
CPA firms do not get to pick which data security rules apply to them. The AICPA sets professional standards. The IRS sets requirements for anyone handling taxpayer data. The FTC enforces safeguards for financial data under the Gramm-Leach-Bliley Act. All three apply simultaneously, and all three have implications for firms that use offshore teams.
The good news is that there is significant overlap between these requirements. A firm that builds a security program to satisfy all three is not doing three times the work. It is doing one program with a few regulator-specific additions.
We help CPA firms meet these requirements every day at Madras Accountancy. Our security program is designed around these three regulatory frameworks. This article walks through each one, what it requires, and what it means practically when you have an offshore accounting team.
The AICPA governs CPA firms through its Code of Professional Conduct and related standards. When it comes to outsourcing and data security, two areas are most relevant.
ET Section 1.700.001: Confidential Client Information Rule. This rule requires CPA members not to disclose confidential client information without the client's consent. Using a third-party service provider (including an offshore team) constitutes disclosure, which means the CPA firm needs either client consent or a reasonable basis to believe the third party will maintain confidentiality.
In practice, most firms address this through their engagement letters, which include language authorizing the use of service providers. Some firms also include a specific outsourcing disclosure. Our guide to talking to clients about outsourcing covers how to handle this communication.
SSAE 18 and SOC Reports. When a CPA firm uses a service organization (an offshore accounting provider qualifies as one), AICPA standards may require the firm to understand the service organization's controls. For attest engagements, this means the firm needs to evaluate whether the service organization's controls are suitably designed and operating effectively.
A SOC 2 report from the offshore provider is the most direct way to satisfy this requirement. SOC 2 covers trust service criteria including security, availability, processing integrity, confidentiality, and privacy. Not every offshore provider has a SOC 2 report. We maintain one at Madras because we recognize that CPA firms need it for their own compliance.
What CPA firms must do. Obtain client consent (explicit or through engagement letter language) before sharing data with an offshore provider. Evaluate the provider's controls, either through a SOC 2 report or through the firm's own due diligence. Document the evaluation and the firm's conclusion. Monitor the provider's controls on an ongoing basis, not just at initial engagement.
Our vendor risk assessment guide covers how to evaluate a provider's SOC 2 and other compliance certifications.
The IRS has specific requirements for anyone who handles taxpayer data, including CPA firms and their service providers. The key guidance documents are Publication 4557 (Safeguarding Taxpayer Data) and Revenue Procedure 2007-40 (which covers outsourcing by tax practitioners).
Publication 4557 is the IRS's practical guide for tax professionals on data security. It is updated periodically and reflects the IRS's current expectations. The key requirements include creating a written information security plan (WISP), designating an employee to coordinate the security program, identifying and assessing risks to taxpayer data, implementing safeguards to address identified risks, evaluating the effectiveness of safeguards regularly, training employees on security practices, and having an incident response plan.
When a CPA firm outsources to an offshore provider, the WISP must address the risks created by the outsourcing arrangement. This means documenting what data is shared with the provider, what controls the provider has in place, how the firm monitors those controls, and how data is transmitted, stored, and eventually destroyed.
Revenue Procedure 2007-40 specifically addresses the outsourcing of tax return preparation. It requires that the taxpayer consent to the disclosure of their tax return information to the service provider. The consent must be in writing, signed by the taxpayer, and must identify the service provider (by name or by category, such as "offshore tax preparation service providers"). The consent must also specify what information will be disclosed and the purpose of the disclosure.
This is where many CPA firms get tripped up. General engagement letter language about "service providers" may not satisfy the specific consent requirements of Rev. Proc. 2007-40. The consent needs to be explicit about the fact that tax return information will be shared with a third party for preparation purposes.
Additional IRS Safeguards requirements apply when a firm handles data received from the IRS through e-Services, the Transcript Delivery System, or similar channels. These require additional controls, including background checks on personnel with access to IRS data, physical security of facilities where IRS data is accessed, and specific logging and audit trail requirements.
What CPA firms must do. Create and maintain a WISP that covers the outsourcing arrangement. Obtain specific taxpayer consent for disclosure of tax return information to the offshore provider. Ensure the offshore provider meets the security standards outlined in Publication 4557. Verify that the provider conducts background checks on personnel with access to taxpayer data. Include the outsourcing arrangement in the firm's regular security risk assessment.
