
Tax preparers in 2025 need a comprehensive WISP compliance checklist to meet strict federal requirements for protecting client data. With penalties reaching $100,000 per violation and active IRS enforcement, implementing proper security documentation isn't optional—it's a legal necessity under the Gramm-Leach-Bliley Act and FTC Safeguards Rule.
This WISP compliance checklist provides actionable steps to achieve full compliance while protecting your practice from devastating penalties. Whether managing a solo practice or larger firm, these requirements ensure you meet all federal mandates outlined in IRS Publication 5708 and current FTC regulations.
Key Takeaway
Verify that your Written Information Security Plan covers all IRS requirements. This printable WISP compliance checklist for tax preparers includes a scoring guide.
WISP Compliance By The Numbers
$100,000 per violation for businesses
$43,000 per day for continued violations
$4.35 million average data breach cost, including remediation and legal fees
Essential WISP Compliance Checklist for Federal Requirements
Operating without proper security documentation creates immediate legal exposure. When renewing your PTIN, Form W-12 Line 11 requires attestation that you maintain compliant security measures. False attestation constitutes fraud with criminal penalties beyond financial consequences.
Recent enforcement demonstrates serious regulatory commitment. Tax preparers lacking proper documentation face penalties starting at $10,000 for individuals and $100,000 for businesses. Daily penalties accumulate to $43,000 for continued violations. This enforcement reality affects unprepared practitioners nationwide.
Risk Assessment Implementation Steps
Conduct Initial Assessment: Examine internal and external risks to customer information
Document Identified Threats: Catalog all potential security threats and vulnerabilities
Prioritize by Impact: Rank threats by likelihood and potential damage
Schedule Annual Reviews: Establish regular assessment updates and reviews
Update for Changes: Revise assessments when technology or processes change
Employee Training and Security Awareness
Every team member requires comprehensive security education covering password policies, phishing recognition, data handling procedures, and incident reporting. Provide training during onboarding, conduct annual refreshers, and document completion for compliance records.
Regular knowledge testing ensures training effectiveness. Monthly phishing simulations, quarterly security assessments, and annual comprehensive evaluations identify knowledge gaps requiring additional education. Human error causes most data breaches, making ongoing education your primary defense.
Third-Party Vendor Management
Your compliance obligations extend to every vendor accessing client data. Create comprehensive service provider inventories from cloud storage to document destruction services. Require contractual safeguards mandating equivalent security standards and conduct annual compliance monitoring.
Document vendor oversight procedures including evaluation processes, relationship monitoring, and security incident responses. The FTC specifically requires written agreements addressing security requirements with service providers.
For detailed vendor management guidance, explore our cybersecurity solutions for tax professionals.
Technical Security Controls
Access Control Implementation: Unique user IDs, 12-character minimum passwords, multi-factor authentication on critical systems
Data Encryption Standards: Industry-standard encryption for stored and transmitted data using TLS 1.2 or higher
Network Security Architecture: Business-grade firewalls, network segmentation, traffic monitoring, quarterly vulnerability scans
Endpoint Protection: Comprehensive antivirus, automatic updates, behavioral analysis, ransomware protection
Access Control Best Practice
Review access permissions quarterly, ensuring employees have only the system access their role requires. Remove or modify access immediately when employees leave or change roles; lingering accounts are a common source of unauthorized data exposure.
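The quarterly review described above is easy to state and easy to skip. The following script is an added example (not part of this checklist or any IRS/FTC material) showing how a small practice can run the review against an access inventory. It checks each account against the controls listed in this section: a 12-character minimum password policy, MFA on critical systems, access limited to a per-role baseline, no access for terminated or unknown users, and a 90-day review cadence. The employee roster, the inventory, the role baseline and all field names are constructed assumptions for illustration.

```python
"""Quarterly access review: flag stale and non-compliant accounts.

Added example. The roster, inventory and role baseline below are
constructed sample data; every field name is an assumption.
"""
from dataclasses import dataclass
from datetime import date

# Policy values taken from the checklist: 12-character minimum passwords,
# MFA on critical systems, quarterly (90-day) access reviews.
MIN_PASSWORD_LENGTH = 12
REVIEW_INTERVAL_DAYS = 90


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Access:
    user_id: str
    system: str
    critical: bool            # system holds client tax data
    mfa_enabled: bool
    min_password_length: int  # length enforced by that system's policy
    last_reviewed: date


# Least-privilege baseline: which systems each role legitimately needs
# (constructed for this example).
ROLE_BASELINE = {
    "preparer": {"tax-software", "client-portal", "email"},
    "admin": {"tax-software", "client-portal", "email", "file-server"},
    "reception": {"email", "scheduling"},
}


def review_access(employees, inventory, today):
    """Return (user_id, system, finding) tuples for the reviewer to act on."""
    by_id = {e.user_id: e for e in employees}
    findings = []
    for a in inventory:
        emp = by_id.get(a.user_id)
        if emp is None:
            findings.append((a.user_id, a.system, "orphaned account: no matching employee"))
            continue
        if emp.status == "terminated":
            findings.append((a.user_id, a.system, "terminated employee still has access"))
            continue
        if a.system not in ROLE_BASELINE.get(emp.role, set()):
            findings.append((a.user_id, a.system, f"access outside role baseline for {emp.role}"))
        if a.critical and not a.mfa_enabled:
            findings.append((a.user_id, a.system, "critical system without MFA"))
        if a.min_password_length < MIN_PASSWORD_LENGTH:
            findings.append((a.user_id, a.system,
                             f"password policy below {MIN_PASSWORD_LENGTH} characters"))
        if (today - a.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((a.user_id, a.system, "review overdue (quarterly cadence)"))
    return findings


# Constructed sample roster and access inventory.
SAMPLE_EMPLOYEES = [
    Employee("alice", "preparer", "active"),
    Employee("bob", "reception", "active"),
    Employee("carol", "preparer", "terminated"),
]
SAMPLE_INVENTORY = [
    Access("alice", "tax-software", True, True, 12, date(2025, 2, 1)),   # compliant
    Access("alice", "file-server", True, True, 14, date(2025, 2, 1)),    # not in preparer baseline
    Access("bob", "email", False, False, 8, date(2024, 10, 1)),          # weak policy, overdue
    Access("carol", "tax-software", True, True, 12, date(2025, 2, 1)),   # terminated user
    Access("dave", "client-portal", True, False, 12, date(2025, 2, 1)),  # no such employee
]


def sample_findings():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_INVENTORY, date(2025, 3, 15))


if __name__ == "__main__":
    for user, system, finding in sample_findings():
        print(f"{user:8} {system:14} {finding}")
```

Each finding maps to a documented action (remove the account, enable MFA, raise the policy, or record the review date), and the printed report itself becomes part of the compliance records the checklist asks you to keep. Swapping the constructed lists for an export from your identity provider or tax software is the only change needed to use it for real.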
Physical Security Measures
Facility Access Controls
Physical security protects client data through controlled office access using locks, key cards, or biometric systems. Secure server rooms and storage areas with additional protection, install entry point cameras, and maintain visitor logs.
Implement clean desk policies requiring document security when employees leave workstations. This prevents unauthorized information viewing and demonstrates security awareness to visiting clients. Document physical security procedures including access management and breach responses.
Device and Document Security
Security plans must address electronic devices and paper documents containing client information. Lock unattended workstations with automatic timeouts, secure portable devices that stay at a fixed workstation with cable locks, and encrypt mobile devices including smartphones.
Paper documents require equal attention through locked filing cabinets, retention policies specifying record-keeping periods, and cross-cut shredders for secure disposal. Control document reproduction and maintain secure mail handling procedures.
Learn about incident response requirements in our cybersecurity compliance guide.
FTC Safeguards Rule: Nine Mandatory Elements
Qualified Individual: Designated security officer with documented qualifications
Risk Assessments: Identify threats and evaluate existing controls
Safeguard Design: Implement access controls and encryption
Regular Testing: Validate security control effectiveness
Staff Training: Comprehensive security education programs
Service Provider Oversight: Monitor vendor security compliance
Program Evaluation: Assess effectiveness based on results
Incident Response: Detailed breach response procedures
Annual Reporting: Leadership reporting on program status
Testing, Training, and Monitoring
Annual testing validates security control effectiveness through vulnerability assessments and penetration testing when required. Document all results for compliance demonstration.
Training extends beyond basic awareness to specialized education for security officers, comprehensive staff programs, role-specific instruction for elevated access personnel, and detailed completion tracking.
Continuous monitoring represents a fundamental shift from periodic reviews to ongoing vigilance. Monitor systems in real time, review security events daily, update controls for emerging threats, and adjust your security posture as needed.
Service Provider Oversight Requirements
FTC requirements extend to comprehensive oversight of all service providers accessing customer information. Evaluate provider security before engagement, require contractual protections matching your obligations, conduct regular assessments, and document oversight activities.
Incident response obligations include detailed plans addressing various scenarios, regular testing through exercises, required legal reporting, and improvement based on lessons learned.
For complete FTC implementation guidance, see our detailed compliance resource.
IRS Security Six Requirements
Professional Antivirus: Business-grade protection with real-time monitoring
Configured Firewalls: Properly set up network security barriers
Two-Factor Authentication: Multi-factor access controls on all systems
Data Encryption: Protection for stored and transmitted data
Reliable Backups: Automated, tested data recovery systems
Security Updates: Regular patching and system maintenance
IRS Publication 5708 Requirements
Data Security Plan Components
IRS Publication 5708 provides the blueprint for tax professional requirements. Catalog all taxpayer data types collected, from basic identity to complex financial records. Document data flow through systems, identify storage locations including cloud services, track retention periods, and map disposal methods that ensure complete destruction.
Security measures must address all IRS Security Six requirements: professional-grade antivirus, properly configured firewalls, two-factor authentication, data encryption, reliable backups, and regular security updates. These represent minimum requirements, not optional enhancements.
Employee Security and Client Communication
The IRS expects robust employee measures including background checks for data access personnel, signed confidentiality agreements before system access, documented security training completion, detailed access control procedures, and comprehensive termination checklists.
Secure client communication requires specific protocols: encrypted email for sensitive data, client portals with strong authentication, documented file sharing procedures, identity verification for interactions, and appropriate communication channel encryption.
Professional Support Options
Complex requirements often benefit from professional support. Cybersecurity consultants specializing in tax practices understand unique industry requirements. Compliance attorneys familiar with GLBA provide legal guidance. IT managed service providers offer technical implementation and ongoing support.
Invest in appropriate professional support based on practice complexity and internal capabilities. Document engagements, recommendations, and implementation decisions.
Return on Investment
While implementation requires investment, the returns far exceed the costs when potential losses are considered. FTC penalties start at $100,000, immediately exceeding years of security investment. Data breaches average $4.35 million including notification, remediation, legal fees, and lost business.
Beyond avoiding losses, proper security provides competitive advantages. Clients increasingly expect robust protection, making security a differentiator. Cyber insurance premiums decrease with documented programs. Operational efficiency improves through standardized procedures.
Getting Started Today
Download Free Resources: Get our IRS-compliant template and assessment tools
Assess Current Security: Identify gaps and prioritize critical vulnerabilities
Implement High-Impact Items: Focus on encryption, access controls, and training
Document Everything: Record all measures, even temporary solutions
Build Security Culture: Make security everyone's responsibility
Long-Term Success
Building Security Culture
Long-term success requires a security-conscious culture throughout your practice. Security becomes everyone's responsibility through regular training, consistent enforcement, and management commitment. Celebrate successes, such as improved phishing test results, so that security is seen as positive rather than punitive.
Document culture-building through training attendance, awareness communications, and policy acknowledgments. These records demonstrate ongoing commitment beyond initial implementation.
Adapting to Evolution
Your security program must evolve continuously as threats advance and regulations expand. Monitor emerging threats through industry publications and professional networks. Track regulatory changes at federal and state levels, adjusting the program before non-compliance develops.
Document adaptation processes including intelligence sources, regulatory updates, and program modifications. This demonstrates proactive management rather than reactive scrambling.
Measuring Effectiveness
Regular measurement ensures the program stays effective rather than becoming shelf-ware. Track metrics including incident frequency, training completion, patch implementation, and audit findings. Analyze trends to identify improvement opportunities while celebrating successes.
Use metrics to justify security investments, demonstrate compliance effectiveness, and identify areas needing attention. Regular management reporting ensures ongoing support and resource allocation.