That is a problem. A good sales team can make any provider look great for 45 minutes. The gaps only show up 3 months in when your assigned bookkeeper quits, the quality drops, or you discover that "SOC 2 compliant" meant they started the process, not finished it.
We built this checklist at Madras Accountancy because we kept hearing the same story from firms switching to us from other providers. "We did not know what to ask." "They seemed great in the demo." "Nobody told us about the 12-month lock-in clause."
We are publishing this list because we are confident we pass every item on it, and because we think the industry needs more transparency. If any provider cannot answer all 30 of these questions clearly, that tells you something. Our guide to choosing the right outsourcing partner covers the higher-level decision framework.
These are non-negotiable. If a provider fails any of these, stop the evaluation.
1. Do you hold a current SOC 2 Type II certification? Not Type I (which is a point-in-time assessment). Type II covers a minimum 6-month review period and confirms that controls are actually operating, not just designed. Ask for the report itself, not a summary or a marketing page. Our vendor risk assessment guide explains the difference between Type I and Type II.
2. Where does client data reside during processing? The correct answer is "on your infrastructure" or "on our secure cloud infrastructure." If data is downloaded to local machines, that is a disqualifying security risk. At Madras, all work happens on virtual desktop infrastructure (VDI). Zero client data touches local hard drives.
3. Do you enforce multi-factor authentication (MFA) for all staff accessing client systems? MFA should be mandatory, not optional. If a provider says "we recommend MFA but it is up to each team member," walk away.
4. What background checks do you perform on staff who handle client data? At minimum: criminal background check, education verification, and employment history verification. In India, this also includes address verification and reference checks. Ask how often checks are repeated for existing employees.
5. What happens to client data when an engagement ends? The provider should have a documented data destruction or return policy. All client data should be removed from their systems within 30 days of engagement termination, with written confirmation.
6. Do you have documented incident response procedures for data breaches? Ask what happens if a breach occurs. Who gets notified, in what timeframe, and what remediation steps are taken. If the answer is vague, they have not planned for it.
7. What encryption standards do you use for data in transit and at rest? Look for AES-256 for data at rest and TLS 1.2 or higher for data in transit. These are baseline standards, not premium features.
8. Are you compliant with IRS Publication 4557 (Safeguarding Taxpayer Data)? This publication specifically covers data security requirements for tax practitioners. Any provider handling tax return data should be familiar with it. Our data security checklist maps these requirements.
9. What qualifications do your bookkeepers and tax preparers hold? In India, look for CA (Chartered Accountant), CMA, or BCom with specific US GAAP training. In the Philippines, look for CPA (Philippine). Ask what percentage of the team assigned to your account holds professional qualifications versus entry-level hires.
10. How do you train your team on US GAAP and US tax code? There should be a structured training program, not just "they learn on the job." Ask how many hours of US-specific training new hires complete before they touch client work.
11. What is your annual staff turnover rate? Anything above 25 percent should concern you. The industry average in Indian BPO is 15 to 25 percent. Ask specifically about turnover in the accounting division, not the overall company.
12. What happens when my assigned team member leaves? The provider should have a documented knowledge transfer process. At Madras, we maintain client-specific runbooks that allow a replacement to get up to speed in 1 to 2 weeks instead of starting from scratch. Our best practices guide covers how to build resilient team structures.
13. Can I interview or approve the team members assigned to my account? You should be able to. If the provider says "we assign whoever is available," you have no control over quality.
14. Do your team members work exclusively on my account or are they shared across multiple clients? Dedicated staff produce better quality because they learn your clients deeply. Shared staff cost less but deliver less consistency. Know which model you are getting.
15. What is your supervision structure? There should be a team lead or manager reviewing work before it reaches your review queue. If the offshore bookkeeper's work goes directly to you without any internal review, you are doing the provider's quality control job for them.
16. How do you handle performance issues with team members? Ask about their process for addressing errors, providing feedback, and replacing underperformers. The answer should be specific, not "we handle it."
17. What are your standard turnaround times, and are they guaranteed in the SLA? Get specific numbers: 48 hours for monthly reconciliations, 72 hours for individual tax returns, 5 business days for business returns. If turnaround times are not in writing, they are not real. Our article on SLA clauses that prevent quality slippage covers what to include.
18. What happens when you miss an SLA target? There should be consequences: service credits, penalty reductions, or escalation procedures. If the SLA has no teeth, it is a marketing document.
19. How do you measure and report quality? Ask for their quality metric: error rate per deliverable, first-pass accuracy rate, or review notes per engagement. At Madras, we target below 2 percent error rate and track it weekly during the first 90 days.
20. What communication channels and cadence do you provide? Expect dedicated Slack channels (or equivalent), weekly status calls during ramp-up, and monthly performance reviews after stabilization. Email-only communication is insufficient for an active outsourcing relationship.
21. Who is my primary point of contact? You should have a named account manager who is not the same person doing the production work. If your only contact is the bookkeeper doing the work, escalation is impossible.
22. What tax software platforms does your team work in? They should support your specific platform (Lacerte, UltraTax, Drake, ProConnect). "We can learn any software" is not the same as "we have 50 people experienced in Lacerte."
23. How do you handle peak season capacity? Ask what happens when multiple CPA firm clients hit peak simultaneously. Do they have excess capacity, or does your team get stretched thin? Ask for their staff-to-client ratio during peak months.