The FTC's Safeguards Rule (16 CFR Part 314) applies to "financial institutions," which includes tax preparation firms and accounting firms that handle consumer financial data. The rule was significantly updated in 2023 with more specific technical requirements.
The updated Safeguards Rule requires a qualified individual to oversee the information security program (this can be an employee or a service provider), a written risk assessment that identifies reasonably foreseeable risks to customer information, specific safeguards including access controls based on least privilege, encryption of customer information both in transit and at rest, multi-factor authentication for accessing customer information, secure development practices for any custom applications, and intrusion detection and response capabilities.
The rule also requires continuous monitoring or periodic penetration testing and vulnerability assessments, policies and procedures to ensure service providers maintain appropriate safeguards, and a written incident response plan.
The service provider oversight requirement is particularly relevant. The FTC rule explicitly requires financial institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards and to contractually require those providers to implement and maintain safeguards.
This means the CPA firm has a legal obligation to evaluate the offshore provider's security before engaging them and to include security requirements in the contract. A handshake agreement is not sufficient. The security obligations need to be in writing.
What CPA firms must do. Designate a qualified individual to manage the security program. Conduct a written risk assessment that includes risks from outsourcing. Implement the specific technical controls required by the updated rule (encryption, MFA, access controls). Evaluate the offshore provider's safeguards before engagement. Include security requirements in the outsourcing contract. Conduct periodic assessments of the provider's continued compliance.
The overlap between these three frameworks is substantial. All three require a written security program or plan. All three require risk assessment. All three require controls around access, encryption, and monitoring. All three require oversight of service providers. All three require an incident response plan.
The differences are in the details. The AICPA focuses on professional standards and the duty of confidentiality. Its requirements are principles-based rather than prescriptive. The IRS is prescriptive about taxpayer consent (Rev. Proc. 2007-40) and has specific requirements for IRS-provided data. The FTC is the most technically specific, particularly after the 2023 update. It requires named safeguards (encryption, MFA) and a designated qualified individual.
A firm that builds its security program to satisfy the FTC's updated Safeguards Rule will likely satisfy the AICPA and IRS requirements as well, with the addition of the specific taxpayer consent requirements from Rev. Proc. 2007-40 and the SOC 2 evaluation recommended under AICPA standards.
Here is the consolidated checklist, organized by action area.
Written documentation. Written information security plan (WISP) that covers the outsourcing arrangement. Written risk assessment identifying risks from offshore data sharing. Service provider evaluation documentation (SOC 2 review, due diligence findings). Outsourcing contract with specific data security clauses. Taxpayer consent forms that meet Rev. Proc. 2007-40 requirements. Incident response plan that includes procedures for breaches at the service provider.
Technical controls at the provider. Encrypted data transmission (TLS 1.2 or higher). Encrypted data at rest (AES-256 or equivalent). Multi-factor authentication for all system access. Access controls based on the principle of least privilege. Data loss prevention (DLP) controls preventing unauthorized data extraction. Endpoint security on all devices used to access firm data. Network monitoring and intrusion detection. Audit logging with defined retention period (minimum 12 months).
Personnel controls at the provider. Background checks on all personnel with access to taxpayer data. Security awareness training (initial and annual). Confidentiality agreements signed by all personnel. Clear desk and clean screen policies. Exit procedures that revoke access immediately upon separation.
Physical security at the provider. Restricted facility access (badge, biometric, or key card). Visitor logging and escort requirements. No personal devices (phones, USB drives) in the work area. CCTV monitoring of work areas (common in offshore facilities).
Ongoing monitoring. Annual SOC 2 report review (or equivalent assessment). Annual security risk assessment update. Periodic penetration testing or vulnerability scanning. Regular review of access logs and user permissions. Annual contract review to update security requirements.
Our data security controls guide covers the technical controls in detail, including how encryption, DLP, and access review systems work in practice.
We built our security program to satisfy all three regulatory frameworks simultaneously. Here is what that looks like in practice.
SOC 2 Type II certification. We undergo an annual SOC 2 audit covering security, availability, and confidentiality. The Type II report covers a 12-month period and provides CPA firms with the assurance they need for their AICPA compliance obligations.
Physical security. Our facilities use badge access, CCTV monitoring, and a strict no-personal-device policy in work areas. All client work is performed on company-managed devices that are monitored and cannot be used to extract data.
