Before committing to outsourcing, CPAs should understand what professional liability risks exist and what actions firms can take to help mitigate those risks.
By Deborah K. Rood, CPA, MST
With an aging workforce, increasing demand for services, and a decline in accounting graduates, it’s challenging for CPA firms and finance departments to find enough qualified people to do the work. Reaching a bigger, even international, talent pool is one reason many CPA firms consider outsourcing. Additionally, working “in the cloud” allows work to be performed across geographic boundaries. CPAs in Georgia may work with professionals in Wyoming, Arizona, or even the Philippines.
Outsourcing can take many forms. It may involve working with a solo subcontractor or a provider with many professionals. Work may be performed domestically or offshore. Regardless of the model, the CPA firm remains ultimately responsible for the services delivered to its clients and cannot outsource this responsibility to others. Therefore, before committing to any outsourcing model, CPAs should understand what professional liability risks exist and what actions firms can take to help mitigate those risks.
Conduct due diligence
First, vigorous due diligence should be performed to understand the strengths and weaknesses of the prospective outsourcing provider.
Competence
The AICPA Code of Professional Conduct (Code), ET Section 1. 300.040,
Use of a Third party Service Provider, states that members should ensure Third party service providers have the required professional qualifications and technical skills. Does the provider have the necessary education, technical background, and experience to perform the services needed by the CPA firm? What internal processes does the outsourcing provider employ to help support the quality of the services that are provided to the CPA firm? Can you review an example of the provider’s outputs to assess its capabilities? You also should consider speaking with other CPA firms that have utilized the outsourcing provider to understand the quality of its work.
Consider the level of effort the CPA firm will need to take to direct and monitor the services that are delivered by the outsourcing provider as well as the level of review necessary once its output is received. How confident are you that your deadlines will be met and that what you will receive will be consistent with what you expect? Low-quality work increases the CPA’s risk and likely requires additional time and effort to get it to an acceptable level.
Data security
An outsourcing provider will have access to confidential client information, so it’s important to understand what data security safeguards it has in place to protect your clients’ information. Understand the provider’s IT infrastructure and data security policies to help prevent and detect the unauthorized release of confidential information to others. Does the provider have an incident response plan in place to direct its response to a security incident? Can you access an appropriate Service and Organization Controls (SOC) report from a reputable firm that speaks to the outsourcing provider’s data security processes and controls? Don’t forget about physical security, such as disabling USB ports, to prevent unauthorized persons from taking and using your client’s confidential client information.
Client data held by the CPA firm may be subject to a multitude of international, federal, and state data privacy laws, as well as contractual rules in engagement letters or nondisclosure agreements. These requirements extend to the firm’s Third party service providers that have access to confidential client data, including outsourcing providers. As such, it is imperative that steps are taken to help ensure the outsourcing provider has data security protocols at least as robust as the CPA firm’s.
Working together
The outsourcing provider should be a good partner, both in terms of corporate responsibility and ease of process. If the outsourcing provider has public financial statements, consider reviewing them to assess its long-term viability.
Investigate how the outsourcing provider selects new employees. How does it screen and conduct background checks on prospective employees? Will you interview candidates? Consider a video interview for client-facing employees.
Are you able to choose the professional you work with, or are you assigned a different one from a pool of qualified individuals for each engagement? Who is responsible for training? If the outsourcing provider is responsible, is its training commensurate with how the firm’s employees are trained? If the CPA firm is responsible for training, how will you conduct such training remotely? Some CPA firms include outsourced personnel in the same training and engagement team meetings offered to their own professionals.
Contract with the outsourcing provider
After completing due diligence and selecting an outsourcing Provider, it's time to enter into a contractual relationship with it. Some of the items related to the provider that should be addressed in the agreement include, but are not limited to:
- The availability of professionals, turnaround times, escalation procedures, and other items essential to service delivery;
- The minimum data security requirements, including procedures to prevent the unauthorized release of confidential information and indemnification of the CPA firm in the event of a data security incident involving the outsourcing provider;
- Indemnification of the firm for claims and losses resulting from the outsourcing provider's fraud or gross negligence in the performance of the specified services;
- The ability to further subcontract, either by prohibiting it outright or requiring any subcontractor of the outsourcing provider to comply with data security and quality protocols at least as stringent as what applies to the outsourcing provider;
- The maintenance of appropriate insurance coverages, including professional and cyber liability by the outsourcing provider(s) . While a CPA firm's professional liability insurance coverage generally extends to work performed by subcontractors of the named insured, subject to policy terms, it is still recommended that the outsourcing provider maintain its own coverage;
- The choice of law, choice of forum, and dispute resolution provisions, especially if the outsourcing provider is offshore; and
As with any contract, consultation with legal counsel is recommended.
Obtain client consent
The Code also addresses disclosing confidential client information to Third party service providers. ET Section 1.700.040,
Disclosing Information to a Third party Service Provider, states that the CPA should:
- Obtain specific consent from the client before disclosing confidential information to a Third party service provider; or
- Enter into a contractual agreement with the provider to maintain confidentiality and provide reasonable assurance that the Third party has procedures in place to prevent the unauthorized release of confidential information.
Even though an option is provided by the Code, from a risk management perspective, it is recommended that CPA firms consider taking both steps.
In addition, Internal Revenue Code Sec. 7216 requires client consent before disclosing to a Third party any information furnished to the CPA in connection with the preparation of a tax return. Violating Sec. 7216 carries criminal penalties; therefore, reviewing the statute and regulations is advised. AICPA guidance on Sec. 7216, including sample consent forms, is available for download. Sec. 7216 consent requirements are more robust, and specific language is required if tax information, particularly for individual tax clients, is disclosed to parties offshore.
Tax practitioners who are AICPA members or are CPAs in states where the Code applies to them must also comply with the AICPA Statements on Standards for Tax Services Section 1.3, Data Protection, which states a CPA should make reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically.
Performing services
It is critical to remember that the CPA firm remains responsible for the deliverable, even when an outsourcing provider is used. Any work performed by an outsourcing provider should be directed, supervised, and reviewed the same as if it were performed by a firm member. Consider time zone overlap, or lack thereof, when making team assignments and estimating deadlines. Poor or untimely interactions between local and outsourced staff affect work quality as well as engagement realization.
Final thoughts
The use of an outsourcing provider may help CPA firms solve staffing problems, but outsourcing rarely occurs without hiccups. With careful preparation, however, CPA firms can help anticipate and smooth out the bumps that are likely to occur.
Outside help
40% and 34%: The shares of the AICPA 2023 National Management of an Accounting Practice (MAP) Survey respondents that plan to outsource work domestically and offshore, respectively, in the future.
Source: 2023 National MAP Survey.
Deborah K. Rood, CPA, MST, is a risk control consulting director at CNA. For more information about this article, contact
specialtyriskcontrol@cna.com.
This article originally appeared in the
Journal of Accountancy.