Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax42 min readDeep Dive

Accounting Firm WISP Template Examples & Guide 2026

IRS-compliant accounting firm WISP template examples with required sections, implementation steps, and compliance checklist. Protect client data in 2026.

Accounting Firm WISP Template Examples & Guide 2026 - accounting firm wisp template examples

Accounting Firm WISP Template Examples and Guide 2026

A Written Information Security Plan (WISP) is a formal, documented policy that defines how your accounting firm collects, stores, accesses, and protects client data. Under IRS Publication 4557 and the Federal Trade Commission's (FTC) Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, every tax preparer and accounting firm handling client financial data must maintain a written security plan regardless of firm size or annual return volume.

Accounting firms are prime targets for cybercriminals. A single client tax file contains Social Security numbers, bank account details, income history, and often business financials spanning multiple years. Professional services firms experienced a 45% increase in ransomware incidents between 2024 and 2025, according to the Verizon 2026 Data Breach Investigations Report (DBIR). IRS data shows that tax professionals reported over 1,200 data theft incidents in the 2025 filing season, a 20% increase from the prior year.

Despite clear legal mandates and well-documented threat patterns, many firms still operate without an IRS-compliant WISP, or maintain a generic document that has never been reviewed since creation. This guide provides detailed accounting firm WISP template examples with annotated section breakdowns, required components, and a practical implementation framework to ensure your firm is protected and compliant in 2026.

Tax Practice Security By The Numbers

1,200+
IRS-Reported Data Theft Incidents

Tax professionals in the 2025 filing season, up 20% year over year

45%
Ransomware Increase

Professional services firms, 2024-2025 (Verizon DBIR 2026)

$250K
Max FTC Penalty Per Violation

FTC Safeguards Rule, per violation, per day for willful noncompliance

The Legal Framework Requiring WISP Compliance

Three overlapping legal frameworks require accounting firms to maintain a WISP. Understanding each one shapes how your document must be structured and what specific controls you must implement.

IRS Publication 4557 and the FTC Safeguards Rule

IRS Publication 4557, titled Safeguarding Taxpayer Data, explicitly states that all tax preparers must create and maintain a WISP that identifies risks to client data and describes controls to mitigate those risks. The Publication references the FTC Safeguards Rule as the statutory authority. Under the updated FTC Safeguards Rule (effective June 2023), any financial institution subject to GLBA, including tax return preparers, must implement a written information security program.

Key mandates include designating a qualified individual responsible for overseeing the security program, conducting and documenting a written risk assessment, implementing access controls and encryption for all customer financial data, and providing security awareness training for all staff with access to client data. For a detailed breakdown of how the rule applies to tax professionals, see our guide to the FTC Safeguards Rule for tax preparers.

NIST SP 800-171 as a Structural Framework

While NIST Special Publication 800-171 Revision 3 is written for contractors handling Controlled Unclassified Information (CUI), its 110 security requirements provide an excellent structural framework for accounting firm WISP template examples. Many IRS-recommended WISP templates align closely with NIST SP 800-171 control families, including access control, audit and accountability, incident response, and system and communications protection.

PTIN Registration and WISP Obligations

Tax preparers with a Preparer Tax Identification Number (PTIN) operate under IRS oversight that extends to data security. The IRS treats a WISP as a condition of responsible professional practice. Our guide to PTIN and WISP requirements details how security documentation connects to your ongoing registration obligations.

WISP Implementation Process

1

Inventory All Systems and Data

Document every platform storing or processing taxpayer data: tax software, cloud storage, email, local servers, backup drives, and mobile devices.

2

Conduct a Written Risk Assessment

Identify internal and external threats, evaluate likelihood and impact, and assign mitigation tasks with owners and deadlines as required by the FTC Safeguards Rule.

3

Draft Policy Sections for Each Control Domain

Write specific policies for access control, encryption, employee training, vendor management, incident response, and physical security.

4

Designate Your Information Security Coordinator

Name a specific individual accountable for maintaining the WISP, coordinating training, and managing incident response, not a title or department.

