Compliance requirements for outsourcing stem primarily from three key regulations: FTC guidelines, AICPA standards, and IRS mandates. The IRS specifically outlines compliance requirements related to outsourcing, while the FTC and AICPA focus on regulations concerning the use of third-party services, which extend to outsourcing practices. These requirements are equally applicable when engaging independent contractors. In this blog, we will delve into these regulations in detail to provide a comprehensive understanding of their implications.
Taking a client’s consent under IRC 7216 or as per AICPA Professional code of Conduct requirement might feel like stumbling through a nightmare, but it isn't as daunting as it appears. This consent is pivotal for safely handling and sharing taxpayer information in today's data-driven accounting world. Post-COVID, as firms adjust to new normals and pre-COVID when practices were different, understanding and applying Section 7216 remains a constant necessity.
If you're hesitant to ask your clients for 7216 consent or AICPA Professional code of Conduct , you might be surprised to learn that it's simpler than you think, even when you're considering offshore outsourcing to manage heavy workloads.
We’ll cover everything your firm needs to know about Section 7216 and AICPA Professional Code of Conduct requirements for obtaining client consent that will help you navigate through the hurdle you might expect in obtaining such consent.
Getting Consent is easier
Breaking the perception, What would my client think about offshoring? Read our full blog here to unleash your concern, providing detailed guidance on this question.
Since its introduction in 2009, the client consent process has been streamlined. There have been zero IRS enforcement actions reported under this section to date. Notably, tax services aren't subject to peer reviews, which focus on audits, not tax work. Post-pandemic, the landscape for offshoring has broadened significantly, further allaying initial concerns within the tax community. Offshoring has not only persisted but flourished, debunking early apprehensions about client resistance.
Summarized Comparison
| Regulation | Consent & Disclosure | Due Diligence & Supervision | IT & Data Security |
|---|
| IRS | ✅ | ✅ | ✅ |
| AICPA | ✅ | ✅ | ✅ |
| FTC | - | ✅ | ✅ |
AICPA Requirements
Technical Requirements:
Clients may not expect the member to use a third-party service provider to assist the member in providing the professional services. Therefore, before disclosing confidential client information to a third-party service provider, the member should do the following:
Requirement 1:
Prior Consent In Writing (Refer 1.150.040 Use of a Third-Party Service Provider) : Obtain specific consent from the client before disclosing confidential client information to the third-party service provider.
Requirement 2:
Contractual Agreement with Service Provider (1.700.040 Disclosing Information to a Third-Party Service Provider): Enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the information and provide reasonable assurance that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others. The nature and extent of procedures necessary to obtain reasonable assurance depends on the facts and circumstances, including the extent of publicly available information on the third-party service provider’s controls and procedures to safeguard confidential client information.
OR
Specific Consent (1.700.040 Disclosing Information to a Third-Party Service Provider) : Obtain specific consent from the client before disclosing confidential client information to the third party service provider.
Other Requirements
Due Diligence Documentation (Refer 1.300.040 Use of a Third-Party Service Provider) : Before using a third-party service provider, the member should ensure that the third-party service provider has the required professional qualifications, technical skills, and other resources. Factors that can be helpful in evaluating a prospective third-party service provider include business, financial, and personal references from banks, other CPAs, and other customers of the third-party service provider; the third-party service provider’s professional reputation and recognition in the community; published materials (articles and books that he or she has authored); and the member’s personal evaluation of the third-party service provider.
AICPA Recommended Due Diligence Checklist (Link)
Adequate Supervision (Refer 1.300.040 Use of a Third-Party Service Provider) : the member must adequately plan and supervise the third-party service provider’s professional services so that the member ensures that the services are performed with competence and due professional care. The member must also obtain sufficient relevant data to support the work product and comply with all technical standards applicable to the professional services.
IT Infrastructure and Data Security: Members must ensure that the third-party service provider adheres to robust IT infrastructure and data security protocols. This includes implementing secure data transmission methods, establishing user rights management systems, and deploying incident response plans. The service provider should also follow cybersecurity best practices, conduct regular audits, and maintain compliance with relevant data protection regulations. Additionally, members should ensure that cloud-based solutions meet AICPA-recommended security standards and that the provider has the capacity to safeguard confidential client data against unauthorized access, breaches, or loss. These measures are critical to upholding professional and ethical responsibilities when outsourcing.
