Vendor Contract Negotiation Checklist

Write down the specific outputs you expect — for a payroll vendor: 941/940 filings, W-2 generation, garnishment processing, multi-state tax registration. For an AP tool: invoice capture accuracy %, ACH cutoff time, approval routing depth. Vague scope ("manage payroll") is the leading cause of post-signature disputes.

Identify who uses the vendor day-to-day (staff accountant, AP specialist), who owns the relationship (controller, partner), and who signs (managing partner, CFO). Loop in IT if the tool touches the firm network or client data.

Pull a Dun & Bradstreet report and request the vendor's last two years of audited financials or reviewed statements. For SaaS vendors, ask for ARR, churn, and runway — a vendor running out of cash mid-contract is the worst kind of dependency for a tax-season-critical tool.

Ask references about implementation timeline vs. quote, support response times during tax season, and any unexpected fee escalations at renewal. Skip the references the vendor hand-picks; ask for at least one firm of similar size that left the vendor in the last 12 months.

Any vendor touching client SSNs, EINs, bank account numbers, or tax returns triggers GLBA Safeguards Rule and IRS Pub 4557 obligations on the firm. Document-management, tax-prep, payroll, and portal vendors almost always qualify; CRM and marketing tools usually do not.

Pull pricing from CPA.com, AICPA PCPS benchmarks, or two peer-firm controllers under NDA. Per-seat SaaS pricing for accounting tools varies 3x between list and negotiated; never accept the first quote on Karbon, TaxDome, Bill.com, or similar.

TCO includes implementation fees, training, integration cost, expected seat growth, transaction-based fees (per-pay-run, per-bill, per-return), and the auto-renewal escalator. A $400/month tool with 7% annual escalators and a 90-day exit notice is materially more expensive than the sticker.

Acceptance criteria for software: documented integration with QBO/Xero/Sage Intacct passing test transactions, single sign-on enabled, user provisioning working. Acceptance for services: a defined first deliverable with a specific date and the right to withhold payment if not met.

Net 30 from invoice, not from contract date. Cap late fees at 1.5%/month. Reject "all fees due upon execution" for multi-year deals — pay quarterly or annually in arrears where possible to preserve leverage if service degrades.

Termination for convenience with 30-60 day notice (not 180). Termination for cause with a 30-day cure period. Data export rights at termination — the vendor must deliver client data in a usable format (CSV, SQL backup, API export) within 30 days at no additional fee. This matters when the vendor goes out of business or gets acquired.

The contract must require the vendor to maintain safeguards equivalent to those required of the firm under FTC Safeguards Rule and IRS Pub 4557 — encryption, access controls, employee training, incident response. Add language obligating the vendor to support the firm's WISP attestation requirements.

Breach notification within 24-72 hours of vendor discovery, not "reasonable time." Data residency must accommodate state laws — MA 201 CMR 17.00, NY SHIELD Act, CCPA. If the firm has clients in the EU, confirm GDPR-adequate transfer mechanisms (SCCs).

One-page memo: scope, term, total committed spend, deviations from firm's standard terms, residual risks. This is what the partner reads before signing — not the 40-page contract. File alongside the executed agreement.

For deals over $100K, the managing partner reviews the negotiation memo, the redline summary from counsel, and the SOC 2 exceptions before signing. Schedule a 15-minute review call rather than a forwarded email — partner questions caught here save renegotiation later.