Technical controls. All data transmission uses TLS 1.3 encryption. Data at rest is encrypted with AES-256. Multi-factor authentication is required for every system access. DLP controls prevent screen captures, file downloads, and clipboard operations outside of approved workflows. Our data security checklist details every control.
Personnel controls. Every team member undergoes a background check before joining. Annual security training is mandatory. Confidentiality agreements are signed at hiring. Access is revoked within one hour of separation.
Incident response. We have a documented incident response plan that includes 24-hour notification to affected CPA firms, forensic investigation procedures, containment and remediation protocols, and cooperation with the firm's own incident response process.
Beyond the three federal-level frameworks, some states impose additional data security requirements that affect CPA firms.
New York (23 NYCRR Part 500, the DFS cybersecurity regulation) imposes requirements on financial services companies that may apply to some accounting firms.
California (CCPA/CPRA) imposes data privacy requirements that affect firms with California-resident clients.
Massachusetts (201 CMR 17.00) has a comprehensive data security regulation that applies to anyone handling personal information of Massachusetts residents.
The common thread is that these state regulations generally require the same types of controls (encryption, access management, incident response) but may have specific notification timelines or documentation requirements. CPA firms should work with their attorneys to identify which state regulations apply based on their client base.
CPA firms face several forms of regulatory scrutiny: peer reviews under the AICPA's practice monitoring program, IRS audits of compliance with data security requirements, and state board of accountancy reviews.
If you are asked to demonstrate compliance with data security requirements for your outsourcing arrangement, you need to produce the WISP that covers the outsourcing relationship, the service provider evaluation (SOC 2 report or due diligence documentation), the outsourcing contract with security provisions, evidence of ongoing monitoring (annual reviews, access log reviews), and taxpayer consent documentation.
Having these documents organized and current is the key. The worst time to create them is when the auditor is asking for them. The best time is before you start the outsourcing engagement.
If your firm outsources accounting or tax work (or is considering it) and you are not sure whether your security program meets AICPA, IRS, and FTC requirements, that gap needs to be addressed. The regulatory environment is getting stricter, not more relaxed. The FTC's 2023 Safeguards update added specific technical requirements that many firms have not yet incorporated.
At madrasaccountancy.com, we can share our SOC 2 report, walk you through our security controls, and help you understand what your firm needs in its own security program to comply with all three frameworks. Reach out for a conversation.
Do we need client consent before sharing work with an offshore provider? For tax return information, yes. Rev. Proc. 2007-40 requires specific consent for disclosure of tax return information to a third-party service provider. Most firms incorporate this consent into their annual engagement letter. For non-tax accounting work (bookkeeping, financial statement preparation), the AICPA requires a reasonable basis for confidentiality, which can be addressed through engagement letter language and the provider's contractual confidentiality obligations.
Is a SOC 2 report from the provider required? It is not legally required by any of the three frameworks. However, it is the most efficient way to satisfy the AICPA's requirement to evaluate service organization controls and the FTC's requirement to select providers with appropriate safeguards. Without a SOC 2, the CPA firm would need to conduct its own detailed assessment of the provider's controls, which is more time-consuming and less standardized.
What happens if there is a breach at the offshore provider? The CPA firm remains responsible for notifying affected clients and regulators as required by applicable law. This is why the outsourcing contract must include prompt breach notification requirements (we recommend 24 hours), cooperation obligations, and clear allocation of remediation responsibilities. The firm should also have cyber liability insurance that covers incidents at service providers.
Does the FTC Safeguards Rule apply to our firm? It applies to CPA firms that handle consumer financial data, which includes tax preparation firms and firms providing accounting services to individuals. The FTC has broad jurisdiction over "financial institutions" under the Gramm-Leach-Bliley Act, and this definition includes tax preparers and financial advisors. If your firm prepares tax returns or provides financial planning services, the Safeguards Rule almost certainly applies.
How often should we reassess the provider's security? Annually at minimum. The annual reassessment should include reviewing the provider's current SOC 2 report (or conducting an updated due diligence assessment), verifying that contractual security requirements are being met, reviewing any security incidents that occurred during the year, and confirming that the provider has adapted to any new regulatory requirements. Some firms also conduct mid-year check-ins, particularly during the first year of the engagement.