AICPA Recommended IT Set up & Security Guidelines (Link)
View AICPA Code of Conduct
Sample Language by AICPA
(AICPA Sample Client Disclosure Language for Outsourcing Rules)
The firm may from time to time, and depending on the circumstances, use third-party service providers in serving your account. We may share confidential information about you with these service providers, but remain committed to maintaining the confidentiality and security of your information. Accordingly, we maintain internal policies, procedures and safeguards to protect the confidentiality of your personal information. In addition, we will secure confidentiality agreements with all service providers to maintain the confidentiality of your information and we will take reasonable precautions to determine that they have appropriate procedures in place to prevent the unauthorized release of your confidential information to others. In the event that we are unable to secure an appropriate confidentiality agreement, you will be asked to provide your consent prior to the sharing of your confidential information with the third-party service provider. Furthermore, the firm will remain responsible for the work provided by any such third-party service providers.
View AICPA Sample Language Guidance
IRS 7216 Requirements
Basic Consent Requirement
1. Separate Written Document:
Consent for each separate disclosure or use must be in a distinct written document. Can be provided on paper or electronically. May be included as an attachment to an engagement letter.
2. Paper Consent Requirements:
Must use 8.5" x 11" (or larger) paper. All text must solely address the authorized disclosure or use. Font size must be at least 12-point (no more than 12 characters per inch). Must include all elements specified in section 5.04 (and section 5.06, if applicable).
3. Electronic Consent Requirements:
Presented on one or more computer screens, with text only related to the consent (except navigation tools). Text size must match or exceed standard body text size on the website or software. Must include:
- All required elements from section 5.04 (and section 5.06, if applicable).
- Signature and date fields for taxpayer compliance with section 6.
- A readable and printer-friendly format.
4. Identification of Parties:
The consent must include the names of both the tax return preparer and the taxpayer.
5. Purpose and Recipient of Disclosure:
For disclosures, the consent must specify the intended purpose. The consent must identify the specific recipient(s) of the information. For uses beyond tax preparation, each type of product or service (e.g., loans, insurance) must be identified.
6. Specific Information to Be Disclosed or Used:
The consent must clearly specify the tax return information that will be disclosed or used.
7. Disclosure to International Recipients:
If the information is disclosed to a preparer located outside the U.S., prior taxpayer consent is required under § 301.7216-3, per § 301.7216-2(c) and (d).
8. Signature and Date:
The consent must be signed and dated by the taxpayer.
Additional Requirements for 1040 Outsourcing
1. Form & Content:
Form & Content of the disclosure shall be as prescribed in the 7216. (View Sample Consent Prescribed by AICPA)
2. Prior Consent:
Taxpayer consent should be obtained prior to any disclosure of their information.
3. Affirmative consent:
All consents must require the taxpayer’s affirmative consent to a tax return preparer’s disclosure or use of tax return information. A consent that requires the taxpayer to remove or deselect disclosures or uses that the taxpayer does not wish to be made (i.e., an “opt-out” consent) is not permitted.
4. Adequate data protection safeguard:
Pursuant to § 301.7216-3(b)(4), a tax return preparer located within the United States, including any territory or possession of the United States, may disclose a taxpayer’s SSN to a tax return preparer located outside of the United States or any territory or possession of the United States with the taxpayer’s consent only when both the tax return preparer located within the United States and the tax return preparer located outside of the United States maintain an adequate data protection safeguard at the time the taxpayer’s consent is obtained and when making the disclosure. An adequate data protection safeguard is a management-approved and implemented security program, policy, and practice that includes administrative, technical, and physical safeguards to protect tax return information from misuse, unauthorized access, or disclosure and that meets or conforms to one of the following privacy or data security frameworks:
- The United States Department of Commerce “safe harbor” framework for data protection (or a successor program);
- A foreign law data protection safeguard that includes a security component (e.g., the European Commission’s Directive on Data Protection);
- A framework that complies with the requirements of a financial or similar industry-specific standard that is generally accepted as best practices for technology and security related to that industry (e.g., the BITS, Financial Services Roundtable, Financial Institution Shared Assessment Program);
- The requirements of the AICPA/CICA Privacy Framework;
- The requirements of the most recent version of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; or
- Any other data security framework that provides the same level of privacy protection as contemplated by one or more of the frameworks described in (1) through (5).
