Successfully moving business to an offshore location like India, China, or the Philippines is often easier said than done. A recent study by Harvard Business School showed that only 48% of businesses that outsourced saw long-term success. Large enterprises are no exception to this challenging predicament.
For CPAs, outsourcing to offshore locations remained very limited until recently. A survey conducted by the AICPA in 2023 found that only 30% of firms outsourced accounting-related activities. However, this is quickly changing as a shortage of skilled CPAs in the US is pushing firms to more promising shores.
So, how are CPAs supposed to successfully navigate the offshoring hurdle without getting their fingers burnt? To help them in this endeavor, the AICPA has introduced its ten-point due diligence checklist. This essential tool provides CPA firms with a structured framework to assess potential partners’ capabilities, compliance, and performance metrics.
This blog breaks down the ten points in AICPA’s checklist, providing an overview of what each element on the checklist entails and what should be the plan of action for CPAs.
1. Check for Legal and Regulatory Compliance
The AICPA’s first checklist item is evaluating the legal and regulatory compliance standards of an outsourcing vendor. This is especially important for CPA firms handling sensitive financial data and client information. Here is a breakdown of the recommended legal and regulatory checks for CPAs to consider when shortlisting vendors.
Vendor Registration and Local Compliance
Confirm that the outsourcing vendor is properly registered and operates in accordance with the laws and professional standards of their jurisdiction. Request official documentation, such as business registration certificates, tax IDs, or operating licenses.
History of Legal or Regulatory Issues
Investigate whether the vendor has faced any legal actions, sanctions, or regulatory penalties—particularly those involving CPA firms, accounting practices, or client data handling. A vendor with unresolved or repeated issues may pose a reputational or compliance risk.
Relevant Certifications or Accreditations
Verify if the vendor holds certifications that demonstrate adherence to quality, security, and industry best practices (e.g., ISO 27001 for information security, SOC 2 for data protection, or relevant financial process accreditations). These credentials provide assurance that the vendor meets high compliance and operational standards.
AcoBloom Top Tip: Document all findings and request written assurances or declarations from the vendor regarding their legal standing and compliance practices. Include these in your due diligence records for audit purposes.
2. Check for Financial Stability
The next checklist item for CPAs is to assess the financial health of an outsourcing vendor. This is essential to ensure they can sustain operations and fulfill service commitments without disruption. Here is a breakdown of the checklist items under financial stability.
Request and Review Financial Statements
Obtain audited or certified financial statements for the past three years, including the balance sheet, income statement, and cash flow statement. Analyze key financial ratios such as liquidity, profitability, and solvency to gauge overall financial stability.
Evaluate Financial Health
Determine whether the vendor has adequate cash flow, positive net income, and a healthy balance of assets and liabilities. A vendor with strong financials is less likely to default on service agreements or experience sudden operational disruptions.
Watch for Red Flags
Identify any signs of financial distress, such as repeated losses, negative cash flow, declining revenues, lawsuits related to unpaid debts, or significant changes in ownership or capital structure. These may signal instability or potential risk to your firm.
AcoBloom Top Tip: Engage your internal finance team or CPA to assist in interpreting financial documents. Don’t hesitate to request further clarifications from the vendor if any data points appear unclear or out of place.
3. Check for Loopholes in Infrastructure and Technology
A thorough assessment of the vendor’s infrastructure and technology looks at the vendor’s long-term capabilities to deliver services reliably, securely, and in alignment with your firm’s operational requirements. Here is a breakdown of the checklist items under infrastructure and technology.
Evaluate Hardware and Software Resources
Assess whether the vendor uses modern, well-maintained hardware and up-to-date software platforms to support efficient service delivery. Confirm whether they use licensed software and recognized tools suited for accounting or CPA workflows.
Review Data Security Protocols
Verify the use of robust security measures such as data encryption (in transit and at rest), firewalls, access controls, intrusion detection systems, and secure authentication protocols. Inquire about employee access policies and cybersecurity training practices.
Examine Backup and Disaster Recovery (DR) Systems
Request documentation on backup procedures, DR plans, and business continuity strategies. Confirm how frequently data is backed up, where it is stored, and how quickly systems can be restored in the event of downtime.
