
If your CPA firm outsources any accounting, tax, or audit work to a third party (whether offshore or domestic), you are subject to AICPA ethics guidance on the use of third-party service providers, specifically ET Section 1.700.040 of the AICPA Code of Professional Conduct. For more detail, see our article on choosing the right outsourcing partner.
Many firms outsource without fully understanding these requirements. Some assume that because they work with a reputable provider, compliance happens automatically. It does not. The ethical obligations fall on your firm, regardless of how good your outsourcing partner is. For more detail, see our outsourcing ROI analysis.
This is not meant to scare you away from outsourcing. Outsourcing is a powerful strategy that works for thousands of CPA firms. But doing it properly means understanding the rules. So let us walk through them in plain English.
ET Section 1.700.040, titled "Use of a Third-Party Service Provider," applies when a member in public practice uses a third-party service provider to assist in providing professional services. This covers any arrangement where someone outside your firm (an outsourcing provider, a subcontractor, a freelance preparer) handles work that contributes to the services you deliver to clients.
The standard is built around three key obligations:
Let us take each one in detail.

This is the area that generates the most questions. When do you have to tell your clients that you are using an outsourcing provider?
The AICPA requires client notification when the use of a third-party service provider involves sharing confidential client information with the service provider, and the service provider is not operating under the member's direct supervision and control in the way an employee would.
In practical terms, this means: if you are sending client data (tax returns, financial records, personal information) to an offshore or domestic outsourcing provider, you need to notify your clients.
The standard does not require client consent. It requires notification. This is an important distinction.
You must inform the client that you are using a third-party service provider. You do not need the client's permission to do so. However, if the client objects, you need to consider whether you can still provide the service without using the third-party provider, or whether the engagement cannot continue on those terms.
Most firms handle this through one of three approaches:
Here is an example of engagement letter language that works:
"In connection with providing services to you, we may use the services of a third-party service provider. Our firm may share your confidential information with this provider in order to deliver the agreed-upon services. We require any such provider to maintain the confidentiality of your information and to maintain appropriate safeguards over your data."
Keep it straightforward. Clients appreciate transparency, and in our experience working with dozens of CPA firms, client objections to outsourcing are rare when the firm communicates clearly and confidently.
For more on how to handle client communication around outsourcing, our article on staying compliant when outsourcing tax and accounting work provides additional practical guidance.
The AICPA Code of Professional Conduct has always required members to protect confidential client information (ET Section 1.700.001). When you outsource, this obligation extends to ensuring your service provider protects that information as well.
You must take "reasonable steps" to ensure that the third-party service provider has appropriate safeguards in place to protect confidential client information. "Reasonable steps" is not defined precisely, but it includes:
When evaluating an outsourcing provider's data protection, here is what you should look for:
Technical safeguards:
Organizational safeguards:
Certifications and audits:
Our detailed guide to vendor risk assessment and security certifications walks through each of these standards and what they mean for your firm.
If your outsourcing provider experiences a data breach involving your client information, the liability flows back to your firm. The client relationship is with you. The AICPA standards hold you responsible for taking reasonable steps to protect their data.
This is why contractual protections matter so much. Your agreement with the provider should clearly define:
The third pillar of the AICPA guidance relates to your firm's responsibility for the quality of work produced by a third-party service provider.
Using a service provider does not relieve you of your professional responsibility for the work product. The tax return, audit opinion, or financial statements that bear your firm's name are your responsibility, regardless of who prepared the underlying workpapers.
This means you must maintain adequate supervision over the outsourced work, including:
In practice, adequate supervision of outsourced accounting work mirrors the supervision you would provide to a domestic staff member, with a few additional considerations.
Clear work instructions. Every engagement should have documented procedures that specify what the offshore team is expected to do, what standards to follow, and what the finished product should look like. This is good practice even for domestic teams, but it is essential for outsourced work.
Structured review processes. At Madras Accountancy, we maintain our own internal review before delivering work to the onshore CPA firm. But the firm's own review is still required. The CPA or designated reviewer should examine the work product with the same rigor they would apply to any staff member's work.
Documentation of review. Keep records of your review process: review notes, sign-offs, and any corrections you required. This documentation demonstrates your supervision in the event of a peer review, regulatory inquiry, or professional liability claim.
Ongoing communication. Regular communication with your outsourcing provider about quality standards, common errors, and process improvements is part of effective supervision. This is not micromanagement. It is professional oversight.
Our article on quality control in outsourced accounting provides a detailed framework for building review processes that meet these standards.
