Security Planning for Small Accounting and Tax Firms

IT Security for your Tax Data

The Internal Revenue Service recently released a simplified version of the Written Information Security Plan (WISP) designed to help tax and accounting professionals develop plans to protect critical business data and information.

All businesses that offer accounting or tax preparation services are required to have a WISP document in place. Consequently, the IRS, state tax agencies and the tax industry continue to urge tax and accounting firms to develop and implement a security plan.

Even if you don’t operate an accounting and tax firm, you’ll be interested to know about the efforts your provider is required to put in place to protect your information.

A WISP document contains an organization’s security controls, procedures, and policies. In addition, it details how confidential client data is protected by the organization, including which members of the organization are responsible for safeguarding digital data. Ultimately, the WISP document serves as a guide or roadmap for the security of a firm’s data, information architecture, and IT management.

Every firm is unique and enlisting the support of a technology partner can help with identifying and sourcing necessary cybersecurity protections. The development and implementation of a WISP document requires considerable expertise in data security and information systems, in addition to knowledge about the latest IRS guidelines.

Protecting client privacy and highly valuable business data

In today’s complex digital landscape, business and client data are valuable, yet increasingly vulnerable assets. Recently, the IRS reported that many tax professionals continue to struggle with developing a written security plan.

It can be difficult to know where to start when developing a WISP. There are many factors that should be taken into consideration, but above all, tax and accounting professionals must take steps to protect their business data and comply with federal law.

The IRS reported that many businesses delay or overlook creating a WISP due to the complexity of information technology and systems and inexperience with cybersecurity. To encourage more uptake of WISP planning, the IRS rolled out the “Protect Your Clients; Protect Yourself” campaign to help educate tax professionals on data security and other topics relevant to the WISP.

“We have tried to stay away from complex jargon and phrases so that the document can have meaning to a larger section of the tax professional community,” said Carol Campbell, Director of the IRS Return Preparer Office and Co-Lead of the Summit tax professional group.

The new WISP guidelines are detailed in a 28-page sample document that illustrates how smaller practices can create data security plans that include data protection initiatives, from risk management to security breach procedures.

Get Support Developing Your WISP

To get started, the simplified WISP guidelines highlight five Federal Trade Commission (FTC) guidelines for firms:


  • Designate one or more employees to coordinate the information security program

  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling the risks

  • Design and implement a safeguards program, and regularly monitor and test it

  • Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee handling of customer information

  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

An effective data security plan requires regular upkeep and maintenance. Whether you’re developing a WISP for the first time, or you need to update your plan to align with your current business operations, Carmichael Consulting is available to lend our expertise and up-to-date knowledge about data protection and cybersecurity monitoring.

We help accounting and tax firms tackle data security planning to protect critical client data over the long term, so that smaller firms can retain their focus on tax and accounting tasks, especially during peak tax season.

Ensure you have a comprehensive WISP in place that will flex and scale with your business throughout 2023 and beyond. If you’d like to walk through the nuances of how to set up a security plan, including cybersecurity monitoring and safeguards that make the most sense for your firm, give us a call at 678-719-9671 (choose Option 2) or email [email protected].