Check Technological Compatibility
Ensure the vendor’s systems integrate smoothly with your firm’s existing software, such as accounting platforms, workflow tools, or document management systems. Compatibility reduces friction and streamlines collaboration.
Confirm Data Privacy Compliance
The vendor should comply with relevant data protection laws (e.g., GDPR, CCPA, India’s DPDP Act). Ask for their privacy policy and how they manage client data, retention periods, and breach notifications.
AcoBloom Top Tip: Conduct a technology walkthrough or virtual demo to see the systems in action and ask detailed questions about performance, security, and integrations with the latest software patches.
4. Check for Gaps in Data Protection and Client Confidentiality
Protecting client data is paramount for CPA firms. The outsourcing vendor must have robust safeguards while complying with applicable data protection laws and ethical obligations. Here is a breakdown of the checklist items in data protection and client confidentiality.
Assess Data Security Measures
Inquire about the vendor’s data protection protocols, including physical security, network security, endpoint protection, multi-factor authentication, encryption standards, and secure file transfer methods.
Evaluate Confidentiality Controls
Confirm that the vendor enforces strict internal access controls, confidentiality agreements for staff, and secure handling of sensitive client information. Ask whether they conduct regular internal audits and employee training on data privacy.
Review Regulatory Compliance
Verify the vendor’s compliance with global and local data protection regulations such as the U.S. GLBA, GDPR, CCPA, or India’s DPDP Act, depending on jurisdiction. Ensure they align with industry best practices like SOC 2, ISO 27001, or NIST standards.
Understand Section 7216 Compliance
If the vendor handles U.S. tax return information, ensure they are aware of and compliant with IRC Sec. 7216, which restricts the disclosure and use of tax return information. The vendor should provide written documentation of policies addressing this regulation.
Incident Response and Breach Protocols
Ask for their data breach response plan. A reliable vendor should have a defined process for identifying, mitigating, and reporting data breaches in a timely and compliant manner.
AcoBloom Top Tip: Request third-party audit reports (e.g., SOC 2 Type II) or data protection certifications to substantiate claims and include signed confidentiality agreements as part of your vendor contract.
5. Check for Quality Assurance and Internal Processes
To remain true to their client’s expectations, CPA firms must ensure the accuracy and reliability of outsourced deliverables. A strong quality assurance framework reflects the vendor’s commitment to excellence and risk mitigation. Here is a breakdown of the quality assurance and internal processes checklist items.
Request Quality Control Documentation
Ask for detailed information about the vendor’s internal quality assurance processes, including review checkpoints, supervisory oversight, and escalation procedures for discrepancies or errors.
Understand Accuracy and Timeliness Protocols
Inquire how the vendor ensures that work is accurate, complete, and delivered on schedule. This may include standardized workflows, checklists, peer reviews, and use of automation or audit trails.
Assess Performance Monitoring Systems
Determine whether the vendor tracks performance metrics such as turnaround time, error rates, and client satisfaction. Ask if they provide regular performance reports or dashboards.
Verify Certifications and Frameworks
Confirm whether the vendor follows recognized AICPA quality standards such as Statement on Quality Management Standards (SQMS), Statement on Auditing Standards (SAS), Statement on Standards for Accounting and Review Services (SSARS), or other industry-relevant accreditations. These demonstrate a structured approach to quality and continuous improvement.
Review Sample Work and QA Records
Request anonymized samples of previous deliverables and quality audit logs, if available, to evaluate the consistency and rigor of their quality checks.
AcoBloom Top Tip: Include agreed-upon quality benchmarks and service level agreements (SLAs) in your contract to ensure accountability and transparency in service delivery.
6. Check for Workforce and Expertise
The quality of the vendor’s staff directly impacts the accuracy and reliability of outsourced work. Assessing their qualifications, experience, and personnel practices ensures alignment with your firm’s professional standards. Here is a breakdown of the workforce and expertise checklist items.
Verify Educational Background and Certifications
Request profiles or resumes of key team members to confirm relevant academic qualifications, such as degrees in accounting or finance. Look for certifications like CPA, CA, EA, ACCA, or CIA that demonstrate professional competence.
