MYCPE ONE

Outsourcing Compliance for Accounting Firms: IRS §7216, AICPA Code & FTC Safeguards

A Practical Guide to Regulatory Responsibilities When You Outsource

Detailed Matrix: Comparing IRS, AICPA & FTC Outsourcing Compliance

What IRS §7216, AICPA Code, and FTC Expect When You Outsource

Matrix columns: Category | IRS §7216 (1040) | IRS §7216 (Non-1040) | AICPA | FTC

Disclosure & Consent

Both the AICPA and the IRS require written client consent before work is outsourced. Beyond that core requirement, IRS §7216 (as implemented in Rev. Proc. 2013-14) imposes specific and often overlooked rules on how the written consent must be presented and obtained. Paper consents must meet formatting requirements (8.5 x 11 inch paper, 12-point type) so that the document is easily readable. The consent must be presented so the client can review it in full, page by page if printed or by scrolling if provided electronically. For electronic consents, the client must type their own name (it cannot be pre-filled) and must actively check a box to indicate agreement. These requirements look trivial, but they are conditions of a valid consent and must be studied and implemented carefully to avoid regulatory issues.

Both the AICPA and the IRS require CPAs and accounting firms to obtain affirmative, explicit, and specific consent from clients when outsourcing any part of their services. Passive or implied consent, such as assuming agreement if the client does not respond within a certain period (e.g., "if we don't hear from you in 15 days, we'll assume your consent"), is not acceptable.

Instead, consent must be actively given by the client. The engagement letter must clearly disclose the purpose of the consent and explain how and why client information will be shared with a third-party service provider. This includes detailing:

  • The nature of the information that will be shared
  • The identity of the outsourcing provider (i.e., naming the third-party firm)
  • The purpose of using their services
  • How the data will be handled or processed

In summary, consent must be informed and documented, with full transparency around the who, what, and why of third-party involvement, in accordance with both AICPA standards and IRS regulations.

Both the IRS and AICPA require CPAs and accounting firms to obtain prior written consent from clients before outsourcing any work to a third-party service provider. This means that client information cannot be shared with the outsourcing vendor until the client has been informed and has explicitly agreed to the arrangement. The consent must be secured in advance and should clearly outline what information will be shared, with whom, and for what purpose. This ensures transparency, protects client confidentiality, and aligns with both regulatory bodies’ ethical and legal standards.
Both IRS regulations and AICPA standards state that a consent must require the taxpayer's affirmative consent to a tax return preparer's disclosure or use of tax return information. A consent that requires the taxpayer to remove or deselect disclosures or uses that the taxpayer does not wish to be made (an "opt-out" consent) is not permitted.
The IRS requires that the name of the third-party outsourcing service provider be explicitly identified in the written consent obtained from the client, typically as part of the engagement letter. This ensures that the client is fully informed about who will have access to their confidential tax information. In contrast, the AICPA does not mandate naming the specific third-party provider in the engagement letter. While the AICPA does require that the client be informed about the use of third-party service providers and that consent be obtained, it allows for more flexibility in how this information is disclosed.
All client consents related to outsourcing must be signed and dated by the client, in response to a specific request from the firm; an unsigned or undated consent is not valid. This creates a clear record of the client's authorization and the firm's acknowledgment, in line with both IRS and AICPA requirements for documenting informed consent before any confidential information is shared with a third-party service provider.
For individual returns (Form 1040 series), the IRS requires that the outsourcing consent be a separate written document containing the content prescribed under the §7216 regulations; it cannot simply be folded into the general engagement letter. For other engagements (business returns, advisory work), the outsourcing consent language may be incorporated directly into the existing engagement letter, provided it fully satisfies the IRS and AICPA consent and disclosure requirements, so no separate document is needed.
Under IRS regulations, the consent must specify the period for which it is effective. The IRS does not prescribe a particular duration, but if none is stated the consent is effective for one year from the date the client signed it. The AICPA Code of Professional Conduct, by contrast, does not mandate a validity period for engagement letters; the engagement remains in effect until it is replaced or terminated. The AICPA nevertheless recommends that practitioners review and update the engagement letter with clients annually to ensure continued relevance and clarity.

Due Diligence

AICPA, IRS, and FTC all mandate that accounting firms must have a written agreement in place with any outsourcing service provider they engage. This agreement must explicitly confirm that the outsourcing provider will comply with all applicable data privacy, confidentiality, and security requirements outlined under each regulatory body’s framework.

Specifically:

  • The AICPA requires a written agreement ensuring that the outsourcing provider adheres to professional standards, including confidentiality under the AICPA Code of Professional Conduct (ET Section 1.700).
  • The IRS, under Section 7216 and related guidance, requires that any third party receiving taxpayer data be bound by a written agreement to follow stringent data security and confidentiality protocols.
  • The FTC, under its Safeguards Rule, requires covered businesses, including CPA firms, to select service providers capable of maintaining appropriate safeguards and to require them by contract to implement and maintain those safeguards.