5

Implement Technical Controls

Deploy multi-factor authentication (MFA), endpoint protection, full-disk encryption, and network firewalls. Document the specific tools used in each policy section.

6

Train Staff and Document Completion

Conduct security awareness training for every employee with access to client data. Record who completed training, what was covered, and the date.

7

Review and Update Annually

Schedule an annual WISP review and update the document after any security incident, significant system change, or new hiring of remote staff.

Required Sections in Every Accounting Firm WISP

The IRS and FTC do not prescribe a specific page format, but they specify what a WISP must address. When reviewing accounting firm WISP template examples, ensure each contains these mandatory sections tailored to your specific firm, not generic placeholder language.

Firm Identification and Designated Security Coordinator

Your WISP must identify your firm by legal name and designate a specific individual as the Information Security Coordinator (ISC). This person is accountable for maintaining the WISP, coordinating training, and managing incident response. For solo practitioners, the ISC is typically the preparer. For larger firms, it's usually a managing partner with direct authority over IT decisions.

Complete Inventory of Data and Systems

You cannot protect what you haven't identified. Your WISP must document every system where client data lives: tax software platforms like Drake, Lacerte, UltraTax CS, or ProSeries; cloud storage solutions; email platforms; local servers; backup drives; and mobile devices. For each system, identify who has access, under what conditions, and from which locations. This inventory also supports your client portal security documentation.

Written Risk Assessment with Specific Threats

The FTC Safeguards Rule explicitly requires a written risk assessment. Your assessment must identify reasonably foreseeable internal and external threats, evaluate likelihood and impact, document existing controls, and assign mitigation tasks with owners and deadlines. Threats specific to accounting firms include phishing campaigns targeting tax professionals, ransomware delivered through email attachments, credential stuffing against tax software portals, and physical theft of laptops during tax season travel.

Administrative, Technical, and Physical Safeguards

Your WISP must detail the specific controls protecting client data across three categories. Administrative safeguards include employee training programs, access management procedures, and incident response protocols. Technical safeguards cover encryption, access controls, and audit logging. Physical safeguards address facility security, device management, and secure disposal of sensitive materials. The IRS Written Information Security Plan guide provides additional detail on each safeguard category.

Vendor Management and Third-Party Security

If your firm uses cloud-based tax platforms, document management systems, or third-party IT providers, data flows through vendor systems outside your direct control. Your WISP must document how you vet vendors' security practices, what contractual provisions you require, and how you monitor ongoing compliance. Reference your cloud service providers' security certifications, such as SOC 2 Type II or ISO 27001:2022, directly in this section.

Common WISP Mistakes Accounting Firms Make

After reviewing dozens of WISPs from CPA firms and tax practices nationwide, several patterns of failure appear consistently. Avoid these mistakes when using accounting firm WISP template examples as your starting point.

Submitting an Unadapted Generic Template

The IRS provides a sample WISP through IRS Publication 5708, and many firms download that document and file it unchanged. A template with placeholder firm names, generic risk descriptions, and no reference to your actual systems is not a compliant WISP, it's a form. Regulators and auditors identify unadapted templates quickly. Your WISP must reflect the specific systems you use, the staff who have access, and the threats your practice realistically faces.

Treating the WISP as a Filing Cabinet Artifact

A WISP written in 2022 and never reviewed doesn't reflect your current systems, staff, or operating environment. If your firm adopted new tax software, moved to cloud storage, hired remote employees, or changed IT vendors since the plan was last updated, your document is materially inaccurate. The FTC Safeguards Rule requires periodic review and specifically mandates review after any security incident. Use the step-by-step WISP creation guide to build an annual review process into your calendar.

Missing Remote Work Security Policies

The shift to hybrid and remote work created security gaps many WISPs fail to address. If any staff access taxpayer data outside the office, including seasonal employees working from home, your WISP must address remote security explicitly with specific technical controls and monitoring procedures. See the remote work security guide for policy language you can adapt directly.