24. Do you offer a trial or pilot engagement? Any provider confident in their quality should offer a 30 to 90 day pilot with a subset of clients. If they require a 12-month contract with no trial option, that is a red flag.
25. What is the minimum contract length, and what are the termination provisions? Look for month-to-month or 90-day terms with 30-day termination notice. Avoid 12-month lock-ins, especially for a first engagement.
26. How is pricing structured and what triggers price increases? Understand whether you are paying per-FTE, per-client, per-return, or hourly. Ask when prices were last increased and by how much. Annual increases should be tied to a defined metric (CPI, percentage cap), not "we will let you know."
27. What is included in the base price versus what costs extra? Onboarding, training, software licenses, management oversight, and quality review should be included. If these are add-ons, the base price is misleading.
28. Who owns the work product and client data? You do. Always. This should be explicitly stated in the contract. If the provider retains any ownership or usage rights to work produced for your clients, do not sign.
29. What are the transition support terms if the engagement ends? The provider should commit to a 30 to 60 day transition period where they cooperate with knowledge transfer to your new provider or in-house team. This includes providing documentation, participating in transition calls, and maintaining access to work-in-progress files.
30. Can you provide references from CPA firms of similar size? Ask for 3 to 5 references from firms with comparable client count, service mix, and firm size. Call them. Ask what went wrong, not just what went right.
Score each question on a 0 to 3 scale. 0 means the provider cannot answer or the answer is unacceptable. 1 means partially acceptable. 2 means meets expectations. 3 means exceeds expectations.
Any provider scoring below 2 on questions 1 through 8 (data security) should be eliminated regardless of their scores elsewhere. A total score of 70 or higher out of 90 indicates a strong provider. Below 50 indicates significant gaps.
At Madras Accountancy, we share this checklist with prospective clients and invite them to score us. We believe transparency in the evaluation process benefits everyone. If you want to walk through this checklist with our team, reach out at madrasaccountancy.com.
In our experience working with firms that have evaluated multiple providers, certain patterns emerge consistently.
The providers with the best sales teams are not always the best operators. A polished presentation, professional website, and confident account executive tell you about the provider's marketing budget, not their delivery capability. The questions on this checklist get past the polish and into the substance. We have seen firms bypass the flashiest provider in favor of one that scored higher on data security and team qualifications, and those firms consistently report better outcomes.
Data security is the area with the widest gap between claims and reality. Nearly every provider says they are "SOC 2 compliant" or "enterprise-grade secure." When you ask for the actual SOC 2 Type II report, some providers admit they only have Type I, others say they are "in process," and a few cannot produce any documentation at all. If security matters to you (and it should), questions 1 through 8 need to be verified with documentation, not just verbal assurances.
Turnover rate is the metric most providers are least willing to discuss honestly. High turnover means your team changes frequently, which means repeated ramp-up periods and inconsistent quality. Providers with low turnover are usually proud of it and share the number freely. Providers who deflect the question or give a suspiciously low number may be counting turnover differently than you expect.
The pilot question (question 24) is a litmus test. In our experience, providers who refuse to offer a pilot or trial period are either not confident in their quality or are structured around long-term contracts that compensate for early-stage attrition. The providers who insist on pilots, as we do at Madras, are the ones who know their quality will sell itself once you see the work.
Once you have scored 3 to 4 providers on this checklist, the decision usually becomes clear. One or two providers will score significantly higher than the others. From there, we recommend two final steps before signing.
First, call the references. Not just the ones the provider gives you, which will obviously be their happiest clients. Ask the reference if they know of any firms that tried the provider and left. If you can talk to a former client, you will learn more in that conversation than in any demo.
Second, structure a pilot engagement before committing to a long-term contract. Our pilot engagement framework covers how to run a 30-day test with 3 to 5 clients that gives you real data on quality, turnaround, and communication. The pilot validates (or invalidates) what the checklist predicted.
Choosing based on price alone. The cheapest provider almost always has the highest hidden costs: more errors requiring onshore review time, higher staff turnover requiring repeated training, and weaker data security exposing you to compliance risk. The true cost of outsourcing includes these factors.
Yes. We recommend requesting proposals from 3 to 4 providers and running them all through this checklist. The comparison reveals patterns. If three providers score highly on data security and one does not, that tells you something.
Allow 2 to 4 weeks for the full process: initial conversations, proposal review, reference calls, and checklist scoring. Do not rush this. A bad provider choice costs 3 to 6 months of wasted time and damaged client relationships.
For your first outsourcing engagement, yes. Have an attorney review the data security provisions, termination clauses, liability limitations, and IP ownership terms. The cost of a contract review ($1,000 to $2,000) is trivial compared to the cost of discovering a problematic clause after you have onboarded 50 clients onto the provider's team.
Yes. The 30 questions apply regardless of the provider's geography. Data security requirements, team quality standards, SLA expectations, and commercial terms are equally important whether the team is in India, the Philippines, Colombia, or Mexico. The specific certifications may differ slightly by country (for example, data privacy regulations vary), but the underlying principles of security, quality, and accountability are universal.
Transitioning existing clients to an outsourced CAS team is operationally straightforward and emotionally tricky. Here is how to do it without losing clients.
Your first outsourced tax season will either be a relief or a disaster. The difference is whether you start preparing in October or panic-call a provider in February.
CPA firms are terrible at collecting their own invoices. Average days in AR is 65 days. Here is how outsourcing AR management cuts that to 40 and improves cash flow.
