{"id":6463,"date":"2026-05-05T08:00:00","date_gmt":"2026-05-05T12:00:00","guid":{"rendered":"https:\/\/verito.com\/blog\/?p=6463"},"modified":"2026-05-05T22:09:12","modified_gmt":"2026-05-06T02:09:12","slug":"co-managed-it-support-scope","status":"publish","type":"post","link":"https:\/\/verito.com\/blog\/co-managed-it-support-scope\/","title":{"rendered":"Co-Managed IT Support Scope for CPA Firms (2026)"},"content":{"rendered":"

What Co-Managed IT Support Services Actually Cover<\/strong><\/span><\/h2>\n

The FTC Safeguards Rule requires every U.S. tax preparer to oversee their service providers. That’s hard to do when you’re not sure what you actually bought.<\/p>\n

Co-managed IT support services cover some of your IT workload, leave some to your in-house team, and rarely include a few items buyers assume are bundled. This post walks through the standard scope, what shifts compared to fully managed IT<\/a>, and what to verify in writing before you sign.<\/p>\n

Co-managed IT<\/a> is a split-responsibility model. The MSP brings tooling, monitoring, security operations, and after-hours coverage. Your internal IT person or office manager keeps the relationships, strategy decisions, and day-to-day judgment calls. The Federal Trade Commission frames it plainly in Safeguards Rule guidance: you can outsource the work, but the buck still stops with you. Use the table below as your scope reference, then read the prose for what each line looks like in practice at a CPA firm.<\/p>\n\n\n\n\n

\"Server<\/figure>\n\n\n

Co-Managed IT Master Scope Table<\/strong><\/span><\/h2>\n

Sixteen common service lines, who typically owns each one in a co-managed agreement, and how that compares to fully managed. Use this as your first-pass checklist when reading a Statement of Work.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Service Line<\/strong><\/th>\nCo-Managed Ownership<\/strong><\/th>\nFully Managed Ownership<\/strong><\/th>\n<\/tr>\n<\/thead>\n
Endpoint patching (Windows, third-party apps)<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
Endpoint Detection and Response (EDR) \/ antivirus<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
Email security (anti-phishing, link-scan, attachment sandbox)<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
Multi-Factor Authentication (MFA) enforcement and review<\/td>\nShared<\/td>\nProvider<\/td>\n<\/tr>\n
Helpdesk Tier 1 (password resets, basic break-fix)<\/td>\nClient retains or Shared<\/td>\nProvider<\/td>\n<\/tr>\n
Helpdesk Tier 2-3 (server, network, escalations)<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
24\/7 after-hours incident response<\/td>\nProvider (verify in SLA)<\/td>\nProvider<\/td>\n<\/tr>\n
Endpoint and server backup<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
Disaster Recovery (DR) testing<\/td>\nShared<\/td>\nProvider<\/td>\n<\/tr>\n
Network monitoring (firewall, switches, Wi-Fi)<\/td>\nProvider<\/td>\nProvider<\/td>\n<\/tr>\n
FTC Safeguards Rule documentation<\/td>\nShared (firm signs, MSP supports)<\/td>\nShared (firm always signs)<\/td>\n<\/tr>\n
Written Information Security Plan (WISP<\/a>) authoring<\/td>\nShared or Client retains<\/td>\nShared<\/td>\n<\/tr>\n
Hardware procurement and refresh<\/td>\nClient retains<\/td>\nOften add-on<\/td>\n<\/tr>\n
Vendor liaison (Drake, Lacerte, ProSeries, ISP)<\/td>\nShared<\/td>\nProvider<\/td>\n<\/tr>\n
New-staff onboarding (account, device, app provisioning)<\/td>\nShared<\/td>\nProvider<\/td>\n<\/tr>\n
Compliance reporting and audit support<\/td>\nShared<\/td>\nShared<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

