IRS, FTC Safeguards, and AICPA requirements — and the controls that satisfy them
Section 1: Your Compliance Landscape
| Framework | Who It Applies To | Key Requirements | Enforcement |
|---|---|---|---|
| IRS Publication 4557 / WISP | All tax preparers and return preparers, any size | Written Information Security Plan; administrative, technical, and physical safeguards for taxpayer data | IRS audit; PTINs can be revoked; criminal exposure for willful neglect |
| FTC Safeguards Rule | Financial institutions including tax preparers handling consumer financial data | Written security program, risk assessment, MFA, encryption, monitoring, incident response plan | FTC civil enforcement; fines up to $50,120 per violation |
| AICPA Cybersecurity Framework | CPA firms (professional standard) | Risk management framework, security controls, SOC for Cybersecurity attestation | Professional discipline; client and partner expectations |
| Arizona ARS § 18-552 | All Arizona businesses holding personal information | 45-day breach notification; AG notification if 500+ residents | Civil penalties up to $500K per breach; AG enforcement |
| Cyber insurance requirements | All firms carrying cyber coverage | MFA, EDR, backup, SAT, IR plan — verified at application and post-incident | Claim denial for misrepresentation |
Section 2: The Written Information Security Plan (WISP)
The IRS requires every tax preparer to have a WISP. This section provides a template structure you can customize for your firm.
A WISP must be a living document — updated annually and whenever your systems or processes change significantly. Date and version-control every update.
WISP REQUIRED ELEMENTS
☐ Firm name, address, PTIN(s), and designated security coordinator
☐ Inventory of all systems containing taxpayer data (computers, servers, cloud services, mobile devices)
☐ Assessment of foreseeable risks to taxpayer data in each system category
☐ Safeguards implemented to address each identified risk
☐ Procedures for selecting and overseeing service providers who access taxpayer data
☐ Process for evaluating and adjusting the program in light of changes to operations or new risks
☐ Employee training program for safeguarding taxpayer data
☐ Incident response procedures for suspected or confirmed data breach
☐ Procedures for securely disposing of taxpayer data
WISP last reviewed: _______________ Reviewed by: _______________ Next review: _______________
Section 3: FTC Safeguards Rule Compliance Checklist
ADMINISTRATIVE SAFEGUARDS
☐ Designated Qualified Individual responsible for the information security program — name and title documented
☐ Risk assessment completed and documented — identifies reasonably foreseeable internal and external risks
☐ Risk assessment covers: employee training, information systems, physical security, service providers
☐ Vendor/service provider contracts include appropriate security provisions for covered data
☐ Service providers' security practices are periodically assessed
☐ Security program is reviewed and updated in response to changes in operations, systems, or risks
☐ Board or senior leadership receives written report on security program at least annually
TECHNICAL SAFEGUARDS
☐ MFA is implemented for all individuals accessing customer financial information — no exceptions
☐ Customer financial information is encrypted in transit (TLS) and at rest
☐ Access controls limit access to the minimum necessary for each user's role
☐ Audit logs capture access to customer financial information and are retained for at least 2 years
☐ Monitoring and testing of safeguards is conducted at least annually
☐ Vulnerability scanning or penetration testing is performed at appropriate intervals
☐ Patch management program ensures timely security updates
PHYSICAL SAFEGUARDS
☐ Physical access controls to areas where customer information is stored
☐ Disposal procedures for paper records containing customer financial information
☐ Secure disposal of electronic media and devices that contained covered information
☐ Home office security procedures for staff working with covered data remotely
INCIDENT RESPONSE
☐ Written incident response plan exists and is tested
☐ Plan designates roles and responsibilities for incident response
☐ Plan includes notification procedures for affected customers
☐ Plan includes procedures for preserving evidence
☐ FTC notification obligation reviewed — currently applies to breaches affecting 500+ customers
Section 4: Technology Controls by Data Category
| Data Type | Where It Lives in Your Firm | Required Controls | Verification |
|---|---|---|---|
| Social Security Numbers | Tax returns, client files, payroll | Encrypted storage; access-controlled; not transmitted by unencrypted email | Audit annually |
| Financial account numbers | Client intake, direct deposit, payroll | Encrypted; never in email body; secure portal for collection | Test annually |
| Prior-year returns | File storage, cloud, email archives | Access-controlled; encrypted at rest; retention and disposal policy | Audit annually |
| Business financial statements | Client files, accounting software | Access by engagement only; not shared without client consent | Review quarterly |
| Login credentials | Password manager, admin systems | Password manager for all staff; no shared credentials; MFA on all accounts | Test quarterly |
| Taxpayer authorization forms (8879, etc.) | E-file records, client portal | Secure storage; defined retention period; secure disposal | Audit annually |
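The table above says SSNs and financial account numbers must never travel by unencrypted email, and the Verification column calls for an annual audit of that control. The following is an added example, not the page's or AEGITz's own code: a Python scanner that runs over constructed sample message bodies (such as an export of a sent-items folder) and flags structurally valid SSNs, ABA routing numbers and payment card numbers. It applies the SSA issuance rules and the ABA and Luhn checksums so that invoice, ticket and reference numbers do not trigger it. The file names, message text and every number in the sample are constructed.

```python
"""Audit aid for the controls table: scan message bodies for SSNs, ABA routing
numbers and payment card numbers that should never have travelled by unencrypted
email. Structural checks cut the false positives that plain digit patterns
produce on invoice and ticket numbers."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample messages; no real taxpayer data. 123456780 is a made-up
# number that happens to pass the ABA checksum; 123456789 does not.
SAMPLE_MESSAGES = {
    "intake-reply.txt": "Hi Jane, my SSN is 123-45-6789 and my direct deposit is routing 123456780, account 00012345678.",
    "invoice.txt": "Invoice 2024-00123 total $1,250.00; vendor ref 987-65-4321; ticket 123456789.",
    "card.txt": "Card on file 4111 1111 1111 1111 exp 12/27.",
    "portal.txt": "Please upload your W-2 through the secure portal rather than emailing it.",
}


def is_valid_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def is_valid_routing(number):
    """ABA check digit: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if len(number) != 9 or not number.isdigit():
        return False
    d = [int(c) for c in number]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def luhn_ok(digits):
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def scan_text(text):
    """Return (kind, value) findings for one message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        if is_valid_routing(m.group(0)):
            findings.append(("routing", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def scan_messages(messages):
    """Map message name -> findings, keeping only messages with something to review."""
    results = {}
    for name, body in messages.items():
        found = scan_text(body)
        if found:
            results[name] = found
    return results


if __name__ == "__main__":
    for name, found in scan_messages(SAMPLE_MESSAGES).items():
        for kind, value in found:
            print(f"{name}: {kind} {value[:3]}...{value[-4:]}")
```

Bank account numbers carry no checksum, so the scanner does not try to match them on their own; a routing-number hit beside a long digit string is the cue to read the message. Every hit is a finding for the annual audit and a prompt to move that client onto the secure portal.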
Section 5: Tax Season Security Protocol
Run this protocol every January before tax season volume begins.
JANUARY: PRE-SEASON VERIFICATION
☐ MFA verified as enforced on tax prep software, accounting platform, email, and client portal — test with a non-admin account
☐ Backup restoration test completed — restore at least one client file folder from backup to verify integrity
☐ EDR active and reporting on all devices used for client work, including remote staff
☐ WISP reviewed and updated for current year
☐ All staff have completed annual security awareness training
☐ Phishing simulation completed — results reviewed, training gaps addressed
☐ Client portal configured for secure document collection — not email attachments for tax documents
☐ IT provider emergency contact confirmed — 24/7 coverage verified
☐ BEC wire verification protocol reviewed with all staff who handle payments
ONGOING DURING TAX SEASON
☐ Monitor for unusual email account activity — unexpected forwarding rules, logins from unusual locations
☐ Verify any urgent requests involving wire transfers or payment changes by phone to established number
☐ Review access logs for any unusual file download activity
☐ Immediately report any phishing click or suspected compromise to IT — do not wait to see if anything happens
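The three monitoring items above (unexpected forwarding rules, logins from unusual locations, unusual file download activity) can be run as rules over an audit-log export instead of being eyeballed. The following is an added example, not the page's or AEGITz's own code: Python that parses a constructed JSON Lines audit log, flags inbox rules that forward mail outside the firm's domain, sign-ins from countries outside an expected set, and any user who exceeds a download threshold inside a sliding one-hour window, then lists the alerts in time order for review. The field names, the firm domain, the expected-country set, the threshold and every event in the sample are assumptions to adapt to your platform's export.

```python
"""Flag the warning signs the checklist asks you to watch for during tax season
(new forwarding rules, sign-ins from unexpected locations, bulk file downloads)
by running simple detection rules over an audit-log export."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIRM_DOMAIN = "firm.example"          # assumption: the firm's own mail domain
EXPECTED_COUNTRIES = {"US"}           # assumption: where staff normally sign in from
DOWNLOAD_THRESHOLD = 25               # downloads by one user inside DOWNLOAD_WINDOW
DOWNLOAD_WINDOW = timedelta(hours=1)

# Constructed sample audit log in JSON Lines form. The field names are an
# assumption loosely modelled on cloud audit exports; map your provider's
# fields onto them before use.
SAMPLE_LOG = """
{"time": "2025-02-03T08:01:00", "user": "jane@firm.example", "action": "SignIn", "country": "US"}
{"time": "2025-02-03T08:05:00", "user": "jane@firm.example", "action": "FileDownloaded", "file": "ClientA_2024.pdf"}
{"time": "2025-02-03T09:00:00", "user": "mark@firm.example", "action": "New-InboxRule", "forward_to": "mark@firm.example"}
{"time": "2025-02-03T22:14:00", "user": "jane@firm.example", "action": "SignIn", "country": "NG"}
{"time": "2025-02-03T22:15:00", "user": "jane@firm.example", "action": "New-InboxRule", "forward_to": "drop@mail-relay.example"}
""".strip()


def parse_log(text):
    """Parse JSON Lines into event dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def load_sample_events():
    """Sample log plus 30 constructed downloads by one user within 30 minutes."""
    base = datetime(2025, 2, 3, 13, 0)
    bulk = [{"time": base + timedelta(minutes=i), "user": "mark@firm.example",
             "action": "FileDownloaded", "file": f"Return_{i:03d}.pdf"} for i in range(30)]
    return sorted(parse_log(SAMPLE_LOG) + bulk, key=lambda e: e["time"])


def _alert(ev, kind, detail):
    return {"time": ev["time"].isoformat(), "user": ev["user"], "kind": kind, "detail": detail}


def flag_forwarding_rules(events, firm_domain=FIRM_DOMAIN):
    """Inbox rules that forward mail to an address outside the firm's domain."""
    alerts = []
    for ev in events:
        target = ev.get("forward_to", "")
        if (ev.get("action") == "New-InboxRule" and target
                and not target.lower().endswith("@" + firm_domain)):
            alerts.append(_alert(ev, "external-forwarding-rule", f"forwards to {target}"))
    return alerts


def flag_unusual_signins(events, expected=EXPECTED_COUNTRIES):
    """Sign-ins from a country the firm does not normally operate from."""
    return [_alert(ev, "signin-unexpected-country", f"from {ev.get('country')}")
            for ev in events
            if ev.get("action") == "SignIn" and ev.get("country") not in expected]


def flag_bulk_downloads(events, threshold=DOWNLOAD_THRESHOLD, window=DOWNLOAD_WINDOW):
    """Sliding window per user; alert once when downloads inside `window` reach
    `threshold`. Expects time-sorted events."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if ev.get("action") != "FileDownloaded":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop downloads older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append(_alert(ev, "bulk-download", f"{len(q)} downloads within {window}"))
    return alerts


def review(events):
    """Run every rule and return the alerts in time order for the reviewer."""
    alerts = flag_forwarding_rules(events) + flag_unusual_signins(events) + flag_bulk_downloads(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for a in review(load_sample_events()):
        print(f"{a['time']}  {a['user']:<20}  {a['kind']:<26}  {a['detail']}")
```

On the sample, the rule Mark creates to forward to his own firm address is ignored, Jane's night-time sign-in from an unexpected country and her external forwarding rule minutes later both surface, and Mark's 30 returns downloaded in half an hour trips the bulk-download rule once rather than on every file. Tune the threshold against a normal week of your own logs before relying on it.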
POST-SEASON (APRIL–MAY)
☐ Review access logs for full season — any unusual activity?
☐ Offboard any seasonal staff — access revoked, devices recovered or wiped
☐ Archive completed return files to access-controlled, encrypted storage
☐ Document any incidents or near-misses for WISP update
☐ Update WISP if any processes changed during the season
Section 6: Client Communication — Data Security Disclosure
Consider including a security disclosure in your engagement letter that covers:
• How you protect client data (encryption, secure portal, access controls)
• How clients should share documents with you (secure portal, not email for sensitive materials)
• Your incident response commitment — you will notify affected clients promptly in the event of a breach
• What clients can do to protect themselves — unique passwords, MFA on their own accounts
Client awareness reduces the risk of client-side compromise and demonstrates that you take security seriously — which increasingly matters to business clients evaluating professional services firms.
AEGITz serves Phoenix-area accounting firms with managed IT and security designed around IRS, FTC, and AICPA requirements — including WISP development, FTC Safeguards Rule compliance implementation, and tax season security protocols. Contact us at aegitz.com.