Evaluate Experience and Domain Expertise
Assess whether the staff have experience in U.S. GAAP, IRS regulations, or other standards specific to your firm’s accounting, tax, or audit needs. Inquire about ongoing training and upskilling programs to ensure staff are up-to-date on the latest.
Understand Staff Turnover and Retention
High turnover can impact consistency and knowledge retention. Ask about the vendor’s average employee tenure, turnover rates, and strategies used to retain skilled professionals (e.g., training, incentives, career growth opportunities).
Review Protocols for Employee Exits
Inquire about protocols for revoking systems and data access for employees who leave or are terminated. Ensure they have immediate and auditable processes to prevent unauthorized access post-employment.
Assess Team Structure and Supervision
Understand the organizational hierarchy, including roles of managers, reviewers, and quality control personnel. This ensures accountability and clear oversight on deliverables.
AcoBloom Top Tip: Consider scheduling an introductory call or interview with the delivery team leads to assess communication skills, professionalism, and responsiveness.
7. Check for Client References and Case Studies
To gain insight into the vendor’s reliability, performance, and client satisfaction, it’s important to enquire into client references and case studies. This is especially true for firms that are similar in size and scope and have outsourced various accounting services over an extended period of time. Here is a breakdown of the client references and case study checklist.
Request Relevant Client References
Ask the vendor to provide references from current or past clients, preferably CPA firms or businesses of similar size, industry, or service needs. Prioritize references with long-standing engagements, which can indicate strong relationships and consistent performance.
Review Case Studies and Past Engagements
Request documented case studies or project summaries that showcase the vendor’s capabilities. Look for measurable outcomes such as improved turnaround times, reduced error rates, or cost savings. This demonstrates the vendor’s ability to deliver tangible results.
Contact References Directly
Reach out to references to gather first-hand feedback on key areas such as service quality, responsiveness, communication, issue resolution, and overall satisfaction. Ask if they encountered any challenges and how the vendor handled them.
Look for Industry Fit and Scalability
Evaluate whether the vendor has experience handling firms with similar workflows, compliance needs, or seasonal fluctuations. This ensures the vendor can adapt to your firm’s specific demands.
Assess Reputation and Client Retention
Ask how long clients typically stay with the vendor and what contributes to that loyalty. High client retention is often a good indicator of satisfaction and service consistency.
AcoBloom Top Tip: Keep a record of feedback gathered from reference calls as part of your due diligence documentation. Consider scoring vendors across a consistent set of criteria based on client feedback.
8. Check for Service Level Agreements (SLAs) and Contractual Terms
A clear, comprehensive contract and SLA form the foundation of a successful outsourcing relationship. Make sure to review the terms to ensure alignment with your firm’s expectations, legal requirements, and risk tolerance. Here is a complete breakdown of the SLA and contractual terms checklist.
Review Scope of Services and Deliverables
Ensure the SLA clearly defines the scope of work, types of services to be delivered, timelines, deliverables, and frequency of reporting. Ambiguities can lead to misaligned expectations and service gaps.
Assess Performance Metrics and Accountability
Look for specific performance indicators such as turnaround time, accuracy rates, error thresholds, and responsiveness. Ensure the SLA includes reporting mechanisms and consequences for non-performance.
Understand Escalation Procedures
The agreement should include structured escalation paths for resolving issues, delays, or service quality concerns. Know who to contact at each level and what timelines apply for issue resolution.
Evaluate Termination Clauses
Review provisions for contract termination, including notice periods, penalties (if any), and handover processes. Ensure you have the flexibility to exit the contract without undue risk if service expectations are not met.
Check Intellectual Property (IP) Rights
Confirm that your firm retains full ownership of all data, reports, and outputs generated through the outsourced engagement. Ensure confidentiality and IP protection clauses are clearly stated.
Review Dispute Resolution Mechanisms
Assess how legal disputes will be handled (arbitration, mediation, or litigation) and which jurisdiction’s laws will apply. This is especially critical when engaging offshore vendors.
