When CPA firm owners evaluate outsourcing providers, they tend to focus on two things: price and capability. Can you do the work? How much will it cost? Those are necessary questions, but they are not sufficient. And they are exactly the questions every provider is prepared to answer with a polished pitch.
The questions that actually protect you are the ones that make the sales rep pause. The ones about what happens when things go wrong. The ones about who owns your data. The ones about how easy it is to leave.
We are an outsourcing provider ourselves, so yes, we are giving you a playbook to use against our competitors (and against us, for that matter). We do this because the firms that ask hard questions make the best clients. They set clear expectations, they hold us accountable, and they build relationships that last because they are built on transparency rather than assumptions.
Here is every question worth asking before you sign.
Who, specifically, will work on my account? Not a team name. Not a department. Names. Backgrounds. Qualifications. Experience levels. You should know who is touching your clients' financial data. Ask to meet them, even if just by video call. If the provider will not introduce you to your team before signing, ask yourself why.
What happens when one of my assigned staff members leaves? Staff turnover happens at every provider. What matters is the transition plan. How much notice do you get? How is knowledge transferred? What is the expected ramp-up time for a replacement? Is there a bench of trained backup staff, or are they recruiting from scratch?
At Madras, we maintain team-level documentation for every client so that institutional knowledge does not live only in one person's head. Our approach to building stable offshore teams is designed specifically to minimize the impact of individual transitions.
What is your annual staff retention rate? Ask for the number. Not "we have great retention" or "our people love working here." The number. Anything above 85 percent is solid. Below 75 percent should concern you. Below 65 percent means you will be re-training constantly.
Do your staff work exclusively for my firm, or are they shared across clients? Both models exist. Dedicated staff provide deeper familiarity with your firm's methods but cost more. Shared staff are cheaper but may produce less consistent work because their attention is divided. Neither model is inherently better, but you need to know which one you are paying for. If you are paying dedicated rates for shared staff, that is a problem.
How do you handle busy season staffing? Every CPA firm has peak periods. Tax season, audit busy season, year-end close. Can the provider scale your team by 25 to 50 percent during these periods? Where does the additional staff come from? Are they trained on your workflows, or are they pulled from other projects? Our guide on conquering busy season with offshore teams digs into what good seasonal scaling looks like.
What are the specific turnaround time commitments? "We deliver quality work on time" is not an SLA. You need specific, measurable commitments. Bookkeeping completed within X business days of month-end. Workpapers delivered within Y hours of receipt of source documents. Tax returns prepared within Z days of receiving the organizer.
What are the consequences when you miss an SLA target? If there is no consequence for missing a deadline, the SLA is decorative. Good SLAs include fee credits, escalation procedures, and at severe levels, termination rights without penalty. The SLA clauses that actually prevent quality slippage are the ones with teeth.
How do you measure and report quality? Ask for their quality metrics framework. What do they track? Error rates per deliverable? Rework percentages? First-pass acceptance rates? How frequently do they report these metrics to you? Monthly reporting is the minimum. If they do not track quality metrics at all, they cannot improve quality systematically.
What is your error rate, and how has it trended over the past 12 months? This one makes most sales reps uncomfortable. But any provider serious about quality control tracks this data and can share it. If they claim zero errors, they are either lying or not measuring. A 1 to 3 percent error rate with a declining trend is realistic and honest.
Do you have a current SOC 2 Type II report? Not Type I. Type II. The difference matters. Type I says controls were designed properly at a point in time. Type II says controls operated effectively over a period (usually 12 months). Ask for the full report, not a summary or certificate. Review it, or have your IT advisor review it.
How do you handle data in transit and at rest? Encryption standards matter. TLS 1.2 or higher for data in transit. AES-256 for data at rest. If they cannot specify their encryption standards, they probably have not thought about it carefully enough.
Who has access to my clients' data? Ask for a description of their access control framework. Role-based access? Least privilege principle? How often are access rights reviewed? What happens to access when a staff member is reassigned or leaves? Our data security controls guide covers the specific controls you should expect.
