Tax & IRS Compliance | 47 min read

WISP Checklist for CPA Firms: 2026 IRS Compliance Guide

Use our step-by-step WISP checklist for CPA firms to meet IRS Publication 4557 and FTC Safeguards Rule mandates. Get your free 2026 template today.

Bellator Cyber Guard

Why Every CPA Firm Needs a WISP—and a Checklist to Build One Right

If your firm handles federal tax returns, you are legally required to maintain a Written Information Security Plan (WISP). Under IRS Publication 4557 and the Federal Trade Commission (FTC) Safeguards Rule (16 C.F.R. Part 314), any tax preparer or accounting professional who receives, maintains, processes, or transmits taxpayer information must document exactly how they protect it—in writing, with specifics.

Yet many CPA firms still operate without a current, implemented WISP, and that gap is one attackers actively exploit. A single compromised preparer account gives criminals access to dozens or hundreds of client tax files, enabling refund fraud at scale. The consequences extend well beyond the breach itself: IRS sanctions, FTC enforcement actions, EFIN suspension, and civil liability all become live risks the moment you process client data without a documented security program.

This guide gives you a detailed, actionable WISP checklist for CPA firms built around IRS Publication 4557, the Gramm-Leach-Bliley Act (GLBA), and the NIST Cybersecurity Framework. Whether you are drafting your first WISP or auditing an existing plan before filing season, every required element is covered here with implementation-level specificity.

If you want to start from a pre-built document, our free 2026 WISP template for tax professionals is ready to customize. For a plain-language explanation of what the IRS expects, see the IRS WISP requirements overview before working through this checklist.

Tax Cybersecurity: The Numbers Behind the Risk

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 194 days: average time to identify a breach (IBM Cost of a Data Breach Report 2024)
  • 68%: share of breaches involving a human element (Verizon Data Breach Investigations Report 2024)

The Legal Basis: What Actually Requires a WISP for CPA Firms

Before working through the checklist, understanding the overlapping legal mandates that drive the WISP requirement prevents the common mistake of treating it as an IRS-only obligation.

IRS Publication 4557 and the FTC Safeguards Rule

IRS Publication 4557 directs tax preparers to implement a WISP aligned with the FTC Safeguards Rule. The amended Safeguards Rule (published in December 2021, with its new prescriptive requirements in force since June 2023) applies to any financial institution that is "significantly engaged" in providing financial products or services, and the FTC's definition of financial institution explicitly includes tax preparers. The amended rule requires covered entities to designate a Qualified Individual to oversee the program, produce a written risk assessment, implement specific technical controls (access controls, encryption, MFA, logging), and test those controls. These are enforceable requirements, not recommendations. One caveat matters for small practices: 16 C.F.R. § 314.6 exempts firms that hold customer information on fewer than 5,000 consumers from four provisions (the written risk assessment, annual penetration testing with semiannual vulnerability assessments, the written incident response plan, and the annual report to the board). Those firms must still maintain a written program and implement the safeguards, and the IRS sample WISP still includes a risk assessment and a data breach response section, so this checklist treats both as required for every firm. See our IRS Publication 4557 guide for a section-by-section breakdown.

Gramm-Leach-Bliley Act (GLBA)

The GLBA is the federal statute under which the FTC issued the Safeguards Rule. It requires financial institutions, CPA firms included, to protect the security and confidentiality of customer financial information. The penalty figures commonly cited for GLBA violations run to $100,000 per violation for the institution, with responsible officers facing personal liability. The Safeguards Rule also requires you to oversee your service providers: select providers capable of maintaining appropriate safeguards, contractually require them to do so, and periodically assess them.

State-Level Data Security Laws

Federal requirements set the floor. States impose additional mandates that apply based on where your clients reside, not where your firm is located. California (CCPA/CPRA), New York (SHIELD Act), Massachusetts (201 CMR 17.00), and more than a dozen other states have their own breach notification timelines and security requirements. A properly constructed WISP checklist for CPA firms that satisfies the FTC Safeguards Rule will address most state-level obligations as well. For a detailed breakdown of enforcement history and penalty structures, see our FTC Safeguards Rule guide for tax preparers.

How to Build Your WISP: 8 Required Implementation Steps

1. Designate a Qualified Individual (WISP Coordinator)

Assign one person—owner, partner, or IT lead—as your WISP coordinator. This individual owns the program, approves updates, and serves as the primary contact during a security incident. For solo practitioners, this is you. The designation must be documented in the WISP.

2. Conduct a Written Risk Assessment

Identify every location where client data exists: workstations, servers, cloud storage, mobile devices, and paper files. Document each threat to each location, rate likelihood and impact, and identify existing controls and the residual risk that remains. The FTC Safeguards Rule requires this assessment in writing for firms above the 5,000-consumer threshold; smaller firms are exempt from the written form but not from assessing risk, and a written assessment is the only version you can show an examiner or an insurer. Write it down.

3. Inventory and Classify All Data Assets

List every system, application, and third-party service that touches taxpayer data. Classify data by sensitivity: Social Security numbers, bank account details, and Employer Identification Numbers (EINs) sit in the highest tier and require the strongest controls.

4. Implement and Document Technical Safeguards

Deploy endpoint protection, full-disk encryption, multi-factor authentication (MFA) on all remote access, and email filtering. Document every tool by name, configuration, and update schedule in a WISP appendix. Specificity is what differentiates a compliant WISP from a generic one.

5. Establish Access Controls and Least Privilege

Restrict data access to only those employees who need it for their assigned job function. Create role-based access groups, eliminate shared accounts, and log all access to sensitive systems. Document the process for revoking access when an employee departs.

6. Build an Employee Training Program

Schedule annual security awareness training and document completion records. Training must cover phishing recognition, password hygiene, physical security practices, and the incident reporting procedure. Keep attendance and completion records in the WISP appendix.

7. Create a Written Incident Response Plan

Define exactly what happens when a breach occurs: who is notified and when (report a suspected taxpayer data theft to the IRS within 24 hours, counted from the moment you reasonably believe it occurred, not from the end of your investigation), how evidence is preserved, and how affected clients are informed. This plan must be tested, not just written.

8. Schedule Annual Review and Control Testing

The WISP must be reviewed at least annually and after any material change—new software, new staff, office relocation, or a security incident. Document penetration test or tabletop exercise results in writing and update the WISP to reflect findings.

The Complete WISP Checklist for CPA Firms: Section by Section

The following checklist maps directly to the sections your WISP document must contain under IRS Publication 4557 and the FTC Safeguards Rule. Each item must be addressed in writing within the WISP itself—implemented controls that are not documented do not satisfy regulatory requirements.

Section 1: Program Overview and Designated Coordinator

  • WISP effective date and version number documented at the top of the plan
  • Full name and title of the designated WISP coordinator
  • Coordinator responsibilities defined in writing (risk assessment, vendor oversight, training, incident response)
  • Backup coordinator identified for business continuity
  • Scope of the plan (which offices, systems, and data categories are covered)
  • Statement of management approval signed by the firm owner or managing partner

Section 2: Written Risk Assessment

  • Inventory of all systems storing or transmitting taxpayer data (see Section 3 below)
  • Threat identification for each system category (ransomware, phishing, insider misuse, physical theft, third-party compromise)
  • Likelihood and impact rating for each identified threat
  • Documentation of existing controls and residual risk after controls are applied
  • Risk assessment signed and dated by the coordinator
  • Reassessment schedule documented (minimum annually)

Section 3: Information Systems and Data Classification

  • Hardware inventory: all workstations, laptops, servers, mobile devices, printers, and external drives
  • Software and cloud application inventory, including tax preparation software, cloud storage, payroll processors, and practice management platforms
  • Network diagram showing data flows between systems and to third parties
  • Data classification schema with at least three tiers: public, internal, and restricted (Personally Identifiable Information and financial data)
  • Physical location of all data stores, including paper files and off-site backups

Determining which data elements trigger the highest protection requirements is addressed in our tax document encryption requirements guide. For risks specific to your Electronic Filing Identification Number (EFIN), see the EFIN protection guide.

Section 4: Access Controls

  • Unique user credentials required for every employee—shared logins explicitly prohibited
  • Role-based access control (RBAC) policy documented with access groups defined by job function
  • Privileged account inventory with written business justification for each elevated account
  • MFA required for any individual accessing any system that holds customer information (the Safeguards Rule standard), which in practice means remote access, cloud applications, tax software portals, email, and the client portal, with any exception approved in writing by the Qualified Individual
  • Password policy specifying minimum length (12+ characters) and prohibiting reuse; following NIST SP 800-63B, favor length and screening against known-breached passwords over composition rules and forced periodic rotation
  • Automatic screen lock configured to activate after no more than 5 minutes of inactivity
  • Access revocation procedure: all credentials terminated within 24 hours of employee departure, documented by the coordinator
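
The access controls above, and the "current staff only" check in the annual review, come down to reconciling what HR says about who works here against what each system says about who can log in. The following is an added example of that reconciliation, not code from the original checklist or from any vendor product. The roster, the accounts, and their field layout are constructed assumptions; in practice you would export active staff from HR and accounts from Active Directory or Entra ID, your tax software, and your client portal, then map each export onto the Account fields used here.

```python
"""Reconcile an account export against the HR roster for the WISP access review.

Added illustrative example; not code from the original checklist or any vendor
product. The roster, the accounts and their field layout are constructed
assumptions: in practice you would export active staff from HR and accounts
from Active Directory or Entra ID, your tax software and your client portal,
and map each export onto the Account fields below.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2026, 1, 5)      # assumed date of this review
STALE_AFTER = timedelta(days=90)    # inactivity threshold; a firm policy choice, not a rule of law

# Constructed HR roster: usernames of staff employed on the review date.
ACTIVE_STAFF = {"jsmith", "mlee", "rpatel"}


@dataclass
class Account:
    username: str
    system: str
    owner: Optional[str]        # None marks a shared/generic login with no single owner
    last_login: Optional[date]  # None means never used
    mfa_enrolled: bool
    privileged: bool
    justification: str = ""     # written business justification for a privileged account


# Constructed export from three systems as it might look during a review.
ACCOUNTS = [
    Account("jsmith", "tax-software", "jsmith", date(2026, 1, 2), True, False),
    Account("mlee", "client-portal", "mlee", date(2025, 12, 30), False, False),
    Account("frontdesk", "workstation", None, date(2026, 1, 4), True, False),
    Account("tbrown", "tax-software", "tbrown", date(2025, 4, 11), True, True, "tax software admin"),
    Account("rpatel-adm", "file-server", "rpatel", date(2025, 8, 1), True, True),
    Account("portal-admin", "client-portal", "rpatel", date(2026, 1, 3), True, True, "portal administration"),
]


def review_accounts(accounts, active_staff, review_date=REVIEW_DATE):
    """Return (username, system, issue) tuples for every account that fails a Section 4 control."""
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.username, acct.system,
                             "shared login: replace with individual accounts and disable"))
            continue  # the remaining checks assume an accountable owner
        if acct.owner not in active_staff:
            findings.append((acct.username, acct.system,
                             "owner not on active roster: revoke within 24 hours and log the revocation"))
        if not acct.mfa_enrolled:
            findings.append((acct.username, acct.system,
                             "no MFA: enroll, or file the Qualified Individual's written exception"))
        if acct.last_login is None or review_date - acct.last_login > STALE_AFTER:
            findings.append((acct.username, acct.system,
                             f"inactive over {STALE_AFTER.days} days: disable pending owner confirmation"))
        if acct.privileged and not acct.justification:
            findings.append((acct.username, acct.system,
                             "privileged account without written business justification"))
    return findings


if __name__ == "__main__":
    for username, system, issue in review_accounts(ACCOUNTS, ACTIVE_STAFF):
        print(f"{username:14} {system:14} {issue}")
```

Run against the constructed data it flags the shared front-desk login, the departed employee's still-active admin account, the portal user without MFA, and the file-server admin account that is both stale and unjustified, while the two healthy accounts produce nothing. The list it returns is the evidence you attach to the review log; the 90-day threshold and the 24-hour revocation target are the firm's policy numbers and should match what the WISP says.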

WISP Checklist Requirements by CPA Firm Size

Feature | Solo Practitioner | Small Firm (2–10 Staff) | Mid-Size Firm (11+ Staff)
Written Risk Assessment | Required | Required | Required + annual third-party audit
Designated WISP Coordinator | Self (owner) | Named individual | Named individual + designated deputy
Employee Security Training | Self-training log | Annual training + completion records | Annual training + quarterly phishing drills
MFA on All Access Points | Required | Required | Required + conditional access policies
Vendor / Third-Party Oversight | Contract review | Written data security agreements | Formal vendor risk program
Incident Response Plan | Basic written plan | Documented + annual tabletop test | Tested annually + external IR retainer
Penetration Testing | Recommended | Recommended | Annual penetration test + semiannual vulnerability assessment
Dark Web Monitoring | Recommended | Strongly recommended | Expected as best practice

Note that the Safeguards Rule draws its own line by the number of consumers whose information a firm holds, not by headcount: firms holding information on fewer than 5,000 consumers are exempt from the written risk assessment, the annual penetration test with semiannual vulnerability assessments, and the written incident response plan (16 C.F.R. § 314.6), while firms above that threshold must do all three. The rows above are the recommended baseline regardless of the exemption.

WISP Checklist Continued: Technical Controls, Training, and Vendor Management

Section 5: Technical Security Controls

The technical controls section of your WISP must name every safeguard in place—not just that you use antivirus software, but which product, how it is configured, its update schedule, and who monitors its alerts. Regulators and IRS examiners examining a breach expect that level of specificity. A vague WISP that says "we use security software" satisfies no one.

  • Endpoint Detection and Response (EDR) deployed on all workstations, laptops, and servers. Publication 4557's baseline is anti-malware software on every device; signature-based antivirus alone gives no visibility into a compromised account or an intrusion that uses built-in tools, so EDR with monitored alerts is the recommended standard
  • Full-disk encryption enabled on all laptops, desktops, and mobile devices; the product and cipher documented (AES-128 or AES-256 in XTS mode is appropriate; BitLocker's default is XTS-AES 128-bit) and recovery keys escrowed somewhere other than the encrypted device
  • Firewall configured with documented rule sets; guest Wi-Fi on a separate network segment isolated from business systems
  • Email filtering with anti-phishing and anti-spoofing controls; SPF, DKIM, and DMARC records published for your domain, with DMARC moved from p=none to p=quarantine and then p=reject once the aggregate reports show your legitimate mail passing
  • Automatic software patching enabled for operating systems and all applications; patch cadence documented
  • Encrypted backup solution with off-site or cloud replication, including at least one copy that is offline or immutable so ransomware that reaches the file server cannot also encrypt the backups; restoration tested at least quarterly with results documented
  • Secure client portal for sharing tax documents; unencrypted email attachments containing taxpayer data explicitly prohibited
  • DNS filtering enabled to block access to known malicious domains

Phishing is the leading initial attack vector against accounting firms. Our guide to phishing attacks on tax professionals details the specific campaigns targeting CPAs and the technical controls that stop them. For protection against ransomware—which has devastated multiple accounting firms in recent years—see our ransomware protection guide for tax practices.
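Of the controls listed above, the email authentication records are the ones most often published once and never looked at again, which is how a domain ends up with a permissive SPF record and a DMARC policy of p=none that merely watches spoofed mail go by. The following is an added example, not code from the original checklist, the IRS, or the FTC, that parses SPF, DKIM, and DMARC records and reports the weak settings a WISP appendix should rule out. The records are constructed samples for the hypothetical domain example-cpa.test; against a live domain you would fetch the TXT records (for example with `dig TXT example-cpa.test` and `dig TXT _dmarc.example-cpa.test`) and pass the strings to the same functions.

```python
"""Audit SPF, DKIM and DMARC records for the weak settings a WISP should rule out.

Added illustrative example; not code from the original checklist, the IRS, or
the FTC. The records below are constructed samples for the hypothetical domain
example-cpa.test. Against a live domain you would fetch the TXT records
(for example with `dig TXT example-cpa.test` and `dig TXT _dmarc.example-cpa.test`)
and pass the strings to the same functions.
"""
import re

# Constructed placeholder: 392 base64 characters is the encoded length of a
# 2048-bit RSA SubjectPublicKeyInfo, which is what the DKIM length check expects.
FAKE_2048_KEY = "A" * 392

# Typical untouched setup (constructed).
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none;",
    "dkim": {},  # no selector published: outbound mail is unsigned
}

# What the WISP appendix should be able to document (constructed).
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test; adkim=s; aspf=s; pct=100",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=" + FAKE_2048_KEY},
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECH = re.compile(
    r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr(?::|$)|exists:|redirect=)", re.I)


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published; any host can send mail as your domain"]
    mechs = record.split()[1:]
    findings = []
    if any(m.lower() in ("+all", "all") for m in mechs):
        findings.append("SPF: '+all' authorizes every sender on the internet")
    elif "~all" in record.lower():
        findings.append("SPF: softfail '~all'; use '-all' once every legitimate sender is listed")
    elif "-all" not in record.lower():
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders get a neutral result")
    lookups = sum(1 for m in mechs if LOOKUP_MECH.match(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    if not record:
        return ["DMARC: no record; spoofed mail is neither quarantined nor reported to you"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("DMARC: pct= is not a number")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def check_dkim(selectors):
    if not selectors:
        return ["DKIM: no selector records published; outbound mail carries no signature"]
    findings = []
    for selector, record in selectors.items():
        tags = parse_tags(record)
        key = tags.get("p", "")
        if not key:
            findings.append(f"DKIM: selector {selector} has an empty p= (revoked key) but is still published")
            continue
        # Rough size estimate from the base64 length, not a DER parse:
        # a 1024-bit RSA key encodes to ~216 chars, a 2048-bit key to ~392.
        approx_bytes = len(key) * 3 // 4
        if approx_bytes < 250:
            findings.append(f"DKIM: selector {selector} key is ~{approx_bytes} bytes, "
                            "likely under 2048-bit RSA; rotate it")
    return findings


def audit(records):
    """Run all three checks and return the combined list of findings (empty means clean)."""
    return (check_spf(records.get("spf"))
            + check_dmarc(records.get("dmarc"))
            + check_dkim(records.get("dkim") or {}))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        findings = audit(recs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak set produces four findings (softfail SPF, monitor-only DMARC with no reporting address, and no DKIM key at all); the hardened set produces none. The DKIM size check is deliberately a length estimate rather than a key parse, which is enough to catch the 1024-bit keys some older providers still publish. Run it against each domain the firm sends mail from, record the output in the technical controls appendix, and rerun it whenever a new email service is added, since each new sender changes the SPF record.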

Section 6: Employee Security Training Requirements

  • Annual security awareness training completed by all staff before each tax filing season; completion records retained in WISP appendix
  • New employee training completed within 30 days of hire date, documented with signature
  • Training curriculum covers: phishing and spear-phishing recognition, strong password practices, secure device handling, clean desk policy, physical security, and the firm's incident reporting procedure
  • Simulated phishing exercises conducted at least twice per year; results used to target follow-up training
  • Social engineering awareness included: pretexting calls, vishing (voice phishing), and business email compromise (BEC) scenarios
  • Training provider, materials, and delivery method documented in WISP

Section 7: Vendor and Third-Party Service Provider Management

  • Master list of all vendors with access to client data: tax preparation software, cloud storage, payroll processors, IT managed service providers, copier/printer vendors
  • Written data security agreements with each vendor specifying their security obligations and breach notification timelines
  • Annual review of each key vendor's security posture; request SOC 2 Type II reports where available
  • Documented process for terminating vendor system access upon contract expiration or early termination
  • Formal approval process for adding any new vendor that will touch taxpayer data

Key Capabilities Your WISP Must Document and Verify

Endpoint Detection and Response (EDR)

Name the specific EDR solution deployed, its alert monitoring process, update schedule, and who reviews detections. Publication 4557's baseline is anti-malware protection on every device; treat EDR with someone actually reviewing its alerts as the standard to document, because unmonitored antivirus rarely detects an intrusion that starts with a stolen password rather than a malicious file.

Multi-Factor Authentication (MFA)

MFA must cover any individual accessing any system that holds customer information: remote access, cloud applications, tax software portals, email, the client portal, and local logons to machines that store client data. Document which MFA method is used, which systems are enrolled, the process for adding new staff, and any written exception approved by the Qualified Individual.

Dark Web Monitoring

Continuous monitoring for leaked staff and client credentials enables early breach detection. Document the monitoring service, alert thresholds, and the response procedure when a match is found.

Encrypted Data Transmission

All client data shared electronically must be encrypted in transit via a secure client portal. Document which platform is used and explicitly prohibit unencrypted email for taxpayer documents.

Tested Encrypted Backup

Backups must be encrypted, stored separately from primary systems, and restoration-tested at least quarterly. Document the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Documented Security Training

Record the training program name, delivery format, completion dates, and simulated phishing exercise schedule. Training records must be retained and available for regulatory review.

Incident Response and IRS Breach Notification Requirements

The incident response section is the most frequently missing element in CPA firm WISPs. Regulators do not just want to see that you have security controls in place—they want documented evidence that you know exactly what to do when those controls are tested. A plan that exists only in someone's head does not satisfy the Safeguards Rule.

What Your Incident Response Plan Must Include

  • Firm-specific definition of a "security incident" covering: unauthorized system access, ransomware or malware infection, lost or stolen device, misdirected email containing client data, and vendor breach affecting your clients
  • Incident severity levels (low, medium, high, critical) with corresponding response timelines for each
  • Contact list: your local IRS Stakeholder Liaison (the IRS's designated contact for preparer data theft), the IRS Identity Protection Specialized Unit (1-800-908-4490), your state tax agency, the FTC (reportfraud.ftc.gov), your cyber insurance carrier, and outside legal counsel
  • Evidence preservation procedure: isolate an affected system by disconnecting it from the network rather than powering it off, since shutdown destroys the memory contents an investigator may need
  • Client notification templates approved in advance so communications go out immediately rather than waiting for legal review under pressure
  • Post-incident review process: root cause analysis, control gaps identified, WISP updated within 30 days of incident resolution

The 24-Hour IRS Notification Requirement

If your firm experiences a theft of taxpayer data, notify the IRS within 24 hours; the IRS directs tax professionals to report data theft to their local Stakeholder Liaison immediately. Treat the window as a hard deadline, not a best practice. Failure to report promptly can result in suspension of your EFIN and referral to the IRS Office of Professional Responsibility. The 24-hour clock starts when you have a reasonable belief that a breach has occurred, not when you complete a formal investigation, so do not wait for confirmation before making the call.

Section 8: Physical Security Controls

  • Office access controls documented: key card system, deadbolt, or alarm system with access logs
  • Clean desk policy in writing—client files may not be left unattended on desks or common areas
  • Secure destruction policy for paper documents: cross-cut shredding required for all documents containing taxpayer data; shredding service agreements retained
  • Screen privacy filters installed on monitors visible to the public or to non-authorized staff
  • Visitor log maintained for anyone accessing areas where client data is stored or processed
  • Lost or stolen device procedure: remote wipe capability documented; incident reported to coordinator within one hour of discovery

IRS Security Summit Alert: Tax Preparers Are a Primary Target

The IRS Security Summit has identified tax preparer data theft as one of the fastest-growing categories of tax-related identity theft. Criminals who compromise a single CPA firm's systems gain access to every client in that firm's portfolio—enabling fraudulent return filings at scale before the preparer or the IRS detects the breach. An up-to-date WISP checklist for CPA firms is your primary documentation if the IRS investigates your security practices following a breach. Firms without a current, implemented WISP face the full weight of regulatory consequences with no documented defense.

Annual WISP Review: Keeping Your Plan Current and Enforceable

A WISP written in 2022 and never updated describes controls that may no longer exist and misses threats that have emerged since. The FTC Safeguards Rule (16 C.F.R. § 314.4(g)) requires you to evaluate and adjust your information security program in light of four triggers:

  1. The results of the testing and monitoring of your controls
  2. Any material changes to your operations or business arrangements
  3. The results of your risk assessments
  4. Any other circumstances you know or have reason to know may have a material impact on the program

A change in how you collect, store, or use customer information falls under the second and third triggers and should prompt a review as well.

Annual Review Checklist

Conduct the following at minimum every 12 months and document all findings in a review log attached to the WISP:

  • Update the risk assessment with new systems, applications, vendors, or threats identified during the year
  • Verify the employee access list reflects current staff only—all departed employees removed, all access fully revoked
  • Confirm all vendor contracts include current data security language; renew agreements that have expired
  • Review the security incident log for any events indicating a control gap requiring remediation
  • Test backup restoration and document the result with the recovery time achieved
  • Update hardware and software inventories; remove decommissioned equipment
  • Conduct or schedule a penetration test or vulnerability assessment—our penetration testing guide explains what a tax firm should expect from the process
  • Have the WISP coordinator sign and date the reviewed plan; update the version number and effective date

For firms benchmarking their WISP structure against real-world implementations, our accounting firm WISP template examples show how practices of different sizes organize their plans. The best WISP templates for accountants roundup identifies which starting templates require the least customization for a compliant result.

Aligning Your WISP with the NIST Cybersecurity Framework

While IRS Publication 4557 and the FTC Safeguards Rule set the minimum floor for WISP requirements, firms seeking a more rigorous foundation can align their plan to the NIST Cybersecurity Framework (CSF) 2.0. The framework organizes security activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each section of this WISP checklist for CPA firms maps directly to one or more of these functions, making it straightforward to demonstrate compliance to clients, cyber insurance underwriters, and regulators simultaneously.

Firms handling government contracts or seeking to differentiate on security can go further with NIST SP 800-171 Rev. 3, which consolidates the earlier 110 controls into 97 security requirements that exceed what the IRS mandates. Alignment with SP 800-171 positions your firm ahead of emerging state-level data protection requirements without reactive scrambling.

Before each filing season, run through the tax season cybersecurity checklist to verify that every WISP control is active, tested, and functioning—not just documented. The period from January through April is when attackers most aggressively target tax professionals, and your WISP controls must be verified and operational before that window opens.


Get a Free WISP Assessment for Your CPA Firm

Bellator Cyber Guard's tax cybersecurity specialists will review your existing WISP—or build one with you from scratch—and identify every gap before the IRS or FTC does. Schedule your no-cost consultation and leave with a clear remediation roadmap.

Frequently Asked Questions: WISP Checklist for CPA Firms

Does my CPA firm actually need a WISP?

Yes. Under IRS Publication 4557 and the FTC Safeguards Rule (16 C.F.R. Part 314), any tax preparer or accounting professional who receives, maintains, processes, or transmits taxpayer information must implement and maintain a Written Information Security Plan (WISP). This applies to solo practitioners filing a single return as well as large multi-partner firms. There is no minimum return volume that exempts a firm from this obligation.

What happens if my firm operates without a WISP?

Operating without a WISP exposes your firm to FTC enforcement actions (civil penalties up to $51,744 per violation per day), IRS sanctions including EFIN suspension, and civil liability if a data breach occurs. Beyond regulatory penalties, most cyber insurance underwriters now require a current, implemented WISP as a baseline eligibility condition, meaning a breach without one may result in a denied claim at the worst possible moment.

How long does it take to write a WISP?

For a solo practitioner or small firm starting from a quality template, the initial WISP can be drafted in 4–8 hours. A mid-size firm with multiple offices, complex vendor relationships, and a larger staff may need 20–40 hours to complete a thorough plan with all required appendices. Our free 2026 WISP template significantly reduces the time investment by providing the document structure, required sections, and placeholder language that you customize to your specific environment.

How often must the WISP be reviewed?

The FTC Safeguards Rule requires annual review at minimum, plus a review after any material change to your operations: new software, new staff, office relocation, a security incident, or a change in how you collect or use client data. The IRS expects your WISP to reflect your current security posture at all times, not just as of the date it was originally written. Date-stamp every review and keep prior versions on file.

Can I use a template for my WISP?

Templates are a legitimate and efficient starting point; the IRS includes a sample WISP structure in IRS Publication 4557 itself. However, a template that has not been customized to reflect your actual firm does not satisfy regulatory requirements. The WISP must name your specific systems, your staff, your vendors, and your office configuration. Our best WISP templates for accountants guide explains exactly which elements require customization and which can remain standardized.

Is multi-factor authentication required?

Yes. The amended FTC Safeguards Rule requires covered financial institutions, CPA firms included, to implement MFA for any individual accessing any information system, with one narrow exception: your Qualified Individual may approve in writing the use of reasonably equivalent or more secure access controls. Absent that written approval, MFA is mandatory. Your WISP must document which MFA solution is deployed, which systems and applications it covers, and the enrollment process for new staff. Our two-factor authentication guide for tax professionals provides platform-specific setup instructions for the most common tax software and cloud tools.

What must I do if taxpayer data is stolen?

If your firm experiences a theft of taxpayer data, notify the IRS within 24 hours of determining that a breach has occurred. Report through your local IRS Stakeholder Liaison, the IRS's designated contact for preparer data theft; the Identity Protection Specialized Unit (1-800-908-4490) is the line your affected clients can use. You must also notify your state tax agency. The 24-hour clock begins when you have a reasonable belief that taxpayer data was compromised, not when your investigation is complete. Failure to report within this window can result in EFIN suspension and referral to the IRS Office of Professional Responsibility.

What is the difference between a WISP and an incident response plan?

A WISP is the overarching written information security program that documents your entire security posture: risk assessment, access controls, technical safeguards, training, and vendor management. An incident response plan is one required section within the WISP that specifically addresses what your firm does when a breach or security event occurs. Both are required: the incident response plan lives inside the WISP and must be tested, not merely written.

Does cyber insurance depend on my WISP?

Cyber insurance underwriters now routinely ask for your WISP during the application process and review it during claim investigations. A WISP that exists on paper but was never implemented will likely result in a denied claim on the grounds that you misrepresented your security posture at application. Treat your WISP as both a regulatory compliance document and a core insurance asset, and make sure the controls you document are the controls you actually use.

Which WISP sections are most often missing?

In our experience reviewing WISP documents for accounting firms, four sections are most frequently absent or inadequate: (1) a written incident response plan with documented IRS notification procedures; (2) a vendor management section that lists every third party with data access; (3) specific technical control documentation (naming actual tools, not just categories); and (4) evidence of annual review with dated coordinator signatures. Our IRS WISP requirements overview walks through each required element with specific compliance guidance.
