Book a call
AICPA Peer Review · Documentation

Peer review documentation package for CPA firms using offshore staff.

What a peer reviewer typically wants to see when a CPA firm uses offshore staff for audit, attest, or review engagements. Documentation package structure, sample evidence list, and common peer review findings related to third-party staffing.

Peer review reality

What peer reviewers actually look at

Under the AICPA Peer Review Program, CPA firms performing audit, review, compilation, or attest engagements undergo peer review on a triennial cycle. The peer reviewer's job is to evaluate whether the firm's quality control system is designed and operating effectively. When a firm uses third-party (including offshore) staffing on engagements subject to peer review, the reviewer will look at specific documentation to confirm:

  • The firm's policies and procedures address the use of third-party service providers.
  • The firm exercised appropriate oversight of third-party personnel.
  • Confidentiality obligations were appropriately handled (AICPA §1.150.040).
  • The engagement partner maintained responsibility for the engagement.
  • Workpapers demonstrate review and sign-off by the engagement team.

These aren't heavy lifts. A firm with reasonable documentation practices already has 80–90% of what a peer reviewer will ask for. The purpose of this page is to help firms consolidate that documentation into a clean package so peer review goes smoothly rather than becoming a scramble.

When this matters most: firms that have recently added offshore staff for audit support, or firms with offshore staff on attest engagements for the first time. Peer reviewers often flag these firms for additional scrutiny simply because the third-party provider use is new to the quality control system.
Documentation package

What to include in your peer review package

Firm-level documentation

  1. Quality control policy addressing third-party service providers. Written policy describing when the firm uses offshore staff, how engagements are supervised, what controls apply, and who is responsible for the oversight.
  2. Provider due diligence documentation. Record of the due diligence performed before engaging the provider: security questionnaire responses, SOC 2 report review (if applicable), references checked, contract review, insurance verification.
  3. Entity-level confidentiality agreement. Signed confidentiality agreement between the firm and the offshore provider.
  4. Individual-level NDAs. Signed NDAs from each offshore staff member assigned to audit/attest engagements. (See our NDA template.)
  5. §1.150.040 compliance documentation. Sample engagement letter language, client disclosure tracking, evidence that disclosure occurred before confidential information was shared. (See our §1.150.040 template.)
  6. Training records for offshore staff. Evidence that offshore staff received training on applicable auditing standards, firm methodology, and confidentiality obligations.
  7. Background check certifications. Evidence that offshore staff passed appropriate background checks before engagement.

Engagement-level documentation

  1. Engagement supervision plan. For each audit or attest engagement using offshore staff, documentation of the supervision model: who reviews what, when, and how. Time allocations between offshore preparation and US-based review.
  2. Workpaper review evidence. Workpapers show clear preparation and review sign-offs. Offshore staff sign as preparer; US engagement team (senior or manager) signs as reviewer. Partner sign-off documented.
  3. Engagement partner responsibility evidence. Documentation (email, memo, engagement completion checklist) showing the engagement partner maintained responsibility and reviewed key judgments.
  4. Quality control review documentation. For engagements subject to EQCR (Engagement Quality Control Review), evidence that the EQCR happened and was performed by an appropriately qualified US-based reviewer independent of the engagement team.
  5. Issues log. Any quality issues identified during the engagement, the resolution, and any process changes implemented as a result. Peer reviewers appreciate evidence that the firm has an honest feedback loop.

How to organize the package

Simplest structure: one master document (Word or PDF) that indexes the firm-level documentation with links/references to each supporting file. For each engagement subject to peer review, a separate folder with the engagement-level items 8–12. Peer reviewer gets the master document and picks which engagements to dig into.

Common findings

The peer review findings we see most often

  • §1.150.040 disclosure not documented. Firm has been using offshore staff for a year; engagement letters don't mention third-party providers; peer reviewer flags this as a quality control deficiency. Fix: update engagement letter template and re-issue to active clients.
  • Individual NDAs missing for staff assigned to attest engagements. Entity-level NDA exists but individual offshore staff working on audits don't have personal NDAs. Fix: obtain individual NDAs retroactively and include going forward.
  • Supervision model not documented. Firm used offshore staff on 6 audits but there's no written record of how each engagement was supervised, who reviewed what, or when. Fix: build standard supervision documentation template for future engagements; retroactively document where possible.
  • Review sign-offs unclear in workpapers. Workpapers show preparer initials but no reviewer sign-off, or sign-offs not dated, or EQCR sign-off missing. Fix: strengthen workpaper review procedures; train team on documentation expectations.
  • Firm lacks documented quality control policy. No written QC policy addresses third-party providers. Fix: update firm's quality control document to explicitly cover offshore provider engagement and oversight.
  • Training records unavailable. Offshore staff worked on 2026 audits but the firm can't produce training records showing the staff received training on the audit methodology. Fix: obtain training records from offshore provider and maintain going forward.

For the service scope that sits under this peer review documentation, see offshore audit support. For CPA firm engagement economics generally, see CPA firms page.

Disclaimer: Not legal or professional advice. AICPA Peer Review standards are subject to change; always verify current standards and consult your peer review captain, AICPA peer review administrator, or qualified counsel for specific situations.

Related

Related compliance resources

Hub

All Compliance Forms

Every template in this cluster – §7216, §1.150.040, NDA, BAA, and more.
Security

Security & Infrastructure

The technical controls that sit underneath the contractual compliance layer.
Audience

For CPA Firms

How CPA firms handle compliance when deploying offshore staffing.

Compliance layer sorted – ready to scope the engagement.

Book my call →