
Most accounting outsourcing contracts we see from CPA firms are thin. A few pages covering scope of work, pricing, and maybe a confidentiality clause. That works fine when everything goes well. It fails the moment something goes wrong, and something always eventually goes wrong.
A client has a data breach. A preparer leaves and takes client knowledge with them. Quality drops and the SLA says nothing specific enough to enforce. The firm wants to terminate but the transition period is undefined. These are not hypothetical scenarios. We have seen each of them in our years of operating at Madras Accountancy.
We are going to walk through every major contract section that a CPA firm should include when engaging an offshore accounting provider. This is not legal advice (your attorney should draft and review the actual contract), but it is practical guidance on what needs to be in there and why.
The scope of work clause defines what the offshore team will and will not do. Vague scope leads to scope creep, which leads to disputes about whether something was included in the base price.
A good scope of work section specifies the service types (bookkeeping, tax preparation, payroll processing, audit support), the specific deliverables for each service type (monthly financial statements, completed tax returns, reconciliation reports), the volume expectations (number of returns per month, number of bookkeeping clients, transaction volume ranges), the complexity boundaries (what return types or client types are included and excluded), and the software platforms the work will be performed in.
Volume ranges matter more than fixed numbers. Accounting work is seasonal. A firm that sends 50 returns per month in summer and 200 per month during tax season needs a contract that addresses both scenarios. Fixed volume commitments that do not account for seasonality create friction on both sides.
We also recommend including a scope change procedure. When the firm wants to add a new service type or significantly increase volume, how is that handled? In our contracts, scope changes go through a documented request and agreement process, with updated pricing if the change affects resource allocation.
The SLA section is where most contracts fail. They include language like "provider will deliver high-quality work in a timely manner." That is meaningless. You cannot measure "high-quality" or "timely" without specific definitions.
Our SLA guide for offshore accounting covers the seven clauses that actually prevent quality problems. Here is a summary of what your SLA section needs.
Turnaround time commitments should be stated in business hours or business days, broken down by service type and complexity tier. Example: simple individual tax returns delivered within 48 business hours of receiving complete documentation. Complex business returns delivered within 5 business days. Monthly bookkeeping closes delivered by business day 8 after month-end.
Quality metrics with targets should include first-pass acceptance rate (target 85 percent or higher), critical error rate (target below 2 percent), and client-reported correction rate (target below 1 percent of deliverables). Each metric needs a clear definition. What counts as a "first-pass acceptance"? What is a "critical error" versus a "minor error"? Is the denominator deliverables, returns, or transactions? Define these in the contract, not after the first dispute.
Measurement and reporting frequency specifies how often these metrics are calculated and reported. Monthly reporting is standard. The contract should state who calculates the metrics (usually the provider, verified by the firm) and what format the report takes.
Remedy provisions for SLA misses describe what happens when the SLA is not met. Options include service credits (a percentage discount on the next month's invoice), right to add resources at no cost, right to terminate without penalty if SLA misses persist for a defined period (typically 3 consecutive months), or escalation procedures that trigger additional oversight.
The remedy provisions are what give the SLA teeth. Without them, the SLA is just a target that the provider can miss without consequence.
For CPA firms, data security is not just a best practice. It is a regulatory requirement. The AICPA, IRS, and FTC all impose obligations on how taxpayer and client data must be protected, even when (especially when) that data is shared with a third-party service provider.
Your contract should include a data security section that covers the following.
Compliance requirements should specify which standards the provider must meet. At minimum: IRS Publication 4557 (Safeguarding Taxpayer Data), AICPA Code of Professional Conduct (if the provider's work is used in attest engagements), FTC Safeguards Rule (if applicable), state data privacy laws applicable to the firm's clients, and any voluntary attestations or certifications the provider maintains (a current SOC 2 Type II report, ISO 27001 certification). For the voluntary ones, require the provider to furnish the current report or certificate on request and to notify the firm if it lapses; a claim of "SOC 2 compliant" without the report behind it is not a control.
Technical controls should be listed specifically, not generically. "Provider will maintain appropriate security controls" is not sufficient. Instead, specify encrypted data in transit (TLS 1.2 or higher, with TLS 1.0 and 1.1 disabled, since both are deprecated), encrypted data at rest (AES-256 or equivalent), multi-factor authentication for all access to systems that hold firm or client data, data loss prevention controls that block or alert on unauthorized export of client data (and who reviews the alerts), endpoint security on all devices used to access firm data, network segmentation that isolates the firm's client data from the provider's other clients and general corporate network, and access logging with a defined retention period and a right for the firm to obtain the relevant logs during an incident investigation.
