November 2004
The Monthly Newspaper of the NYSSCPA
Vol. 7, No.14
What’s the Right Thing to Do in Outsourcing?

By Ric Rosario

Some issues surrounding the outsourcing of work to third-party service providers have been relatively settled for some time, while other issues are not so settled and are currently being debated.

In 1973, when accounting firms were sending confidential client information to computer service bureaus for tax-return processing, the American Institute of CPAs issued an ethics ruling that members “must take all necessary precautions to be sure the use of outside services does not result in the release of confidential information.”

The AICPA ethics code has also made it clear that the CPA remains responsible for the services provided by a third party—a responsibility that has significant implications for CPA firms sending and receiving client information via the Internet to and from third parties. Some third parties may be located outside of the United States; other third parties in the U.S. may be sending and receiving information to subsidiaries or affiliates located outside of the U.S. (also known as “offshoring”).

The distances between the CPAs and the third-party service providers create major difficulties for CPAs attempting to provide adequate due diligence, supervision and legal protection for their clients and their firms. Moreover, identity theft and other crimes committed via the Internet have become serious problems.

Client Disclosure/Permission

Camico has long recommended that CPAs disclose to clients the use of third-party service providers, whether offshore or not. Such a proactive approach:

  •  clarifies the nature of the services being provided;
  •  corrects any false expectations clients may have about their personal information remaining inside of their CPA’s offices; and
  •  helps forestall negative client reactions in the event something goes wrong with the outsourced services.

Camico’s view is that the right thing to do is for CPAs to disclose to clients what is being done with their information, and if clients want to opt out, they can. This is a better approach than dealing with angry clients afterward. CPAs should include a disclosure regarding third-party service providers in their client engagement letters. A proactive approach protects against liability should there be damages relating to a CPA’s use of a third-party provider.

An indication of how important the issue of disclosure has become is the fact that the AICPA is now proposing that a similar disclosure be required. See “Omnibus Proposal of Ethics Division Interpretations and Rulings,” available on the AICPA website at www.aicpa.org/members/div/ethics/ed_outsourcing.htm.

CPAs also need to consult with the state board of accountancy or state CPA society to determine any applicable client disclosure requirements for each state.

U.S.-Based or Foreign-Based?

If a CPA firm outsources work containing confidential client information, the safest approach is to use a U.S.-based third party, which is preferable to a foreign-based offshore third party with a U.S. branch. The more contacts an offshore third party has in the United States, the more legal recourse the client and CPA have in the event of an unauthorized client-data disclosure.

Due Diligence

If using a third party, CPAs are responsible for: 1) checking the security measures the third party uses; and 2) monitoring whether or not those measures stay in place. CPAs should also be prepared to answer client questions about their due diligence process to ensure the integrity of that information. Clients may want to know how the information is made secure, and why the third-party outfit is reputable and reliable.

When client information is transmitted via the Internet, the AICPA recommends that CPAs require sufficient security measures of third-party providers, such as:

  •  encryption techniques;
  •  the use of private leased lines or virtual private networking connections with authorized users;
  •  the processing integrity and availability of the information;
  •  whether the third-party provider has had an engagement performed (internal or external) on the security of their systems; and
  •  whether the third-party provider has obtained an independent security attestation regarding their systems.

Third-party providers can use various measures and computer protections that prevent downloading, printing, scanning or copying client information. Some use nondisclosure agreements with employees and incorporate firewall security measures to help prevent outsiders from hacking into the system. More information about AICPA guidance on privacy issues can be found at www.aicpa.org/privacy.

Contractual Agreements

CPAs who use third-party service providers must enter into a contractual agreement with the provider to ensure the confidentiality of client records—one of the rules promulgated by the Federal Trade Commission (FTC), and one of the new rules being proposed by the AICPA.

The FTC rules require providers of financial services, or financial institutions (e.g., CPAs), to oversee third-party providers’ use of information and to ensure compliance with the Gramm-Leach-Bliley Act. Financial institutions (CPAs) must oversee third-party providers by:

  •  taking reasonable steps to select and retain providers that are capable of maintaining appropriate safeguards for client information; and
  •  requiring providers by contract to implement and maintain safeguards.

Camico recommends that agreements with third-party service providers contain language indicating that:

  •  the third-party provider will treat any client data it receives as confidential and will not make any unauthorized disclosures or use of the information; and
  •  the provider will be financially responsible for any unauthorized disclosures or use that it commits.

Gramm-Leach-Bliley requirements for privacy notices also apply to CPAs who prepare individual tax returns or provide personal financial planning services. Camico provides guidance to policyholders who may be required to send privacy notices to clients. More information on FTC rules can be found at: www.ftc.gov/privacy/privacy initiatives/financial_rule_lr.html.

Ric Rosario, CPA, CFE, is vice president of risk management services with Camico Mutual Insurance Co. He advises Camico’s policyholders and other CPAs on loss prevention principles and techniques.

Home | Print Story | E-mail Story


Home | About Us | Continuing Education | Future CPAs | Government Affairs | Professional Resources | Publications | Sound Advice | Tax Resources
Chapters | Committees | Member Center | Events Calendar | Classifieds | Careers | E-zine Subscriptions | The Trusted Professional | The CPA Journal



Search | Site Map | Become a Member | Jobs | Press Room | Contact Us | Feedback

©1997 - 2008 New York State Society of Certified Public Accountants. Legal Notices