Xpitax News Articles
News Updates: Legal and Ethical Considerations Regarding Outsourcing
In response to several AICPA member inquiries regarding the legal and ethical issues associated with outsourcing, the AICPA Professional Ethics Executive Committee (PEEC) formed a task force to consider outsourcing issues and make recommendations for the CPA profession. A paper was posted on the AICPA web site discussing the key outsourcing issues: AICPA ethical standards, the Gramm-Leach-Bliley Act privacy provisions and relevant Internal Revenue Code provisions (www.aicpa.org/download/ethics/outsourcing.pdf).
The paper summarizes the following key items:
“THE CODE OF PROFESSIONAL CONDUCT STATES that a member remains responsible for ensuring the accuracy and completeness of the services rendered by the third-party provider.
MEMBERS SHOULD SATISFY THEMSELVES regarding the competence, practices and procedures of any third-party provider, regardless of the type of services provided or the location at which they are performed. At a minimum, it seems advisable for members to discuss with the third party the specific controls in place to safeguard the client’s information and to satisfy themselves such controls are adequate. For example, where client information is transmitted via the Internet, the member may want to inquire as to specific security measures in place, such as
- Encryption techniques.
- The use of private leased lines or virtual private networking connections with authorized users.
- The availability and processing integrity of the information.
- Whether the third-party provider has had an engagement performed (internal or external) on the security of their systems.
- Whether the third-party provider has obtained an independent security attestation regarding their systems.
WHATEVER THE MEASURES USED BY THE third-party provider, the member should be satisfied that reasonable efforts are undertaken to assure the confidentiality of the information to which the provider has access. A confidentiality breach by the outsourcer, even if all of the noted steps were taken, will still be the responsibility of the member.”
“The issues addressed by the AICPA are critical to the industry,” states Mark Albrecht, CEO of Xpitax. “It is important for CPA firms to understand the controls and processes of their outsource providers, since each company is different. For instance, at Xpitax, we have a dedicated overseas facility and staff that does not work for other firms. In addition, we have a US data center where all files are stored. Keeping the files in the US and having our staff work on US servers through a VPN connection is unique. The IT security in the US data center coupled with the physical security overseas minimizes the control risks associated with outsourcing, and in many cases reduces the overall risks surrounding confidentiality. Each outsource provider has a different process and it is the CPA's responsibility to obtain an appropriate comfort level to ensure the safeguarding of their clients' information.”