Compliance Standards

Effective 2026-05-29. Reviewed annually and after any material regulatory change.

Regulatory frameworks we align with

Troy Accounting is a professional accounting firm. We are not a licensed CPA firm. While we are not subject to the licensure rules that apply to CPA practices, we hold ourselves to comparable professional standards and align our operations with the following frameworks: IRS Publication 4557 (safeguarding taxpayer data), the FTC Safeguards Rule (information security for financial institutions), the AICPA Statement on Standards for Tax Services (where applicable to non-CPA practitioners), and Treasury Department Circular 230 to the extent we represent clients before the IRS.

Information security

We maintain a written Information Security Plan as required by FTC Safeguards. Core controls include: TLS 1.3 encryption in transit, AES-256 encryption at rest, mandatory multi-factor authentication on every team account, role-based access with least-privilege defaults, comprehensive audit logging, documented incident response, quarterly access reviews, and annual security training for all team members. A SOC 2 Type II audit is in progress for 2026 attestation. See the Security & Trust Center for current detail.

Anti-money laundering and sanctions

We screen prospective and active clients against OFAC SDN, Consolidated Sanctions, and equivalent EU/UK lists at onboarding and at periodic intervals. We collect beneficial ownership documentation appropriate to engagement risk. We do not knowingly engage in or facilitate transactions designed to evade U.S. or international sanctions. See the AML Policy.

Continuing education

Every team member is required to complete a minimum of 40 hours of relevant continuing professional education each calendar year, with at least 4 hours in ethics, 8 hours in tax law updates, and 4 hours in technology and security. Education hours and topics are tracked centrally and reviewed annually by firm leadership.

Independence and objectivity

For audit-readiness work, attest-coordination, and similar engagements, we apply AICPA independence standards as our baseline regardless of whether the engagement legally requires a CPA license. Staff and immediate family members may not hold material financial interests in client businesses, may not accept gifts above nominal value from clients, and may not perform paid work outside the firm for clients without written approval.

Quality control

Quality control operates at four layers. (1) Engagement-level: a senior preparer reviews every monthly close and tax return before delivery. (2) Manager-level: practice managers conduct a periodic peer review of a sample of engagements within each practice area. (3) Partner-level: senior partners review complex engagements (multi-entity, audit defense, international, M&A). (4) Firm-level: an annual practice review with documented corrective actions for any identified gaps.

Recordkeeping

Tax-engagement records are retained for at least seven years after the return is filed. Some categories are retained longer per IRS guidance. See the Record Retention Policy for detail.

Ethics complaints

Concerns about ethics, professionalism, or compliance: email info@troyaccounting.net with subject "Ethics Concern". For client matters, you may also escalate to your state attorney general or the IRS Office of Professional Responsibility. See our Whistleblower Policy for protected reporting channels.

External oversight

We are not subject to state CPA board oversight because we are not a CPA firm. We voluntarily submit to: (a) third-party penetration testing on key systems annually, (b) SOC 2 examination (in progress for 2026), (c) the same ethics escalation channels we recommend to staff and clients.