WISP Checklist: Verify Your Tax Practice Is Compliant

Use this WISP checklist to verify your tax practice meets IRS Publication 5708 and FTC Safeguards Rule requirements. Free template included.


WISP Checklist: What Every Tax Preparer Must Verify in 2026

Tax preparers renewing their Preparer Tax Identification Number (PTIN) must attest on Form W-12, Line 11 that they maintain a Written Information Security Plan (WISP). False attestation constitutes perjury and can result in PTIN termination. With FTC penalties reaching $100,000 per violation and daily penalties of $43,000 for continued non-compliance, a thorough WISP checklist is the fastest way to verify your practice meets every federal requirement before the IRS checks for you.

This WISP checklist walks through each element required by IRS Publication 5708, the FTC Safeguards Rule, and the Gramm-Leach-Bliley Act (GLBA). Whether you run a solo practice or manage a multi-preparer firm, use it to identify gaps before regulators do.

A WISP is a written document that details how your business identifies, assesses, and manages cybersecurity risks to protect sensitive client information. It is not a one-time filing—it requires ongoing maintenance, annual review, and documented updates as threats and regulations evolve. For a deeper look at what a WISP includes, see our full guide to Written Information Security Plans.

WISP Compliance By The Numbers

  • $100K+: minimum FTC business penalty, per violation under the Safeguards Rule
  • $43K/day: ongoing violation cost, daily penalties for continued non-compliance
  • $4.88M: average data breach cost (IBM Cost of a Data Breach Report 2024)

Why WISPs Are Mandatory: The Regulatory Timeline

Understanding why your practice needs a WISP checklist starts with the regulatory framework that created these requirements. Data protection mandates for financial professionals have expanded steadily over three decades, and each new rule has added specific obligations that your Written Information Security Plan must address.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 first established standards for written security policies in healthcare, setting a precedent that later expanded to financial services. In 1999, Congress passed the Gramm-Leach-Bliley Act, requiring financial institutions—including tax preparers—to protect consumer financial information through written safeguards.

The Federal Trade Commission (FTC) introduced the Safeguards Rule in 2003, giving GLBA's requirements concrete enforcement teeth for non-bank financial institutions. The FTC amended the Safeguards Rule in 2021 to address modern technology, adding specific technical requirements including encryption, multi-factor authentication (MFA), and access controls. In 2023, the IRS began requiring tax practitioners to maintain a WISP as a condition of PTIN renewal. Most recently, in 2024, updated FTC data breach and security incident reporting requirements took effect, adding specific obligations for breach notification timing and content.

This regulatory progression means your WISP must satisfy multiple overlapping mandates simultaneously. A simple antivirus-and-password policy from a decade ago will not pass scrutiny. Your WISP checklist must address current IRS, FTC, and GLBA requirements together. For detailed guidance on the PTIN attestation requirement, read our PTIN WISP requirements guide.

2026 PTIN Renewal Attestation Requirement

When renewing your PTIN for the 2026 filing season, Form W-12 Line 11 requires you to attest under penalty of perjury that you maintain a compliant Written Information Security Plan. Firms without a documented WISP risk PTIN suspension, license revocation, and federal penalties starting at $10,000 for individuals and $100,000 for businesses.

Essential WISP Checklist for Federal Compliance

Operating without proper security documentation creates immediate legal exposure. Recent enforcement demonstrates that the IRS and FTC are treating WISP compliance as a priority, not a suggestion. Tax preparers lacking documentation face penalties starting at $10,000 for individuals and $100,000 for businesses, with daily penalties accumulating to $43,000 for continued violations. This enforcement reality affects unprepared practitioners nationwide.

Beyond regulatory penalties, insurance companies have refused to pay breach-related damages when the insured party lacked a WISP. Without documented security policies, your cyber insurance claim may be denied entirely—leaving your practice exposed to the full cost of breach notification, remediation, legal fees, and lost business. A thorough WISP checklist protects both your compliance status and your financial safety net.

Use the following checklist to verify your practice addresses every required element across IRS Publication 5708, the FTC Safeguards Rule, and GLBA mandates.

WISP Compliance Checklist: All Required Elements

  • Designate a Data Security Coordinator (DSC) responsible for WISP oversight and implementation
  • Appoint a Public Information Officer (PIO) as the single point of contact for breach communications
  • Complete a written risk assessment identifying all threats to client data confidentiality, integrity, and availability
  • Inventory all hardware and devices that store or process personally identifiable information (PII), including physical locations
  • Implement all IRS Security Six controls: antivirus, firewall, MFA, encryption, backup, and software updates
  • Document technical, administrative, and physical security safeguards for electronic and paper data
  • Create an incident response plan with specific breach notification procedures and escalation timelines
  • Require signed confidentiality agreements from all employees before granting data access
  • Establish written service provider oversight agreements with contractual security requirements
  • Set an implementation clause specifying effective date, annual review schedule, and update procedures
  • Maintain documented employee security training records with completion dates and test scores
  • Test security controls annually through vulnerability assessments and document all results

Six Required WISP Components Under IRS Publication 5708

IRS Publication 5708 defines six required components for every tax preparer's WISP. Your WISP checklist should verify each one is documented, current, and operational—not just written once and filed away. For step-by-step instructions on building your plan, see our guide on how to create a WISP.

1. Objective, Purpose, and Scope

Define what your WISP covers, which systems and data types fall under its protection, and the regulatory mandates it addresses. Catalog all taxpayer data types you collect—from basic identity information such as names, Social Security numbers, and addresses to financial records including W-2s, 1099s, and bank statements. Document the data flow through your systems, storage locations including cloud services, retention periods, and disposal methods ensuring complete destruction.

2. Designated Responsible Individuals

Every WISP must name two roles: a Data Security Coordinator (DSC) who oversees day-to-day security processes, and a Public Information Officer (PIO) who serves as the single point of contact for breach communications. In solo practices, both roles may fall to the practitioner, but the designations must still be documented in writing with clearly defined responsibilities.

3. Risk Assessment

Identify and evaluate threats to the confidentiality, integrity, and availability of client information. This includes internal risks such as employee errors and unauthorized access, external risks like phishing, ransomware, and social engineering attacks, and environmental risks including natural disasters and power failures. Document each identified risk, its likelihood, potential impact, and the controls you have in place to mitigate it.

4. Hardware Inventory

Maintain a complete inventory of every device that stores or processes Personally Identifiable Information (PII), including its physical location. This covers desktops, laptops, servers, tablets, smartphones, external drives, printers with storage, and any cloud-hosted infrastructure. Update this inventory whenever devices are added, replaced, or decommissioned.

5. Security Safeguards

Document the technical, administrative, and physical safeguards protecting client data. Technical safeguards include the IRS Security Six requirements detailed below. Administrative safeguards cover policies, training, and access management. Physical safeguards address facility access, device security, and document handling. See our IRS Publication 5708 sample WISP for example safeguard documentation you can adapt for your practice.

6. Implementation Clause

Specify when the WISP takes effect, the schedule for annual reviews, and the process for updates when threats or regulations change. This clause transforms your WISP from a static document into a living security program. Document who is responsible for triggering reviews and how changes are approved and communicated to all staff members.

WISP Implementation Steps

1. Audit Your Current State

Review existing security policies, controls, and documentation against IRS Publication 5708 and FTC Safeguards Rule requirements. Identify what you have, what's outdated, and what's missing entirely.

2. Designate Responsible Individuals

Appoint your Data Security Coordinator (DSC) and Public Information Officer (PIO) in writing. Define their responsibilities, authority, and reporting structure.

3. Complete Your Risk Assessment

Identify all threats to client data, evaluate likelihood and impact for each, and document existing controls alongside any gaps that need remediation.

4. Build Your Hardware Inventory

Catalog every device storing or processing PII (desktops, laptops, mobile devices, printers, cloud services), including physical locations and access permissions.

5. Document Security Safeguards

Write policies covering technical controls (IRS Security Six), employee training requirements, physical security measures, and third-party vendor management procedures.

6. Implement Controls and Train Staff

Deploy any missing technical controls, conduct employee security training, and obtain signed confidentiality agreements and training completion acknowledgments.

7. Test, Review, and Schedule Annual Updates

Conduct vulnerability assessments, verify control effectiveness, document results, and set your annual review calendar to maintain ongoing compliance.

FTC Safeguards Rule: Nine Mandatory Elements

The FTC Safeguards Rule applies to all non-bank financial institutions, including tax preparers, CPAs, and accounting firms. Your WISP checklist must verify compliance with all nine elements the rule mandates. For a full breakdown of each requirement, see our FTC Safeguards Rule guide for tax preparers.

Testing, Training, and Monitoring

Annual testing validates that your security controls actually work as intended. This includes vulnerability assessments and, depending on your firm's size and risk profile, penetration testing. Document all test results thoroughly—they serve as primary evidence of active compliance during audits and regulatory inquiries.

Training extends well beyond basic security awareness. Your program must include specialized education for your designated security coordinator, role-specific instruction for employees with elevated data access, and detailed completion tracking for every participant. Every team member needs education covering password policies, phishing recognition, data handling procedures, and incident reporting protocols. Provide training during onboarding, conduct annual refreshers, and document everything. Monthly phishing simulations and quarterly knowledge assessments identify gaps before they become breach vectors. For guidance on building effective programs, see our security awareness training guide for tax firms.

Monitoring requires a permanent shift from periodic reviews to ongoing vigilance. Review security events regularly, update controls in response to emerging threats, and adjust your security posture as your practice evolves. Continuous monitoring means your security program adapts in real time rather than waiting for the next annual review to catch problems.

Service Provider Oversight

FTC requirements demand thorough oversight of all service providers accessing customer information. Evaluate each provider's security posture before engagement, require contractual protections that match your own obligations, conduct regular assessments of their compliance, and document all oversight activities. Create a complete service provider inventory covering every vendor—from cloud storage and tax software platforms to IT support and document destruction services. The FTC specifically requires written agreements addressing security requirements with each service provider.

Incident Response

Your incident response plan must address multiple breach scenarios, establish clear escalation procedures, define team member roles, and include required legal reporting timelines. Test the plan through tabletop exercises at least annually. Document lessons learned from each exercise and update procedures based on findings. The 2024 FTC reporting requirements add specific obligations for breach notification timing and content that your plan must account for.

Why This Matters

Insurance companies have denied breach-related claims from firms that lacked a Written Information Security Plan. Without documented security policies, your cyber insurance may not cover breach costs—even if you have been paying premiums for years. A complete WISP checklist protects both your regulatory compliance status and your insurance coverage, ensuring you are not left paying out of pocket for a breach your policy should have covered.

Technical Security Controls and the IRS Security Six

IRS Publication 5708 establishes six minimum technical requirements known as the Security Six. These are baseline requirements—not aspirational goals—and your WISP checklist should verify each is fully implemented across all systems that handle taxpayer data.

The Security Six requirements are: professional-grade antivirus protection on every device, properly configured firewalls separating your network from the internet, two-factor authentication on all tax software and email accounts, data encryption for files both in transit and at rest, reliable and regularly tested backup systems, and current software with security patches applied promptly. These represent the minimum standard. Practices handling large volumes of returns or storing data across multiple locations should implement additional protections beyond these baseline requirements.

Access Controls

Implement role-based access ensuring employees can only reach the data they need for their specific job functions. Use unique credentials for every user with no shared logins under any circumstances. Enforce strong password policies with minimum length and complexity requirements, and enable automatic account lockout after failed login attempts. Maintain access logs showing who accessed what data and when—these logs become essential evidence during both audits and breach investigations.
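As an added example (not part of this article and not Bellator Cyber Guard's code), the following Python sketch shows how the access-control items in this section translate into enforceable logic: unique credentials, a password policy, automatic lockout after repeated failed logins, role-based access to data categories, and an access log that records every decision. The roles, data categories, and thresholds (five failures in a 15-minute window, 12-character minimum password) are assumptions chosen for illustration; the article and IRS Publication 5708 do not prescribe those specific numbers.

```python
"""Access-control policy engine for a small tax practice (added example).

Implements: unique credentials, password policy, lockout after repeated
failures, role-based data access, and an access log of every decision.
Thresholds and roles below are assumptions, not regulatory figures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import hmac
import secrets

# Role-based access: which data categories each role may read (assumed roles)
ROLE_PERMISSIONS = {
    "preparer": {"returns", "w2", "1099"},
    "reception": {"contact"},
    "dsc": {"returns", "w2", "1099", "contact", "access_log"},
}

MIN_PASSWORD_LENGTH = 12                 # assumed policy minimum
LOCKOUT_THRESHOLD = 5                    # assumed: failures before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed: window and lockout length


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus upper, lower and digit character classes."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def hash_password(pw: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-SHA256; never store the plaintext password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    digest: bytes
    failures: List[datetime] = field(default_factory=list)  # recent failed logins
    locked_until: Optional[datetime] = None


class AccessController:
    def __init__(self):
        self.users = {}
        self.access_log = []  # (timestamp, user, action, target, outcome)

    def _log(self, when, user, action, target, outcome):
        self.access_log.append((when.isoformat(), user, action, target, outcome))

    def add_user(self, username, role, password):
        if username in self.users:
            raise ValueError("credentials must be unique; no shared logins")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[username] = User(username, role, salt, digest)

    def login(self, username, password, now):
        """Return True on success; enforce the lockout rule on failures."""
        user = self.users.get(username)
        if user is None:
            self._log(now, username, "login", "-", "unknown_user")
            return False
        if user.locked_until and now < user.locked_until:
            self._log(now, username, "login", "-", "locked")
            return False
        _, digest = hash_password(password, user.salt)
        if hmac.compare_digest(digest, user.digest):
            user.failures.clear()
            self._log(now, username, "login", "-", "success")
            return True
        # keep only failures inside the window, then add this one
        user.failures = [t for t in user.failures if now - t < LOCKOUT_WINDOW] + [now]
        if len(user.failures) >= LOCKOUT_THRESHOLD:
            user.locked_until = now + LOCKOUT_WINDOW
            self._log(now, username, "login", "-", "failed_lockout")
        else:
            self._log(now, username, "login", "-", "failed")
        return False

    def access(self, username, category, now):
        """Role-based read check; every decision is logged, allowed or not."""
        user = self.users[username]
        allowed = category in ROLE_PERMISSIONS[user.role]
        self._log(now, username, "read", category, "allowed" if allowed else "denied")
        return allowed


def run_demo():
    """Walk the policy through constructed users and events; returns results."""
    ac = AccessController()
    t0 = datetime(2026, 1, 15, 9, 0, 0)  # constructed timestamp
    ac.add_user("jsmith", "preparer", "Tax-Season-2026!")
    ac.add_user("front", "reception", "Welcome-Desk-99!")
    results = {"shared_login_rejected": False}
    try:
        ac.add_user("jsmith", "reception", "Another-Pass-123")  # duplicate login
    except ValueError:
        results["shared_login_rejected"] = True
    results["weak_password_rejected"] = not password_meets_policy("password1")
    for i in range(5):  # five wrong passwords inside the window -> lockout
        ac.login("jsmith", "wrong", t0 + timedelta(minutes=i))
    results["locked_after_5"] = ac.login("jsmith", "Tax-Season-2026!", t0 + timedelta(minutes=6)) is False
    results["unlocked_after_window"] = ac.login("jsmith", "Tax-Season-2026!", t0 + timedelta(minutes=25))
    results["preparer_reads_returns"] = ac.access("jsmith", "returns", t0 + timedelta(minutes=26))
    results["reception_denied_returns"] = not ac.access("front", "returns", t0 + timedelta(minutes=27))
    results["log_entries"] = len(ac.access_log)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `run_demo()` to step through the constructed events. In a real practice these checks live in the tax software's identity provider or directory service rather than in custom code, and the access log should be written to storage that staff cannot edit, since it is the evidence auditors and breach investigators will ask for.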

Physical Security

Physical security protects client data through controlled office access using locks, key cards, or biometric systems. Secure server rooms and storage areas with additional layers of protection beyond standard office locks. Install cameras at entry points and maintain visitor logs documenting everyone who enters areas where client data is stored or processed. Implement clean desk policies requiring all documents and screens to be secured when employees leave their workstations. These visible measures also demonstrate security awareness to visiting clients and build confidence in your practice.

Device and Document Security

Lock unattended workstations with automatic screen timeouts set to 15 minutes or less. Secure portable devices with cable locks when stationary and encrypt all mobile devices including smartphones used for work purposes. Paper documents require equal protection: locked filing cabinets, written retention policies specifying how long records are kept, and cross-cut shredders for secure disposal. Maintain documented procedures for device decommissioning, ensuring all data is wiped before disposal or recycling using methods that meet NIST SP 800-88 standards.

Employee Security, Client Communication, and Vendor Management

Your WISP checklist must address the human elements of security—employee conduct, client interactions, and third-party vendor relationships. According to the Verizon Data Breach Investigations Report, the majority of successful breaches involve a human element, making these areas as important as any technical control you deploy.

Employee Requirements

The IRS expects documented employee measures including background checks for personnel with data access, signed confidentiality agreements before granting system access, completed security training records with dates and scores, detailed access control procedures defining who can access specific data categories, and termination checklists ensuring all access is revoked immediately when employees leave. Human error remains the leading cause of data breaches in small firms, making ongoing education your primary defense against both accidental exposure and social engineering attacks.

Secure Client Communication

Establish specific protocols for all client interactions involving sensitive data. Use encrypted email for transmitting tax documents, deploy secure client portals with strong authentication for document exchange, and maintain documented file-sharing procedures. Verify client identity before disclosing information during phone or in-person interactions. Never send Social Security numbers, financial statements, or tax returns via unencrypted email; that one violation alone can trigger FTC enforcement action.

Third-Party Vendor Oversight

Your compliance obligations extend to every vendor that touches client data. Create a complete service provider inventory covering cloud storage, tax software providers, IT support, payroll processors, and document destruction services. Require contractual safeguards mandating equivalent security standards and conduct annual compliance monitoring. Document vendor evaluation processes, ongoing relationship monitoring, and specific procedures for handling security incidents involving vendor systems. An employee code of conduct should also address how staff interact with vendor platforms and what data they are authorized to share.

Need a Complete WISP for Your Tax Practice?

Bellator Cyber Guard has helped thousands of tax professionals build compliant Written Information Security Plans that satisfy IRS Publication 5708 and FTC Safeguards Rule requirements.

Return on Investment and Getting Started

While WISP implementation requires investment, the returns far exceed the costs when measured against potential losses. FTC penalties alone start at $100,000 for businesses—immediately exceeding years of security program investment. The IBM Cost of a Data Breach Report puts the average breach cost at $4.88 million when factoring in notification, remediation, legal fees, and lost business. Even a fraction of that figure would devastate most tax practices.

Beyond avoiding losses, a well-documented WISP provides tangible business advantages. Clients increasingly expect their tax preparer to demonstrate data protection, making your security program a competitive differentiator when prospects compare firms. Cyber insurance premiums decrease with documented security programs and annual testing. Operational efficiency improves through standardized procedures, and your practice becomes more resilient against the growing wave of cyberattacks targeting tax firms.

Getting started does not require overhauling your entire practice overnight. Begin by downloading a free WISP template to establish your baseline documentation. Complete the risk assessment, designate your responsible individuals, and address the most significant gaps first. Build momentum with quarterly milestones rather than attempting everything at once.

Building a Security Culture

Long-term success requires embedding security into your practice culture. Security becomes everyone's responsibility through regular training, consistent policy enforcement, and visible management commitment. Celebrate successes—strong phishing simulation results, clean audit findings—to make security a positive part of your firm's identity rather than a burden.

Measuring Effectiveness

Track meaningful metrics to ensure your WISP remains effective rather than becoming shelf-ware. Monitor incident frequency, training completion rates, patch implementation timelines, vulnerability assessment findings, and audit results. Analyze trends to identify improvement opportunities and use the data to justify continued security investment to firm leadership. Regular measurement transforms your WISP from a compliance checkbox into a genuine security program that protects your clients and your practice.

Bottom Line

Every tax preparer handling client data must maintain a current, documented WISP that satisfies IRS Publication 5708, the FTC Safeguards Rule, and GLBA requirements. Use this WISP checklist to verify each required element is in place, assign a Data Security Coordinator and Public Information Officer, and schedule annual reviews. The cost of compliance is a fraction of the cost of a single penalty or breach.

Book a Free WISP Compliance Assessment

Our security team will evaluate your current Written Information Security Plan against IRS and FTC requirements and identify exactly where your practice has gaps.

Frequently Asked Questions

A Written Information Security Plan (WISP) is a documented security program that details how your business identifies, assesses, and manages cybersecurity risks to protect sensitive client information. Every tax preparer, CPA, enrolled agent, and accounting professional who handles taxpayer data and maintains a PTIN is required to have a WISP under the Gramm-Leach-Bliley Act, the FTC Safeguards Rule, and IRS regulations. This applies to solo practitioners and large firms alike.

Penalties for non-compliance are severe. Under the FTC Safeguards Rule, businesses face fines starting at $100,000 per violation, with daily penalties of up to $43,000 for continued non-compliance. Individual tax preparers face fines starting at $10,000. Beyond financial penalties, false attestation on Form W-12 Line 11 during PTIN renewal constitutes perjury and can result in PTIN suspension or revocation. Insurance companies have also denied breach-related claims from firms lacking a documented WISP.

IRS Publication 5708 requires six components: (1) Objective, Purpose, and Scope defining what the WISP covers; (2) Designated Responsible Individuals including a Data Security Coordinator and Public Information Officer; (3) a written Risk Assessment; (4) a complete Hardware Inventory of all devices processing PII; (5) documented Security Safeguards covering technical, administrative, and physical controls; and (6) an Implementation Clause with effective date and annual review schedule.

You should review and update your WISP at least annually, as required by both the IRS and FTC Safeguards Rule. Additional updates are necessary whenever you experience a security incident, add new technology or systems, change vendors who access client data, hire or terminate employees with data access, or when new regulations take effect. Document every review and update with dates and the name of the person responsible.

Yes. The FTC Safeguards Rule applies to all non-bank financial institutions, which includes tax preparers, CPAs, enrolled agents, and accounting firms. The rule requires nine specific elements in your information security program, including risk assessment, access controls, encryption, multi-factor authentication, employee training, service provider oversight, incident response planning, and regular testing. The 2021 amendments added specific technical requirements, and 2024 updates added breach reporting obligations.

The IRS Security Six are six minimum technical controls every tax preparer must implement: (1) professional-grade antivirus software on all devices, (2) properly configured hardware and software firewalls, (3) two-factor or multi-factor authentication on all tax software and email, (4) encryption for data in transit and at rest, (5) reliable and regularly tested data backup systems, and (6) current software with timely security patch installation. These are baseline requirements, not optional recommendations.

Potentially not. Insurance companies have refused to pay breach-related damages when insured parties lacked a documented WISP. Your cyber insurance policy likely includes conditions requiring you to maintain reasonable security measures, and the absence of a WISP may be considered a failure to meet those conditions. Having a complete, current WISP strengthens your insurance claim position and may also qualify you for lower premiums.

Templates are an effective starting point recommended by both the IRS and industry security professionals. A quality WISP template covers all required IRS Publication 5708 and FTC Safeguards Rule elements, saving significant time compared to building from scratch. However, you must customize the template to reflect your specific practice—your actual systems, data flows, employee roles, vendors, and risk profile. A generic, uncustomized template will not satisfy compliance requirements. Bellator Cyber Guard offers a free WISP template for tax preparers that covers all federal requirements.
