Cloud computing services will continue to expand in the next few years. While there are many benefits of moving data to the cloud, it is important to also consider the risks.
As CPAs move their data management “to the cloud,” prudence dictates that the risks be considered along with the benefits. Certainly, one of the main benefits of cloud computing services is its low-cost availability via the Internet to large numbers of users, enabling providers to utilize economies of scale and to charge lower fees to users. At the same time, having large numbers of users sharing the same physical servers has heightened concerns about the security and controls over the users’ confidential and private information.
The regulatory response to data breaches, whether cloud-related or not, will most likely continue to be a major issue for providers and users. Organizations often must be compliant with regulations in the state where the data resides as well as the state where the data is received and sent. Some regulations, which vary by state, become stricter or even prohibitive when data is sent to providers outside the United States.
Cloud computing services, as a form of outsourcing, also call on CPAs to be responsible for processes such as client disclosure and consent, due diligence, and steps to ensure that client information is protected.
1. Client Disclosure/Consent
CPAs should disclose to clients the use of any third-party service providers. Such a proactive approach:
- clarifies the nature of the services being provided;
- corrects any false expectations clients may have about their personal information remaining inside their CPA’s offices;
- helps forestall negative client reactions in the event something goes wrong with the outsourced services; and
- helps protect against liability should there be damages relating to the firm’s use of a third-party provider.
Client consent to disclose or use tax return information by tax return preparers is covered under Internal Revenue Code 7216. Absent a specific exception (as provided in Treas. Reg. 301.7216-2), prior written consent by a taxpayer is generally required to disclose or use tax return information. In particular:
- Form 1040 series filers must comply with the form and content required in Revenue Procedure 2008-35.
- Non-Form 1040 filers may include client disclosure and consent in any format, though there are content requirements. Disclosure and consent can be included as an addendum to the engagement letter.
CPAs should include a disclosure for outsourcing to non-tax third-party service providers in an addendum to their client engagement letters. A sample disclosure, “Outsourcing: Recommendations for Client Disclosure,” is available in the 9th edition of CPA’s Guide to Effective Engagement Letters, published by CCH. (An order form with a 10 percent discount for the book can be found at www.camico.com under “Risk Management Services” and “Risk Management Tools.”)
AICPA ethics rules require CPAs to inform clients that the firm may use a third-party service provider before providing the third party with confidential client information. Sample client disclosure language* can be found in AICPA guidance to Ethics Ruling No. 112 – Use of a Third-Party Service Provider to Assist a Member in Providing Professional Services: Sample Client Disclosure Language for Outsourcing Rules, also found at: http://www.aicpa.org/interestareas/professionalethics/resources/tools/downloadabledocuments/sample_disclosure_notification.pdf
CPAs should also check with their state boards of accountancy, which may have additional regulations requiring written disclosure and written client consent, especially when outsourcing confidential client information outside the United States.
2. Due Diligence
CPAs are responsible for the security, availability and integrity of the systems used by third parties to process personal and proprietary information. Cloud computing services present some extra challenges in this regard. The inherent lack of transparency in public cloud computing prevents users from seeing what is happening within the provider’s internal processes. This makes provider transparency and disclosure all the more important to the user. Some critical questions to ask include:
- Is the provider willing to undergo the scrutiny of third-party security certifications and audits? For example, will it provide AICPA Service Organization Control reports (SOC 1, 2 and 3 reports), which supplement SSAE No. 16?
- How detailed are the disclosures and information provided on security programs, policies, procedures, personnel (managers and administrators), subcontractors and business partners?
- What do the provider’s references say about the provider? What do they not say? Are the references using the provider for the same services you are seeking?
- Do your interactions with the provider indicate a trust relationship between the provider and your firm?
Use a U.S.-based provider, which is preferable to a foreign-based offshore provider with a U.S. branch. The more contacts an offshore provider has in the U.S., the more legal recourse the client and CPA have in the event of an unauthorized client data disclosure.
The financial viability of the provider over the long term is also a major consideration. If the provider becomes bankrupt or is acquired by another company, what assurances are there that your client and firm data will remain available in a format you can use after such an event?
3. Contractual Agreements
CPAs who use third-party service providers must enter into a contractual agreement with the provider to ensure the confidentiality of client records. Agreements with third-party service providers should contain language requiring that:
- the third-party provider will treat any client data it receives as confidential and will not make any unauthorized disclosures or use of the information; and
- the provider will be financially responsible for any unauthorized disclosures or use of confidential information that it commits. Find out whether the provider has insurance in place to cover the damages resulting from a data breach.
Service Level Agreements should require a high level of security and service. When negotiating other contracts for services, keep in mind that technology costs tend to go down as further advances in technology are made over time, so it might not be cost-effective to lock in certain services, such as bandwidth, for too long a period.
One of the benefits of cloud computing is the ability to back up records at multiple sites to avoid total losses. If disaster strikes at one location, the data may be available from another location. Proper and adequate disaster planning by the provider then becomes another issue to be addressed. Also, just as the CPA firm should have a response plan in place for potential data breaches, cloud service providers should also have a proper data breach response plan.
Cloud computing services will likely expand over the next few years, and CPAs who take appropriate steps to protect their clients and themselves will be in a better position to enjoy the benefits of such services while avoiding or minimizing any problems that may occur.
* “The firm may from time to time, and depending on the circumstances, use third-party service providers in serving your account. We may share confidential information about you with these service providers, but remain committed to maintaining the confidentiality and security of your information. Accordingly, we maintain internal policies, procedures and safeguards to protect the confidentiality of your personal information. In addition, we will secure confidentiality agreements with all service providers to maintain the confidentiality of your information and we will take reasonable precautions to determine that they have appropriate procedures in place to prevent the unauthorized release of your confidential information to others. In the event that we are unable to secure an appropriate confidentiality agreement, you will be asked to provide your consent prior to the sharing of your confidential information with the third-party service provider. Furthermore, the firm will remain responsible for the work provided by any such third-party service providers.”