Access controls define who within the provider's organization can access firm and client data. Principle of least privilege: only the specific team members assigned to the engagement should have access. The contract should require that the provider maintain a current access list, review it at a defined cadence (quarterly is common), revoke access the same day a team member leaves the engagement or the provider, and provide the list upon request. This is the clause that addresses the departing preparer scenario mentioned earlier; without it, former staff can retain credentials indefinitely.
Incident response covers what happens in the event of a data breach or security incident, including suspected incidents and incidents at the provider's own subcontractors. The contract should specify notification timing (we recommend within 24 hours of discovery), content of the notification (what data was affected, how many records, what containment steps were taken), cooperation requirements (the provider assists the firm in meeting its own notification obligations), and remediation responsibilities and costs. The 24-hour clock is a contractual obligation on the provider; it does not change the firm's own deadlines under state breach-notification laws or the FTC Safeguards Rule, so the clause should also require the provider to supply whatever detail the firm needs to meet those deadlines.
Data return and destruction specifies what happens to firm and client data when the engagement ends. The provider should return all data in a usable format and certify destruction of all copies, including backups and any copies held by subcontractors, within a defined period (typically 30 to 60 days after engagement end). The certification should be in writing and state what was destroyed, when, and by what method, so the firm has a record if a regulator or client asks.
Our data security checklist for offshore accounting covers the full security framework. Our guide to encryption, DLP, and access reviews gets into the technical details of each control.
The confidentiality clause in an outsourcing contract needs to go beyond a standard NDA. CPA firms handle some of the most sensitive financial information that exists, including tax returns, financial statements, payroll data, bank account details, and Social Security numbers.
The confidentiality section should define confidential information broadly (all client data, firm data, processes, pricing, and business information), specify the permitted use (only for performing the contracted services), require that the provider restrict disclosure to only those employees who need access, survive termination of the contract (typically for 3 to 5 years, or indefinitely for certain categories like taxpayer data), and include a carve-out for legally required disclosures (but with a requirement to notify the firm first).
Non-solicitation provisions are also worth including. You do not want the provider recruiting your clients or your staff, and they do not want you recruiting their team members. A mutual non-solicitation clause with a 12 to 24 month tail after termination is standard.
Who owns the work product? This sounds straightforward but it is not. The offshore team creates workpapers, templates, checklists, spreadsheets, and processes during the engagement. Some of these are built specifically for the firm (custom). Some are the provider's standard tools adapted for the firm (hybrid). Some are purely the provider's intellectual property used to deliver the service.
The contract should address each category. Client deliverables (financial statements, tax returns, reconciliation reports) are the firm's property. Full stop. The provider has no rights to these.
Firm-specific workpapers and templates created for the engagement should also belong to the firm. If the relationship ends, the firm should be able to take these and give them to a new provider or in-house team.
Provider tools and methodologies remain the provider's property. The firm gets a license to benefit from them during the engagement but does not own them.
This distinction matters at termination. If the firm assumes everything belongs to them and the provider disagrees, the transition becomes a dispute. Define it upfront.
Termination clauses are the most underappreciated section of an outsourcing contract. Firms spend time negotiating pricing and skip over the terms that govern how the relationship ends.
Termination for convenience allows either party to end the engagement without cause. Standard notice periods range from 30 to 90 days. We recommend 60 days as a balance. Thirty days is too short for a proper knowledge transfer. Ninety days locks firms in for too long if they are unhappy.
Termination for cause allows immediate or accelerated termination when specific conditions are met. Common triggers include material breach of the contract not cured within a defined period (typically 30 days after written notice), data security breach caused by the provider's negligence, persistent SLA failures (3 or more consecutive months below minimum thresholds), and bankruptcy or insolvency of either party.
Transition assistance is the critical missing piece in most contracts. When the engagement ends, how does the knowledge transfer happen? The contract should require the provider to cooperate in transitioning work to the firm's in-house team or a new provider. This includes documenting all ongoing work and its current status, transferring all data and work product, making key personnel available for questions during the transition period (typically 30 to 60 days), and maintaining service levels during the transition period.
Without a transition assistance clause, a terminated provider has no obligation to help you move to someone else. That creates significant operational risk, especially if you terminate mid-tax-season.
Pricing structure varies by engagement type, but the contract should clearly state the pricing model (per return, per hour, per FTE, or blended), rates for each service type and complexity tier, how volume changes affect pricing (volume discounts, surge pricing for rush work), what is included in the base price and what incurs additional charges, payment terms (net 15 or net 30 is standard), and annual rate adjustment provisions (tied to inflation, cost of living, or a fixed percentage cap).