5. Disclosure of the Name of Company Located Outside the U.S.:
The provision requires disclosing the name of the company or tax preparer located outside the U.S. who is involved in handling your information.
6. Electronic Consent: If electronic consent is taken then
- Taxpayer affirmatively enters 5 or more characters unique to the taxpayer that the tax return preparer uses to verify the taxpayer’s identity. For example, entry of a response to a question regarding a shared secret could be the type of information by which the taxpayer authorizes disclosure or use of tax return information.
- Have the taxpayer type in the taxpayer’s name and then hit “enter” to authorize the consent. The software must not automatically furnish the taxpayer’s name so that the taxpayer only has to click a button to consent.
7. Validity of Consent:
Your consent remains valid for the duration you specify. If no duration is specified, the consent is valid for one year from the date of signature. We typically recommend that clients obtain multi-year consents, with many opting for a 5- or 10-year term. However, a consent stating that it remains valid as long as you remain a client may not meet IRS requirements.
For Non-1040 work
Non-1040 taxpayers – Consent to disclosure of tax return information
Taxpayers who are not filers of returns in the Form 1040 series may use language prescribed in this revenue procedure or consents whose formats and content do not conform to this revenue procedure as long as the consents otherwise meet the requirements of Treas. Reg. § 301.7216-3. For non-1040 work, such as payroll, sales tax, or corporate tax returns, write up work the following content can be added to the engagement letter for 1099-related services. While the form and content haven’t been specified, all Section 7216 regulations still apply to non-1040 work. This includes obtaining prior, affirmative consent signed by the client, ensuring adequate data protection safeguards from service providers, and disclosing the name of the third-party service provider. If the consent is obtained electronically, it must also comply with electronic consent regulations. All other requirements, including consent validity, remain applicable. So all basic requirement of the consent shall be followed.
Foreign Outsourcing Disclosure Engagement Letter Sample Langauge as prescribed by AICPA for Non-1040 work
“The taxpayer authorizes that any and all information furnished to us for or in connection with the preparation of tax returns under this engagement letter may, for a period of up to [insert number of years] years from the date of this engagement letter, be disclosed to [insert name], located outside the United States, engaged directly or indirectly in providing tax planning or preparation of tax returns. Disclosures under this paragraph may consist of all information contained in tax returns. If the taxpayer wishes to request a limited disclosure of tax return information, the taxpayer must inform us. The taxpayer acknowledges that their tax return information may be disclosed to our affiliates, related entities or subcontractors located outside the United States.”
Recommendation to Include General Disclosure Consent in Engagement Letters
Although content and form haven’t been specified in regulation, to ensure compliance, we recommend including a general consent as prescribed by AICPA for disclosure within engagement letters for all clients. This consent should identify the service provider explicitly, addressing any potential claims or violations proactively. While Section 7216’s requirements leave room for interpretation, our discussions with insurance providers and legal counsel support this approach as a best practice. This consent should apply firm-wide to maintain consistency and compliance, with possible exceptions for a small subset (1-2%) of high-value clients, as needed.