Where is my data stored? On-premise servers? Cloud infrastructure? Which cloud provider? Which geographic region? Some firms have regulatory or client-imposed restrictions on where data can be stored. Clarify this before signing.
Do you have a data breach response plan? Not "yes." Ask to see it. A proper breach response plan includes detection procedures, containment steps, notification timelines, and remediation processes. If they have not documented this, they are not prepared for a breach.
Do you have cyber liability insurance? What is the coverage amount? Does it cover data breaches involving client data? Would your firm be indemnified for losses resulting from a breach at the provider? Get specifics.
What is included in the quoted price, and what costs extra? The base price is rarely the total price. Ask about onboarding fees, software licensing costs, rush processing surcharges, after-hours support charges, and year-end processing premiums. Get a complete picture of what your annual cost will actually be.
How will pricing change after the first year? Some providers offer introductory pricing that jumps significantly at renewal. Ask for their rate increase history over the past three years. Ask what triggers price increases. Is it annual? Tied to inflation? At the provider's discretion? Get the escalation mechanism in writing.
What happens if my volume decreases? If you lose clients or bring work back in-house, does your per-unit cost increase? Some providers have minimum volume commitments with penalties for falling below. Understand the structure before you sign. The cost analysis should account for both growth and contraction scenarios.
Are there any fees for terminating the contract? If yes, how much? Under what circumstances can you terminate without penalty? Is there a notice period? What does the wind-down process look like? These are not pleasant questions, but they are essential ones.
Who owns the work product? This should be unambiguous. You (or your client) own all work product. Templates, workpapers, financial statements, tax returns. Everything produced for your clients belongs to you. If the contract says otherwise, or if it is silent on the issue, fix it before signing.
Who owns the processes and templates developed during our engagement? This is trickier. If the provider develops a custom workflow or template specifically for your firm, who owns that? Can they use a similar process for their other clients? Can you take those processes to a new provider? Get this documented.
What happens to my data when the contract ends? You need explicit provisions for data return and deletion. Within what timeframe will they return all your data? In what format? Will they certify deletion of all copies from their systems? What is their data retention policy after contract termination?
Can the provider use my data for their own purposes? Analytics, benchmarking, training their AI tools. Some providers include broad data usage rights in their contracts. Read the fine print. Your clients' financial data should not be used for any purpose other than delivering the services you contracted for.
What software platforms do you support? Get a specific list. QuickBooks Online, QuickBooks Desktop, Xero, Sage, NetSuite, Drake, Lacerte, UltraTax, ProSeries, CaseWare. Do not accept "we support all major platforms." Get confirmation for the specific tools your firm and clients use.
How do we communicate? Email? Slack? Microsoft Teams? A proprietary platform? How quickly should you expect responses? Is there a single point of contact, or do you communicate directly with the working team? What about urgent issues outside normal hours?
How do you handle our firm's specific procedures and preferences? Every CPA firm has its own way of doing things. Chart of accounts preferences, report formatting, workpaper organization, review note conventions. How does the provider capture and maintain these preferences? Is there a firm-specific procedures manual? Who updates it?
What does the onboarding process look like? Step by step. Timeline. Milestones. What is expected from your team during onboarding? How much of your staff's time will onboarding consume? When should you expect the team to be fully productive? A realistic first 90 days plan sets proper expectations and prevents frustration.
What happens if your systems go down? Ask about their disaster recovery plan. Recovery time objectives (RTO) and recovery point objectives (RPO). Do they have redundant infrastructure? Backup power? Secondary data centers? A four-hour outage during payroll processing week is not just an inconvenience. It is a crisis.
What happens if there is a natural disaster at your location? Do they have a secondary office? Can their team work remotely? How quickly can they resume operations? COVID tested every provider's remote work capability. Ask how they performed during that period.