While the AICPA sets the professional ethics framework, individual state boards of accountancy may have additional requirements related to outsourcing. These vary by state and can include:
Check with your state board or your professional liability carrier for state-specific requirements. In our experience, most state board requirements align with or are less stringent than the AICPA standard, but exceptions exist.
If your firm is subject to AICPA peer review (which most firms performing attest services are), your outsourcing arrangements will likely be examined as part of the review process.
Peer reviewers will look for:
Firms that document their outsourcing compliance properly typically have smooth peer reviews. Firms that outsource without documentation can face findings or recommendations.
The key takeaway: document everything. Your engagement letters, your provider evaluation, your data protection review, your work review process. Keep it organized and accessible for when the peer reviewer asks.
Here is a summary checklist for CPA firms that outsource. This is not exhaustive legal advice, but it covers the major compliance points under AICPA guidance.
Before you start outsourcing:
When you begin outsourcing:
On an ongoing basis:
For a broader overview of outsourcing best practices including compliance, see our outsourced accounting services guide.
We understand that compliance is not optional, and we have built our operations to make compliance easier for the firms we work with.
Data protection infrastructure. We maintain encrypted transmission and storage, role-based access controls, secure facilities, and regular security audits. We can provide documentation of our security practices for your due diligence files.
Confidentiality protections. Every member of our team signs confidentiality agreements. We conduct background checks. We enforce clean desk policies and prohibit the use of personal devices for client work.
Quality review processes. Our multi-level review process means that work product leaving our team has already been through at least one quality check. This does not replace your firm's review, but it reduces the errors that reach your desk.
Compliance documentation support. We provide the documentation you need for your engagement letters, peer review files, and quality control records. We are accustomed to supporting firms through peer review processes and can provide whatever the reviewer requires.
Engagement letter language guidance. We can share sample notification language that our client firms have used successfully. This is not legal advice, but it is practical help based on years of experience.
Our outsourcing dos and don'ts guide covers additional best practices for running a compliant outsourcing operation.
Let us clear up a few things we hear frequently.
"I do not need to notify clients because my provider is in the US." Incorrect. The notification requirement under ET Section 1.700.040 applies to any third-party service provider, domestic or offshore. The location does not determine whether notification is required.
"Client consent is required before I can outsource." Incorrect. Notification is required. Consent is not. If a client objects, you should address their concerns, but you are not legally required to obtain their agreement.
"My provider is responsible for data protection, not me." Incorrect. You are responsible for taking reasonable steps to ensure the provider protects data. The obligation is on your firm. A quality provider makes this easier, but the professional responsibility remains yours.
"If my provider is SOC 2 certified, I have met my data protection obligation." Not quite. SOC 2 certification is strong evidence that you evaluated the provider's controls, but the AICPA standard is broader. You should also have contractual protections, understand the specific controls in place, and monitor ongoing compliance.
"I do not need to review outsourced work because the provider has their own review process." Incorrect. The provider's internal review is valuable, but it does not substitute for your firm's professional review. The work bears your name, and the professional responsibility is yours.
Not necessarily. If your current engagement letters already include language about the potential use of third-party service providers, existing clients are already notified. If your letters do not include this language, you have two options: send a separate notification to existing clients, or update the engagement letter at the next renewal. Many firms choose to send a brief notification and then update the letter at renewal. Either approach works.
In our experience, this happens rarely (less than 5% of the time when the firm communicates confidently). If it does happen, discuss the client's specific concerns. Often, explaining your data protection measures and the provider's security certifications resolves the issue. If the client remains opposed, you can accommodate them by keeping their work onshore, though this limits your efficiency for that engagement. You are not required to stop outsourcing for all clients just because one objects.
The core ET Section 1.700.040 applies to all professional services. However, audit and attest work may have additional supervision requirements under AICPA auditing standards (such as AU-C Section 600 for group audits or AU-C Section 402 for service organizations). Tax preparation outsourcing is generally more straightforward from a compliance perspective, but the notification and data protection requirements apply equally.
At minimum, annually. Request updated security certifications, review any changes to their infrastructure or processes, and ask about any security incidents they have experienced. If your provider undergoes significant changes (new ownership, major system migration, staff restructuring), reassess sooner. Many firms tie this reassessment to their annual quality control review.
Yes. The professional liability for work product bearing your firm's name rests with your firm. If outsourced work contains errors that cause client harm, your firm is responsible. This is why supervision and review are so critical. It is also why choosing a quality provider (which reduces errors) is more important than choosing the cheapest provider. Your professional liability insurance should cover outsourced work, but confirm this with your carrier.
Outsourcing is fully compliant with AICPA ethics guidance when done properly. If you want a partner that makes compliance straightforward, visit madrasaccountancy.com to learn about our approach.
