Free WISP Template for CPA Firms (2026): IRS & FTC-Compliant Checklist

Every paid tax preparer is required by federal law to maintain a current, signed Written Information Security Plan. Yet a surprising number of CPA firms discover this requirement for the first time when it’s already too late, during PTIN renewal, a cyber insurance application, or, worse, in the aftermath of a data breach.

If you have searched for a starting document to get ahead of the 2026 filing season, this guide walks through exactly what a compliant plan must contain, why a generic starting point is rarely enough on its own, and how to move from “we know we need one” to “we have an audit-ready plan on file.”

TechFiscal works exclusively with CPA firms, tax preparers, and accounting practices on IRS and FTC compliance, and this guide reflects the requirements our compliance specialists document for clients heading into every filing season.

What a WISP Actually Is (and Why It’s Not Optional)?

A Written Information Security Plan is a formal policy document that describes, in specific and verifiable terms, how your firm collects, stores, accesses, transmits, and disposes of client tax and financial data.

It is not a marketing brochure, and it is not a one-page acknowledgment form. Regulators, auditors, and cyber insurance underwriters treat it as the legal record of your firm’s data security program.

Three overlapping federal frameworks converge on this single requirement:

RegulationApplies ToCore WISP RequirementEnforcement Body
IRS Publication 4557All paid federal tax return preparersWritten plan covering device inventory, access controls, breach response, staff trainingIRS (PTIN/EFIN suspension)
FTC Safeguards Rule (16 C.F.R. Part 314)Financial institutions, including CPA and tax firmsDocumented program with a named Qualified Individual and annual risk assessmentFederal Trade Commission
Gramm-Leach-Bliley Act (GLBA)Any firm handling consumer financial dataWritten safeguards program with vendor oversight and review cycleFTC / state regulators

Since 2024, the IRS has folded WISP attestation directly into PTIN renewal through Form W-12.

Confirming you have a plan in place when you don’t is a false certification made under penalty of perjury, and it puts both your PTIN and your EFIN at risk, independent of whether a breach ever actually occurs.

The Core Elements Every IRS FTC Compliant WISP Must Contain

Regulators are consistent about what they expect to see documented, in writing, inside the plan itself. Before you rely on any starting document, confirm it addresses each of the following:

•             Security Program Coordinator– a named individual accountable for maintaining and enforcing the plan

•             Technology and data inventory– every device, application, and cloud platform that touches taxpayer data

•             Written risk assessment– internal and external threats evaluated and scored, not just listed

•             Access management controls– provisioning, termination, and multi-factor authentication requirements

•             Encryption standards– for data at rest and in transit

•             Vendor and third-party oversight– contractual data-security requirements for every service provider

•             Incident response and breach notification procedures– including IRS, FTC, state, and client notification timelines

•             Employee training and signed acknowledgment forms

•             Annual review documentation– proof the plan has been revisited at least once every twelve months

This structure lines up with the framework IRS Publication 5708 lays out as a sample plan, and with the nine elements the FTC Safeguards Rule specifies for a qualifying information security program.

Why Is a Free WISP Checklist Is a Starting Point, Not a Finish Line?

Such a resource is genuinely useful for understanding the shape of the requirement, it tells you what sections a compliant plan needs and gives you language to work from. What it cannot do is describe your firm’s actual environment.

Regulators have been explicit that a security plan is expected to reflect the technology, staffing, and business processes of the specific practice that signs it.

A checklist filled in with placeholder language, or a WISP template downloaded and left unedited, creates a paper trail that looks compliant on the surface but will not hold up if an examiner, insurer, or plaintiff’s attorney asks follow-up questions.

The practical gap usually shows up in three places:

1.          Risk assessments that were never actually performed– the free WISP checklist has a line for it, but no firm-specific analysis backs it up.

2.          Vendor management sections that list no real vendors– tax software, cloud storage, and IT providers go unnamed.

3.          Incident response contact lists that are blank or outdated– the exact information you need fastest during a real event.

Building Your WISP Step by Step

For firms building a plan internally, the process generally follows five stages:

1.          Inventory your data and systems. Document every device, application, and location where taxpayer data lives, from tax preparation software to shared drives and email archives.

2.          Assess your risks. Identify realistic threats, phishing, lost devices, vendor compromise, and rate each by likelihood and impact.

3.          Write your safeguards. Translate the assessment into specific, measurable policies: password requirements, MFA enforcement, encryption standards, and physical security controls.

4.          Document incident response. Define what counts as a security incident, who is notified, and the exact timelines for IRS, FTC, state, and client notification.

5.          Review annually. Set a recurring date to revisit the plan and update it whenever technology, staffing, or operations change.

Common Mistakes Firms Make

MistakeWhy It Matters
Signing a template without customizing itRegulators can identify boilerplate language during a review
Skipping the annual reviewIRS guidance requires review at least every 12 months
Leaving the Qualified Individual field blankThe FTC Safeguards Rule requires a named, accountable person
No documented employee acknowledgmentTraining without signed records does not satisfy audit requirements
Ignoring vendor oversightThird-party breaches are a leading cause of tax data compromise

How TechFiscal Builds an Audit-Ready WISP?

