Vendor Contract Negotiation Checklist

Scope and Requirements Definition

    Write down the specific outputs you expect — for a payroll vendor: 941/940 filings, W-2 generation, garnishment processing, multi-state tax registration. For an AP tool: invoice capture accuracy %, ACH cutoff time, approval routing depth. Vague scope ("manage payroll") is the leading cause of post-signature disputes.

    Identify who uses the vendor day-to-day (staff accountant, AP specialist), who owns the relationship (controller, partner), and who signs (managing partner, CFO). Loop in IT if the tool touches the firm network or client data.

    Tier drives the approval path: under $25K is typically controller-approved, $25K–$100K needs CFO sign-off, and over $100K requires managing-partner approval and a 3-year TCO model. Use total committed spend over the contract term, not first-year only.

Vendor Due Diligence

    Pull a Dun & Bradstreet report and request the vendor's last two years of audited financials or reviewed statements. For SaaS vendors, ask for ARR, churn, and runway — a vendor running out of cash mid-contract is the worst kind of dependency for a tax-season-critical tool.

    Ask references about implementation timeline vs. quote, support response times during tax season, and any unexpected fee escalations at renewal. Skip the references the vendor hand-picks; ask for at least one firm of similar size that left the vendor in the last 12 months.

    Any vendor touching client SSNs, EINs, bank account numbers, or tax returns triggers the FTC Safeguards Rule (GLBA) and IRS Pub 4557 obligations on the firm, and those obligations have to flow down to the vendor by contract. Document-management, tax-prep, payroll, and portal vendors almost always qualify; CRM and marketing tools usually do not, unless client contact data is synced into them.

    Request the current SOC 2 Type II report (not Type I, not a one-page summary) and read the exceptions section. Check that the report period is recent and that the system description covers the product you are buying, not only the vendor's corporate IT environment; ask for a bridge letter if the period ended more than a few months ago. Confirm the report scopes in the trust services criteria your WISP relies on (Security at minimum, plus Confidentiality where client data is in scope) and that the tested controls include encryption at rest and in transit, MFA enforcement, and a breach notification timeline. Note whether the vendor's cloud host is carved out as a subservice organization: if it is, the host's controls were not tested in this report. A SOC 2 with five unaddressed exceptions is a red flag, not a checkbox.

Financial Analysis and Pricing

    Pull pricing from CPA.com, AICPA PCPS benchmarks, or two peer-firm controllers under NDA. Per-seat SaaS pricing for accounting tools varies 3x between list and negotiated; never accept the first quote on Karbon, TaxDome, Bill.com, or similar.

    TCO includes implementation fees, training, integration cost, expected seat growth, transaction-based fees (per-pay-run, per-bill, per-return), and the auto-renewal escalator. A $400/month tool with 7% annual escalators and a 90-day exit notice is materially more expensive than the sticker: the escalator compounds at every anniversary, and missing the notice window auto-renews a full extra year at the escalated rate.

    Push for a CPI-capped renewal escalator (3-5%, not the vendor's standard 7-10%), volume discounts that kick in mid-term not just at renewal, and a most-favored-customer clause if the firm is anchor-sized for the vendor.
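To see how the escalator, seat growth and the notice window move the number, here is a small term-length TCO model. It is an illustration added to this checklist, not the firm's or any vendor's own model; the quote figures are constructed (the $400/month, 7% case from above, with an assumed $2,500 implementation fee and no transaction fees), not real pricing.

```python
from dataclasses import dataclass, replace


@dataclass
class Quote:
    """A vendor quote as negotiated. Every figure here is an assumption for the example."""
    monthly_per_seat: float      # year-1 monthly rate per seat
    seats: int                   # seats at signing
    seats_added_per_year: int    # expected headcount growth over the term
    escalator: float             # annual increase applied at each anniversary (0.07 = 7%)
    one_time_fees: float         # implementation + training + integration
    per_transaction_fee: float   # per pay run, per bill, per return
    transactions_per_year: int
    term_years: int


def sticker_price(q: Quote) -> float:
    """What the sales deck shows: year-1 subscription cost times the term."""
    return q.monthly_per_seat * q.seats * 12 * q.term_years


def year_by_year(q: Quote) -> list[dict]:
    """Subscription and usage cost for each contract year, with the escalator
    compounding on the rate and seats growing as forecast."""
    rows = []
    rate, seats = q.monthly_per_seat, q.seats
    for year in range(1, q.term_years + 1):
        rows.append({
            "year": year,
            "rate": rate,
            "seats": seats,
            "subscription": rate * seats * 12,
            "usage": q.per_transaction_fee * q.transactions_per_year,
        })
        rate *= 1 + q.escalator            # escalator applied at the anniversary
        seats += q.seats_added_per_year
    return rows


def total_cost_of_ownership(q: Quote) -> float:
    """Committed spend over the whole term, which is the figure the approval tier should use."""
    recurring = sum(r["subscription"] + r["usage"] for r in year_by_year(q))
    return round(q.one_time_fees + recurring, 2)


def escalator_savings(q: Quote, capped_escalator: float) -> float:
    """Dollars saved over the term by negotiating the escalator down to a CPI-style cap."""
    capped = replace(q, escalator=capped_escalator)
    return round(total_cost_of_ownership(q) - total_cost_of_ownership(capped), 2)


def missed_notice_exposure(q: Quote) -> float:
    """Cost of one unwanted renewal year if the exit-notice window is missed:
    the auto-renewal runs at the rate the escalator has reached by then."""
    renewal_rate = q.monthly_per_seat * (1 + q.escalator) ** q.term_years
    renewal_seats = q.seats + q.seats_added_per_year * q.term_years
    return round(renewal_rate * renewal_seats * 12, 2)


# The $400/month, 7% escalator case from the checklist, flat-priced (one "seat"),
# with an assumed $2,500 implementation fee and no transaction fees (constructed figures).
EXAMPLE = Quote(monthly_per_seat=400, seats=1, seats_added_per_year=0, escalator=0.07,
                one_time_fees=2500, per_transaction_fee=0, transactions_per_year=0,
                term_years=3)

if __name__ == "__main__":
    print(f"sticker:      ${sticker_price(EXAMPLE):>10,.2f}")
    for r in year_by_year(EXAMPLE):
        print(f"year {r['year']}: ${r['rate']:.2f} x {r['seats']} seats x 12 = ${r['subscription']:,.2f}")
    print(f"3-year TCO:   ${total_cost_of_ownership(EXAMPLE):>10,.2f}")
    print(f"3% cap saves  ${escalator_savings(EXAMPLE, 0.03):>10,.2f}")
    print(f"missed notice ${missed_notice_exposure(EXAMPLE):>10,.2f} for the extra year")
```

Run it as-is for the checklist's example, or build a second `Quote` with the competing vendor's numbers and compare `total_cost_of_ownership` rather than `sticker_price`; the tier in the approval path should be driven by the former.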

Contract Terms and Risk Allocation

    Acceptance criteria for software: documented integration with QBO/Xero/Sage Intacct passing test transactions, single sign-on through the firm's identity provider with MFA enforced, and user provisioning and deprovisioning verified (disabling a user in the identity provider must remove their access to the tool, not just their ability to log in fresh). Acceptance for services: a defined first deliverable with a specific date and the right to withhold payment if not met.

    Net 30 from invoice, not from contract date. Cap late fees at 1.5%/month. Reject "all fees due upon execution" for multi-year deals — pay quarterly or annually in arrears where possible to preserve leverage if service degrades.

    Termination for convenience with 30-60 day notice (not 180). Termination for cause with a 30-day cure period. Data export rights at termination: the vendor must deliver client data in a usable format (CSV, SQL backup, API export) within 30 days at no additional fee, and must certify deletion of the firm's data from its systems and its subprocessors' systems once the export is confirmed. This matters when the vendor goes out of business or gets acquired and the acquirer rewrites the terms.

    Mutual indemnification for IP infringement and gross negligence. Reject the vendor's standard "liability capped at fees paid in prior 12 months" for any vendor handling client PII; push for at minimum 2x annual fees, with breach-related damages (notification costs, credit monitoring, regulatory fines) carved out from the cap entirely. Confirm the vendor carries cyber liability and E&O insurance with the firm named as additional insured, and ask for the certificate of insurance rather than a representation in the contract.

Compliance and Legal Review

    The contract must require the vendor to maintain safeguards equivalent to those required of the firm under the FTC Safeguards Rule and IRS Pub 4557 (encryption, access controls, employee training, incident response). Add language obligating the vendor to support the firm's WISP attestation requirements and to cooperate with the periodic service-provider assessments the Safeguards Rule requires the firm to perform, including answering security questionnaires and supplying updated SOC 2 reports at each renewal.

    Breach notification within 24-72 hours of vendor discovery, not "reasonable time": under the amended Safeguards Rule the firm itself must notify the FTC no later than 30 days after discovering an event affecting 500 or more consumers, and that clock is unmeetable if the vendor sits on the incident. Require the notice to state what data and which clients were affected. Security and breach-notification terms must satisfy the state laws covering the firm's clients, e.g. MA 201 CMR 17.00, NY SHIELD Act, CCPA. If the firm has clients in the EU, confirm GDPR-adequate transfer mechanisms (SCCs, or Data Privacy Framework certification).

    For any contract over $25K or touching client PII, route the redlined draft to outside counsel before signature. Common counsel catches: auto-renewal traps, jurisdiction/venue clauses pulling disputes to vendor's home state, and overbroad data-use rights letting the vendor train AI models on firm data.

Approval and Execution

    One-page memo: scope, term, total committed spend, deviations from firm's standard terms, residual risks. This is what the partner reads before signing — not the 40-page contract. File alongside the executed agreement.

    For deals over $100K, the managing partner reviews the negotiation memo, the redline summary from counsel, and the SOC 2 exceptions before signing. Schedule a 15-minute review call rather than a forwarded email — partner questions caught here save renegotiation later.

    Execute through DocuSign or Adobe Sign so the audit trail is preserved. File the executed contract in the firm's contract vault (SmartVault, ShareFile, or Karbon contract repository) with the renewal date tagged in the practice-management system so the next negotiation cycle starts 90 days before renewal, not 7.