Inadequate Vendor Management Documentation

Many accounting firms rely on cloud-based tax platforms, online client portals, and third-party IT support. Each vendor that touches taxpayer data introduces risk your WISP must address. Document how you assessed each vendor's security before engaging them, what contractual security requirements you imposed, and how you monitor compliance over time. The tax client portal security guide covers vendor assessment criteria specific to common tax software providers.

2026 Filing Season Compliance Deadline

The IRS requires all tax preparers to have an updated, firm-specific WISP in place before the 2026 filing season begins. Firms operating without a compliant plan face potential PTIN suspension, FTC enforcement referrals, and civil penalties up to $250,000 per violation under the GLBA Safeguards Rule. Start your WISP development or annual review now, not during tax season when your staff is focused on client deadlines.

WISP Compliance Checklist for Accounting Firms

  • Designate a named Information Security Coordinator responsible for the WISP
  • Complete inventory of all systems storing or processing taxpayer data
  • Conduct and document a written risk assessment with specific, identified threats
  • Implement multi-factor authentication on all tax software and cloud systems
  • Deploy endpoint protection on all workstations and mobile devices
  • Establish secure backup procedures with offsite or cloud storage
  • Configure network firewalls with documented rule sets and annual review schedule
  • Enable full-disk encryption on all laptops and portable devices
  • Schedule annual employee security awareness training and document completion
  • Document incident response procedures with specific contact information
  • Establish vendor security assessment and monitoring procedures
  • Set up annual WISP review and update schedule

Operationalizing Your WISP: From Document to Practice

A WISP is a living document, not a one-time filing. Both the FTC Safeguards Rule and IRS guidance require that your security program be implemented, not merely written. Here's how to operationalize the key sections of your accounting firm WISP template after the document is complete.

Embed Access Controls Into Your Technology Stack

Rather than relying on policy reminders, build access control into your systems. Configure tax software and cloud storage to require multi-factor authentication at every login. Use group policy or mobile device management (MDM) to enforce password complexity and automatic screen-lock timeouts on all firm devices. Set up automated account deprovisioning workflows so that when an employee leaves, their system access is revoked simultaneously, not days later.

For password security across all firm accounts, see the best password managers for small practices and our guide to creating strong passwords that meet IRS recommendations.

Document Every Training Event with Verifiable Records

The IRS expects training records on request. Use a learning management system (LMS) or signed paper attendance sheets to document who completed training, what topics were covered, and the date. For phishing simulations, document click rates and the remediation steps taken with employees who failed the test. These records belong in your WISP appendix and should be updated after every training event. The phishing awareness guide covers simulation frameworks suitable for small tax practices.

Remote Work Requires Explicit Security Controls

Require all remote access to firm systems to occur through a firm-managed virtual private network (VPN). Personal devices used for work must meet the same security standards as firm-owned devices: full-disk encryption, MFA, and current patch levels. Our VPN selection guide covers recommended configurations you can reference directly in your WISP policy section. For seasonal employees who connect remotely only during tax season, consider issuing dedicated firm-managed devices rather than permitting personal device access.

Bottom Line

A WISP written but not implemented provides almost no legal protection. The FTC Safeguards Rule evaluates whether your security program is operational, not whether the document exists. Train your staff, configure your systems to enforce the policies you've documented, and test your incident response procedures before an actual breach forces you to improvise.

Structuring Your WISP Around the IRS Security Six

The IRS Security Six represent the baseline security measures every tax professional must implement. When developing your accounting firm WISP template, explicitly reference each by name, document the specific tools your firm uses to satisfy each requirement, and assign a named owner for each control. This approach aligns your WISP directly with IRS expectations and makes compliance verification straightforward during a review.

