, et seq.), CPAs using third-party service providers reach agreements with the providers containing contractual terms ensuring the confidentiality of their clients’ records. Further, AICPA ethics rules state members are responsible for all work outsourced to third-party service providers.
As part of the firm’s responsibility to ensure that all professional services are performed with professional competence and due professional care, firms must supervise these professional services. As such, the firm is responsible for the accuracy and completeness of the services delivered by the providers.
IRS: In general, Internal Revenue Code Sec. 7216 and Treas. Reg. section 301.7216-3 require tax return preparers to obtain written consents from taxpayers for the disclosure or use of their tax return information. The IRS has special rules for disclosing tax return information outside the United States under IRC 7216 regulations and the regulations thereunder, which protect disclosures of any
www.calcpa.org MAY 2023 CALIFORNIA CPA 13