IT Best Practices Checklist to Follow IRS Guidelines When Offshoring Accounting Staff

Offshoring accounting staff can be a cost-effective and strategic way for US-based businesses to access global talent, improve efficiency, and expand their market reach. However, offshoring also comes with challenges and risks, especially regarding IT security and tax compliance. This document provides an overview of the IT best practices and IRS guidelines businesses should follow when offshoring accounting staff.

An Outline of IRS Guidelines for Offshoring Accounting Staff

Firms must consider tax compliance when offshoring accounting staff. The IRS has issued several guidelines and regulations that affect the tax implications of offshoring accounting activities. The following are the main takeaways from what a firm needs to uphold to maintain compliance with relevant parts of the IRS code.

Section 7216 of the Internal Revenue Code

Section 7216 prohibits the disclosure or use of tax return information by tax preparers without the taxpayer's consent. To comply with this regulation, businesses must:

• Obtain Consent: Secure the taxpayer's consent before sharing their information with an offshore service provider.
• Use of Information: Ensure that the offshore provider uses the taxpayer's information solely for the purposes authorized by the taxpayer.

Revenue Procedure 2013-14

Revenue Procedure 2013-14 outlines the requirements and procedures for obtaining taxpayer consent for the disclosure or use of tax return information by tax preparers. Key points include:

• Consent Form: Provide a consent form to taxpayers that clearly explains the types of information to be disclosed and the purpose of the disclosure.
• Retention: Retain a copy of the consent form for at least three years from the date of the taxpayer's consent.

No TIN List

Financial Institutions (FIs) are not required to obtain a foreign tax identification number (TIN) for an account held by a tax resident of a jurisdiction that appears on the IRS No TINs list. 

Currently, the list of jurisdictions fits into one of two categories:

• Jurisdictions that do not issue foreign TINs
• Jurisdictions with laws that restrict the collection or disclosure of foreign TINs of their residents and that request the U.S. competent authority to be exempt from the foreign TIN requirement.

Publication 4557

Publication 4557 provides guidance and best practices for tax preparers regarding safeguarding taxpayer data. Businesses should:

• Data Protection: Implement measures to protect taxpayer data from unauthorized access, use, and disclosure.
• Breach Response: Establish a breach response plan to address and mitigate taxpayer information data breaches.

Best Practices for Offshore Staff

So, what could implementing these IRS stipulations look like? These are some of the most important policies and guidelines for ensuring that overseas operations and employees remain compliant with regulations, including IRS 5293 and Gramm-Leach-Bliley compliance.

Administrative and Legal Measures

The first critical step in remote access security planning is ensuring that your offshoring practices are legally sound and that all parties are aware of their responsibilities.

• Clauses in Engagements for Offshore Labor: When drafting engagement contracts, it is essential to include provisions that explicitly allow the use of offshore labor. These clauses should outline the scope of work, security expectations, and compliance requirements to ensure the firm's and its clients' transparency and legal protection.
• Employee Contracts with Confidentiality Clauses: All onshore or offshore employees must sign contracts that include strict confidentiality clauses. These clauses should detail how sensitive information is handled, prohibit unauthorized disclosures, and outline the legal consequences of breaches.

Use of Firm-Owned Equipment

Providing and controlling the hardware used by remote employees is crucial for maintaining data security.

• Supply of Computers, Tablets, and Phones: The firm should supply all necessary equipment, including computers, tablets, and phones, to remote employees. This ensures that security configurations and software updates can be managed centrally.
• Restricted Use of Equipment: The provided equipment should be used exclusively by remote employees for work-related purposes. No other users should have access to this equipment, minimizing the risk of unauthorized access or data breaches.
• Optional Home Network Segmentation: The firm may provide firewalls and switches to segment their home network for employees working from home. This setup helps protect firm data by creating a dedicated, secure network environment separate from personal internet usage.

Setup of Remote Access Environments

Creating a secure remote access environment is essential for protecting sensitive data when accessed from overseas locations.

• International Security Group: Establish an international security group within your remote access infrastructure. This group should have specific security policies and monitoring mechanisms tailored to the unique risks of international access.
• Separate Virtual Machines (VMs) for International Use: Separate VMs are used for international employees. This segregation helps protect sensitive information by isolating international access from the rest of your network, reducing the risk of cross-contamination.

Application Setup – Flags and Restrictions

Configuring applications to recognize and enforce security policies for international users is key to maintaining compliance and security.

• Document Management System Segmentation: Implement flags within your document management system to segment access based on user location and role. This ensures that sensitive documents are only accessible to authorized users.
• Password Protection for Tax Systems: Require robust password protection for access to tax systems. This measure helps prevent unauthorized access to sensitive financial information.
• Filtering in Practice Management System: Use flags to filter access within your practice management system. This ensures that international users only access the data they can view and work with.
• International Licensing as Needed: Ensure that all software and applications used by international staff are appropriately licensed for use in their respective countries. This helps avoid legal issues and ensures compliance with local regulations.

IT Security Items

Implementing robust IT security measures is fundamental to protecting your firm's data from cyber threats.

• Firewalls: Deploy firewalls to protect your network from unauthorized access and cyber attacks. Ensure firewalls are configured to monitor and control incoming and outgoing network traffic based on predetermined security rules.
• Anti-Virus Software: Install anti-virus software on all firm-owned devices to detect and remove malicious software. Update the software regularly to protect against the latest threats.
• Anti-Malware Protection: Use anti-malware tools to identify and prevent malware infections. This additional layer of security helps safeguard against sophisticated cyber threats.
• Endpoint Protection: Implement endpoint protection solutions to secure all devices connected to your network. This comprehensive approach includes anti-virus, anti-malware, and firewall protections, ensuring that all endpoints are secure.

Access Controls

Strong access controls are essential to ensure that only authorized users can access sensitive data.

• Multifactor Authentication (MFA): Use MFA solutions such as DUO or Microsoft Authenticator to verify the identity of users accessing your systems. MFA adds an extra layer of security by requiring users to provide multiple forms of identification.
• Password Management: Implement password management solutions like Bitwarden, Keeper Password Manager, or LastPass Enterprise/Teams. These tools help users create and store strong, unique passwords for all their accounts, reducing the risk of password-related breaches.
• Data Loss Prevention (DLP): Adopt comprehensive DLP policies to prevent unauthorized access to and sharing of sensitive data. Enable DLP features in Microsoft 365 or other platforms to monitor and control data flows, preventing accidental or malicious data leaks.

Remote access security planning is a multifaceted process that requires careful attention to legal, physical, and technical aspects. By following this comprehensive checklist, CPA firms can effectively manage their IT and data security compliance while offshoring staff.

To ensure compliance when offshoring, Cetrom has tools like Cetrom Connect for unified security across all your networks, with EDR & MDR capabilities to protect locally managed devices for a complete security solution. Whether your team works in the office, at home office, or remotely overseas, our secure and compliant IT hosting solution drives accurate business continuity and peace of mind to help them sleep at night.

We can also help facilitate the requirements outlined in this checklist, whether that be separating databases, securing file and SQL servers, or other measures. If your firm is looking for offshore tax preparers or already does and you need assistance with these remote access security actions, please contact Cetrom to discuss your offshore security needs.