Comparison
| IRS 7216 Consent Requirement |
|---|
| Applicable Rules |
| For 1040's | Non 1040 Work |
| Form & Content |
| Prescribed | Not - Prescribed |
| Separate Written Document | Basic | ✅ | ✅ |
| Purpose of the Consent | Basic | ✅ | ✅ |
| Paper Consent Requirement Rules Applicability | Basic | ✅ | ✅ |
| Electronic Consent Requirements Rules Applicability | Basic | ✅ | ✅ |
| Specific Tax Return Information To be Disclosed | Basic | ✅ | ✅ |
| Identification of Parties | Basic | ✅ | ✅ |
| Signature and Date | Additional | ✅ | ✅ |
| Form & Content as Prescribed | Additional | ✅ | ⛔ |
| Separate Engagement Letter | Additional | ✅ | ⛔ |
| Additional Electronic Consent Requirements Rules Applicability | Additional | ✅ | ✅ |
| Prior Consent | Additional | ✅ | ✅ |
| Affirmative consent | Additional | ✅ | ✅ |
| Adequate data protection safeguard. Pursuant to § 301.7216-3(b)(4) | Additional | ✅ | ✅ |
| Disclosure of the Name of Company Located Outside the U.S. | Additional | ✅ | ✅ |
| Validity of Consent | Additional | ✅ | ✅ |
FTC Safeguards Rule
The Federal Trade Commission (FTC) enforces the privacy and safeguard provisions of the GLBA for non-banking financial institutions, including CPA and Accounting firms.
What's Gramm-Leach-Bliley Act ?
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data."
The Gramm-Leach-Bliley Act establishes the framework for protecting consumer financial information, while the FTC enforces these provisions.
Understand the FTC Safeguards Rule
Under the Safeguards Rule, financial institutions must protect the consumer information they collect. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. The “financial institutions” definition includes professional tax preparers.
Are CPA Firms Really Financial Institutions?
The definition of “financial institution” is broader than one may think. Per the Safeguards Rule “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental my client think about outsourcing? Practical Strategies for taking client consent for outsourcing. to such financial activities.” Per federal regulations referenced in the Safeguards Rule, this includes any number of financial and investment advisory activities, including providing tax planning and preparation services to any person for personal, family, or household purposes.
An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G)."
The FTC Safeguards Rule is a critical piece of compliance, especially when you're working with offshore partners. Let's dive into what it means for your CPA firm:
Why Applicable to Outsourcing ?
Outsourcing Company falls within definition of "Service Provider" : Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.
CPA & Tax Firms Responsibility is to oversee service providers, by :
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
- Requiring your service providers by contract to implement and maintain such safeguards; and
- Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
Key Requirements Your Offshore Partner Must Meet:
Under the FTC Safeguards Rule, your offshore partner must have a comprehensive security program in place. This includes designating a qualified individual to oversee the information security program and conducting regular risk assessments to identify potential threats to client data. The partner must also implement safeguards to address these risks, such as encryption, secure data disposal practices, and multi-factor authentication for anyone accessing customer information.
Employee management is a key aspect of compliance. Offshore partners should conduct background checks on employees who have access to sensitive customer information and provide regular security awareness training. Access to customer information should be restricted based on job necessity to minimize the risk of unauthorized access.
Service provider oversight is another requirement under the FTC Safeguards Rule. You must ensure that your offshore partner is capable of maintaining appropriate security safeguards and regularly assess their compliance with these standards. The rule also mandates that offshore partners develop and maintain a written incident response plan, covering data backup, recovery, and emergency operations in the event of a security breach.
Your Responsibilities:
- Ensure your offshore partner understands and complies with the FTC Safeguards Rule
- Regularly assess your partner's security measures
FTC Insights: "The Safeguards Rule requires companies to develop, implement, and maintain a comprehensive information security program." (FTC Safeguards Rule, 16 CFR Part 314)
Consequences Of Non-Compliance ?
- Under Title 18 of the United States Code, firms can face fines of up to $100,000 per violation
- Firm leaders can be personally liable for up to $10,000 per violation.
- There’s even the potential for a prison sentence of up to five years for non-compliance.
We suggest conducting an annual joint review with your offshore partner to assess FTC Safeguards Rule compliance and identify areas for improvement.
Challenges with Freelancers and Mom & Pop Shops:
When working with mom-and-pop shops or freelancers, there are typically compliance challenges under Section 7216.
1. Adequate data protection safeguard:
First, adequate data protection and safeguards required by section Pursuant to § 301.7216-3(b)(4) may not be met.
