E-mail Story Print Story

While the preamble to the AICPA Code of Professional Conduct does not specifically address this topic, it lays a solid foundation on which to build any arguments, pro or con: .01 Membership in the American Institute of Certified Public Accountants is voluntary. By accepting membership, a certified public accountant assumes an obligation of self-discipline above and beyond the requirements of laws and regulations.
.02 These Principles of the Code of Professional Conduct of the American Institute of Certified Public Accountants express the profession’s recognition of its responsibilities to the public, to clients, and to colleagues. They guide members in the performance of their professional responsibilities and express the basic tenets of ethical and professional conduct. The Principles call for an unswerving commitment to honorable behavior, even at the sacrifice of personal advantage. [ Emphasis added]

Outsourcing is occurring throughout the business community in a variety of ways. Within the CPA profession, it is most prominent in the growing practice of having tax returns prepared by third parties who are not under the direct control of a CPA.

Here is a common scenario: The U.S. CPA, who has the client relationship, collects relevant documentation and other information from the client, as has been customary. This information is converted into an electronic format, usually by scanning. The electronic information is transmitted to the outsourcing service provider via the Internet, probably but not necessarily using various security measures such as encryption.

The outsourcing service provider then uses the transmitted information to prepare preliminary work product, typically federal, state, and local income tax filings or general ledger accounting, using commercially available software. The completed tax preparation or general ledger files are transmitted from the outsourcing service provider to the CPA via the Internet. Finally, the CPA reviews and adjusts the work product, then completes and delivers the final product to the client.

Supporters of outsourcing state that the cost to the CPA of servicing a client using an outsourcing service provider is substantially less than the comparable cost of preparing the same product using only in-house staff. Another stated advantage of this type of outsourcing is that it addresses the often severe problem of finding the competent seasonal staff necessary for in-house tax preparation.

Questions

Several issues arise from these circumstances. First, at least part of the outsourcing service is typically located outside the United States. Consequently, the contractual relationship between the CPA, the outsourcing service provider, and the employees or subcontractors of the service provider may become subject to interpretation and resolution under a legal system other than that of the United States, despite contractual agreements to the contrary.

The staff of the outsourcing service provider are not employees or even subcontractors of the CPA, and are not under the control of nor directly supervised by the CPA. Although representations are made to the CPA about the qualifications and experience of the staff and about the technology the service provider uses, as well as the controls used in the outsourcing process, the CPA seldom has practical means to confirm those representations or to monitor the outsourcing service provider’s practices. Even when the CPA does, there can be no assurance that the controls will remain in place.

Various state and federal laws and regulations impose special obligations on CPAs for controlling and safeguarding clients’ financial information. In addition to the Federal Privacy Act, state laws impose substantial responsibility on the holder of financial information. Consequently, some consumer protections either may not be delegated or, if delegated, may require informed consumer consent. At least some CPAs probably use procedures or controls in addition to those described.

Internet transmissions and computer storage, even using the highest available security measures, have some risk of being compromised. Basic tax information will contain the name, address, and Social Security or federal employer identification numbers of clients and dependents. To the extent that transmitted information includes scanned images of client documents, it will typically contain additional information that identifies the location of the client's assets or credit resources, the account executive’s name and contact information, financial account numbers, year-end balances, or usage histories. Most modern general ledger software packages contain similar information for third parties.

The process of converting client data into a competently prepared tax filing requires experience and the exercise of judgment. Proper business accounting usually requires substantial knowledge of the client’s business and operations that foreign outsourcers are unlikely to possess.

Current professional standards related to outsourcing have been interpreted to not require specific disclosures to clients. Those professional standards, however, predate the Internet, when a typical outsourcing engagement involved sending punch cards or input sheets to a service bureau across town. Some disclosures have been generic and without reference to the foreign location or the related risks.

While arguments can be made that outsourcing makes good business sense, given the cost savings and the reported unavailability of adequate competent staff in the U.S., the arguments against the possible misuse of a client’s personal information and the inability to pursue claims for any such misuse are less easily made. These concerns are frequently swept aside with arguments that transmitting client data to tax preparers in India is not substantially different from transmitting data via the Internet within the U.S. Proponents of outsourcing often dismiss these concerns without adequately weighing the current world political environment and trends in identity theft.