“Provider” means the MSP runs and is accountable. “Shared” means the MSP does the heavy lifting but the firm makes decisions, signs artifacts, or reviews output. “Client retains” means the firm still owns the work. Most scope disputes happen on the Shared and Client-retains rows. Read those carefully in any contract.<\/p>\n

\n

Co-Managed IT Support Scope: Compliance<\/strong><\/span><\/span><\/h2>\n

Compliance is where co-managed agreements have the biggest gap between what the contract lists and what the firm is still on the hook for. Read this section before any other.<\/p>\n

FTC Safeguards Rule and IRS Publication 4557<\/strong><\/span><\/span><\/h3>\n

The Federal Trade Commission (FTC) Safeguards Rule (16 CFR Part 314) applies to every U.S. tax preparer because tax-prep firms are explicitly listed as financial institutions under the rule (FTC Safeguards Rule guidance<\/a>). Section 314.4 lists nine required elements of an information security program. A co-managed MSP can implement most of the technical controls (access controls, encryption, MFA, monitoring, change management, incident response). It cannot designate your Qualified Individual, sign your annual report, or own your written risk assessment. Section 314.4(f) also requires you to oversee your service providers, including the MSP itself.<\/p>\n

IRS Publication 4557, “Safeguarding Taxpayer Data,” lays out the data-security obligations for tax professionals (IRS Publication 4557<\/a>). Federal law, enforced through the FTC, requires every preparer to maintain a Written Information Security Plan (WISP). The IRS Security Summit reinforced it in 2024: tax professionals are required by law to create a WISP to protect their clients’ data (IRS Newsroom<\/a>).<\/p>\n

WISP Authoring and Audit-Ready Documentation<\/strong><\/span><\/span><\/h3>\n

Co-managed MSPs typically support WISP creation in one of three ways: deliver a templated WISP populated with your firm’s specifics, review and red-line a WISP your firm authored, or operate the technical controls referenced in your WISP. Some charge for authoring separately. Almost none sign the WISP. The Qualified Individual at your firm signs it; the firm carries the liability.<\/p>\n

Compliance-serious MSPs will give you a documentation pack: SOC 2 report, network diagrams, control descriptions, change-management logs, and quarterly review notes. If the MSP cannot produce a current SOC 2 Type II report on request, that is a scope flag.<\/p>\n

Shared Responsibility, Stated Plainly<\/strong><\/span><\/span><\/h3>\n

The National Institute of Standards and Technology (NIST) frames\u00a0cybersecurity<\/a>\u00a0as a shared responsibility for small businesses. Its Cybersecurity Framework 2.0 Small Business Quick-Start Guide positions the framework as a discussion prompt between a business owner and whomever they have chosen to help reduce their cybersecurity risks, including a managed security service provider (NIST SP 1300, CSF 2.0<\/a>). The FTC says the same thing more bluntly in its guidance.<\/p>\n

\n
\n

“The buck still stops with you.”<\/p>\n

FTC Safeguards Rule guidance<\/cite><\/p>\n<\/blockquote>\n<\/figure>\n

That is the most important sentence in this entire post.<\/p>\n

\n

Co-Managed IT Support Scope: Security<\/strong><\/span><\/span><\/h2>\n

Security is the line item that varies most. “Managed security” can mean a single antivirus license or a 24\/7 Security Operations Center. Verify the components.<\/p>\n

EDR, MFA, and Email Security<\/strong><\/span><\/span><\/h3>\n

Endpoint Detection and Response (EDR) is the modern replacement for legacy antivirus. EDR watches process behavior, not just file signatures, and can isolate a compromised endpoint automatically. A standard co-managed package includes EDR licensing, deployment, policy tuning, and active threat response. Confirm that “active threat response” means a human reviews and acts on detections, not just a rule firing into a logging queue.<\/p>\n

