IRS Compliance Service

Your Firm Needs a Written Information Security Plan. We Build It.

The IRS mandates a current WISP for every tax preparer. TechFiscal drafts a fully custom plan — built around your firm's actual systems, staff, and workflow — and delivers it in 5 business days.

IRS Pub. 4557 | FTC Safeguards Rule | GLBA Aligned | Delivered in 5 Days
Governing Regulations
01. IRS Publication 4557
Mandates a written security plan for all tax preparers handling federal returns. Non-compliance = PTIN revocation risk.
02. FTC Safeguards Rule (2023)
Updated rules require financial firms to document encryption standards, access controls, and incident response procedures.
03. Gramm-Leach-Bliley Act (GLBA)
CPA firms handling client financial data must maintain a written program protecting that data — including annual reviews.
IRS Reminder: All tax professionals who prepare federal returns are required to have a current, signed WISP on file. Operating without one is a direct violation of IRS Publication 4557 and the FTC Safeguards Rule.
Understanding WISP

What Exactly Is a WISP?

A Written Information Security Plan is a formal policy document that describes how your firm collects, stores, accesses, and protects sensitive client data. It's not a technology product — it's a compliance document that proves your firm has a deliberate data security program in place.

100% of tax preparers required to have one
5 days: TechFiscal delivery time
1 year: required review cycle by IRS
Why It Matters

Without a WISP, a single data breach can end your practice

WISP isn't just paperwork. It defines your firm's response to incidents, your vendor vetting process, your employee security training requirements, and your breach notification obligations — all in one document.

Regulation | Who It Applies To | Key WISP Requirement | Enforcement
IRS Publication 4557 | All federal tax return preparers | Written security plan covering device inventory, access controls, breach response, and staff training | PTIN Revocation
FTC Safeguards Rule | Financial institutions incl. CPA firms, tax preparers, bookkeepers | Documented information security program with designated coordinator and annual risk assessment | $50K+/violation
GLBA (Gramm-Leach-Bliley Act) | Any firm handling consumer financial data | Written safeguards program, vendor management policy, and employee training documentation | State Penalties
Who Needs a WISP

WISP Is Required Across Your Entire Practice

If your firm touches federal tax data or client financial information in any way, you need a current, signed WISP on file — regardless of firm size.

CPA & Tax Firms
Accounting Firms
Financial Advisors
Insurance Agencies
Payroll Providers
Enrolled Agents
CPA & Tax Preparation Firms
IRS Required
Any CPA firm, tax preparation office, or enrolled agent who prepares or transmits federal tax returns must maintain a current, signed WISP at all times. This applies to every firm size — from a solo practitioner to a multi-partner practice. The IRS can request your WISP during any compliance review and can revoke your e-file privileges if you don't have one.
Accounting & Bookkeeping Firms
GLBA Required
Firms that store, process, or transmit client financial records fall under the GLBA Safeguards Rule. Even if you don't prepare tax returns, if you're handling sensitive financial data for clients, you're required to document your security practices in writing.
Financial Advisors & Planners
FTC Required
Financial advisors and wealth management firms that maintain consumer financial information are required under the FTC Safeguards Rule to have a formal, written information security program — including a designated security coordinator and documented annual review process.
Payroll Service Providers
IRS Required
Payroll processors have access to some of the most sensitive data a business possesses — employee SSNs, employer EINs, and direct deposit information. The IRS and FTC both require payroll service providers to maintain documented security policies protecting this data.
What's Included

Every Component Your WISP Requires

TechFiscal builds a complete, firm-specific WISP — not a downloadable template. Here's exactly what's in it.

01. Firm Profile & Data Inventory (Status: Included)
Documents your firm's structure, personnel, systems, and every category of client data you collect and store.
Key deliverables: Hardware & software inventory; Staff roles and data access levels; Data classification mapping
02. Risk Assessment (Status: Included)
A documented evaluation of internal and external threats to taxpayer data per IRS Pub. 4557 requirements.
Key deliverables: Threat & vulnerability analysis; Risk scoring matrix; Mitigation strategies
03. Access Controls & Authentication (Status: Included)
Policies defining who can access what data, how access is granted or revoked, and MFA requirements.
Key deliverables: User provisioning policy; MFA & password standards; Privileged access management
04. Incident Response Plan (Status: Included)
Step-by-step breach procedures including IRS notification obligations and client communication templates.
Key deliverables: Detection & containment steps; IRS reporting protocol; Client notification templates
05. Employee Training & Acknowledgment (Status: Included)
Training requirements, sign-off forms, and phishing awareness guidelines for all firm personnel.
Key deliverables: Annual training requirements; Staff acknowledgment forms; Phishing awareness guidelines
06. Annual Review & Update (Status: Annual Add-on)
The IRS requires yearly WISP updates. TechFiscal reviews and revises your plan annually — before tax season.
Key deliverables: Policy review & revision; Regulatory change monitoring; Pre-season delivery
How It Works

Delivered in 5 Business Days

A simple engagement — no lengthy questionnaires, no jargon. We do the heavy lifting.

