Should your firm pick co-managed IT or fully managed IT? It is the question almost every CPA firm owner reaches once they grow past four or five staff, lose a key IT person, or fail a security questionnaire from a bigger client.
The goal here is to give your firm a decision framework you can apply in an afternoon, with the FTC accountability lines mapped, the RACI ownership spelled out, and clear “choose X if” scenarios for a 1 to 20 person tax practice.
By the end you will know which model fits your firm, where the regulator draws the line on responsibility, and what to ask before you sign anything. The Verito comparison comes later in the post.
TL;DR: Co-Managed vs Fully Managed at a Glance
If you only have five minutes, read this table. The rest of the post explains how to use it.
| Dimension | Co-Managed IT | Fully Managed IT |
|---|---|---|
| Cost predictability | Variable. You pay the MSP plus your in-house staff salary. Hours can flex by month. | Flat. Per-user or per-device subscription covers a defined scope. |
| Who owns the work | Split. Your internal staff own day-to-day; the MSP fills specific gaps (security, after-hours, projects). | The MSP owns the full stack. You own the relationship and the risk. |
| FTC Safeguards accountability | Your firm. The MSP shares execution but the firm signs the program. FTC 16 CFR 314.4(f) still applies. | Your firm. Same rule. The MSP carries more execution evidence, but the firm is the regulated entity. |
| After-hours response | Depends on contract. Often “MSP covers nights and weekends, internal staff cover business hours.” | Built in. 24×7 helpdesk and incident response are part of the standard scope. |
| Tax season scalability | Strong if the MSP scope includes surge support. Weak if the in-house person is the bottleneck. | Strong by default. The MSP is staffed for seasonal load and SLA-bound to respond. |
| Best fit by firm size | Firms with 1 existing IT person who is overloaded, or firms with 10 to 20 staff scaling beyond what one IT body can cover. | Firms with 1 to 10 staff and no internal IT, or larger firms that want predictable cost and one accountable vendor. |
The short version: co-managed IT shares the load with your existing IT person. Fully managed IT replaces the need for one. Both can work for a tax firm. The right answer depends on whether you already have someone in-house, what they cover well, and what your FTC Safeguards evidence trail looks like today.
What “Co-Managed IT” Actually Means in a CPA Firm
Co-managed IT is a split. Your firm keeps an internal IT person, often part-time or wearing several hats, and brings in a managed service provider (MSP) to fill the gaps. Datto, one of the largest platforms MSPs run on, defines it as “a customized IT service model that combines the convenience of an internal IT department with the expertise of a managed service provider.” (Datto, June 2023)
In a CPA firm, that split usually looks like this. Your in-house person handles new-hire setups, password resets, printer problems, the QuickBooks file that will not open, and questions from staff in the back office. The MSP handles the heavier lifting: patching servers, running the Endpoint Detection and Response (EDR) console, monitoring backups, responding to security alerts at 2 a.m., owning your FTC Safeguards documentation, and managing your hosting environment.
The model is flexible by design. Datto describes the splits as based on “technology, skill gaps or expertise” rather than fixed lanes. (Datto, June 2023) That flexibility is the appeal. It is also the trap. If the contract does not draw the lines clearly, both sides assume the other is doing it. Patching slips. EDR alerts get ignored. The MSP thinks the in-house person owns it. The in-house person thinks the MSP does.
NIST frames the same idea more formally. The NIST Cybersecurity Framework 2.0 Small Business Quick-Start Guide tells small business owners that the framework can be used “as a discussion prompt between a business owner and whomever they have chosen to help them reduce their cybersecurity risks, such as a managed security service provider (MSSP).” (NIST SP 1300) That is co-managed IT in plain English: a shared responsibility model where the firm and the provider both have lanes, and both have to know what those lanes are.
For a CPA firm, the most common co-managed setup is: your in-house generalist plus an MSP that owns security, compliance documentation, after-hours coverage, and infrastructure. The firm gets cybersecurity depth without paying for a full security team. The in-house person stays focused on user-facing work that does not require deep security tooling.
What “Fully Managed IT” Actually Means in a CPA Firm
Fully managed IT is the model most CPA firms with 1 to 10 staff actually buy. There is no in-house IT person. The MSP is the IT department. Everything technology-related, from a printer that will not connect to a ransomware incident at 3 a.m., goes to the same provider.