Multi-Factor Authentication (MFA) is required by the FTC Safeguards Rule for any access to customer information, with limited written exceptions (FTC Safeguards Rule, 16 CFR 314.4<\/a>). The MSP configures, monitors, and reports on MFA enforcement across Microsoft 365, remote access, and your tax-software cloud. Your firm still owns the policy on who has MFA exceptions and why.<\/p>\n

Email remains the top entry vector against tax practitioners. Co-managed scope here is anti-phishing scanning, link rewriting and click-time detonation, attachment sandboxing, and Domain-based Message Authentication (DMARC) configuration. Verify whether security awareness training is bundled or sold separately.<\/p>\n

24\/7 SOC vs Business-Hours Monitoring<\/strong><\/span><\/span><\/h3>\n

A 24\/7 Security Operations Center (SOC) means humans review correlated security alerts around the clock. Business-hours monitoring means the queue gets reviewed Monday to Friday. The price gap is significant; the risk gap is larger during tax season, when phishing campaigns spike. Ask explicitly which one is in scope. Vulnerability scans usually run monthly or quarterly with a remediation report; penetration testing is almost always a separate engagement.<\/p>\n

\n

Co-Managed IT Support Scope: Daily Operations<\/strong><\/span><\/span><\/h2>\n

“Monitoring, patching, and helpdesk” is the headline of almost every co-managed package. What that means in practice is more specific than the headline suggests.<\/p>\n

Patching Cadence and Reboot Windows<\/strong><\/span><\/h3>\n

A standard agreement covers Windows patches, third-party app patches (browsers, Adobe, Java), and firmware on managed devices, typically weekly with critical security patches pushed faster. Verify the reboot window before tax season. Many MSPs default to a 2 a.m. local reboot every Tuesday, which works in May but not on March 14 when a senior partner is running extension calculations. A good co-managed agreement freezes non-critical patching from late January through April 15 and applies only emergency patches with firm sign-off.<\/p>\n

Monitoring and Escalation Paths<\/strong><\/span><\/h3>\n

Monitoring is agent-based polling of every covered endpoint and server, plus the firewall and switches. The MSP’s Remote Monitoring and Management (RMM) platform fires alerts on disk pressure, RAM saturation, failed logins, suspicious processes, agent disconnects, and patch failures. Cheaper agreements review alerts the next business day. Stronger agreements have a 24\/7 Network Operations Center (NOC) acknowledging critical alerts within minutes. Ask for the alert-to-acknowledgement Service Level Agreement (SLA) in writing.<\/p>\n

Helpdesk Tiers and SLAs<\/strong><\/span><\/span><\/h3>\n

Tier 1 is the everyday “I forgot my password” call. In co-managed agreements, Tier 1 often stays with your in-house person. The MSP picks up Tier 2 (misconfigurations) and Tier 3 (server, network, or identity issues). If your firm doesn’t have an in-house IT person, confirm Tier 1 is included or the per-incident rate will surprise you.<\/p>\n

On SLAs, response time is when a human picks up the ticket; resolution time is when the issue is fixed. Most MSPs publish a tight response SLA (15 to 60 minutes) and a vague or absent resolution SLA. For a CPA firm, the resolution target on Severity 1 (firm-down, e-file blocked) matters more than the response number. Push for both in writing. Our guide on\u00a0managed IT contracts for CPA firms<\/a>\u00a0walks through clause-by-clause language.<\/p>\n

\n

Co-Managed IT Support Scope: Backup and Disaster Recovery<\/strong><\/span><\/span><\/h2>\n

Backup is over-promised and under-tested in most co-managed agreements. The contract usually says “managed backup.” What that means varies.<\/p>\n

Endpoint vs Server Backup, RPO and RTO<\/strong><\/span><\/span><\/h3>\n

Endpoint backup covers laptops and desktops. Server backup covers your file server, your hosted Drake or Lacerte database, your QuickBooks file server, and your email environment. The agreement should state both are in scope. If only “endpoint backup” appears, the tax-software server backup is likely a separate line item.<\/p>\n