Here's how each of the Security Six maps to a WISP policy section:

  • Anti-virus software: Name the specific endpoint protection product deployed on all firm workstations and laptops, how it's updated, and who monitors alerts. Reference your device inventory as supporting documentation. See our comparison of EDR vs. MDR vs. XDR options for tax practices.
  • Firewalls: Document the firewall protecting your office network and any remote access gateway. Reference configuration standards and your annual review schedule.
  • Multi-factor authentication: Specify which systems require MFA, which MFA method is applied (authenticator app is preferred over SMS), and who manages account provisioning and deprovisioning.
  • Drive encryption: Name the encryption tool on every firm device. For Windows laptops, this is typically BitLocker; for macOS devices, FileVault. Document key storage location and the recovery procedure if a device is lost. Our guide to encryption vs. hashing explains the technical distinctions relevant to your policy language.
  • Backup and recovery: Define backup schedule, storage location (offsite or cloud), and your recovery time objective (RTO). The ransomware protection guide covers recommended backup architectures for firms of all sizes.
  • Phishing awareness training: Document training frequency, delivery method, and quarterly phishing simulation results. Include a log of completion dates in your WISP appendix.

A WISP that addresses each of the Security Six by name, rather than describing controls in abstract terms, provides a defensible, auditable document that maps directly to what the IRS expects to see during a compliance review. Our dedicated IRS cybersecurity requirements guide provides the full regulatory context behind each of these controls.

Get Your Free 2026 WISP Template

Our IRS-compliant WISP template is built specifically for tax preparers and accounting firms. Includes all required sections, firm-specific policy language, and a step-by-step implementation guide.

Advanced WISP Considerations for Growing Firms

As accounting practices grow beyond solo practitioners to multi-partner firms with remote staff, your WISP must address additional complexity. These advanced considerations distinguish thorough accounting firm WISP template examples from basic compliance documents.

Cloud Service Provider Security Assessment

When evaluating tax software vendors and cloud storage providers, your WISP should document specific security criteria. Look for SOC 2 Type II reports, which verify that service providers have implemented appropriate controls for security, availability, processing integrity, confidentiality, and privacy. For larger firms, require ISO 27001:2022 certification, which demonstrates a systematic approach to managing sensitive information. Document these assessments and keep copies of vendor security reports in your WISP appendix.

Segregation of Duties for Administrative Access

Firms with multiple staff members should implement segregation of duties for key security functions. No single individual should have unrestricted access to all client data, backup systems, and administrative controls simultaneously. Your WISP should document role-based access controls and require approval workflows for sensitive operations like data exports, system configuration changes, or user account modifications. This control directly addresses insider threat scenarios that the FTC Safeguards Rule risk assessment must cover.

Incident Response Testing and Documentation

Beyond documenting incident response procedures, your WISP should include an annual testing schedule. Conduct tabletop exercises that simulate realistic scenarios: a staff member receives a convincing phishing email, a laptop is stolen from a client site, or ransomware encrypts your tax software database. Document the results of these exercises and update your procedures based on identified gaps. Our incident response planning guide provides specific scenario templates for tax practices, including IRS notification timelines and state breach notification requirements.

For firms using multiple locations or extensive remote work arrangements, consider geographic risk factors. If your backup data is stored in a region prone to natural disasters, or if remote staff work from areas with unreliable internet connectivity, these factors should influence your business continuity planning within the WISP framework. See our guide on what to do after a data breach for post-incident documentation requirements.

Building Your WISP Implementation Timeline

Creating a compliant WISP is not a weekend project. Most accounting firms need 4-6 weeks to properly assess their current security posture, document required procedures, and implement missing technical controls. Start your WISP development process early in the calendar year, not during tax season when your staff is focused on client deadlines.

Consider using professional WISP template resources that provide firm-specific examples rather than generic checklists. Many successful accounting firm WISP template examples include detailed policy language for common tax practice scenarios: seasonal employee onboarding, client portal security, document retention schedules, and vendor management procedures. The Bellator WISP template for tax preparers covers each of these scenarios with editable policy sections.

