Data security is the single most important non-financial decision in choosing an offshore accounting partner. A US CPA firm holding client data on behalf of attest, tax and advisory clients sits under multiple overlapping regulatory regimes: the Gramm-Leach-Bliley Act safeguards rule for financial information, state-level privacy regulations such as the California Consumer Privacy Act, AICPA professional standards on outsourcing, and the firm’s own quality control system. Any offshore partner must operate to standards that satisfy all of these regimes simultaneously. This article walks through the security controls a CPA firm should verify before signing an offshore engagement, the certifications that matter and the operational practices that turn certification into actual protection.
The Certification Stack That Matters
SOC 2 Type II. The American Institute of CPAs’ Service Organization Control 2 framework. A Type II report covers both the design and the operating effectiveness of controls over a specified period (typically 12 months), whereas a Type I report only attests to control design at a point in time. SOC 2 Type II reports cover the five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. For an offshore accounting provider, a Type II report covering at least Security and Confidentiality is the baseline expectation.
ISO 27001. The international standard for Information Security Management Systems. ISO 27001 certification requires an organisation to operate a documented ISMS, identify and manage information security risks, and undergo independent surveillance audits annually. ISO 27001 is complementary to SOC 2; many offshore providers carry both.
GLBA Awareness. The Gramm-Leach-Bliley Act safeguards rule applies to US financial institutions, including CPA firms providing financial services. Offshore providers handling GLBA-covered data should demonstrate awareness of the standard and operate controls aligned to it, even though direct GLBA applicability runs through the US firm rather than the offshore provider.
AICPA Outsourcing Standards. The AICPA’s Code of Professional Conduct and its outsourcing-related interpretations set out the disclosure and consent requirements when a member outsources professional services. The offshore provider should be familiar with the standard and able to support the US firm’s compliance with it.
Physical and Logical Access Controls
Physical access. The offshore facility should operate badge-based access control, with separate zones for general office, secure processing areas and any zones holding hard-copy client information. Visitor access should be logged. Removable media (USB drives, mobile phones with cameras) should be prohibited in processing areas.
Logical access. Workstations should be configured to prevent local data storage. Two-factor authentication should be required for all systems holding client data. Role-based access should be enforced with the principle of least privilege: a tax associate working on Form 1040 returns should not have access to Form 990 returns for unrelated clients.
Data residency. Client source data should reside in the US firm’s own document management system (SmartVault, ShareFile, Canopy or the firm’s existing platform). The offshore provider accesses the data through controlled channels but does not download or replicate it. Outputs are returned to the same platform with no offline copies retained.
Network and Endpoint Security
Network. The offshore facility should operate a segmented network with the secure processing zone isolated from general office traffic. Firewalls should be enforced at the perimeter and at zone boundaries. Logging should capture all network traffic to and from the processing zone, with logs retained for the period required by the SOC 2 audit and reviewable on request.
Endpoints. Workstations should run current endpoint protection with central management. Operating systems should be patched on the schedule defined by the ISMS. Removable media should be disabled at the operating system level. Print and screen capture should be restricted in the processing zone.
Email and messaging. Client data should never be transmitted by email. All communication with the US firm should run through the firm’s own document management system, the firm’s secure messaging platform or a dedicated secure portal.
People Controls
Pre-employment screening. Background checks should be conducted on all offshore staff with access to client data. Reference checks should cover prior employment, education verification and any disclosed regulatory history. The screening standard should be documented and applied consistently.
Training. New joiners should complete information security training before being granted access to client systems. Refresher training should run annually and should cover phishing awareness, data handling protocols and incident reporting.
Confidentiality and non-disclosure. Employment contracts should include enforceable confidentiality and non-disclosure clauses, with explicit reference to client data protection obligations.
Termination. Access should be revoked immediately on termination. Exit interviews should remind departing staff of ongoing confidentiality obligations.
Incident Response and Business Continuity
Incident response. A documented incident response plan should be in place and tested at least annually. The plan should cover identification, containment, eradication, recovery and post-incident review, with the firm being notified within the timeline agreed in the engagement contract.
Business continuity. A documented business continuity plan should cover infrastructure resilience, alternate facility arrangements and recovery time objectives. The plan should be tested at least annually with documented results.
Insurance. Cyber liability insurance covering the relevant exposure should be in place and verifiable on request.
How Innobrant Handles Data Security
Innobrant operates SOC 2 Type II controls on our processing zone and aligns to ISO 27001 practices. Client source data resides in the US firm’s own document management system; we access it through controlled channels and do not replicate it locally. Two-factor authentication is enforced; role-based access is enforced; removable media is disabled at the OS level. Endpoint protection is centrally managed and patched on schedule.
Pre-employment screening, annual security training and enforceable confidentiality terms are standard. The incident response plan is tested annually and is included in client engagement contracts. Our cyber liability insurance is in place and the policy summary is available on request.
For US CPA firms evaluating Innobrant, we provide the SOC 2 Type II report under NDA, the ISO 27001 certificate and the standard outsourcing disclosure language for client notices. We are happy to walk firm partners through the controls in detail before any engagement begins.
Twelve-Point Pre-Engagement Security Diligence Checklist
For a US CPA firm partner about to sign an offshore engagement, the twelve-point checklist below is the practical filter before formal SOC 2 review.
1. SOC 2 Type II report on file, covering Security and Confidentiality at minimum, dated within the last twelve months.
2. ISO 27001 certificate current and covering the offshore facility’s information security management system.
3. Data residency clarity: source data resides in the firm’s own document management system, accessed by the provider through controlled channels with no offline copies retained.
4. Two-factor authentication enforced on every system holding client data.
5. Role-based access enforced with engagement-level scoping by default and cross-engagement access only for senior reviewers with a defined need.
6. Removable media disabled at the operating system level on workstations in the processing zone.
7. Pre-employment screening documented with background checks, reference checks and education verification.
8. Annual security training completed by all staff with access to client data, including phishing awareness and incident reporting.
9. Incident response plan tested within the last twelve months with the notification timeline specified in the engagement contract.
10. Cyber liability insurance certificate current with limits appropriate to engagement value.
11. AICPA outsourcing disclosure language supplied for the firm’s client notifications.
12. Engagement contract security clauses include audit rights, breach notification timelines, data deletion obligations on termination and appropriate limitations of liability.
A provider that can produce evidence on all twelve items in one diligence cycle is ready for serious commercial discussion. A provider that cannot, regardless of the commercial proposition, is not ready. Security and commercial readiness are inseparable for offshore engagements in 2026.
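The least-privilege rule described under Logical access (a Form 1040 associate must not see unrelated Form 990 work) and restated in checklist item 5 (engagement-level scoping by default, cross-engagement access only for senior reviewers with a defined need) can be reduced to a small deny-by-default policy check. The following is an added example, not Innobrant's or any firm's code; all staff IDs, engagement IDs and documents are constructed, and it assumes the document management system calls check_access() before serving a file and records the returned reason in its access log.

```python
"""Engagement-scoped, least-privilege access check (added illustration).

Policy modelled:
  - an associate may open only documents from engagements they are assigned to;
  - a senior reviewer may additionally cross engagements, but only where a
    documented need has been recorded against their account;
  - a deactivated (terminated) account is always denied;
  - anything not explicitly allowed is denied.
All identifiers and documents below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    engagement: str  # engagement the document belongs to
    form: str        # tax form type, e.g. "1040" or "990"


@dataclass
class Staff:
    user_id: str
    role: str                                   # "associate" or "senior_reviewer"
    engagements: frozenset[str]                 # engagements assigned to this person
    cross_engagement_need: frozenset[str] = field(default_factory=frozenset)
    active: bool = True                         # False once HR records a termination


def check_access(user: Staff, doc: Document) -> tuple[bool, str]:
    """Deny by default. The returned reason is the text the access log should record."""
    if not user.active:
        return False, f"denied: {user.user_id} is deactivated"
    if doc.engagement in user.engagements:
        return True, f"allowed: {user.user_id} is assigned to {doc.engagement}"
    if user.role == "senior_reviewer" and doc.engagement in user.cross_engagement_need:
        return True, f"allowed: senior reviewer with documented need for {doc.engagement}"
    return False, f"denied: {user.role} {user.user_id} has no assignment on {doc.engagement}"


# Constructed sample data: three engagements, one document each.
DOCS = {
    "D1": Document("D1", "ENG-A", "1040"),
    "D2": Document("D2", "ENG-B", "990"),
    "D3": Document("D3", "ENG-C", "1120"),
}
STAFF = {
    "associate1": Staff("associate1", "associate", frozenset({"ENG-A"})),
    "reviewer1": Staff("reviewer1", "senior_reviewer", frozenset({"ENG-A"}),
                       cross_engagement_need=frozenset({"ENG-B"})),
    "leaver1": Staff("leaver1", "associate", frozenset({"ENG-A"}), active=False),
}


def audit_trail(requests):
    """Evaluate (user_id, doc_id) requests and return rows for the access log."""
    rows = []
    for user_id, doc_id in requests:
        allowed, reason = check_access(STAFF[user_id], DOCS[doc_id])
        rows.append((user_id, doc_id, allowed, reason))
    return rows


if __name__ == "__main__":
    sample = [("associate1", "D1"), ("associate1", "D2"), ("reviewer1", "D2"),
              ("reviewer1", "D3"), ("leaver1", "D1")]
    for row in audit_trail(sample):
        print(row)
```

The point of returning a reason string alongside the decision is that every denial becomes a log line a reviewer can inspect during the quarterly access review; a reviewer seeing repeated cross-engagement denials for one associate has a data-handling question to ask, not just a blocked request.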
How Innobrant Operates Its Information Security Program
Innobrant operates SOC 2 Type II controls on our processing zone and aligns to ISO 27001 practices across the firm. The program covers six domains.
Governance. Our information security policy is documented, reviewed annually and approved at partner level. The Information Security Officer reports to the Director and is responsible for the day-to-day operation of the program. Annual ISO 27001 surveillance audits and the SOC 2 Type II audit cycle anchor the external assurance.
Access management. Two-factor authentication is enforced on every system holding client data. Role-based access is enforced with the principle of least privilege. Access reviews run quarterly with documented results. Access is revoked immediately on staff termination.
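A quarterly access review, as described here and in the Termination control earlier, is essentially a reconciliation of the HR roster against the accounts that exist on each system holding client data. The script below is an added example (not Innobrant's own tooling); the two CSV extracts, the user IDs and the review date are constructed, and it assumes the HR system and the document platform can each export the columns shown. It flags the four findings such a review is meant to surface: terminated staff whose account is still enabled (with a login after the termination date treated as evidence that immediate revocation failed), accounts with no HR record, accounts without two-factor authentication enrolled, and dormant accounts.

```python
"""Quarterly access-review reconciliation (added illustration, constructed data)."""
import csv
import io
from datetime import date

# Constructed HR roster extract: who is employed and when anyone left.
HR_ROSTER_CSV = """user_id,name,status,termination_date
a.kumar,A Kumar,active,
b.rao,B Rao,terminated,2026-01-15
c.iyer,C Iyer,active,
"""

# Constructed account extract from the document platform (one row per account).
ACCOUNTS_CSV = """user_id,system,mfa_enrolled,last_login
a.kumar,dms-portal,yes,2026-03-28
b.rao,dms-portal,yes,2026-02-02
c.iyer,dms-portal,no,2025-11-30
d.ghost,dms-portal,yes,2026-03-01
"""

REVIEW_DATE = date(2026, 3, 31)   # constructed quarter-end review date
DORMANT_DAYS = 90                 # assumed dormancy threshold


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def review_access(hr_csv, accounts_csv, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return findings as (user_id, finding_type, severity, detail) tuples."""
    roster = {row["user_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        uid = acct["user_id"]
        last = _parse_date(acct["last_login"])
        person = roster.get(uid)

        # An account nobody in HR owns cannot be reviewed; treat as high risk.
        if person is None:
            findings.append((uid, "orphan_account", "HIGH", "no HR record for this account"))
            continue

        # Termination should have revoked access immediately; a login after the
        # termination date shows the revocation control failed, not just lagged.
        if person["status"] == "terminated":
            term = _parse_date(person["termination_date"])
            severity = "CRITICAL" if (last and term and last > term) else "HIGH"
            findings.append((uid, "terminated_still_enabled", severity,
                             f"terminated {term} but account still enabled; last login {last}"))
            continue

        if acct["mfa_enrolled"].strip().lower() != "yes":
            findings.append((uid, "mfa_missing", "HIGH", "two-factor authentication not enrolled"))

        # Never-used or long-unused accounts are removal candidates under least privilege.
        idle_days = (review_date - last).days if last else None
        if last is None or idle_days > dormant_days:
            detail = "never logged in" if last is None else f"no login for {idle_days} days"
            findings.append((uid, "dormant", "MEDIUM", detail))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER_CSV, ACCOUNTS_CSV):
        print(finding)
```

Run against the constructed extracts, the review produces four findings: b.rao (terminated in January, still logging in in February) is the critical one, c.iyer is flagged twice (no 2FA, dormant for 121 days), d.ghost is an orphan, and a.kumar is clean. Keeping the output as structured tuples rather than printed text is what makes "access reviews run quarterly with documented results" verifiable: the tuples are the documented result.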
Endpoint and network security. Workstations are managed centrally with current endpoint protection, OS patching on the policy schedule, and disabled removable media at the OS level. The processing zone network is segmented from general office traffic with firewall enforcement at zone boundaries.
Data handling. Client source data resides in the firm’s own document management system. Innobrant accesses it through controlled channels and does not replicate it to local devices. Outputs are returned to the same platform. No client data flows through personal email or messaging.
Incident response. The incident response plan is documented, tested annually and includes the client notification timeline. Post-incident reviews are documented and the findings are tracked through remediation. Cyber liability insurance is in force.
People. Pre-employment screening, annual security training, enforceable confidentiality terms in employment contracts and a documented offboarding process complete the people-controls layer.
The full SOC 2 Type II report is available under non-disclosure agreement to firms evaluating Innobrant for engagement. The ISO 27001 certificate and the relevant policy summaries are similarly available on request.
A Three-Year Maturity Path for Offshore Security
Information security is not a static state. The right framework for assessing an offshore provider’s security maturity is the three-year path that distinguishes providers building durable security capability from providers operating to the minimum standard.
Year 1 baseline. Documented policies, SOC 2 Type I report, ISO 27001 certification in progress, basic access controls (2FA, role-based access), pre-employment screening, annual security training, documented incident response plan, cyber liability insurance in force.
Year 2 deepening. SOC 2 Type II report (the operating effectiveness review), ISO 27001 certification completed and first surveillance audit, segmented network architecture, advanced endpoint protection, quarterly access reviews, tabletop exercise of the incident response plan, expanded security training for senior staff.
Year 3 maturity. Continuous SOC 2 Type II monitoring with quarterly reports, ISO 27001 surveillance audits with documented improvements, security incident response tested through live red-team exercise, third-party penetration testing on the processing zone, security KPIs reported to the partner level, integrated GRC tooling with auditable trail.
A provider that has been operating for three years should be at year-3 maturity. A provider that has been operating for one year should be at year-1 baseline with a credible roadmap to year-2 by the next certification cycle. A provider that has been operating for three years but is still at year-1 baseline is a provider that has chosen not to invest in security maturity.
Innobrant’s own security program is at year-3 maturity. The full SOC 2 Type II report is available under non-disclosure agreement to firms evaluating us for engagement. The ISO 27001 certificate and the relevant policy summaries are similarly available on request. Annual third-party testing and quarterly internal reviews keep the program current, and the Information Security Officer reports to the Director, CA Jashwanth Pasupuleti, with direct partner-level escalation for any incident or risk that crosses the materiality threshold.
Year-End Security Review for Existing Offshore Engagements
For firms with existing offshore engagements, an annual security review is the discipline that keeps the relationship protected as the threat environment evolves. The review covers six dimensions.
Dimension 1: Certifications current. Confirm the provider’s SOC 2 Type II report is dated within the last 12 months and the ISO 27001 certificate is in surveillance audit cycle. Expired certifications are a serious risk indicator.
Dimension 2: Personnel changes. Review the team’s tenure on the engagement and confirm any new staff have completed onboarding security training before access. Significant team turnover may warrant a refreshed risk assessment.
Dimension 3: Access controls. Confirm role-based access is still appropriately scoped, two-factor authentication is enforced and the quarterly access reviews have been completed.
Dimension 4: Incident history. Review any security incidents or near-misses during the year, the response and any process changes that resulted. Providers that have learned from incidents demonstrate maturity; providers that hide incidents are a risk.
Dimension 5: Client data handling. Confirm the data flow has not drifted from the agreed design (no local replication, no email transmission of client data, no third-party tools added without disclosure).
Dimension 6: Contract refresh. Update the engagement contract for any changed terms, refreshed disclosure language and any new regulatory requirements that have arisen during the year.
Frequently Asked Questions
Should we visit the offshore facility before signing an engagement? Yes, where practical. A site visit is the most effective way to verify physical controls and to meet the team. Where a site visit is not practical, a video walk-through and a detailed control review with the offshore provider’s information security officer are reasonable substitutes.
What happens if there is a security incident? Innobrant’s incident response plan requires notification to the affected firm within the timeline agreed in the engagement contract, followed by containment, eradication, recovery and a post-incident review with findings shared with the firm.
Can we audit Innobrant’s controls? Yes. Firm-led audits are accommodated under the engagement contract, with reasonable notice and during normal business hours. Findings are addressed through documented remediation plans.