These agreements should clearly outline the scope of work, responsibilities, data handling procedures, security measures, and breach notification protocols, and should be reviewed and updated periodically to ensure continued compliance.

The AICPA, IRS, and FTC require that CPA and accounting firms adequately supervise and oversee any outsourcing company and the work performed by them. This obligation is not limited to just having a written agreement in place, but extends to active and ongoing monitoring of the outsourced activities to ensure that:

  • The work is performed with due professional care and competence.
  • The confidentiality and security of client data is maintained in accordance with regulatory standards.
  • The outsourcing provider adheres to the agreed-upon policies, procedures, and ethical standards.
  • The firm maintains sufficient internal controls to detect errors, fraud, or non-compliance in outsourced functions.

Specifically:

  • The AICPA Code of Professional Conduct emphasizes that members must take steps to ensure that services performed by third parties meet professional standards.
  • The IRS under Section 7216, and associated regulations, implies a duty of care when taxpayer information is shared externally.
  • The FTC, through its Safeguards Rule, mandates that firms monitor service providers to ensure compliance with data protection protocols.

In essence, outsourcing does not relieve the CPA firm of its professional responsibilities—the firm remains ultimately accountable for the quality, compliance, and security of all outsourced work.

The AICPA, IRS, and FTC all require periodic reassessment of both the competency of the outsourcing service providers and the safeguards they have in place to protect client data and ensure compliance.

  • Under the AICPA Code of Professional Conduct, firms are expected to evaluate and monitor third-party service providers on an ongoing basis to ensure that they maintain the required professional standards, technical competence, and ethical behavior.
  • The IRS, particularly under Section 7216 and related guidance, emphasizes the importance of maintaining reasonable safeguards to protect taxpayer information. This includes reviewing and reassessing the outsourcing provider’s security policies, procedures, and practices periodically.
  • The FTC’s Safeguards Rule mandates that accounting firms and tax professionals must regularly monitor and assess the effectiveness of their vendors’ safeguards, including technical, physical, and administrative controls. This includes not just an initial vetting but also ongoing oversight and periodic evaluations to verify continued compliance.

In summary, CPA and accounting firms are not only responsible for initial due diligence before engaging an outsourcing vendor but are also required to periodically reassess the provider’s qualifications and security posture to ensure ongoing compliance with AICPA, IRS, and FTC standards.

The AICPA, IRS, and FTC all require that CPA firms and accounting professionals ensure that their outsourcing service providers are competent and qualified to perform the services they are engaged for. While they do not mandate that these providers undergo periodic testing, firms are expected to periodically assess and verify the ongoing competency and qualifications of these providers.

This means firms must:

  • Conduct initial due diligence to confirm that the outsourcing provider has the necessary skills, experience, and qualifications.
  • Perform periodic reviews to ensure the provider continues to meet professional standards and is up to date with regulatory and technical developments.
  • Maintain documentation of these assessments as part of their supervisory and compliance responsibilities.

So, while periodic testing is not a mandatory requirement, periodic competency evaluations through supervision, documentation, and performance reviews are a regulatory expectation under AICPA, IRS, and FTC standards.

As part of due diligence, the AICPA recommends that firms request client references from the outsourcing vendor—ideally from firms of similar size and structure. Firms should also review case studies or past project examples that demonstrate the vendor’s capabilities, and directly contact those references to evaluate the vendor’s performance, reliability, and adherence to professional standards.
The AICPA requires that firms maintain proper documentation when engaging third-party service providers. This includes recording the name of the offshore outsourcing vendor, its location, years of operation, and a contact person with relevant contact details, to ensure transparency, accountability, and ease of reference.
The AICPA advises that legal and regulatory compliance should be reviewed in consultation with your CPA firm’s attorney. This includes verifying whether the outsourcing vendor is registered and compliant with local laws, checking for any past or ongoing legal or regulatory issues—especially those involving CPA firms—and confirming if the vendor holds any relevant certifications or accreditations related to the services offered.
The AICPA recommends assessing the financial stability of your outsourcing vendor by requesting audited financial statements for the past three years—including the balance sheet, income statement, and cash flow statement. This helps determine whether the vendor is financially sound and capable of meeting obligations, and whether there are any signs of financial distress or irregularities that could pose a risk to your firm.
AICPA suggests evaluating the infrastructure and technology capabilities of your outsourcing vendor, including their hardware, software, data security protocols, encryption standards, and disaster recovery systems. Ensure the vendor is technologically compatible with your systems and adheres to data privacy and consumer protection laws relevant to your firm.
AICPA recommends assessing the qualifications and expertise of the outsourcing vendor’s staff, including their education, professional certifications, and domain experience in accounting, tax, or audit. You should also review staff turnover rates, retention policies, and procedures for terminating access for former employees to ensure continuity and data security.
AICPA advises requesting details on the outsourcing vendor’s quality control processes, including how they ensure accuracy, completeness, and timeliness of deliverables. It’s also important to ask whether the vendor follows any recognized industry certifications or quality assurance frameworks to maintain service standards.
AICPA recommends reviewing the outsourcing vendor’s SLAs and contract terms carefully—ensuring clarity on scope, deliverables, performance metrics, and dispute resolution. Legal counsel should review jurisdiction, termination clauses, and IP rights, especially for foreign operations.
AICPA advises confirming that the outsourcing vendor has valid professional liability, cyber, and relevant insurance coverage. Request proof of insurance, verify coverage limits and validity, and ensure your CPA firm’s liability insurer is informed of the outsourcing arrangement.