Day 1: Discovery Call (~20 min)
A 20-minute call with a TechFiscal compliance specialist to understand your firm's size, software, and current security setup.
Day 1–2: Firm Assessment (Async intake form)
We review your systems, access controls, and data handling practices to map all policy requirements for your specific firm.
Day 2–4: WISP Drafting (Custom — not a template)
Our compliance team builds your complete WISP — fully custom, every section meeting IRS, FTC, and GLBA standards.
Day 5: Review & Delivery (Satisfaction guaranteed)
You review the draft, request any revisions, and receive your signed, audit-ready WISP document — ready to file.
The Stakes

What Happens If You Don't Have a WISP

Non-compliance isn't a technicality — it's an active enforcement risk that the IRS and FTC are increasingly pursuing.

IRS License & PTIN Suspension
The IRS can suspend or revoke your Preparer Tax Identification Number (PTIN) and e-file privileges for failure to maintain a current WISP. Without these, you cannot legally prepare or file federal returns.
IRS Publication 4557 — Sections 5 & 6
FTC Civil Penalties
The FTC actively enforces Safeguards Rule violations against financial firms including CPA practices. Civil penalties can reach $50,000 per violation — and each day of non-compliance can count as a separate violation.
16 CFR Part 314 — FTC Safeguards Rule
State Regulatory Fines
Most states layer their own data security laws on top of federal requirements — California, New York, and Massachusetts each have distinct compliance obligations with separate penalty structures.
State-level enforcement varies by jurisdiction
Client Liability & Lawsuits
Without documented security policies, a data breach exposes your firm to negligence claims from affected clients. No WISP = no documentation that you took reasonable precautions.
Professional liability & E&O exposure
Penalty Exposure Summary

A CPA firm operating without a WISP faces compounded exposure from multiple regulatory bodies simultaneously. Here's how it adds up:

IRS — PTIN/e-file revocation: Loss of practice
FTC — per-day civil penalties: Up to $50K/day
GLBA state violations: $100K+ per incident
Client data breach lawsuit: Unlimited exposure
TechFiscal WISP — one-time: Full protection
IRS Requirements

What the IRS Looks for in Your WISP

TechFiscal ensures every required element is documented, auditable, and ready for IRS or FTC review.

IRS Publication 4557 Requirements
Designated Security Coordinator
A named person responsible for implementing and overseeing the WISP at your firm.
Device & Software Inventory
Complete list of all hardware, software, and cloud services used to store or transmit taxpayer data.
Data Encryption Standards
Documented requirements for encrypting data at rest and in transit across firm systems.
Breach Response Procedures
Written step-by-step actions for detecting, containing, and reporting a data security incident.
Annual Review Documentation
Proof your WISP was reviewed and updated within the past 12 months.
FTC Safeguards Rule Requirements
Qualified Individual
A designated individual (internal or external) who oversees the information security program.
Periodic Risk Assessments
Documented risk evaluation process covering all threats to the confidentiality of customer information.
Multi-Factor Authentication
Written policy requiring MFA for any system or application that accesses customer financial information.
Service Provider Oversight
Vendor management policy covering selection, monitoring, and contractual security obligations for all third parties.
Incident Response Plan
Written procedures for responding to security events, including notification timelines and responsible parties.
Common Questions

Frequently Asked Questions

Still have questions?

Our compliance specialists are happy to walk you through what's required for your specific firm — with no sales pressure and no obligation.

Does every CPA firm really need a WISP?
Yes. Any tax preparer who prepares or assists with federal tax returns is required by IRS Publication 4557 and the FTC Safeguards Rule to maintain a current WISP — regardless of firm size or how many clients you serve.
Can I just use a free WISP template from the IRS website?
The IRS does provide a template as a starting point — but it's generic. Auditors expect a WISP that reflects your firm's actual technology stack, personnel, and workflows. A generic template filled with placeholder text is a red flag during any compliance review.
How often does the WISP need to be updated?
At minimum, annually — and also whenever there's a significant change to your firm's technology, staff, or operations. The IRS requires you to document when and by whom the WISP was last reviewed.
Do I need to be a TechFiscal managed IT client?
No. WISP Compliance is a standalone service. However, firms on TechFiscal managed IT plans receive discounted WISP services and the annual review as part of their package.
What if I already have some security policies documented?
Great — we'll incorporate what you have. Our assessment identifies any gaps and ensures the final document meets all current requirements, regardless of where you're starting from.
Will TechFiscal train my staff on the WISP?
Yes. We provide employee acknowledgment forms and can conduct a brief staff training session covering your firm's key security policies, password requirements, and how to respond to a suspected breach or phishing attempt.
Client Feedback

What CPA Firms Say

"TechFiscal had our WISP drafted and delivered in under a week. The document actually reflects how our firm works — not some generic template. We're audit-ready for the first time ever."

David K., CPA
Managing Partner, 4-person CPA firm

"I had no idea how many gaps we had. TechFiscal walked me through the whole thing and the annual update service means I never have to worry about falling out of compliance again."

Sarah P., EA
Enrolled Agent, Solo Practice
Get Started Today

Your WISP, Done Right — Before Tax Season

Don't wait for an audit notice. TechFiscal delivers a fully custom, IRS-compliant WISP in 5 business days — built around how your firm actually operates, not a downloadable template.

IRS Pub. 4557 | FTC Safeguards Rule | GLBA Compliant | 5-Day Delivery
No obligation. Speak with a compliance specialist — not a salesperson.