2. Foreign Company Name on the Consent:
It’s essential to specify the name of the company handling your information. As a U.S.-based company with an Indian counterpart, we offer the advantage of legal recourse within the U.S., meaning that if an issue arises, you can pursue action here. In contrast, working directly with a freelancer or foreign counterpart often leaves you without legal recourse and without assurance that required safeguards under Section 7216 are in place.
3. Contractual Agreement:
Additionally, the AICPA's professional code of conduct requires a formal contractual agreement, which may not always be adequately in place when working with freelancers or small, independent providers.
4. Adequate Due Diligence:
Furthermore, the code mandates thorough due diligence to assess the third-party service provider’s competence. This includes gathering documentation, obtaining reasonable assurances, and evaluating their credibility through references, community recognition, and published materials available online. Such due diligence can be challenging when dealing with third-party providers, particularly smaller or less established ones or freelancers.
Industry Expertise Matters
There are numerous outsourcing providers specializing in engineering, IT, medical billing etc who often expand into accounting services under the assumption that these fields are similar. However, the accounting industry demands specialized expertise, which is why the AICPA’s Professional Code of Conduct mandates that firms working with third-party service providers conduct thorough due diligence to evaluate their professional competence. CPAs and accounting firms, in particular, should ensure they do not engage with third-party providers that are incompetent. In such cases, as per AICPA requirements, members must ensure that any third-party provider has the necessary professional competence, technical skills, and credibility before engaging their services. Without this assurance, you may face additional challenges in meeting these standards.
WHY MYCPE ONE
1. Name Change Clarification:
As we transition from Entigrity to MYCPE ONE through our merger, we understand that some clients have questions regarding the impact of this change on previously obtained consents under Section 7216, particularly those with consent terms of 5 to 10 years. In 2024, the merger occurred at the parent level. The entity that previously operated under the name Entigrity remains intact, with no immediate change to its legal entity status or name. In 2025, we anticipate name change of the company. However, our existing DBA (Doing Business As) name, Entigrity, will continue to be recognized and valid, even after the rebranding process. If you have already obtained client consent under Section 7216 that references Entigrity, there is no need to renew or amend this consent. The DBA Entigrity will remain valid, and all consents referring to Entigrity will continue to comply with disclosure requirements. All prior consents remain legally effective, eliminating the need for additional consents solely due to our name change or merger activities at the parent level.
2. Our Due Diligence Checklist:
We provide comprehensive documentation to support your due diligence, ensuring compliance with AICPA, IRS, FTC requirements. This includes references from existing clients, testimonials, our IT and data security policies, contractual agreement, and cybersecurity and professional liability insurance policies etc. Additionally, we offer certifications, including Great Place to Work, ISO 27001, and GDPR compliance from a third party. Our active participation in community initiatives—such as webinars, events, conferences, and outsourcing awareness initiatives (including this blog)—further supports our commitment to transparency and compliance. (Please email us chris@my-cpe.com and we shall share with you the complete documentation about our company for you due diligence)
3. Our Expertise of working with CPA & Accounting firms:
For the past nine years, we have been exclusively dedicated to the accounting industry, building deep expertise in supporting accounting and CPA firms—not only through outsourcing but also in continuing education. This specialized focus aligns with AICPA professional code of conduct requirements and gives our clients a distinct advantage, allowing us to serve them more effectively than any competitor.
