The CPA Firm Backup Compliance Checklist: 27 Controls to Pass FTC Safeguards & IRS WISP [UPDATED]

CPA Firm Backup Compliance Checklist

Short answer (as of Sept 10, 2025): CPA firms must encrypt all backup data at rest/in transit, enforce MFA on backup access, include backups in the security program/WISP, test restores on a defined cadence, and document retention & destruction. Auditors typically ask for (1) named security coordinator, (2) last risk assessment covering backups, (3) restore test logs/screenshots, (4) encryption/MFA evidence, (5) retention/destruction records, and (6) vendor oversight (SOC 2, clauses, logs). A pass = controls + proof.


Backups aren’t a “nice-to-have” anymore; for CPA firms, they’re federal law.

The FTC Safeguards Rule classifies CPA firms as financial institutions, meaning you’re legally required to protect client data with tested, documented safeguards. At the same time, the IRS Written Information Security Plan (WISP) mandate demands that every tax and accounting firm prove exactly how backups are created, stored, monitored, and destroyed.

Miss a step, and the consequences are brutal:

  • FTC fines up to $50,120 per violation (per day).
  • IRS penalties and failed audits that can halt operations.
  • Ransomware costs averaging $4.88M in 2024 (Verizon DBIR), often hitting firms that never tested their restores.
  • Permanent client trust loss during tax season when downtime makes you miss deadlines.

Most firms don’t discover their backup gaps until it’s too late: during a breach, an audit, or a ransomware lockout.

This guide changes that!

We’ve combined the FTC Safeguards Rule and IRS WISP Publication 5708 into one definitive checklist:

✅ 27 specific backup compliance controls every CPA firm must prove.
✅ How auditors verify compliance and where firms most often fail.
✅ Practical fixes to close gaps before regulators, clients, or attackers find them.

By the end, you’ll know exactly what auditors expect and how to make your backup strategy a compliance shield, not a liability.

Core FTC Safeguards Rule Backup Requirements

The FTC Safeguards Rule requires CPA firms to treat backups as part of their official information security program, not an isolated IT task. Auditors don’t care if you “do backups.” They want written proof that your backup systems are secure, monitored, and auditable.

If you don’t have a formal security program, start with our IRS-ready Written Information Security Plan (WISP).

Here’s what compliance demands:

1. Designate a Qualified Individual

Every firm must appoint a Designated Data Security Coordinator who oversees backup policies, vendor compliance, and incident response. Without a named individual, you cannot demonstrate compliance, even if your backups exist.

Audit reality: According to the FTC, firms must designate a qualified individual to implement and supervise their security program, a step often missed by smaller practices.

2. Include Backups in Risk Assessments

The FTC requires firms to identify where client data resides, how it is backed up, and what risks could compromise it, from ransomware to device theft to cloud misconfigurations. Risk assessments must be documented and updated annually.

Auditors will ask: “Show me your last risk assessment that includes backups.”
No document = non-compliant.

3. Encrypt Data & Require MFA for Backup Access

Backups must be encrypted at rest and in transit using strong encryption standards like AES-256. Access must be gated by multi-factor authentication (MFA). Storing unencrypted backups on external drives or cloud folders is a direct FTC violation.

Q: Do CPA firms need to encrypt backups to comply with the FTC Safeguards Rule?
A: Yes. All backups must be encrypted at rest and in transit using AES-256 or stronger. Access must also be restricted with multi-factor authentication (MFA).

Proof point: The Verizon DBIR 2024 found 44% of ransomware attacks hit professional services, with unencrypted backups being a top failure point.

4. Vendor Oversight & SOC 2 Alignment

If you use third-party backup providers, you remain legally responsible for compliance. Contracts must include safeguard clauses, and you must verify vendors meet FTC standards. Using a SOC 2 Type II–audited provider strengthens your compliance proof and reduces audit friction.

Key risk: Firms often assume “my IT vendor handles it.” Regulators see that as negligence unless you have evidence of oversight (SOC 2 reports, audit logs, compliance attestations).

Expert Take

The FTC expects evidence of control, not assumptions of safety. If it isn’t documented, tested, and provable, it doesn’t count. For CPA firms, this means: formalize, encrypt, restrict, and monitor every backup process, and keep the proof ready.


    IRS WISP and Publication 5708 Backup Controls

While the FTC sets the security standard, the IRS sets the operational proof. Under Publication 5708, every CPA firm must maintain a Written Information Security Plan (WISP), and backups sit at the center of it.

Think of the WISP as your audit playbook: it documents not just that you back up data, but also how, where, for how long, and who is responsible.

What the IRS Expects

1. A Written Plan: not verbal promises

Your WISP must spell out backup objectives, scope, and responsibilities. That includes:

• Naming a Data Security Coordinator
• Documenting all systems that store client data
• Defining where backups are stored and how they’re protected

Auditors don’t accept “we back up daily” as an answer. If it’s not in writing, it doesn’t exist!

2. Testing & Monitoring: proving your backups work

Publication 5708 requires regular restore testing and monitoring. That means:

• Keeping event logs of backup activity
• Reviewing failures (and showing remediation steps)
• Documenting quarterly restore tests with screenshots or reports

The IRS doesn’t want “checkbox backups.” They want evidence that data can be restored when needed.

3. Retention & Destruction Policies: no endless hoarding

Backups can’t live forever. Your WISP must define:

• How long backups are retained (based on tax/legal requirements)
• How they are destroyed once the retention period ends (shredding, degaussing, secure wipe)

Firms that fail to define and follow proper data retention and destruction policies risk failing an IRS WISP audit, especially if old client data is found stored beyond acceptable timeframes.

A mid-sized CPA firm in Illinois failed an IRS review in 2023. Why? They had backups but no destruction policy. Old client data from 2014 was still sitting on servers, outside retention limits. The IRS flagged it as a compliance failure, exposing the firm to fines and potential client lawsuits.

The IRS WISP makes one thing clear: backups aren’t about convenience; they’re about accountability. Regulators don’t just want working systems; they want audit-ready evidence that your firm knows where client data lives, how it’s protected, and when it will be destroyed.
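To make the retention and destruction requirement concrete, here is an added Python example (not code from this page, from Verito, or from the IRS) that audits a constructed backup inventory against a retention schedule, a destruction log, and a set of legal holds. It flags sets that have outlived their retention period without a dated destruction record (the situation in the Illinois case above) and, going one step beyond this section, sets that were destroyed before their retention period ended, and it suspends the expiry finding for sets under legal hold. The data classes, retention years, set identifiers, approver name, and dates are all constructed placeholders, not legal guidance.

```python
"""Retention and destruction audit over a constructed backup inventory."""
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (years after creation). Illustrative placeholders;
# a firm maps each data class to its own tax/legal obligations in the WISP.
RETENTION_YEARS = {"tax_returns": 7, "workpapers": 7, "payroll": 4}


@dataclass(frozen=True)
class BackupSet:
    set_id: str      # constructed identifier
    data_class: str  # key into RETENTION_YEARS
    created: date


def retention_end(bs, schedule=RETENTION_YEARS):
    """Date on which the retention period ends (creation date + N years)."""
    years = schedule[bs.data_class]
    try:
        return bs.created.replace(year=bs.created.year + years)
    except ValueError:  # created on Feb 29 and the target year is not a leap year
        return bs.created.replace(year=bs.created.year + years, day=28)


def audit_retention(inventory, destruction_log, legal_holds, as_of, schedule=RETENTION_YEARS):
    """Classify each backup set against the schedule, destruction log, and legal holds."""
    results = []
    for bs in inventory:
        end = retention_end(bs, schedule)
        cert = destruction_log.get(bs.set_id)  # dated, approver-signed destruction record
        if cert is not None:
            status = "destroyed_before_retention_end" if cert["date"] < end else "destroyed"
        elif as_of <= end:
            status = "retained"
        elif bs.set_id in legal_holds:
            status = "expired_on_legal_hold"  # deletion suspended, not a violation
        else:
            status = "expired_not_destroyed"  # the Illinois-style finding
        results.append({"set_id": bs.set_id, "status": status, "retention_end": end})
    return results


NEEDS_ACTION = {"expired_not_destroyed", "destroyed_before_retention_end"}


def needs_action(results):
    """Return only the findings an auditor would treat as failures or require review of."""
    return [r for r in results if r["status"] in NEEDS_ACTION]


# Constructed inventory, destruction log, and legal holds (no real firm data).
SAMPLE_INVENTORY = [
    BackupSet("BK-2014-03", "tax_returns", date(2014, 3, 15)),  # never destroyed
    BackupSet("BK-2019-04", "workpapers", date(2019, 4, 30)),   # still within retention
    BackupSet("BK-2015-01", "payroll", date(2015, 1, 10)),      # destroyed after expiry
    BackupSet("BK-2016-02", "tax_returns", date(2016, 2, 29)),  # expired but on legal hold
    BackupSet("BK-2018-06", "payroll", date(2018, 6, 1)),       # destroyed too early
]
SAMPLE_DESTRUCTION_LOG = {
    "BK-2015-01": {"date": date(2019, 2, 1), "approver": "J. Doe (constructed)"},
    "BK-2018-06": {"date": date(2021, 12, 31), "approver": "J. Doe (constructed)"},
}
SAMPLE_LEGAL_HOLDS = {"BK-2016-02"}
AS_OF = date(2023, 6, 1)  # constructed review date

if __name__ == "__main__":
    for r in audit_retention(SAMPLE_INVENTORY, SAMPLE_DESTRUCTION_LOG, SAMPLE_LEGAL_HOLDS, AS_OF):
        print(f'{r["set_id"]}  retention ends {r["retention_end"]}  {r["status"]}')
```

Run as-is, the script lists five sets, and `needs_action` singles out the 2014 set that has no destruction record and the 2018 set destroyed before its window closed; the held set is reported but not counted as a failure. The status names and the output format are the example's own.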


The checklist below can be implemented end-to-end by our managed backup & disaster recovery team.

Backup Compliance Checklist · 27 Controls for CPA Firms

Use this to implement and **prove** compliance.

Columns: Control · How to implement · Evidence for auditors · Owner · Cadence · Status

These 27 controls are not “nice-to-have”; they’re the bare minimum. An auditor doesn’t care if 24 are perfect; if 3 are missing, you’re exposed. Treat this checklist as your compliance shield: pass it, and your firm can walk into an FTC or IRS review with confidence.


Audit Evidence: Exactly What to Document & Show

Auditors don’t care about your intentions. They care about artifacts.

Auditors don’t ask whether you ‘do backups.’ They ask for proof: your last restore test log, where encryption/MFA is enforced, and the retention/destruction records tied to your WISP.

Download the free WISP template and map the backup sections 1:1 before you run your first restore test.

Below is the minimum evidence package that passes FTC Safeguards & IRS WISP reviews.

1. Security Program & Ownership

• Risk Assessment – last signed assessment with a section explicitly covering backups.
• Named Data Security Coordinator – show WISP with coordinator’s name, title, and signed designation.

2. Backup Operations

• MFA Evidence – screenshot of enforced MFA on backup console; test login record.
• Restore Test Logs – quarterly logs with:
  • Date/time of test.
  • Dataset restored.
  • RTO achieved vs. target.
  • Screenshots of successful restoration.
  • Notes if objectives were missed and remediation.
• Encryption Proof – screenshots/config export proving AES-256 at rest & TLS 1.2+ in transit.

We operate and monitor backup & DR so these logs stay current between audits.

3. Retention & Destruction

• Legal Hold Record – evidence showing suspension of deletion when litigation hold was triggered.
• Retention Schedule – documented by data class, mapped to legal/tax obligations.
• Destruction Certificates / Logs – dated proof of when expired backups were destroyed, signed by approver.

4. Vendor Oversight

• Vendor Access Logs – records of any vendor access into backup systems with quarterly review sign-off.
• SOC 2 Type II Report (or equivalent) – cover page and attestation letter from each backup vendor.
• Contractual Safeguards – executed DPA/contract showing clauses for encryption, MFA, breach notice, and audit rights.

5. Access Controls

• RBAC Matrix – document showing roles (Admin, Operator, Auditor) and assigned users.
• Quarterly User Access Review – list of users with backup privileges, removed accounts highlighted.
• Offboarding Evidence – HR/IT ticket showing access removed on the day of the employee’s exit.

6. Change & Continuity

• Evidence Binder – digital folder/index updated quarterly, listing all the above with timestamps and sign-offs.
• Change Management Records – tickets/approvals for backup configuration changes.
• Incident Response Playbook – documented restore steps for ransomware or outages; tabletop exercise output.
• Business Continuity Plan – BCP section explicitly referencing backup recovery and last test date.

Tip: Put all of this in a single “Backup Evidence Binder” (digital or physical). Auditors love when they can flip to one folder and see dates, signatures, and screenshots in order.
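As an added example (not code from this page or from Verito), the following Python script checks a constructed restore-test log for the evidence points listed under Backup Operations above: a quarterly cadence with no long gaps, RTO achieved versus target with remediation notes whenever the target was missed, a screenshot reference for every test, and whether the most recent test is overdue. The CSV column names, the 92-day tolerance used to mean “quarterly”, and all dates, dataset names, and file names are assumptions made for the example.

```python
"""Check restore-test evidence for cadence, RTO, and artifact completeness."""
import csv
import io
from datetime import date, datetime

# Constructed sample log (no real firm data). One row per restore test; RTO values are
# minutes; notes are expected to record remediation whenever the RTO target was missed.
SAMPLE_LOG = """test_date,dataset,rto_target_min,rto_achieved_min,screenshot_ref,notes
2024-10-02,tax-app-db,120,150,restore-2024q4.png,
2025-01-14,client-files-share,240,185,restore-2025q1.png,
2025-04-09,client-files-share,240,310,restore-2025q2.png,RTO missed; storage throughput fixed; re-test 2025-04-16
2025-04-16,client-files-share,240,200,restore-2025q2-retest.png,
2025-08-20,tax-app-db,120,95,,
"""

AS_OF = date(2025, 9, 10)  # constructed review date
MAX_GAP_DAYS = 92          # assumed tolerance for a "quarterly" cadence


def parse_restore_log(text):
    """Parse the CSV evidence log into typed records, oldest test first."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "test_date": datetime.strptime(row["test_date"], "%Y-%m-%d").date(),
            "dataset": row["dataset"],
            "rto_target_min": int(row["rto_target_min"]),
            "rto_achieved_min": int(row["rto_achieved_min"]),
            "screenshot_ref": row["screenshot_ref"].strip(),
            "notes": row["notes"].strip(),
        })
    return sorted(records, key=lambda r: r["test_date"])


def check_restore_evidence(records, as_of, max_gap_days=MAX_GAP_DAYS):
    """Return (code, detail) findings an auditor would raise against this log."""
    if not records:
        return [("no_restore_tests", "no restore test evidence on file")]
    findings = []
    previous = None
    for r in records:
        day = r["test_date"].isoformat()
        if previous is not None:
            gap = (r["test_date"] - previous["test_date"]).days
            if gap > max_gap_days:
                findings.append(("cadence_gap",
                                 f'{gap} days between {previous["test_date"]} and {day}'))
        if r["rto_achieved_min"] > r["rto_target_min"] and not r["notes"]:
            findings.append(("rto_missed_no_remediation",
                             f'{day} {r["dataset"]}: {r["rto_achieved_min"]} min '
                             f'vs target {r["rto_target_min"]} min, no remediation noted'))
        if not r["screenshot_ref"]:
            findings.append(("missing_screenshot", f'{day} {r["dataset"]}: no restore screenshot'))
        previous = r
    since_last = (as_of - records[-1]["test_date"]).days
    if since_last > max_gap_days:
        findings.append(("overdue", f"last restore test was {since_last} days before {as_of}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_restore_evidence(parse_restore_log(SAMPLE_LOG), AS_OF):
        print(f"{code:28} {detail}")
```

On the constructed log the checker reports two cadence gaps (autumn 2024 to January 2025, and April to August 2025), one missed RTO with no remediation note, and one test with no screenshot; the latest test is recent enough that nothing is overdue as of the review date. Note that the April re-test, with its remediation note, is what turns a missed RTO into acceptable evidence rather than a finding.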


Common Backup Compliance Failures in FTC Safeguards & IRS WISP Audits

Here’s where most CPA firms stumble, and it’s rarely about “forgetting” to back up. It’s about the gaps they don’t notice until an auditor does.

• Take unwritten policies.
  A firm might proudly say, “We back up daily.” But when the IRS examiner asks to see that in the Written Information Security Plan (WISP), there’s silence. In compliance terms, if it’s not written down, it doesn’t exist. That single blind spot has cost firms thousands in fines.
• Or consider unencrypted backups.
  External hard drives sitting in the office. Client files in plain-text folders. Even Dropbox accounts used as “backup.” To an auditor, that’s an FTC violation waiting to happen. In fact, the Verizon DBIR found that nearly half of ransomware incidents in professional services involved unencrypted or poorly secured data.

Q: Are Dropbox or unencrypted external drives acceptable for CPA firm backups?
A: No. Regulators treat unencrypted or personal storage solutions as non-compliance under the FTC Safeguards Rule.

• Another trap? Restore testing, or rather the lack of it.
  Firms assume that because the backup job runs every night, they’re safe. But when they finally try to restore during a ransomware lockout, the files are corrupted. Regulators see it the same way: a backup that doesn’t work is treated as no backup at all.
• Retention and destruction policies are also a quiet killer.
  Many firms hoard old client data far beyond IRS retention schedules because “deleting feels risky.” But keeping expired records doesn’t just waste storage; it’s a compliance violation. One Illinois CPA firm learned this the hard way when auditors flagged 10 years of outdated backups.
• Then there’s the vendor problem.
  Too many firms assume their outsourced IT provider “handles everything.” But unless you have SOC 2 reports, oversight logs, and signed safeguard agreements in hand, regulators pin liability on you, not your vendor.
• And let’s not forget access control.
  Shared logins, missing MFA, or ex-employees whose credentials were never revoked. Each one is an open invitation for auditors to fail you and for attackers to exploit you.
• Finally, the simplest but most devastating oversight: single points of failure.
  One backup, in one location. If that server goes down or gets encrypted in an attack, the firm has nothing left to fall back on.

These aren’t small oversights; they’re exactly what regulators look for first. Firms often think “we’re fine, we back up daily.” But to the FTC and IRS, that’s meaningless unless you can prove encryption, testing, retention, and oversight. Compliance isn’t about having backups; it’s about having evidence that they’re secure, resilient, and under control.

Note: Outsourcing doesn’t outsource liability. Your firm must keep SOC 2 evidence, safeguard clauses, and a dated vendor review in the WISP.


The Final Audit-Ready Backup Checklist

You’ve now seen the 27 controls across administrative, technical, and physical safeguards. Together, they form the compliance wall that protects your firm against FTC fines, IRS failures, and ransomware disasters.

The fastest way to check where you stand? Imagine an auditor walking into your office tomorrow and asking for proof of each item:

• Can you show a signed WISP naming your Data Security Coordinator?
• Do you have logs of your last restore test?
• Can you produce evidence of encrypted storage and MFA access?
• Do you have signed certificates of destruction for old backup media?

If even one of those answers makes you hesitate, your compliance posture is at risk.

Backup compliance isn’t optional anymore. The FTC Safeguards Rule and IRS WISP are explicit: no evidence = no compliance.

Firms that get this wrong face:

• Daily fines from the FTC
• IRS penalties for missing WISP requirements
• Client lawsuits after ransomware downtime
• Permanent reputational damage in the middle of tax season

Firms that get it right sleep better at night knowing they can pass any audit.

Where Verito Fits In

Verito doesn’t just store your data; we make sure you can prove compliance across all 27 controls. With VeritSpace (private server hosting), VeritGuard (24/7 IT & security), and VeritComplete (end-to-end compliance bundle), you get:

• SOC 2–audited environments
• Audit-ready documentation
• Continuous monitoring and restore testing
• IRS Publication 5708 alignment

So when the next auditor asks, you won’t scramble. You’ll hand them a checklist with every box ticked.

If your firm runs tax apps in the cloud, review our secure tax software hosting recommendations.

Schedule a VeritSpace Demo to see how your backups can move from “IT task” to “compliance shield.”


FAQs

What does the FTC Safeguards Rule require for CPA firm backups?

The FTC Safeguards Rule requires CPA firms to encrypt all client data at rest and in transit, enforce multi-factor authentication (MFA) for backup access, and monitor for unauthorized activity. Backups must also be included in the firm’s written information security program (WISP). Firms are held responsible for vendor oversight, meaning you must prove that any third-party provider meets FTC safeguards.

How does the IRS WISP affect backup compliance?

IRS Publication 5708 requires every firm to maintain a Written Information Security Plan (WISP) that details how backups are created, tested, retained, and destroyed. The plan must name a responsible coordinator and include documented retention schedules and restore test logs. Without a written WISP, backup compliance cannot be proven, even if backups exist.

How often should CPA firms test their backups?

Best practice is quarterly restore testing with logs, screenshots, or reports as evidence. Regulators treat a failed restore the same as no backup at all. Testing proves that backups aren’t just taken, but actually usable in a recovery scenario.

Can outsourced IT providers ensure FTC/IRS backup compliance?

Yes, but only if contracts require FTC-level safeguards and the provider can produce audit reports like SOC 2 Type II. The CPA firm is always responsible for oversight. That means even with a managed IT provider, you must document vendor compliance in your WISP.

What counts as compliant destruction of backup data?

The IRS accepts only secure destruction methods: shredding paper, overwriting or reformatting drives, degaussing, or physically destroying backup media. Keeping data beyond retention deadlines without destruction logs is considered noncompliance.
