In a recent letter to Scott Voynich, Chairman of the Board of Directors for the AICPA, the Executive Board of the Texas Society of CPAs expressed concern over the growing trend of CPAs outsourcing services to foreign countries. You may read the AICPA's response below.
Nita J. Clyde, Chairman
Texas Society of Certified Public Accountants
c/o Clyde Associates
Dallas, Texas 75230-1753
The issues raised in your November 11, 2003 letter regarding outsourcing are both timely and the subject of active discussions among several in our profession. As you recognize, outsourcing is not new to this profession or to other endeavors. It is helpful in controlling costs, permitting greater efficiency and in allowing professionals to focus on providing more value added services for clients.
However, I share your Board’s concern regarding the increase in the use of outsourcing to foreign countries, where it may be more difficult to gain confidence as to the quality of the service and adequately ensure confidentiality. Accordingly, I have asked our staff to report to me on the ethical and legal ramifications of this practice. The following is what I have learned from them:
Since 1973, the Code of Professional Conduct has addressed the issue of members utilizing the services of an outside service bureau for the processing of clients’ tax returns. (See Ethics Ruling No. 1 under Rule 301, Computer Processing of Clients’ Returns [ET section 391.001-.002]) Regardless of whether the services are outsourced to a foreign location or within the United States, the Code is clear that the member is responsible for ensuring that the client’s information remains confidential. Accordingly, in the context of outsourcing the preparation of clients’ tax returns, the member is required to exercise due care, which should include discussing the specific controls in place with the outsourcing provider to safeguard the client’s information and be satisfied that such controls are adequate. For example, where client information is transmitted via the Internet, the member should inquire as to specific security measures in place such as encryption techniques and use of proprietary lines. In addition, the member should be satisfied that controls are in place to ensure that those with access to the clients’ information are bound by nondisclosure agreements and cannot misuse the clients’ financial information (e.g., no ability to download, print, scan or copy the clients’ financial data).
Members should also be aware that they are responsible for ensuring the accuracy of the services provided by the outsourcing provider. The Code of Professional Conduct (Rule 201-General Standards [ET section 201.01], requires that all professional services be performed with professional competence and due professional care. In addition, the member is responsible for adequate supervision of all professional services. Accordingly, the member must review all the work performed by the outsourcing provider and take full responsibility for the accuracy and completeness of the services performed.
There is no specific ethical requirement that the member disclose to the client that they are using the services of an outsourcing provider. Additionally, I am informed that there are no federal laws which would require disclosure of this practice. Indeed, there is a specific exemption to the notice and opt-out requirements in the Gramm-Leach Bliley Act (“GLBA”) for “processing and servicing transactions.” This does not mean there is no legal responsibility. The FTC has promulgated “safeguard rules” that require an institution to oversee the service providers’ use of the information to ensure compliance with the GLBA.
PEEC considered this issue at their last meeting and decided no change in the rules was necessary. Because of the apparent increase in the use of outsourced service providers, I have asked our staff to publish guidance to our members concerning their responsibilities when they use outsourcing in their public practice. We are attempting to elevate this issue so that members fully understand their responsibilities if they pursue this path. I want to thank the TSCPA Executive Board for sharing your timely concerns and input on this matter. State society and member involvement give us strength and your efforts are most appreciated.
S. Scott Voynich
AICPA Board of Directors