Your completed WISP becomes the foundation for other security initiatives. Use it to guide technology purchasing decisions, evaluate insurance coverage adequacy, and establish security training curricula for your staff. The WISP guide for small tax firms provides detailed timelines and resource requirements for practices of different sizes.

WISP compliance is not a one-time achievement. The FTC Safeguards Rule requires regular updates, and the threat environment facing tax practices continues to evolve. Plan to review and update your WISP at least annually, and immediately after any security incident or significant change to your technology environment. For ongoing compliance support, the all-in-one compliance package includes annual WISP reviews, employee training, and managed endpoint protection.

Book a Free Tax Cybersecurity Assessment

Our security experts will evaluate your current WISP, identify compliance gaps, and provide a prioritized action plan for your firm.

Frequently Asked Questions

A Written Information Security Plan (WISP) is a formal document that defines how your firm protects client financial data. Under IRS Publication 4557 and the FTC Safeguards Rule, every tax preparer and accounting firm handling taxpayer data must maintain a compliant WISP, regardless of firm size or number of returns prepared annually. There is no minimum return threshold that exempts a preparer from this requirement.

The FTC Safeguards Rule requires you to review and update your WISP at least annually. You must also update it after any security incident, after significant changes to your systems or technology vendors, and after adding or removing staff with access to taxpayer data. An outdated WISP that no longer reflects your actual operating environment is considered non-compliant even if the document itself is thorough.

No. The IRS sample WISP provided in IRS Publication 5708 is a starting framework, not a complete compliant document. It must be customized to reflect your firm's legal name, specific systems, named staff roles, identified threats, and implemented controls. Filing an unmodified sample template is not compliant and regulators can identify generic templates quickly during an audit or enforcement review.

The FTC can impose civil penalties up to $250,000 per violation per day for willful noncompliance with the GLBA Safeguards Rule. The IRS may refer non-compliant preparers for FTC enforcement and can suspend PTIN registration. State attorneys general may also bring separate actions under state data security laws. Beyond regulatory penalties, firms without a WISP face significantly higher exposure in civil litigation following a breach because the absence of a security plan is evidence of negligence.

Yes. If any staff access taxpayer data outside the office, or if your firm uses cloud-based tax software, document management systems, or online client portals, your WISP must address these environments explicitly. Generic office-only policies are insufficient if your actual operations include remote employees or cloud platforms. The WISP must specify the technical controls, such as VPN requirements, MFA, and device encryption standards, that govern each access scenario.

The Information Security Coordinator (ISC) must be a named individual, not a job title or department. In solo practices, the preparer serves as their own ISC. In multi-partner firms, the ISC is typically a managing partner or office manager with direct authority over technology purchasing and IT vendor relationships. The ISC is accountable for keeping the WISP current, ensuring staff complete required training, and managing the firm's response to any security incident.

A WISP is the overarching security program document required by the IRS and FTC. It references and incorporates more specific policies, such as your password policy, remote access policy, and incident response plan, but those subordinate documents do not replace the WISP itself. Think of the WISP as the governing charter and the subordinate policies as the procedures that implement it. Both layers are needed for a complete, auditable security program.

There is no required page length. A compliant WISP for a solo practitioner might be 8-12 pages; a multi-partner firm with remote employees and multiple software platforms might produce a 25-40 page document. Length should be determined by the complexity of your operations, not a target page count. What matters is that every required section contains specific, accurate information about your firm, not generic placeholder language.

Incident response procedures can be included as a section of your WISP or maintained as a separate document that the WISP references. Either approach is acceptable, but the procedures must be detailed enough to be actionable under pressure. They should include specific contacts, notification timelines, containment steps, and IRS reporting procedures. Our incident response planning guide provides scenario-specific templates for tax practices.

Maintain written records of every training event: the date, topics covered, names of attendees, and the training delivery method (in-person, online, or video). For phishing simulations, record the simulation date, click rates, and any follow-up training provided to employees who failed the test. These records belong in your WISP appendix and should be updated after each training event. The IRS expects to see these records during a compliance review, so keep them organized and accessible.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.