Risk Control in Outsourced Accounting Services

CPAs are often a client’s most trusted business advisor, and clients may look to the CPA to add value to the business in areas beyond accounting.

Increasingly, CPA firms are utilizing consulting services to enhance their ability to serve clients, an example of which is the provision of support services for a client’s accounting or finance functions. Due to the CPA’s familiarity with the client’s financial records, the CPA may be requested to provide staff or perform services traditionally performed by in-house accounting and finance personnel. Such services are sometimes referred to as outsourced accounting, CFO, or controller services. The AICPA’s Statement on Standards for Consulting Services (SSCS) and Code of Professional Conduct govern the conduct of such engagements.

The CPA’s knowledge of accounting and finance activities is of great benefit to the client, helping to foster the CPA’s ability to serve as a trusted business advisor and enabling the client to confidently rely on the CPA to execute the activities correctly and make appropriate decisions. However, certain exposures may arise when entering into engagements of this nature. Are there activities that are solely the responsibility of client management that CPAs should not perform? When does the CPA cease to be acting in the capacity of an independent contractor and begin to be perceived as a client employee or a member of client management? 

A CPA may provide support services to clients, which range from services delivered to multiple clients using a cloud-based or other technological solution, to providing staff to work on-site for the client full-time for a specified period of time.

Differences between Traditional Consulting and Support Services Engagements

Performance of support services under a sourcing model, whether on-site or virtual, is permissible under SSCS, but differs from traditional consulting engagements, and should be structured accordingly. Some key differences between traditional consulting engagements and sourced support services are illustrated below:


Traditional Consulting

Sourced Support Services

Scope of work

  • Scope and objectives agreed to in advance by client and practitioner and documented in engagement letter
  • CPA firm performs additional tasks as specified by the client 

CPA responsibilities

  • Execute agreed scope of work in accordance with engagement letter
  • CPA determines tasks to be performed to achieve engagement objective
  • Provide competent and qualified personnel to client
  • Execute tasks as specified by the client

Client responsibilities

  • Agree on engagement scope and objectives
  • Provide input to practitioner to enable engagement completion
  • Oversee services provided by CPA firm
  • Direct and review CPA’s work
  • Determine authority of and decisions to be made by CPA
  • Accept responsibility for decisions made by CPA firm


  • Work product prepared on behalf of the CPA firm for client in accordance with engagement letter
  • Deliverable is CPA firm-branded
  • Ownership of deliverable retained by CPA
  • Work product prepared on behalf of client at the client’s direction
  • Deliverable is not CPA firm-branded
  • Ownership of deliverables or work product prepared by CPA retained by client

Oversight of CPA firm personnel

  • CPA firm oversees team executing the engagement
  • Client oversees activities and decisions of CPA firm

SSCS §100.05 clearly defines the responsibilities of the CPA and the client related to performance of support services:

  • CPA’s function is to provide appropriate personnel
  • The CPA performs tasks specified by the client
  • The client directs CPA’s staff as required

The CPA firm should not assume management responsibilities on behalf of the client. For example, hiring and firing client staff, approving journal entries or strategic business plans, and performing other duties that could be construed as the client’s management and fiduciary responsibilities should not be assumed by the CPA. 

A CPA performing support services under a sourcing model, however, may take actions or make decisions that do not require management approval. Such activities include, for example, preparing cash flow and profitability analysis for client consideration, recording transactions based upon client data, or preparing payroll, accounts receivable or accounts payable records in accordance with client directions. A clear written understanding must be established with the client regarding the responsibilities and decisions that are within the authority of the CPA, and those that are within the purview of client management. The client bears the ultimate responsibility and ownership regarding decisions made by the CPA while performing support services for the client. 

Considerations Related to the Performance of Support Services

Referring to accounting and consulting services as “outsourced” controllership or CFO services may lead to client confusion regarding responsibilities. This characterization increases the likelihood that the CPA may be asked to assume management duties that fall outside the scope of consulting services as defined in SSCS. 

While the provision of support services is permissible under SSCS, professional liability insurance policies typically limit or exclude coverage for services rendered when the policyholder also performs management duties or assumes management responsibilities on behalf of the client, regardless of whether or not a formal title is used to describe these duties or responsibilities. Therefore, CPA firms providing outsourced accounting services should confer with their professional liability insurance agent or broker regarding the application of insurance coverage if questions arise.

Recent malpractice claim experience has revealed several risk exposures that arise through the performance of support services: 

  • There is no engagement letter outlining services to be performed and client and CPA responsibilities;
  • The CPA performs services outside the scope of the engagement letter (scope creep);
  • The CPA becomes a "Jack of all trades" to a client, performing management duties such as negotiating contracts and making hiring decisions on their behalf;
  • In providing services, the CPA serves as a "de facto CFO" of the client. In these cases, the client may assert that the CPA was negligent in supervising client staff, failed to identify and correct weaknesses in internal controls, or that poor business decisions were made on behalf of the company.

Based upon these vulnerabilities, CPAs should not assume management responsibilities, perform management duties, or hold themselves out as managers, officers, or directors of clients.

The ultimate goal of providing consulting services to clients is to add value and become a trusted business advisor. Here are some examples of activities that CPAs can undertake on behalf of a client and those that should be avoided: 




Journal entries

  • Preparation or initial review of journal entries
  • Final approval of journal entries

HR matters

  • Providing recommendations regarding staffing and supervision
  • Interviewing candidates and providing feedback
  • Evaluating and rating employee performance
  • Hiring and firing employees
  • Making decisions on employee salary or promotion
  • Giving the appearance of being a member of management or an employee (including being named in company directory or on company website, having separate business cards, etc.)

Internal control evaluation

  • Reviewing deficiencies noted
  • Providing input on deficiency evaluation and remediation strategies
  • For clients with internal control reporting requirements, providing input on control matters noted to help enable the client sponsor to sign control certifications or sub-certifications
  • Determining whether control deficiencies identified constitute deficiencies, significant deficiencies or material weaknesses
  • Providing an overall assessment of internal controls over financial reporting
  • Deciding the remediation strategies that should be implemented
  • Signing internal control certifications or sub-certifications

Financial statements

  • Reviewing and providing input on financial statements, including performance of financial statement analysis
  • Providing final approval of financial statements


  • Reviewing and providing input on management reports, subject to review by the client’s legal counsel
  • Signing internal reports in the CPA firm name
  • Signing external reports on behalf of the client

Interactions / agreements with third parties

  • Reviewing agreements with third parties and providing input
  • Negotiating terms and signing contracts with third parties on behalf of the organization
  • Making representations to third parties on behalf of the client

Risk Control Considerations

To help mitigate the professional liability risks associated with sourced support services, consider the following:

  • Issue a clearly written engagement letter defining the scope of services to be rendered and the responsibilities of the CPA and the client;
  • If both traditional consulting and support services are delivered, ensure the engagement letter separately addresses the scope of these services as well as CPA firm and client management responsibilities. If additional services will be rendered that are subject to standards other than SSCS, define the scope of these services and note the applicable professional standards; 
  • Request that the client designate an individual (preferably at the executive level) with sufficient time and expertise to oversee all services provided by the CPA firm, communicate the day-to-day tasks to be performed, evaluate the adequacy and results of services rendered and accept responsibility for all decisions made, and
  • Avoid referring to outsourced accounting services as CFO or controllership services, which implies the assumption of management duties. 

How Helpful Was This Article?


Related Content

Related Products