Resources
| Particulars | Topic | Link |
|---|
| How the FTC Safeguards Rule may affect your CPA firm | FTC Requirements | Click here |
| Can your firm complete the FTC Safeguards Rule checklist? | FTC Requirements | Click here |
| Written Information Security Plan (WISP) | IRS Requirements | Click here |
| AICPA resources and articles | IRS Requirements | Click here |
| Creating a Written Information Security Plan for your Tax & Accounting Practice | IRS Requirements | Click here |
| AICPA Outsourcing Toolkit - PCPS | AICPA Requirements | Click here |
| Safeguarding Taxpayer Data A GUIDE FOR YOUR BUSINESS | IRS Requirements | Click here |
| Section 7216 Guidance and Sample Consent Forms | IRS Requirements | Click here |
| Section 7216 Frequently Asked Questions | IRS Requirements | Click here |
| Rev. Proc. 2013-19 | IRS Requirements | Click here |
| Rev. Proc. 2013-14 | IRS Requirements | Click here |
| Treasury Regulations | IRS Requirements | Click here |
| Outsourcing and professional liability | AICPA Requirements | Click here |
| Guidance Note - AICPA Professional Ethics Executive Committee - Jan 2005 | AICPA Requirements | |
| AICPA Code of Professional Ethics | AICPA Requirements | |
Related Blogs
Disclaimer
Our guidance is grounded in extensive practical experience from the past nine years, during which we have worked closely with attorneys and insurance companies to support CPAs and accounting firms. This collaboration has provided us with valuable insights that shape our approach and recommendations. However, it's essential to consult with your independent attorney and insurance companies, seek expert advice on these legal matters, as well as conduct your own due diligence. Additionally, the data presented above is based on our internal experiences and estimates, not on any independent survey. Each state may have its own regulations regarding client consent. While most states adhere to AICPA guidance on the professional code of conduct, it’s essential to review your specific state’s requirements to ensure compliance with any additional disclosure obligations.
Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have
Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have
Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have
Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have.
FAQ's
You can work with an offshore independent contractor, freelance worker, or a small mom-and-pop shop, provided they comply with IT, data security, and due diligence requirements. However, 99% of the time, such providers fail to meet these standards. So technically you will be in violation. This is why we always recommend partnering with a reputable player who specializes in this industry, has proven experience, and can serve as a reliable long-term partner. Offshoring is not a one-time task—it’s an ongoing commitment that requires consistent compliance and reliability. We provide comprehensive documentation in advance for your due diligence and IT and data security compliance in a single package, helping you meet all these requirements seamlessly. Connect with our specialist at chris@my-cpe.com or call us at 646-827-4348 for more information or feel free to schedule a call https://calendly.com/meetingscheduling/mycpeone
The requirement to obtain consent under IRS regulations depends on the type of work being performed. In contrast, the consent requirements under AICPA and FTC regulations are applied to the entity itself, irrespective of the nature of the work being conducted.
IRS Consent Applicability:
- Under IRS rules, consent is required based on the specific services being performed. For instance, bookkeeping services are generally not subject to this requirement unless they are explicitly linked to tax preparation.
- A nuanced scenario arises when bookkeeping and tax preparation are covered under a single engagement letter. In such cases, consent would be required because the joint engagement letter covers tax-related services.
Nuance in Tax Preparation and Write-Ups:
- A key question is whether an annual write-up prepared for the purpose of tax filing qualifies as part of tax preparation. While this area can be considered grey, the practical answer is yes.
- If the primary purpose of the write-up or annual bookkeeping is to facilitate tax return filing, it falls under the scope of IRS 7216, and consent is likely required.
Understanding and navigating these requirements is essential to ensure compliance with IRS, AICPA, and FTC regulations, particularly when multiple services are bundled under a single engagement
Yes, consent is required for business tax returns. IRS 7216 mandates consent for tax return information, though it does not prescribe a specific form or content for the consent. Following AICPA recommendations can simplify compliance. Here’s the AICPA’s prescribed format. (Click Here)
- While the consent doesn’t need to be on a separate form, it must explicitly disclose.
- The name of the service provider.
- The duration of the consent.
- This consent can be included in your engagement letter as long as it meets the above requirements.
IRS regulations require you to disclose the name of the service provider in the engagement letter, whether for 1040 work or non-1040 work. This requirement extends to all work under IRS work jurisdiction, including payroll, income tax, sales tax, and any personally identifiable information (PII) related to tax preparation.
- Affirmative Consent: All three regulatory requirements —IRS, AICPA, and FTC—require explicit affirmative consent. Implied or passive consent is not valid.
- Electronic Consent: Must include a five-digit unique code typed in by the client. The client must type their name and actively check a box to agree to terms and conditions. Auto-filled names or pre-checked boxes are not acceptable.
- Paper Consent: Must include a signature and date. Separate consent form is required for 1040 tax returns.