The scope is broader than people expect. A fully managed engagement built for a tax firm typically covers user setup and offboarding, helpdesk for your team, endpoint patching and updates, EDR and antivirus, email security, multi-factor authentication (MFA) enforcement, endpoint backup, server and hosting management, vendor coordination (the “who do I call” problem), FTC Safeguards documentation, WISP maintenance, and incident response when something goes wrong.
The pricing model is usually flat. Per-user or per-device monthly subscription, sometimes tiered. You know what next month costs. The MSP carries the staffing risk. If your firm needs four hours of helpdesk this week and ten hours next week, you do not get a separate bill.
The trade-off is control. You are not directly running your firm’s IT; you are buying outcomes from someone else who runs it. That is fine for most CPA firms because most CPA firm owners do not want to run IT. They want compliance covered, tax season uptime, and a phone number to call when something breaks. Fully managed delivers that with one accountable vendor instead of three or four. The Journal of Accountancy points out that this is exactly why CPA firms are moving toward managed IT: the Safeguards Rule “qualified individual” requirement, encryption mandate, MFA enforcement, training, and third-party oversight are more than a small firm can run on its own. (Journal of Accountancy, February 2023)
The downside of fully managed: if the MSP is generic and does not know tax software, you spend tax season explaining what Drake, Lacerte, or UltraTax is to the helpdesk. Tax-firm-specific MSPs avoid that problem; generic SMB MSPs do not.
Side-by-Side RACI: Who Owns What
This is the table to send to your team and your prospective MSP. Print it. Mark each row. If both sides cannot point to the same answer, the contract is not done.
| Function | In-House Only | Co-Managed | Fully Managed |
|---|---|---|---|
| Operating system and application patching | In-house | MSP (with in-house verification) | MSP |
| Endpoint backup configuration and monitoring | In-house | MSP | MSP |
| EDR and antivirus deployment, alerts, response | In-house | MSP | MSP |
| Email security (anti-phishing, spam, impersonation) | In-house | MSP | MSP |
| Helpdesk for staff (password resets, software issues) | In-house | In-house (Tier 1) plus MSP overflow | MSP |
| MFA enforcement and exception management | In-house | MSP defines policy; in-house enforces | MSP |
| FTC Safeguards Rule documentation and reporting | In-house (firm signs) | MSP drafts; firm signs and owns | MSP drafts; firm signs and owns |
| Vendor management (tax software, ISPs, hosting) | In-house | Split by vendor | MSP |
| Hardware refresh planning and procurement | In-house | MSP advises; firm purchases | MSP advises; firm purchases |
| After-hours incident response | In-house (best effort) | MSP (contractual SLA) | MSP (contractual SLA) |
Two rows on this table get firms in trouble more than any others.
The first is FTC Safeguards documentation. Even with a fully managed MSP, your firm signs the program. The regulator does not look at your MSP when something goes wrong; it looks at you. More on that in the accountability section below.
The second is after-hours response. In a co-managed setup, this is the single most common gap. The in-house person works 9 to 5. The MSP “supports” after hours. Read the contract. If the SLA does not say “X minutes to first response, 24×7,” you do not have after-hours coverage. You have a voicemail.
Cost Comparison: Pricing Model Shapes, Not Fake Benchmarks
This section will not give you a single dollar figure. The “MSPs charge $X per user per month” benchmarks you see on most blog posts are not sourced to primary research; they are repeated from other blog posts. We will not do that here.
What is verifiable is how MSPs structure their pricing, and what drives variance. There are four common shapes.
- Per-user, all-inclusive. One monthly price per active user covers helpdesk, endpoints, security tools, and a fixed scope of services. Easy to budget. Tends to be priced higher per unit because the MSP carries surge risk.
- Per-device. One price per managed laptop, desktop, server, or firewall. Common when staff use multiple devices or when you have shared workstations. Less predictable as your fleet changes.
- Flat-fee block hours plus monitoring. A monitoring stack (RMM, EDR) at a base fee, plus a block of helpdesk hours per month. Hours over the block are billed. Common in co-managed setups.