Consult Your Attorney on Legal Considerations
Your CPA firm’s legal counsel should review the contract for jurisdictional issues, enforceability of clauses in the vendor’s country, data privacy obligations, and compliance with international service agreements.
AcoBloom Top Tip: Negotiate SLAs collaboratively with the vendor to ensure mutual understanding and avoid future friction. Keep the contract updated as services evolve over time.
9. Check for Security Assessments and Audits
Independent security assessments provide credible validation of a vendor’s data protection controls and risk management practices. Verifying these assessments is essential for safeguarding client data and ensuring regulatory compliance. Here is a breakdown of the security assessments and audits checklist.
Inquire About Third-Party Security Audits
Ask whether the vendor has undergone any recent independent security assessments, such as SOC 2 (Type I or II), ISO/IEC 27001, Cyber Essentials, or GDPR compliance audits. These certifications demonstrate adherence to recognized security standards.
Request Audit Reports and Certifications
Obtain copies of relevant security audit reports, certificates, or summaries from third-party assessors. Review the scope, findings, and date of the most recent audit to evaluate the vendor’s ongoing commitment to information security.
Review Frequency and Scope of Assessments
Determine how often the vendor conducts internal and external audits. Regular assessments suggest a proactive approach to maintaining and improving security posture.
Evaluate Remediation Practices
If audit reports highlight findings or deficiencies, inquire about the corrective actions taken and timelines for remediation. This shows the vendor’s responsiveness and maturity in managing security risks.
Verify Auditor Credibility
Ensure that audits are conducted by reputable, certified firms with expertise in cybersecurity and data privacy compliance.
Map Certifications to Your Compliance Requirements
Match the vendor’s certifications with the regulatory frameworks your firm is subject to (e.g., GLBA, HIPAA, GDPR, SOX). Confirm whether these reports cover data handling practices relevant to your CPA firm’s services.
AcoBloom Top Tip: Include a clause in your contract requiring the vendor to maintain current security certifications and share updated reports on a regular basis.
10. Check for Insurance Coverage
Verifying the vendor’s insurance coverage helps protect your CPA firm from potential financial exposure due to errors, cyber incidents, or service failures. This assessment should be reviewed in consultation with your firm’s insurance carrier. Here is a complete breakdown of the insurance coverage checklist.
Request Proof of Insurance
Ask the vendor to provide certificates of insurance (COI) for all relevant policies, including professional liability (errors & omissions), cyber liability, and any general business or data breach insurance.
Check Coverage Limits and Validity
Review the scope, coverage limits, deductibles, and expiration dates of each policy. Ensure coverage is adequate based on the nature and volume of outsourced work and the sensitivity of client data involved.
Confirm Relevance to Services Provided
Insurance should specifically cover the types of services being outsourced (e.g., accounting, tax preparation, data handling) and jurisdictions in which services are performed.
Verify Ongoing Validity
Ensure the vendor commits to maintaining active and sufficient coverage throughout the contract term. Include this requirement as a contractual clause with a provision to notify you of any policy changes or lapses.
Coordinate with Your Insurance Carrier
Inform your professional liability insurance provider about the outsourcing arrangement. Confirm that the arrangement does not violate any terms of your policy and that you remain covered in case of third-party errors or breaches.
Assess Risk Transfer and Indemnification
Review whether the vendor’s insurance offers primary or secondary coverage, and ensure your contract includes indemnification provisions aligned with their insurance limits.
AcoBloom Top Tip: Maintain copies of all vendor insurance certificates in your vendor file and set reminders to request updated documents before expiration.
Final Thoughts
Your choice of vendor can make or break your decision to offshore your accounting services. The AICPA’s checklist is extremely thorough and covers essential ground for vendor selection. It should serve as your guide to selecting the best outsourcing partner, so you can get offshoring successfully off the ground.
If you are looking for an outsourcing partner that checks all the boxes with a documented history of serving US CPA firms, AcoBloom should be your go-to. Our collaborative outsourcing services are specifically curated to meet the growing needs of CPAs in the US. Our “Cosourcing model”, in particular, has been an effective offshoring solution for CPA firms especially during busy tax seasons. For a more detailed discussion, feel free to contact us.