AICPA Proposes Outsourcing Rules

AICPA Proposes Outsourcing Rules

By Simon Eskow

The American Institute of CPAs’ Professional Ethics Executive Committee (PEEC) has proposed three new rulings for members using outsourcing services.

The rulings would require firms to inform their clients of the use of a third-party service provider, reiterating that the member is responsible for the work performed by the provider and inveighing members to enter into a contract with the third-party provider to ensure the confidentiality of their clients’ private data.

Members of the New York State Society of CPAs’ Professional Ethics Committee discussed the proposed revisions at the committee’s September meeting.

“Basically, there’s no downside risk to what the AICPA is proposing except for the definition of ‘control,’” committee member Debbie Cutler said. “Clearly that’s the key to the whole thing. This is really about transparency: the more your client knows, the less exposure you have later down the line. (But) you have to define the control issue.”

The AICPA’s exposure draft on the revisions states that a “third-party service provider” is “considered to be any entity that the member, individually or collectively with his or her firm or with members of his or her firm, cannot control (as defined by accounting principles generally accepted in the United States).”

Committee members said the definition of control needs to be better defined and not considered a GAAP issue, since the services that CPAs frequently outsource—such as tax services—are not accounting related.

Committee members expected to submit a formal comment to the AICPA before an Oct. 8 deadline.

Outsourcing has become a hot-button issue since American businesses increasingly export everything from telephone call centers to radiology in order to reduce costs. Businesses associated with the accounting profession have followed that trend, especially tax processing services that have moved bureaus offshore.

But transmission of clients’ sensitive tax information to parts unknown around the globe presents new problems to practitioners, with no new guidance. Practitioners have worried over how they can protect their clients’ sensitive tax information when it is transmitted to countries without adequate safeguards and enforcement against fraud or identity theft.

Guidance has been limited. The AICPA’s ET Section 391, “Ethics Rulings on Responsibilities to Clients in the Code of Professional Conduct,” allows for outsourcing tax services, but charges CPAs “to take all necessary precautions” that this use does not release confidential information.

The NYSSCPA Code of Conduct Rule 301 appears to take a stronger stance, stating that members can’t disclose client information without specific consent by the client, with some caveats in regard to investigations, subpoenas and professional peer review.

The NYSSCPA last year formed a task force to explore the issue of outsourcing in general.

Details of Proposed Rules

The AICPA PEEC formed a similar task force on Aug. 9 and issued an exposure draft on the three proposed rules. The proposals would revise Ethics Ruling No. 1, “Computer Processing of Clients’ Returns,” under Rule 301, Confidential Client Information, and new ethics rulings under Rule 102, Integrity and Objectivity, Rule 201, General Standards, and Rule 202, Compliance with Standards.

According to the AICPA, the proposed ethics ruling under Rule 102, Integrity and Objectivity, “would require that a member inform the client that he or she may be using a third-party service provider when providing professional services to the client, prior to sharing confidential client information with the service provider.”

Also, the proposed ethics ruling under Rule 201 and Rule 202 would clarify the application of these rules “to members who use a third-party service provider in providing professional services to clients…(it) would make clear (PEEC’s) position that the member is responsible for all work performed by the service provider.”

Finally, the proposed revisions to Ethics Ruling No. 1 under Rule 301 would “update and broaden the application of the ethics ruling beyond that of an outside tax service bureau and make it applicable to any third-party service provider used by the member. The revised ethics ruling also would clarify that disclosing confidential client information to a third-party service provider for the purpose of providing professional services to clients or for administrative support purposes would not be in violation of rule 301; however, the member would be required to enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the client’s information, and use reasonable care in determining that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential client information.”

The AICPA has published an exposure draft on the rulings at www.aicpa.org/members/div/ethics/ed_outsourcing.htm. The public is invited to comment on the exposure draft. The deadline for submitting comments is Oct. 8.