- Tiered (good / better / best). Same scope at the base, with security or compliance add-ons unlocking higher tiers. Vendors like Kaseya and Datto build product portfolios that map directly to these tiers, which is why MSPs structure their offers this way.
The variance between two MSP quotes for the same firm can be large. The drivers are: how many security tools are bundled in (EDR, email security, dark web monitoring, security awareness training), whether after-hours response is included or charged, how compliance work (Safeguards documentation, WISP maintenance) is priced, and whether the MSP runs on a unified platform like Kaseya or stitches together five separate vendors. Kaseya’s 2024 MSP Benchmark Survey reported that “73% of MSPs said cybersecurity is a top revenue driver” and “85% of participants noted that automation is a must-have in IT management solutions.” (Kaseya 2024 MSP Benchmark Survey) That tells you where the cost goes: tools, automation, and security stack.
For co-managed specifically, the cost math has two parts: the MSP cost (variable, depending on scope) plus the fully loaded cost of your in-house IT person (salary, benefits, training, certifications). For fully managed, there is one number. When firms pencil this out, the breakeven is usually around firm size 12 to 15. Below that, fully managed is almost always cheaper. Above that, co-managed often wins because you have enough work to keep an in-house person busy and the MSP fills the depth gap.
The macro context: Gartner forecasts worldwide IT spending to grow 9.8% in 2026, exceeding $6 trillion. (Gartner, October 22, 2025) IT cost is going up, not down. The cheapest option this year will not be the cheapest option in 2027 if scope creeps and tools get added piecemeal.
FTC Safeguards Rule: The Buck Stops With Your Firm
This is the section most “co-managed vs managed” articles skip. It is the most important one for a CPA or tax firm.
Tax preparation firms are explicitly listed as “financial institutions” under the FTC Safeguards Rule. The rule lives at 16 CFR Part 314, and Section 314.4 lists nine required elements of an information security program, including a qualified individual, a written risk assessment, technical safeguards including encryption and MFA, training, third-party service provider oversight, incident response, and annual reporting. (FTC, Safeguards Rule guidance)
Section 314.4(f) is the one that matters for the co-managed vs fully managed decision. It requires covered companies to oversee service providers: select providers capable of safeguarding customer information, contractually require those safeguards, and periodically assess them. The FTC’s own guidance puts it bluntly: “If your company brings in a service provider to implement and supervise your program, the buck still stops with you, as it’s your company’s responsibility to designate a senior employee to supervise that person.” (FTC, 16 CFR 314.4(f))
Translated: it does not matter whether you go co-managed or fully managed. The regulator holds your firm accountable. Both models require the same firm-side ownership of:
- The qualified individual designation (a named senior employee).
- The written risk assessment, signed and updated annually.
- Service provider oversight evidence: a contract, periodic assessments, documented review.
- Incident response and breach notification, including the requirement to notify the FTC of a notification event affecting 500 or more consumers within 30 days. (FTC, October 27, 2023; effective May 13, 2024)
The IRS reinforces the same point. The Security Summit reminds tax pros that “tax professionals are required by law to create a Written Information Security Plan (WISP) to protect their clients’ data.” (IRS Security Summit) The IRS publishes a WISP template specifically for smaller tax practices in Publication 5708, with the companion creation guide in Publication 5709. IRS Publication 4557 ties it together with the broader safeguarding-taxpayer-data obligation.
Where the two models differ is execution, not accountability. Under co-managed, your in-house person and the MSP split the evidence trail. That works only if both sides are documenting their lane. Under fully managed, the MSP carries most of the evidence, but the firm still has to produce the qualified individual, the signed risk assessment, and the breach response plan.
The enforcement record is real, even for small firms. The FTC’s 2017 case against TaxSlayer is the cleanest precedent. TaxSlayer failed to develop a written information security program until November 2015, failed to conduct a risk assessment, and failed to implement safeguards; hackers gained access to nearly 9,000 TaxSlayer accounts between October and December 2015. The settlement prohibited the company from violating the Safeguards Rule for 20 years and required biennial third-party assessments for 10 years. (FTC, August 29, 2017) The state-level pattern is also active: New York Attorney General Letitia James settled with Albany-based CPA firm Wojeski & Co. for $60,000 in 2024 after two ransomware attacks exposed 4,700+ people’s PII. (Accounting Today, 2024) The IRS reported that Stakeholder Liaisons received “nearly 200 tax professional data incidents potentially affecting up to 180,000 clients” through spring 2024. (IRS Security Summit, July 2, 2024)
The takeaway: pick whichever model your firm can actually execute. Both leave the firm legally responsible. The wrong model is the one your firm will not maintain.
