In November 2004, the AICPA adopted two new ethics rules and revised a third rule affecting AICPA members who use third-party service providers to render professional services to clients or administrative support services to members. If your firm is considering outsourcing professional services or is already doing so, it is important to become familiar with the new rule changes, effective for professional services provided on or after July 1, 2005 (except for services performed pursuant to agreements that are in force before July 1, 2005 and completed by December 31, 2005). For complete information regarding these rule changes, visit the AICPA Web site.
Within the past few years, outsourcing and internet-based application service providers (ASPs) have become popular alternatives for tax return preparation by CPA firms. Both options pose privacy and data security issues, and CPAs considering these approaches must address and manage the consequent risks.
Initially, a CPA must screen potential vendors and their product/service to determine if they meet the firm's needs. It is especially important to consider the following precautionary actions:
- Investigate the vendor's business performance, including credit and financial history. How long has the vendor been in business? Who are the principals and operations managers of the business? How do their background and experience relate to both the development of the product or service and the needs of professional tax preparers?
- Obtain and contact references. Learn about the product/service prior to contacting references, and then garner feedback about the product/service and the quality and timeliness of the vendor's customer service. References may include customers, businesses (e.g., bank, attorney), other CPAs using the service, and business/professional associations.
- Gain an understanding of the vendor's business policies and practices. Review the following:
  - Employee screening, training, supervision, and quality control
  - Privacy policies and practices relating to client data
  - Data and systems security measures
  - Data backup and retrieval procedures
  - The existence, availability, and adequacy of software/system documentation
- Consider what would happen if the vendor goes out of business. Will you be able to maintain backup copies of any data that will reside on the vendor's computers or servers? Is the data formatted in a way that will easily permit you to use another product, or will it be necessary to reformat the data or even re-key it into different software?
- Determine if the vendor has liability insurance to cover the service contemplated.
Any products/services to be purchased from a vendor should be covered by a written contract. Indeed, under the new AICPA ethics rule on outsourcing, specifically the guidance under Rule 301, members are required to enter into a contractual agreement with any third-party providers, to ensure that the providers agree to maintain information as confidential and to establish the proper procedures to do so. For more information, reference Rule 301 on the AICPA Web site.
Your attorney should review all contracts before they are executed. From a risk management standpoint, contracts should, at a minimum, include:
- A detailed description of vendor deliverables, responsibilities and other significant terms
- An agreement that the vendor will comply with all applicable U.S. data security and privacy laws and rules (e.g., Gramm-Leach-Bliley Act and any state privacy laws that may apply to your firm)
- An agreement that foreign-based vendors be bound by U.S. law and that any mediation, arbitration, or litigation be under U.S. jurisdiction.
Vendor-supplied contracts typically include provisions that either impose contractual obligations on the user with respect to claims made against the vendor, or limit the legal remedies or damages that may be sought against the vendor in the event a claim arises from the use of the vendor's product/service. These include, for example, defense, indemnification and hold harmless agreements, and agreements to limit damages recoverable from the vendor to the amount of fees paid to the vendor. Such agreements may violate provisions included in your firm's professional liability insurance policy, as many accountants' professional liability insurance policies exclude coverage for liabilities assumed under contracts. Accordingly, your attorney should also examine your insurance policy in connection with the review of the contract. Additionally, you should consult with your insurance agent regarding coverage for your firm and the vendor under your policy.
As the paid preparer of a client's tax returns, whether outsourcing or performing the job in-house, your firm remains responsible for ensuring the accuracy of the returns based on the information provided by the client, according to both the AICPA Code of Professional Conduct (Rule 201) and U.S. Treasury Department Circular 230 (Section 10.22, Diligence as to Accuracy). Each tax return should be reviewed for accuracy as part of your firm's normal quality control practices prior to being provided to the client for filing.
Under Ethics Ruling No. 112 under Rule 102 - Integrity and Objectivity, AICPA members are required to inform their clients of the use of third-party service providers prior to disclosing confidential client information to the third-party provider. Although there is no requirement that this disclosure be made in writing, this is recommended in the new ethics ruling, and from a risk management perspective, it is a best practice. An effective means of achieving this is to include the disclosure in the engagement letter. The following is sample engagement letter language a firm could use for this purpose:
In the interest of enhancing our availability to meet your professional service needs while maintaining service quality and timeliness, we may use a third-party service provider to assist us in the preparation of your tax returns. This provider has established procedures and controls designed to protect client confidentiality and maintain data security. As the paid preparer of your tax returns, our firm remains responsible for exercising reasonable care in preparing your tax return, and your tax return will be subjected to our firm's normal quality control procedures. If you have any questions or concerns about this arrangement, please contact our office.
For added protection, consider including a statement in the engagement letter that indicates client consent to the transmission of confidential client information via electronic medium. While a breach of client confidentiality through misappropriation or inadvertent disclosure of this data may be unlikely, disclosure and consent are appropriate means of limiting liability in such situations. The following is sample engagement letter language a firm could use for this purpose:
In rendering professional services, we may communicate by facsimile transmission or by transmitting data over the internet, utilizing either electronic mail or computer software designed for this purpose. Such communications may include information that is confidential to you or your company. Our firm employs measures in the use of facsimile machines and computer technology designed to protect client confidentiality and maintain data security. While we will use our best efforts to keep such communications secure in accordance with our obligations under applicable laws and professional standards, we have no control over the unauthorized interception of this data once it has been transmitted outside of our firm. By signing this letter, you consent to the use of this technology to facilitate our services to you.
Utilizing third-party vendors for tax return preparation can help lower costs and expedite client services by freeing up firm staff to perform more specialized services that require unique training and experience. However, due diligence is an essential element of soliciting and managing vendor relationships. When your firm outsources services to third-party providers, you must maintain effective quality control over these services and comply with AICPA ethics requirements. Successful quality control requires ongoing monitoring and supervision of all services provided by outside vendors.
December 2004
By: Joseph Wolfe, Assistant Vice President, Risk Control, and John McFadden, CPA, CFE, Risk Control Consulting Director, CNA, Accountants Professional Liability, CNA Center, Chicago, IL 60685
The purpose of this article is to provide general information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. CNA is a service mark registered with the U.S. Patent and Trademark Office. Copyright 2004, Continental Casualty Company. All rights reserved.