Data Security

Develop a written, firm-wide information security program that addresses how client and firm data is protected. This should cover physical, administrative, and technical safeguards. The program must be tailored to the size, complexity, and nature of the firm’s operations.
Schedule regular internal and external security audits to evaluate the effectiveness of controls and identify vulnerabilities. Document and act on audit findings to strengthen the security posture.
Encrypt sensitive client data both at rest and in transit using current, industry-standard protocols (for example, TLS for data in transit and full-disk or file-level encryption for stored data). The FTC Safeguards Rule requires encryption of customer information in transit over external networks and at rest, or a compensating control approved by the firm's Qualified Individual. Encryption limits exposure if storage media, a backup, or a transfer channel is compromised.
Ensure all offshore or outsourced employees undergo thorough background checks before being assigned to client data or systems. This includes identity verification, employment history, and criminal record screening.
Establish a training program that educates employees on security policies, threat awareness, and safe data handling practices. Training should be refreshed regularly and tailored to different roles within the firm.
Implement layered safeguards across administrative policies, technical systems, and physical infrastructure. This holistic approach ensures comprehensive protection of sensitive client and firm data.
Establish a formal procedure to notify affected clients and regulators in case of a data breach. Timely notification is critical to maintain trust and meet legal requirements: the FTC Safeguards Rule requires notifying the FTC within 30 days of discovering a notification event involving the unencrypted information of 500 or more consumers, and the IRS asks tax professionals who suffer a data theft to report it promptly to their IRS Stakeholder Liaison and to the relevant state tax agencies.
After risk assessments, promptly implement the recommended security measures. This may include updating firewalls, patching systems, or training employees based on identified gaps.
Continuously monitor the controls and safeguards implemented through regular audits and periodic reviews. This ensures that risk mitigation strategies remain effective and aligned with changing threats.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to proactively identify and address weaknesses in your IT infrastructure, networks, and applications. These assessments simulate real-world attacks and uncover gaps before malicious actors can exploit them. Unless the firm performs continuous monitoring, the FTC Safeguards Rule expects penetration testing at least annually and vulnerability assessments at least every six months. Reports should be reviewed by IT/security leads, and remediation plans should be documented and executed promptly. VAPT is a critical component of ongoing risk management and regulatory compliance.
Maintain a comprehensive incident response plan that outlines the firm’s strategy for detecting, reporting, and mitigating security incidents. It should clearly define roles, escalation processes, and communication protocols.
Appoint a qualified individual responsible for implementing and overseeing the firm’s security program. This person ensures alignment with FTC and IRS requirements and is accountable for compliance, monitoring, and continual improvement of the program.
Designate specific individuals responsible for reporting security events internally and externally. This ensures a clear line of responsibility and timely escalation in the event of a breach or incident.
Based on the risk assessment, implement specific administrative, technical, and physical safeguards. These may include access restrictions, firewalls, secure file transfer protocols, antivirus tools, and employee access controls.
Develop procedures to regularly test and monitor the effectiveness of implemented safeguards. This can include system audits, penetration testing, vulnerability scans, and regular security reviews to ensure ongoing protection.
Update the firm’s security program as business operations, risks, and technologies evolve. Periodic evaluations should be conducted to adjust policies, improve controls, and stay current with industry standards and regulatory updates.
Enable system logging and conduct regular audits to detect unauthorized activities or potential breaches. Audit trails help ensure accountability and allow for forensic investigations if incidents occur.
Establish secure data disposal procedures for both electronic and physical records. Ensure that sensitive client information is rendered unreadable or irretrievable when no longer needed for business or legal purposes; the FTC Safeguards Rule requires disposing of customer information no later than two years after it was last used to provide a service, unless retention is necessary for business operations or a legal requirement.

Matrix legend: Compliance Required / Compliance Not Required