For most CPA firms, the 2026 tax season looks a lot like 2025 – except harder. The April 15 deadline hasn’t moved. Client complexity hasn’t reduced. And roughly 340,000 accountants and auditors have left the US workforce in the past five years, a 17% decline, according to US Bureau of Labor Statistics data; a gap that shows no sign of closing at the pace the profession needs.
Outsourcing tax preparation to a qualified external team is the solution an increasing number of US firms are turning to. The economics are clear. The capacity benefit is real. But for every managing partner who has made the move, there is another who hasn’t, not because outsourcing doesn’t make sense, but because the tax compliance questions haven’t been answered clearly enough to make them comfortable.
What are the IRS rules around sharing client data with a third-party preparer? What do professional conduct obligations require? What should firms be asking about data security? And what does the internal review process need to look like to keep the firm on the right side of its professional obligations?
This guide answers those questions directly. The compliance framework for outsourcing tax preparation is more straightforward than most firms expect. What follows is a practical walkthrough of the key requirements — written in plain language, without the legal complexity, so that the decision can be made based on facts rather than uncertainty.
Why CPA Firms Hesitate to Outsource Tax Preparation and Why the Concerns are Manageable
The hesitation is understandable. When a managing partner considers outsourcing tax preparation, a set of legitimate questions surfaces quickly: Who has access to our clients’ data? What does the IRS say about sharing return information with a third-party preparer? Are we still professionally accountable if something goes wrong? What happens if a client finds out?
These are not irrational concerns. They are the right questions. The problem is not that firms are asking them; rather, they do not always find clear, authoritative answers. The reality is this: the compliance framework for outsourcing tax preparation has been in place for decades. The IRS has published clear guidance. The AICPA has addressed it directly within its Code of Professional Conduct. The firms that haven’t made the move yet are not being cautious; they are being under-informed. This guide is designed to change that.
IRS Section 7216 and Outsourcing Tax Preparation: What CPA Firms Must Do
Section 7216 of the Internal Revenue Code is the primary federal rule governing the disclosure of tax return information to third parties. For CPA firms considering outsourcing tax preparation, understanding what it actually requires is the starting point.
In plain terms, Section 7216 prohibits a tax return preparer from knowingly or recklessly disclosing or using tax return information for any purpose other than preparing the return, unless the taxpayer provides written consent. When a firm engages an external team to assist with return preparation, that constitutes a disclosure under Section 7216 — and written client consent is required before any return information is shared with a third-party preparer.
The consent must meet specific requirements set out in Treasury Regulation 301.7216-3. It must be a separate document or a clearly separate section of a larger document. It must identify the recipient of the information, the purpose of the disclosure, and the tax return information to be disclosed. It must be signed and dated by the taxpayer and obtained before the disclosure takes place.
This is not a significant operational burden. For most CPA firms, it means adding a Section 7216 consent form to the client onboarding or engagement process — a one-time update that covers all subsequent preparation work for that client. The penalty for non-compliance, however, is significant: up to one year imprisonment and fines of up to $1,000 per violation under IRC Section 7216, and additional civil penalties under Section 6713.
The practical takeaway: Section 7216 compliance for outsourcing tax preparation is a process update, not a barrier. Firms that have done it describe it as a single afternoon of template work followed by a smooth, repeatable workflow.
PTIN Requirements When You Outsource Tax Prep: What Still Applies
A Preparer Tax Identification Number (PTIN) is required for any individual who is paid to prepare or substantially assist in preparing a federal tax return. This requirement applies under IRC Section 6109(a)(4) and IRS regulations — and it does not change when an external team performs preparation work.
The key distinction is between preparation and signing. The individual who prepares the return — including external preparers working under a firm’s engagement — must have a valid PTIN and must include it on the return. The signing CPA or Enrolled Agent at the firm must also have a valid PTIN and remains the responsible party for the accuracy of the return as filed.
In a properly structured outsourced tax preparation arrangement, the external preparation team holds and uses its own PTINs for the work it performs. The firm’s signing CPA reviews the prepared return, applies their own PTIN, and signs it. The accountability chain is clear: the firm is responsible for what goes out under its name, regardless of who prepared the underlying work.
This is the same accountability structure that applies when a firm uses a junior associate to prepare a return that a partner reviews and signs. The external nature of the preparer does not change the obligation — it simply requires that the firm verifies PTIN compliance as part of its vendor due diligence process before outsourcing tax preparation begins.
AICPA Code of Professional Conduct: What It Says About Third-Party Tax Preparers
The AICPA Code of Professional Conduct addresses the use of third-party service providers under ET Section 1.700.001 — the Confidential Client Information rule. The obligation is clear: a CPA firm must not share confidential client information with a third-party tax preparer without the client’s consent, unless the provider is subject to confidentiality obligations equivalent to those that apply to the firm itself.
In practice, this means the firm must be satisfied — before engaging an outsourcing provider — that the provider has appropriate confidentiality commitments in place: a formal non-disclosure agreement, documented data handling policies, and a demonstrated operational standard that reflects the firm’s own confidentiality obligations to its clients.
