The Real ROI of Offshore Staffing for CPA Firms (Calculator Inside)
The real ROI of offshore staffing for CPA firms with our calculator. See how much your firm can save while scaling efficiently.
Outsourcing tax work is no longer unusual. What is unusual is how few CPA firms can clearly explain their compliance posture when asked.
Most firms focus on cost savings, capacity relief, and faster turnaround times. Those are real benefits, but they are not what regulators, insurers, or clients care about first. What they care about is whether the firm understands its responsibilities when tax data leaves direct internal control.
That gap is where risk shows up. In the 2025 filing season, according to TIGTA, the IRS identified about 6,000 tax returns as identity theft, stopping payment of $54 million in fraudulent refunds. The IRS also issued 6.3 million Identity Protection PINs as a preventive measure by March 1, 2025.
This blog walks through the non-negotiable compliance checks CPA firms must have in place when using offshore or outsourced tax services. Not in theory. In practice.
Before you talk about compliance, you need clarity.
“Outsourcing” is not a single thing. It is a catch-all word that hides important differences. Different outsourcing models trigger different ethical, disclosure, and security obligations. Start by documenting your current operating model. Not what you intend to do. What is actually happening today.
Ask four basic questions and write the answers down.
Be specific.
Vague descriptions such as “back office support” or “tax assistance” are red flags in an audit or inquiry. They suggest that the firm has not assessed risk at the task level.
Common outsourced tax tasks include:
Each of these tasks carries a different risk profile.
Outsourcing data entry is not the same as outsourcing tax planning support. Outsourcing research is not the same as outsourcing client communication. Regulators and insurers look at what is outsourced, not just that outsourcing exists.
If you cannot articulate exactly which tasks are handled externally, you cannot defend your controls.
Firms must document:
Location matters for disclosure, privacy expectations, and security design.
A controlled office environment with managed devices is fundamentally different from a remote, bring-your-own-device setup. If you treat those as equivalent, you are underestimating risk. This information should be documented internally. Also, when obtaining the signed Section 7216 consent, you need to share this information with your client too.
Many firms know the vendor name but cannot name the roles that actually access client data. That is a problem.
You should be able to list categories of individuals who touch data, such as:
This is not about naming individuals. It is about understanding access paths.
If you cannot name the types of people who access data, you do not have meaningful control. At Credfino, we share the name of the person responsible for their set of duties. If your offshore provider is not doing this, you need to reconsider.
Next, inventory every system that outsourced staff can access.
Common systems include:
This inventory becomes the foundation for access control, monitoring, and audit readiness. If a system is accessed by an external party, it must be included in your security and compliance scope.
This is where many firms get exposed. The core rule of Internal Revenue Code (IRC) Section 7216 is that a tax return preparer cannot knowingly or recklessly disclose or use taxpayer information for any purpose other than preparing the tax return, unless the taxpayer gives explicit, written consent or a specific regulatory exception applies.
Consent exists to protect the client and the firm. When handled poorly, it feels like an afterthought. When handled well, it builds transparency and trust.
Consent must be obtained before tax return information is disclosed to a third party.
Best practice includes:
Firms that bury consent language in dense engagement letters often create client trust issues later. Clients feel surprised when they discover offshore involvement after the fact.
Your engagement letter should clearly state:
Avoid euphemisms and vague phrasing. Plain language protects you.
Many firms now offer two consent paths:
This approach gives clients agency. It demonstrates that the firm is not hiding its model and is willing to adapt controls based on client comfort level.
Consent is meaningless if you cannot produce it.
Document:
During an inquiry, being able to retrieve consent quickly matters. Scrambling for documentation signals weak controls.
Outsourcing does not dilute ethical responsibility.
Your firm remains accountable for confidentiality and professional conduct, regardless of who performs the work.
Every individual with access to tax data should be bound by:
A vendor-level NDA is not sufficient. Ethical responsibility follows individuals, not contracts alone.
Your agreements should clearly state:
Silent subcontracting is one of the fastest ways firms lose control. If you do not know who is touching data, your compliance posture is already compromised.
Access should be role-based, not convenience-based.
If someone does not need a system to perform their task, they should not have access.
Excess access is one of the most common root causes of breaches.
CPA firms are required to maintain a written information security program that covers both internal operations and vendors.
A WISP is not a generic policy document. It is an operating document.
Your WISP should address:
It should reflect how your firm actually operates, not how you wish it operated.
Training is part of compliance.
Your program should document:
Vendors and offshore teams should be explicitly included in scope.
If something goes wrong, who does what?
Your plan should define:
A plan written after an incident is too late.
This is where most breaches actually occur. Policies fail when access controls are weak.
Access must align with job function.
No shared logins.
No generic credentials.
No exceptions “just for busy season.”
Temporary access is still access.
MFA should be mandatory on:
If a system cannot support MFA, reassess whether it should be used for sensitive data.
You need a documented process for:
Delays here create silent exposure.
Policies only work if they are enforceable.
Define where data is allowed to live.
Best practice includes:
Convenience is not a justification for risk.
If local downloads are allowed at all, controls must exist:
Many firms now prohibit local storage entirely to reduce exposure.
Data should be encrypted:
This applies to both firm systems and vendor systems.
Your agreements should define:
You do not want to discover backup gaps during a ransomware incident.
At contract end, data must be:
Ambiguity here creates long-term risk.
Before onboarding any vendor, document your review.
This is not about mistrust. It is about accountability.
Ask for evidence, not promises.
Examples include:
For roles handling sensitive data, background checks should be considered and documented, subject to local laws.
Confirm:
If work is office-based, assess:
Ask directly:
How a vendor answers this question often matters more than the answer itself.
Regulators are not becoming more lenient. Clients are becoming more informed. Cyber insurers are asking harder questions.
Firms that cannot clearly articulate their outsourcing controls will feel pressure from multiple directions at once.
Outsourcing done well is a competitive advantage. Outsourcing done casually becomes a liability.
If your firm is using offshore or outsourced tax services, compliance is not something you “get to later.” This might seem like a lot, which is why we are here.
We are a 7216-ready firm and can help you design your security protocols too.