What if your company is acquired or shuts down? This is the question nobody wants to ask. But in a fragmented industry with ongoing consolidation, it is relevant. What happens to your contract? Your data? Your assigned team? Is there a contractual provision that gives you early termination rights in the event of an ownership change?
These are the questions that genuinely separate thorough due diligence from surface-level evaluation.
Can I talk to a client who left you? Any provider can give you references from happy clients. Ask for a reference from a client who terminated the relationship. How the provider handled the departure tells you more than how they handle a satisfied client. If they refuse, consider what that signals.
What is your client churn rate? What percentage of clients leave each year? Why do they leave? If the number is above 15 to 20 percent annually, something systemic is driving clients away. Ask them to explain it.
Have you ever had a data breach? If yes, what happened? How did they respond? What changes did they make? A provider who has had a breach and handled it transparently may actually be more trustworthy than one who claims perfection, because the former has battle-tested their response plan.
What is your financial condition? You are entrusting critical client work to this company. If they go under, you are scrambling. Are they profitable? Growing? How long have they been in business? Who are the owners? You do not need audited financials, but you deserve basic financial transparency.
What do your employees say about working there? Check Glassdoor. Check LinkedIn. Are employees staying? Are they complaining about overwork, poor management, or lack of growth? A provider's internal culture directly impacts the quality and stability of service you receive.
Verbal promises mean nothing. Everything that matters should be documented in the contract or an attached service level agreement. Here is the minimum.
If your provider pushes back on including any of these, ask why. And be skeptical of the answer.
We share this article with prospective clients before they sign with us. Not after. We want firms to ask us every one of these questions because we have good answers and we are comfortable being held accountable.
We provide named staff assignments, monthly quality reporting, SOC 2 Type II certification, month-to-month contracts after onboarding, full data portability, and clear IP ownership terms. We are transparent about our retention rates, our client churn, and our financial stability.
The firms that ask the hardest questions become our best, longest-tenured clients. Because they chose us with eyes open, and the relationship starts with mutual accountability rather than mutual optimism.
Visit madrasaccountancy.com to start the conversation. Bring this list of questions. We look forward to answering every single one.
Should I have a lawyer review the outsourcing contract? Yes, especially for your first outsourcing relationship. An attorney familiar with professional services contracts can identify problematic clauses around liability, indemnification, and intellectual property that may not be obvious to non-lawyers. The legal review cost is trivial compared to the cost of a bad contract.
How long should the initial contract term be? We recommend a 90-day onboarding period followed by month-to-month terms. This gives both parties enough time to establish the relationship while preserving your ability to exit if the fit is not right. Providers who insist on 12-month minimums are usually trying to compensate for retention problems with contractual lock-in.
What is a reasonable SLA for turnaround time on bookkeeping? For monthly bookkeeping, 5 to 7 business days after month-end close is standard for the initial delivery. For payroll processing, 24 to 48 hours before the pay date. For tax preparation, turnaround varies by complexity, but 5 to 10 business days from receipt of complete information is typical. These should be documented with specific consequences for misses.
Can I negotiate the data security provisions in the contract? Absolutely. If the standard contract does not include the security requirements you need (specific encryption standards, access control procedures, breach notification timelines), add them. Any reputable provider will accommodate reasonable security requirements. If they push back on security provisions, that tells you something important about their priorities.
What recourse do I have if the provider breaches the contract? Your contract should specify dispute resolution mechanisms (mediation, arbitration, litigation), the governing jurisdiction, and limitation of liability provisions. For data security breaches specifically, indemnification clauses should cover your direct costs including client notification, regulatory fines, and remediation expenses. Ensure these provisions are explicit, not implied.
Transitioning existing clients to an outsourced CAS team is operationally straightforward and emotionally tricky. Here is how to do it without losing clients.
Your first outsourced tax season will either be a relief or a disaster. The difference is whether you start preparing in October or panic-call a provider in February.
CPA firms are terrible at collecting their own invoices. Average days in AR is 65 days. Here is how outsourcing AR management cuts that to 40 and improves cash flow.