Recovery Point Objective (RPO) is how much data you are willing to lose, measured in time. Recovery Time Objective (RTO) is how long you can be down before recovery completes. Co-managed agreements should publish both as numbers, not adjectives. “Near real-time backup” is marketing. “RPO 15 minutes, RTO 4 hours” is a contract. For more on choosing between backup tiers, see our breakdown of\u00a0managed backup vs BaaS vs DRaaS<\/a>.<\/p>\n

Recovery Testing and Backup Exclusions<\/strong><\/span><\/span><\/h3>\n

Backups that have never been restored are not backups. A serious co-managed agreement schedules at least one full DR test per year with a written report. Many MSPs scope this as a paid add-on. Verify whether DR testing is in the base agreement and how you get the test results.<\/p>\n

Backup scope often excludes user-error file recovery beyond a defined retention window (commonly 30 to 90 days), personal cloud storage (Dropbox, OneDrive Personal), and external USB drives. It typically excludes data inside Software-as-a-Service apps unless a separate SaaS backup tool is in scope. If your tax software vendor hosts the database in their cloud, find out who is backing it up: them, you, or your MSP.<\/p>\n

\n

Co-Managed IT Support Scope for CPA Firms Specifically<\/strong><\/span><\/span><\/h2>\n

What changes when the firm being supported is a CPA practice instead of a generic professional services office? Five scope items shift in ways that matter at signing.<\/p>\n

Tax Software Hosting and Performance<\/strong><\/span><\/span><\/h3>\n

Drake, Lacerte, ProSeries, UltraTax CS, and CCH each have different hosting requirements. A firm running Drake on a local server has different scope needs from a firm running ProSystem fx in a vendor-hosted environment, which has different needs again from a firm using a private cloud host. The MSP needs to know which environment yours runs in and own the performance, patching, and integration boundaries for each. NVMe storage matters during March; spinning disk does not.<\/p>\n

Tax Season SLA Windows<\/strong><\/span><\/h3>\n

Generic MSP SLAs are flat across the year. CPA-firm SLAs should not be. Severity 1 response targets that are acceptable in October become unacceptable on March 14. A serious co-managed agreement names January 15 through April 15 as a heightened-priority window with tighter response and resolution targets, and freezes non-emergency change windows during that period.<\/p>\n

E-File Infrastructure<\/strong><\/span><\/h3>\n

IRS e-Services accounts, EFIN credentials, and transmission portals are the firm’s identity to the IRS, not a generic IT asset. The MSP scope should cover MFA enforcement on these accounts, monitoring for unauthorized access, and immediate incident response if credentials are suspected to be compromised. The firm still owns the EFIN and the relationship with IRS Stakeholder Liaison.<\/p>\n

Document Retention and Audit Support<\/strong><\/span><\/span><\/h3>\n

IRS retention requirements run seven years for most tax records and longer for some categories. The MSP scope should specify retention policies for both active and archived data, the format of audit-response data extracts, and how quickly the firm can pull a specific client’s records under subpoena or audit notice. If the SOW is silent on retention, the firm carries the assumption.<\/p>\n

Client Portal Management<\/strong><\/span><\/h3>\n

Most CPA firms run a client portal for document exchange (SmartVault, ShareFile, Liscio, or one bundled with their tax software). Scope should specify whether the MSP manages portal user access, handles client onboarding and offboarding in the portal, and supports clients calling for password help. If the firm runs a separate portal vendor, the MSP scope should include vendor liaison.<\/p>\n

If your draft SOW does not address these five lines, ask. Generic MSP scope documents do not, and the gaps become incidents during tax season.<\/p>\n

\n

What’s Typically NOT Included in Co-Managed IT<\/strong><\/span><\/span><\/h2>\n

These six items show up in the wishful interpretation of “managed IT” and almost never in the contract. Plan for them as separate spend.<\/p>\n