Furthermore, the overriding issue concerns a professional relationship. If a CPA is outsourcing work that the client would reasonably expect to be done by the CPA, then the client has a right to know that some other group has access to the client’s information and will be preparing the tax return, even if present standards can be interpreted to not require such notice. Clients of a professional should also have the right to opt out of having their information sent overseas. This is an issue of doing what is right rather than what is required, and it is what separates being a professional from being a businessperson.

Analyzing the Issues

Identity theft is a large-scale and well-known problem. The type of information disseminated in the outsourcing services environment is an identity thief’s dream. Professionals must be concerned for the potential misuse of this information, whereas a businessperson would calculate the downside risks and proceed if they were simply outweighed by the additional profit potential. Whether the non-U.S. persons accessing this information are incapable of removing it from their work premises is not the real issue. The bigger question is how the client, whose data is possibly being compromised, will view this possibility.

A single well-publicized identity theft that is traced back to an outsourcing arrangement will blow the lid off the perception that this cannot happen. Will the damaged client, in pursuit of justice, go looking for the identity thief abroad to prosecute, or seek out the CPA who permitted this to occur? While the CPA may in turn have a claim against the outsourcing service provider abroad, what system of jurisprudence will come into play to adjudicate the matter, and how long will it take to rectify? Will whatever justice is wrought actually satisfy the client, especially if he was unaware of the CPA’s arrangement with the service provider?

Next, consider that in response to fears of terrorism, the federal government has raised the bar on U.S. businesses knowing the parties with whom they do business abroad. Greater degrees of information are being required by federal authorities when payments of U.S. dollars flow from American businesses to foreign accounts. The elements that would allow an identity thief to steal from a client would also provide any terrorist with an identity cloak to carry out acts of aggression. This is an additional risk when evaluating the use of outsourcing abroad.

While some will find reasons to dismiss each concern expressed about what terrible things might be done with a client’s information, they will be harder pressed to dismiss concerns over such matters coming from a client who hears of this practice from someone other than the CPA, after the fact. The best professional course would be to let a client make an informed decision about who handles personal information. Although many businesses are sending less-detailed but sufficiently rich personal information to enable an identity theft, for processing or warehousing abroad, the professional nature of the CPA-client relationship should be substantially different from the banking (with credit card data) and insurance (with medical data) industries.

CPAs, moreover, have historically received a higher level of trust, which has also allowed them to enjoy a financial premium for their services. Will nondisclosure of outsourcing be the next big black-eye that convinces the public that CPA tax preparers should be controlled like any other business rather than self-regulated like a profession?

Although outsourcing may offer substantial economic and staffing advantages, the profession must examine this practice within the context of current events. So far, the vast majority of CPAs have not been directly tainted by the recent scandals, and they still enjoy the trust and confidence of their clients. Outsourcing with neither adequate disclosure nor the informed consent of the client could damage the trust and confidence CPAs have traditionally enjoyed.

CPAs’ code of ethics requires an unswerving commitment to honorable behavior, even at the sacrifice of personal advantage. CPAs that use outsourcing service providers abroad should make a complete and thorough disclosure to their clients and allow them to opt out of having their personal information shared outside of the United States. (The California Board of Accountancy is considering regulatory changes that would require clear, written consent before client information is sent outside the United States.)

Arguing to “do the right thing, as a professional” may not result in its uniform adoption. Unless there is rapid adoption of modernized professional standards that require proper disclosure, using specific criteria, then at least some CPAs will not make comprehensive disclosures out of concern that their competitors are not. Therefore, while the spirit of the Code of Professional Conduct may be the guiding light, only professional and ethical guidance, applicable to all CPAs, will produce appropriate disclosure and ethical practice in the marketplace. Additionally, professional guidance will likely provide a more effective solution than one provided by governmental authorities, which could even vary from state to state if not imposed from the federal level. Professional guidance could cover areas of contract provisions as well as quality control, data security, or even the quality of the work product received from outsourcing service providers.