Choose Co-Managed If, Choose Fully Managed If
Use this scenario table to map your firm to the right model.
| Choose Co-Managed If | Choose Fully Managed If |
|---|---|
| You already have a strong in-house IT generalist who handles user-facing work well, but lacks the depth to run security tooling, after-hours response, or compliance. | You do not have an in-house IT person, and the partner with “the IT brain” is also the partner you bill out at the highest rate. |
| Your firm is 10 to 20 staff and growing. There is enough day-to-day work to keep an internal person busy, and you need an MSP for depth on security and compliance. | Your firm is 1 to 10 staff. The day-to-day workload does not justify a full-time IT body, but compliance and security still have to be covered. |
| You want hands-on control over user experience and prefer your team to know the IT person personally. | You want one phone number, one bill, one accountable vendor, and predictable monthly cost. |
| You want to keep institutional knowledge in-house, especially around firm-specific workflows, custom integrations, or legacy systems. | Tax season volume spikes and you need contractual SLA-backed response, not “Bob will get to it Monday.” |
| Your in-house person is the bottleneck on after-hours and weekend incidents, but is otherwise valuable to keep. | You have failed a security questionnaire from a larger client or referral partner and need documented FTC Safeguards evidence quickly. |
If you sit on the fence between the two columns, default to fully managed for firms under 10 staff and co-managed for firms above 12 staff. The crossover zone is firms of 10 to 12 staff with one underutilized in-house generalist; that is where either model can work, and the deciding factor is usually whether you want to keep that person.
For a deeper dive on what to look for once you have picked the model, see our guide on the best IT support providers for accounting and tax firms.
Common Mistakes When Picking a Model
These show up across firm sizes. Avoid them.
- Buying co-managed because it sounds cheaper. It often is not, once the in-house salary and benefits are loaded in. Run the numbers both ways before signing.
- Assuming “managed” means “all of it.” Read the scope. If MFA enforcement, email security, or after-hours response is “available as an add-on,” it is not in your contract. ConnectWise reported that 73% of SMBs are not fully confident in their MSP’s defense capability and 47% would switch providers for better cybersecurity. (ConnectWise SMB Cybersecurity, updated July 8, 2025) Most of that gap is scope ambiguity, not skill.
- Letting the MSP also be the qualified individual. The FTC requires a designated senior employee to supervise the program. That person has to be at your firm. The MSP can do the work; they cannot be the named accountable party.
- Confusing co-managed IT with IT staff augmentation. Co-managed includes a defined service scope, tooling, and SLAs. Staff augmentation is a body for hire, billed by the hour, with no committed outcomes. They are different products.
- Picking a generalist MSP that does not know tax software. Drake, Lacerte, ProSeries, UltraTax, and CCH have specific support patterns. A generalist MSP will keep escalating tax-software tickets to the vendor instead of resolving them. Hire an MSP that has CPA firms in its book of business.
How Verito Fits
If you have read this far, the framework is in place. Here is where Verito sits.
Verito’s managed IT product, VeritGuard, is built specifically for CPA and tax firms. The full-stack scope covers endpoint patching, EDR (Datto EDR plus Datto AV on the VeritGuard side), endpoint backup (Datto Backup), email security (INKY), MFA enforcement, password management (1Password), security awareness training (BullPhish ID), dark web monitoring (DarkWeb ID), VPN access (NordLayer), 24/7 SOC coverage on the Elite tier (RocketCyber), firewall policy management, and IT documentation in IT Glue. The standard Service Level Agreement is one-hour response.
Verito is SOC 2 Type II certified. The infrastructure side has maintained 100% uptime since 2016. Support analytics show NPS 95 and 92% first-touch resolution. Verito’s G2 rating is 4.9 across 150+ verified reviews on g2.com/products/verito.