The due diligence process does not need to be onerous. It does need to be documented. Firms should request and retain the provider’s confidentiality policy, NDA template, and any relevant security certifications as part of their vendor onboarding process. Providers with established compliance infrastructure — such as Befree, which holds ISO 27001 certification — will have this documentation readily available and should be able to provide it without delay.
One important caveat that is frequently overlooked: the AICPA Code sets the professional floor, but it is not the only applicable framework. State CPA licensing boards — including those in California, New York, Texas, and Florida — may impose additional or stricter requirements around client confidentiality and the use of third-party preparers. CPA firms outsourcing tax preparation should verify their specific state board rules before finalising any arrangement. The consequences of a state ethics violation can include licence suspension or revocation, which makes this a non-negotiable step in the due diligence process.
Do You Have to Tell Your Clients?
From a legal standpoint, Section 7216 already handles this. Written client consent is required before return information is shared with a third-party preparer, so clients are informed through that process regardless of any other communication the firm chooses to make.
The broader question — whether firms are obligated to go further and proactively disclose that preparation work is handled externally — depends on your specific state board’s ethics rules. There is no universal federal obligation beyond Section 7216. Check your state board requirements first. If they require additional disclosure, that takes precedence. If they don’t, the decision is yours.
Many firms say nothing beyond the consent form and are entirely within their rights. Others disclose proactively, framing it as a quality and capacity decision with partner oversight at every stage — and find that clients respond well. What matters is that the choice is informed and consistent.
Data Security for Outsourced Tax Prep: SOC 2, ISO 27001, and IRS Publication 4557
Three frameworks matter most in the context of outsourcing tax preparation, and understanding their meaning helps firms make a more informed assessment.
ISO 27001 is an internationally recognised standard for information security management. A provider that holds ISO 27001 certification has implemented a documented, independently audited framework for managing the confidentiality, integrity, and availability of the data it handles. For CPA firms, this means the provider has demonstrated, to an external auditor’s satisfaction, that client tax data is protected across storage, transmission, access control, and incident response.
SOC 2 Type II is a US-specific audit standard that evaluates a service provider’s controls over security, availability, processing integrity, confidentiality, and privacy over a defined period — typically six to twelve months. A SOC 2 Type II report is stronger than a SOC 2 Type I because it tests whether controls operated effectively over time, not just whether they existed at a point in time.
IRS Publication 4557 — Safeguarding Taxpayer Data sets out the IRS’s own expectations for how tax professionals protect taxpayer information. It is not a certification but a practical standard covering physical security, electronic security, data disposal, and incident response.
The FTC Safeguards Rule under the Gramm-Leach-Bliley Act also applies to tax preparation firms and their service providers. It requires a written information security programme and specific safeguards for customer financial data.
Beyond certifications and frameworks, firms should ask every prospective provider the following before signing anything:
- How is client data transmitted? Is end-to-end encryption in place for all file transfers?
- Where is data stored?
- Who within the provider’s organisation has access to client return data, and how is that access controlled and logged?
- What is the provider’s incident response process in the event of a data breach, and what are the notification timelines?
- Is a formal NDA in place, and does it cover all personnel with access to client data?
Engagement Letters, Vendor Agreements, and CPA Firm Oversight: The Compliance Infrastructure That Makes Outsourcing Work
Client Engagement Letters
Vendor Agreements
The Internal Review and Sign-Off Process
This is the element that matters most for professional compliance — and the one most frequently underestimated. Under IRS rules, the signing CPA is responsible for the accuracy of every return that goes out under their name, regardless of who prepared it. Outsourcing tax preparation does not transfer that responsibility. It changes the workflow.
A robust review process when working with an external preparation team should include: a standardised documentation package from the client before preparation begins, a defined checklist for reviewing prepared returns before sign-off, a clear escalation path for exceptions or queries from the preparation team, and a documented sign-off record for every return filed.
Firms that build this review process properly find that the quality of prepared returns from a well-managed external team is consistently high — and that the review itself becomes faster and more systematic than the ad hoc review process many firms apply to internally prepared returns.
Must Read: Why CPAs Shouldn’t Wait: Benefits of Early Tax Preparation Outsourcing
Outsourcing Tax Preparation Compliance: A Practical Path Forward for CPA Firms
The compliance framework for outsourcing tax preparation is specific, documented, and manageable. Section 7216 consent is a process update. PTIN compliance is a vendor verification step. The AICPA Code requires due diligence, not prohibition. Data security is about asking the right questions and requiring the right documentation.
The firms gaining capacity and margin in 2026 are not doing anything extraordinary. They worked through these questions methodically — and then got on with it.
If your firm is ready to do the same, the checklist below covers every step. Download it, work through it step by step, and use it as a framework for any outsourcing conversation.
Download the Free CPA Firm Outsourcing Compliance Checklist
Covering Section 7216 client consent, PTIN verification, AICPA Code and state ethics due diligence, data security standards (SOC 2, ISO 27001, IRS Publication 4557, FTC Safeguards Rule), client communication, vendor agreement clauses, engagement letter updates, and internal review sign-off workflow.