Rather than starting from a generic document, TechFiscal’s compliance specialists build a fully customized plan around your firm’s actual technology stack, staffing structure, and workflows, delivered in a few business days.

The process starts with a short discovery consultation, moves through a compliance assessment of your current systems and access controls, and ends with a finished, signed, audit-ready plan mapped to IRS Publication 4557, the FTC Safeguards Rule, and GLBA requirements. You can review the full scope of what’s included on TechFiscal’s WISP Compliance page.

Who This Requirement Actually Covers?

One of the most persistent misunderstandings among tax professionals is that the WISP mandate scales with firm size. It does not. Federal guidance ties the obligation to activity, not headcount: a practice that prepares roughly 11 or more federal returns in a year falls squarely within the FTC Safeguards Rule’s definition of a covered financial institution.

That threshold captures the overwhelming majority of active preparers, from solo practitioners working out of a home office to multi-partner regional firms.

The plan itself should scale, a one-person practice does not need the same volume of documentation as a fifty-employee firm, but the underlying obligation to have a written, signed plan does not disappear because a firm is small.

What’s at Stake Without a Documented Plan?

The consequences of operating without a current WISP are not limited to a hypothetical future breach. Because PTIN renewal now requires an affirmative certification, the exposure exists the moment the form is signed inaccurately.

Beyond the immediate compliance risk, the financial stakes of an actual incident are severe: IBM Security’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.88 million, and even a contained incident involving a few hundred client records routinely runs past $100,000 once forensic review, legal fees, notification costs, and lost clients are factored in.

A documented WISP does not make a firm immune to attack, but it is the difference between a firm that can demonstrate reasonable care and one that cannot.

Summing Up,

A downloadable starting point can help you understand the shape of the requirement, but the document that actually protects your PTIN, your EFIN, and your clients’ data is the one that reflects how your firm really operates.

Whether you build that plan internally using the checklist above or bring in a compliance specialist to deliver a custom, audit-ready version before the next filing season, the important step is making sure a signed, current WISP exists, not just the intention to write one.

Frequently Asked Questions

Does a solo practitioner need the same WISP as a large firm?

No. The plan should be proportional to your firm’s size and complexity, but every required section, coordinator, risk assessment, safeguards, incident response, training, and annual review, still needs to be addressed, even if briefly.

How long does it take to put a compliant plan in place?

Building one internally from a checklist can take anywhere from a few hours to several weeks, depending on how much of your environment is already documented. A professionally built plan, like the one TechFiscal delivers, is typically completed within five business days.

Is one WISP enough for a firm with multiple office locations?

Yes, provided the plan explicitly addresses the systems, staff, and risks specific to each location rather than treating the firm as a single undifferentiated environment.

Do Solo CPAs and Small Tax Firms Need a WISP? (2026 Requirements)

If you run a one-person tax practice or a small firm with just a handful of preparers, it is easy to assume that federal data security mandates were written with large institutions in mind, banks, insurance companies, national accounting networks. It is one of the most common and most costly misconceptions in the profession.

The requirement to maintain a Written Information Security Plan does not scale down to zero because your practice is small. This guide breaks down exactly who the rule covers, why the idea of a WISP exemption for small operators is largely a myth, and what solo and small-firm practitioners specifically need to do about it.

The Short Answer

Yes. If you prepare federal tax returns for compensation, hold a PTIN, or handle client financial data in any capacity, you are required to maintain a current, signed WISP, regardless of how many employees you have or how many returns you file in a season.

The Internal Revenue Service does not distinguish between a solo enrolled agent working from a home office and a fifty-person regional firm when it comes to the existence of the requirement. What differs is the scale and complexity of the plan itself, not whether one must exist.

Where the Confusion Comes From?

The misunderstanding around WISP for solo CPA practices generally traces back to one of three sources:

•          Confusing the FTC’s activity threshold with an exemption.

The FTC Safeguards Rule applies to institutions “significantly engaged” in financial activities, and the agency has confirmed that preparing roughly 11 or more federal returns annually meets that bar.

Practitioners sometimes read this threshold as a size cutoff below which the rule does not apply, it is not. It is closer to a floor than a ceiling, and the overwhelming majority of active preparers, including part-time and seasonal ones, clear it easily.

•          Assuming informal security habits count as a plan.

Using a password manager, backing up files, and being generally careful with client data are good practices, but none of that constitutes a written plan unless it is documented, dated, and signed.

•          Believing PTIN renewal is a formality.

Since 2024, Form W-12 has included a direct attestation question about maintaining a data security plan. Answering it without an actual plan in place is a false certification made under penalty of perjury.