For most CPA firms today, Verito is bought as fully managed: VeritGuard for endpoints and security, plus VeritSpace for hosting. Co-managed is the newer offer. It works the same way Datto and NIST describe it: your existing IT person stays in place; Verito takes the security stack, after-hours response, and FTC Safeguards evidence trail. If your firm is on the fence between models, the right starting point is a conversation about your current scope, your in-house staffing, and your last security questionnaire from a client.
If you want to compare your current setup against the framework in this post, you can book a free security assessment. It maps your existing controls to the FTC Safeguards Rule and flags the gaps. Or, if you have already decided co-managed is the right fit, our co-managed IT page covers the scope and onboarding process in detail.
For background on why vendor consolidation matters in this category, our post on hosting and IT support by different vendors covers the “who do I call” problem in more depth.
Frequently Asked Questions
Is co-managed IT cheaper than fully managed IT?
Sometimes. The MSP fee in a co-managed engagement is usually lower than fully managed for the same firm, but you also pay an in-house IT salary and benefits. Once you fully load that cost, fully managed is often cheaper for firms under 10 staff. Co-managed tends to win on cost only when the firm has 12+ staff and the in-house person is fully utilized on user-facing work the MSP would otherwise have to handle.
Can a CPA firm be FTC-compliant with co-managed IT?
Yes. The FTC Safeguards Rule does not specify which IT model you have to use. It specifies what your information security program must include and that your firm is accountable for it. Co-managed works as long as the lanes are clear, the MSP’s scope is contractually defined, and the firm designates a qualified individual under 16 CFR 314.4.
What’s the difference between co-managed IT and IT staff augmentation?
Co-managed IT is a service contract with a defined scope, tooling stack, and SLAs. The MSP commits to outcomes. Staff augmentation is bodies for hire, billed hourly or by the placement, with no committed outcomes. You direct staff augmentation; you partner with a co-managed MSP. Different products, different price structures, different accountability.
Do we need an in-house IT person to do co-managed?
Yes, that is the model. Co-managed assumes there is an internal IT body who handles a defined portion of the work. If you do not have one, fully managed is the right starting point. You can move to co-managed later if you hire IT in-house.
What happens during tax season? Which model handles the spike better?
Fully managed handles tax season spikes more reliably out of the box, because the MSP is contractually staffed for surge load and SLA-bound to respond. Co-managed handles it well if the contract explicitly includes surge support and after-hours response; it handles it poorly if the in-house person is the bottleneck and the MSP scope is “best effort.” Read the contract.
Can we switch from fully managed to co-managed later?
Yes. Most CPA firms that grow into co-managed start as fully managed, hire an in-house IT person around 12 to 15 staff, and rebalance the scope with their MSP. The MSP keeps the security stack, after-hours response, and compliance work; the new in-house person picks up day-to-day helpdesk and user-facing work. The contract usually changes, not the vendor.
What should be in the contract for either model?
At minimum: a written scope by function (use the RACI table above as a starting point), response and resolution SLAs by severity, after-hours coverage terms, security stack inventory (EDR, email security, MFA, backup), FTC Safeguards documentation responsibility, breach response procedure, exit and data return terms, and pricing structure including what is in-scope and what is billable extra.
Does co-managed IT work for a fully remote CPA firm?
Yes. The model is location-agnostic by design. The MSP runs everything via remote management tools, and your in-house IT person can be remote too. What matters is endpoint coverage, secure remote access (a managed VPN or hosted environment), and that incident response does not depend on someone being physically on site. For most remote tax firms, hosted infrastructure plus managed endpoints is the standard pattern.
The Next Step
You now have the framework. The RACI table, the cost-shape comparison, the FTC accountability lines, and the “choose if” scenarios are the same questions Verito works through with prospective firms before quoting either model.
If you want to compare your current setup against this framework, the simplest start is a free security assessment. It is a structured walk through your current controls, your FTC Safeguards evidence trail, and the gaps you would have to close under either model. The output is a written assessment your firm keeps regardless of whether you work with Verito.
Book a free security assessment →
If your firm has already decided co-managed is the right fit and you want to see the scope and onboarding flow, the co-managed IT service page covers it in detail.