Rush fees deserve their own subsection. During tax season, firms sometimes need returns completed faster than the standard SLA. What does that cost? Define it upfront. A 50 percent surcharge for 24-hour turnaround on work that normally has a 48-hour SLA is a common structure.
Dispute resolution for billing should also be addressed. If the firm disagrees with a charge, what is the process? Typically, the firm notifies the provider within 30 days, both sides review the disputed amount, undisputed amounts are paid on time, and disputed amounts are resolved within 60 days or escalated.
The provider should carry professional liability (errors and omissions) insurance and cyber liability insurance. The contract should specify minimum coverage amounts and require the provider to maintain coverage for the duration of the engagement plus a tail period.
Limitation of liability is typically negotiated. Providers will seek to cap their total liability at a multiple of the annual fees (1x to 3x is common). Firms will want carve-outs for data breaches and gross negligence. The final language is a negotiation, but both sides should enter the discussion knowing what they need.
Indemnification covers who pays if a third party (client, regulator, government agency) brings a claim related to the outsourced work. The standard approach is mutual indemnification: the provider indemnifies the firm for claims arising from the provider's negligence, and the firm indemnifies the provider for claims arising from the firm's instructions or client-provided data.
CPA firms operate in a regulated environment. The contract should address regulatory compliance explicitly.
AICPA standards apply when the outsourced work is used in attest engagements. The provider may be considered a "service organization" under AICPA standards, which triggers specific oversight requirements for the CPA firm.
IRS requirements apply to any provider handling taxpayer data. The contract should require the provider to comply with IRS Publication 4557 and any other applicable IRS guidance on third-party data handling. Separately, Internal Revenue Code section 7216 and its regulations restrict disclosing tax return information to a preparer outside the United States without the taxpayer's written consent, so the contract and the firm's client intake process both need to account for that consent requirement before any return data is sent offshore.
State board of accountancy rules vary by state but many require that CPA firms maintain adequate supervision over outsourced work. The contract should not create a structure that conflicts with these requirements.
Our guide to staying compliant when outsourcing covers the regulatory landscape in full detail.
The contract should establish a governance structure for the ongoing relationship. This includes a named account manager or engagement lead on each side, a regular meeting cadence (weekly during onboarding, monthly in steady state), an escalation path for issues that cannot be resolved at the team level, and an annual review process for the overall engagement (scope, pricing, SLAs, staffing).
Communication protocols should specify the primary communication channel, expected response times for different priority levels (urgent: 2 hours, standard: same business day, low: 48 hours), and how after-hours or emergency requests are handled.
Every engagement at Madras Accountancy starts with a contract that covers all of the sections described above. We do not wait for a firm to ask for data security clauses or SLA metrics. They are standard in every agreement.
We also include a 90-day evaluation period at the start of every engagement. During this period, either side can terminate with 15 days notice if the engagement is not meeting expectations. This protects both the firm and us. If the fit is not right, neither party is locked in.
Our vendor risk assessment guide covers how to evaluate a provider's compliance posture before signing, which should happen before you even get to the contract stage.
If your firm is entering or renegotiating an outsourcing agreement and wants to see how a well-structured contract looks, reach out at madrasaccountancy.com. We are happy to share our approach and help you understand what to look for in any provider's contract terms.
Start with the provider's template, but always have your attorney review and modify it. The provider's template will cover the operational details well (scope, SLAs, workflow) because they do this frequently. But it may not adequately protect the firm on liability, data security, termination, and regulatory compliance. Your attorney adds those protections. The best contracts are a collaboration between both sides' templates.
Annually at minimum. The annual review should cover whether the scope still matches the actual work being performed, whether SLA targets need adjustment based on the past year's performance, pricing adjustments, any regulatory changes that affect the engagement, and whether the data security requirements are still current. Material changes mid-year (new service types, significant volume changes) should trigger a contract amendment rather than waiting for the annual review.
The market standard is 1x to 3x annual fees for general liability, with carve-outs (no cap or higher cap) for data breaches caused by gross negligence and intentional misconduct. The right number depends on the volume and sensitivity of data being handled. Firms processing high volumes of taxpayer data should push for higher caps on data breach liability specifically.
If the outsourcing involves personal data of EU residents (which is uncommon for US-focused CPA firms but possible with multinational clients), you may need a separate DPA for GDPR compliance. For purely US-based work, the data security and privacy clauses in the main contract are typically sufficient, provided they are detailed enough to cover the requirements discussed above.
This should be addressed in the contract under termination provisions. The contract should require that in the event of insolvency, all firm and client data is returned immediately, the provider cooperates in transitioning ongoing work, and data destruction is certified by a third party if return is not possible. Some firms also maintain their own backups of all data shared with the provider as an additional safeguard.