Due diligence with CPA firm subcontractors.

Author: Wolfe, Joseph
Position: Certified public accountants

CPA firms often use subcontractors to help provide payroll, tax, accounting, and audit services or to provide administrative support to the firm. In the course of rendering these services, subcontractors may obtain access to a vast amount of confidential client data. Examples of subcontractors include part-time help hired during busy season, other accounting firms assisting with tax return preparation, or even companies that provide mailroom or office cleaning services.

Individuals with access to large amounts of electronic data pertaining to clients and the firm can create havoc in minutes. A CPA firm's legal and professional responsibilities for the privacy of client data also extend to the actions of its subcontractors. Consider this related story involving a privacy breach by a subcontractor in the health care industry.

Example. GMR Transcription Services (GMR) employed a subcontractor named Fedtrans to transcribe audio files received from GMR's customers. Fedtrans downloaded the files from GMR's network, transcribed them, and uploaded the transcripts back to the network. Because of an error by the subcontractor, the transcripts were indexed by a major internet search engine and became publicly available to anyone using the search engine. The files contained detailed notes from medical examinations about psychiatric disorders, alcohol use, and other confidential patient information. The Federal Trade Commission (FTC) conducted an investigation and charged GMR with failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information by the subcontractor.

The terms of the settlement with the FTC required GMR to submit biennial assessments and reports on its information security program for 20 years. (Federal Trade Commission, "Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers' Personal Information," available at ftc.gov.)

Typically, unauthorized disclosure of confidential client data by a subcontractor relates to the activities of its employees rather than a rogue act by an unknown third-party hacker. Subcontractors with inadequate controls over access to data present elevated risk to CPA firms. A breach may arise from unintentional and careless mistakes, as well as from intentional acts by subcontractor employees.

Understanding subcontractors' restrictions on access to electronic data and instituting...