Many firms face challenges, such as delayed return of engagement letters from clients or finalizing fees only at the time of tax return copy given to the client. However, to comply with these regulations consent must be clear, prior and explicit. Delayed or implied consent will not suffice. Ensuring adherence to these requirements will help you avoid potential violations and ensure smooth compliance with IRS, AICPA, and FTC regulations.
Consent must be obtained prior to performing any work involving tax information. Sending the engagement letter or obtaining consent at the time of filing the tax return is a violation of these requirements. Consent must be secured in advance.
All three regulations require due diligence when engaging third-party service providers. AICPA provides a detailed due diligence checklist to ensure compliance. (Click here) Similarly, IRS requirements mandate proper vetting and safeguarding when working with third-party outsourcing vendors. Refer resources for the same at the bottom.
If the consent involves two individuals filing jointly, such as in the case of married filing jointly, we recommend obtaining consent from both individuals.
If the consent involves two individuals filing jointly, such as in the case of married filing jointly, we recommend obtaining consent from both individuals.
While the AICPA Professional Code of Ethics may not apply if you are not a member of AICPA, you are still subject to the compliance requirements established by the state accounting board with which you are registered. Most state boards either have their own Code of Ethics or align with the AICPA Code of Ethics, meaning you are likely still subject to similar ethical and compliance standards for outsourcing. It is essential to verify these requirements with your respective state board to ensure full compliance.
This is a unique situation where your accountants are offshore, and your tax preparers are based in the US. If the engagement letter is combined, the requirement for consent is unclear. Based on my understanding, consent may not be required in this scenario, but I strongly recommend consulting your attorney for clarity and legal guidance. This is a specific and nuanced situation that requires expert advice.
Unlike the IRS, AICPA and FTC regulations do not have specific guidelines solely focused on outsourcing. However, whether you outsource domestically within the US or work with a domestic service provider, the same requirements apply. This includes obtaining explicit consent through the engagement letter, conducting proper due diligence, and ensuring compliance with IT and data security standards. These measures are critical for maintaining compliance and safeguarding client information.
If you have separate engagement letters for accounting and tax services, only the tax engagement is subject to IRS 7216 requirements, while the accounting engagement is not. However, if you are a CPA or an accounting firm, the AICPA Code of Professional Ethics still applies to CPA firms, and FTC regulations continue to apply to all accounting and tax firms. These overarching regulations require compliance with ethical standards, due diligence, and data security, irrespective of the type of engagement.
If you have your own setup or office in an offshore country, your offshore entity will still be treated as a third party, even if it is a subsidiary. Similarly, if you directly work with an independent contractor and pay them directly, they are not considered your employees but remain independent contractors. Consequently, all applicable regulations—including those from the IRS, AICPA, and FTC—apply as if you were working with any other third party. This makes it crucial to ensure compliance with these regulations, including due diligence, data security, and consent requirements. Many firms that establish offshore operations fail to meet these compliance standards, underscoring the importance of understanding and addressing these requirements in detail.
The FTC regulation under the Gramm-Leach Bliley Act (GLBA) is primarily applicable to financial institutions because they serve as custodians of their customers’ personally identifiable information (PII). Under the GLBA’s definition, accounting and tax firms are considered financial institutions due to their role in handling sensitive customer information. As custodians of such sensitive data, these firms fall under the purview of FTC regulations, making compliance with the GLBA a critical requirement for safeguarding client information.
Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have.
Co-Founder & CEO
Shawn Parikh is the CEO and Co-Founder of MYCPE ONE. A Chartered Accountant by qualification, he has over 15 years of experience of being a problem solver for small to mid-size firms and over time he has given consultation to thousands of CPAs, accountants and tax pros. Shawn has always been a big believer and advocate of social enterprises and small accounting firms & businesses. He consults and speaks on several topics ranging from Building Remote Team - Remote Working, Offshore Staffing, strategic planning, Scalability of Accounting Practice, cloud accounting, practice management, LinkedIn marketing, etc.
-1740065839.webp "Top 7 Benefits of Hiring an Offshore Accountant for Your Firm (2025)")