Federal Requirements That Apply Regardless of Firm Size

RequirementWho It Applies ToWhat Changes With Firm Size
IRS Publication 4557 written planAll paid federal return preparersDepth of documentation, not whether a plan is required
FTC Safeguards Rule Qualified IndividualAny firm meeting the “significantly engaged” thresholdIn a solo practice, the preparer typically fills this role personally
Annual risk assessmentAll covered firmsScope of the assessment reflects the size of the technology environment
Employee training recordsFirms with any staff, including part-time or seasonalSolo practitioners document their own training and awareness instead
Vendor oversightAny firm using outside software, cloud storage, or IT supportFewer vendors to document, not zero

What a Right-Sized Compliance Plan Looks Like?

The good news for solo and small practitioners is that a compliant plan does not need to resemble the security documentation of a national accounting firm. A right-sized approach to small tax firm compliance typically includes:

1.          A single named coordinator– usually the owner or managing preparer, responsible for the plan.

2.          A concise technology inventory covering the tax software, laptops, email, and cloud storage actually in use.

3.          A focused risk assessment built around realistic threats: phishing emails, a lost or stolen laptop, or a compromised software vendor.

4.          Documented core controls: multi-factor authentication on tax software and email, an encrypted device policy, and a password manager requirement.

5.          A short, specific incident response plan listing exactly who to call, the IRS Stakeholder Liaison, the firm’s cyber insurance carrier, and any affected clients, and within what timeframe.

6.          An annual review date, even if the review itself takes less than an hour for a simple practice.

None of this requires a dedicated IT department or a six-figure security budget. It requires a plan that is honest about a small environment and specific about how that environment is protected.

The Real Risk of Assuming You’re Exempt

Operating on the assumption that a small practice falls outside the requirement carries the same consequences as ignoring the requirement outright, because there is no size-based exemption to fall back on. The exposure includes:

•             PTIN and EFIN risk tied directly to the W-12 attestation question

•             FTC civil penalties that apply per violation, independent of firm size

•             Denied cyber insurance claims, since most carriers now require a documented plan as a condition of coverage

•             Client liability exposure, since courts have consistently recognized a duty of care owed to clients regardless of practice size

A solo practitioner handling two hundred returns a year holds the same category of sensitive data, Social Security numbers, bank routing information, dependent details, as a much larger firm, just in smaller volume.

Cybercriminals do not discriminate by firm size, and increasingly target solo and small practices precisely because they assume security maturity is lower.

Practical Next Steps for Small Practices?

For most solo and small-firm practitioners, the fastest path to compliance is to treat plan-building as a defined, bounded project rather than an open-ended obligation.

Start with an honest inventory of every system that touches client data, identify the handful of realistic risks specific to a small operation, and document the controls already in place alongside the ones that still need to be added.

Firms that want a faster, audit-ready outcome without dedicating internal hours to the process can have a plan custom-built around their exact setup through TechFiscal’s WISP Compliance service, which is scaled appropriately whether the client is a solo enrolled agent or a ten-person practice.

Why Small Practices Are an Attractive Target?

There is a persistent assumption that cybercriminals focus their efforts on large, high-profile targets because that is where the biggest payoff lies. Threat intelligence from the tax and accounting sector tells a different story.

Solo practitioners and small firms are frequently targeted precisely because attackers expect fewer technical safeguards, no dedicated IT staff, and less rigorous oversight of email and account access.

A single compromised email account at a small practice can expose every client file that preparer has ever handled, often going undetected for weeks because there is no monitoring system in place to flag unusual activity.

The concentration of Social Security numbers, banking details, and income documentation in a small practice’s systems makes it just as valuable a target, return for return, as a much larger operation.

How This Differs From State-Level Small Business Exemptions?

Some state consumer protection and data security statutes include carve-outs or reduced obligations for small businesses based on employee count or revenue. This has occasionally led practitioners to assume something similar exists at the federal level for tax preparers.

It does not. The FTC Safeguards Rule’s 2023 amendments specifically removed the informal distinction that previously allowed some smaller entities to operate under lighter documentation standards.

Every financial institution meeting the “significantly engaged” threshold, tax preparers included, is now held to the same baseline written security program requirements, whether the firm has one employee or one hundred. State-level rules may add obligations on top of the federal floor; they do not lower it.

To Sum Up,

Size is not a shield. Every paid tax preparer, solo, seasonal, or small-firm, falls under the same federal obligation to maintain a written, signed, and current data security plan. The scope of the document should reflect the size of the practice, but the requirement itself does not shrink along with it.

Addressing this now, ahead of the next filing season, is considerably less costly than discovering the gap during a PTIN renewal review or after a security incident.

Frequently Asked Questions

I only prepare taxes part-time during the season. Does that change anything?

No. Seasonal or part-time status does not affect the requirement. If you hold a PTIN and prepare returns for compensation, the obligation applies for as long as you are actively practicing.

What if I use a large, well-known tax software platform, doesn’t that cover security for me?

Your software vendor’s security practices are one component of your overall risk picture, but they do not substitute for your firm’s own written plan. Vendor oversight is itself one of the required sections of a compliant WISP.

Can I write my own plan without hiring a consultant?

Yes, particularly for a straightforward solo practice with a simple technology environment. The key is making sure every required section is addressed honestly and specifically, rather than filled in with generic language that does not reflect how the practice actually operates.

Tags :
Share This :

Have Any Question?

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod