IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 2026
If you think Publication 4557 is “just guidance,” this is where that assumption quietly falls apart.

If you prepare U.S. tax returns in 2026, the IRS, the FTC, and your clients all assume one thing about your firm: you already have a real cybersecurity program in place to protect taxpayer data.

IRS Publication 4557, Safeguarding Taxpayer Data, is the document the IRS points to when it wants to show what that program should look like for tax professionals, CPA firms, enrolled agents, and Electronic Return Originators.

Publication 4557 is not just “guidance” you can skim and forget. It is the plain-language wrapper around harder obligations such as the FTC Safeguards Rule and the Gramm-Leach-Bliley Act. If your firm suffers a data breach, phishing incident, or business email compromise, regulators and attorneys will ask whether you followed the safeguards described in IRS Publication 4557 and whether you had a written information security plan (WISP) in place.

For small and mid-sized firms, this is not a theoretical risk. Criminals specifically target tax and accounting practices because you hold exactly what they need for identity theft and refund fraud. A single compromised email account, remote desktop connection, or stolen laptop can expose hundreds of Social Security numbers and bank details. During tax season, attackers know you are busy, understaffed, and more likely to click or approve something you should not.

Publication 4557 tells you what the IRS expects you to do about those risks. It covers:

  • The IRS “Security Six” technical safeguards
  • Administrative and physical protections
  • Incident response
  • The requirement to maintain a written security program that fits your firm’s size and complexity

For most practices, that means a combination of stronger controls, better documentation, and more disciplined vendor selection.

This guide explains IRS Publication 4557 in practical terms for 1 to 50-person tax and accounting firms. It shows who is in scope, how Publication 4557 connects to IRS Publication 5708 and the FTC Safeguards Rule, which safeguards the IRS actually expects you to implement, and how to turn all of this into a workable WISP and evidence file.

It also highlights where secure cloud hosting and managed security from a specialist like Verito can cover large parts of the technical requirements without you building an internal IT department.

Table of Contents
  1. What is IRS Publication 4557 and Who Must Comply
    1. What is IRS Publication 4557?
    2. Who Must Follow IRS Publication 4557?
    3. Why IRS Publication 4557 is Non-negotiable in 2026
  2. Core IRS Publication 4557 Requirements: The Security Six And Other Safeguards
    1. The IRS Security Six Explained (For 1 to 50-person Firms)
    2. Administrative Safeguards Under IRS Publication 4557
    3. Technical Safeguards Beyond The Security Six
    4. Physical Safeguards For Offices And Home Offices
    5. Quick IRS Publication 4557 Safeguards Checklist
  3. Written Information Security Plan (WISP) and IRS Publication 5708
    1. What a Written Information Security Plan (WISP) Really Is
    2. How Publication 4557, Publication 5708 And The FTC Safeguards Rule Fit Together
    3. Core Sections Every Tax and Accounting WISP Should Include
    4. Common Gaps That Hurt Firms During Reviews or Incidents
    5. Where Verito’s WISP Resources Fit In
  4. A Practical IRS Publication 4557 Compliance Roadmap for Small Firms
    1. Confirm Your Scope and Data Flows
    2. Run a Practical Risk Assessment
    3. Establish Your Security Six Baseline
    4. Draft or Update Your WISP Using Publication 5708 and a Template
    5. Train Staff and Enforce Your Policies
    6. Test Backups and Incident Response Before You Need Them
    7. Review Vendors and Document Their Safeguards
    8. Schedule Regular Reviews and Prepare for Potential Audits
  5. Proving Compliance: What to Document for IRS 4557 And FTC Safeguards
    1. The Minimum Evidence Set a Small Firm Should Maintain
    2. How to Organize Your “Audit File”
    3. Screenshots, Reports, and Other “Small” Pieces of Evidence
  6. IRS Publication 4557 vs. Publication 5708 vs. FTC Safeguards Rule
    1. What Each Document or Rule Does
    2. Key Requirements Lined up Side-by-side
  7. Turning IRS Publication 4557 Into a Practical Data Security Plan
  8. TL;DR
  9. FAQ

What is IRS Publication 4557 and Who Must Comply

What is IRS Publication 4557?

IRS Publication 4557, officially titled “Safeguarding Taxpayer Data: A Guide for Your Business,” is the IRS playbook for how tax professionals should protect client tax data. It was developed with the IRS Security Summit partners to help firms create and maintain a data security plan that preserves the confidentiality, integrity, and availability of taxpayer information.

In practical terms, Publication 4557 explains the safeguards the IRS expects you to have in place if you handle taxpayer information. It walks through three kinds of safeguards:

  • Administrative safeguards such as policies and training
  • Technical safeguards such as antivirus, firewalls, encryption, and multi-factor authentication
  • Physical safeguards such as office security and secure disposal of paper and devices

The document is written for tax practices, not IT departments, so it links these controls directly to everyday activities like preparing returns, storing client documents, using tax software, and exchanging information with clients and the IRS.

The IRS also ties Publication 4557 to other resources, such as its small business security guidance and Written Information Security Plan (WISP) materials, to help firms turn high-level security expectations into a concrete, written program.

Who Must Follow IRS Publication 4557?

Publication 4557 applies to any business that handles taxpayer data in connection with preparing or filing tax returns. That includes:

  • CPA firms and accounting firms that prepare individual or business tax returns
  • Solo practitioners and small tax practices, even if they operate entirely virtually
  • Enrolled agents
  • Return preparers and bookkeeping firms that collect tax information for return preparation
  • Electronic Return Originators (EROs) and other Authorized IRS e-file Providers
  • Seasonal or part-time preparers who still store or transmit taxpayer information

If you have an EFIN (Electronic Filing Identification Number), use professional tax software, or store Forms W-2, 1099s, organizers, and prior-year returns, the IRS expects you to follow the safeguards described in Publication 4557.

The IRS and Security Summit partners have repeatedly warned that identity thieves specifically target tax professionals of all sizes, not only national brands.

It is important to stress that solo practitioners and very small firms are not exempt. From a regulator’s perspective, a one-person virtual firm holding a few hundred client returns still represents thousands of pieces of sensitive data such as Social Security numbers and bank details. An IRS news release stated that nearly 300 data breaches affecting tax professionals exposed data on up to 250,000 clients in the first half of 2025, which confirms that even small practices are meaningful targets.

Why IRS Publication 4557 is Non-negotiable in 2026

Technically, Publication 4557 is guidance. In reality, it reflects what regulators view as “reasonable” safeguards under enforceable laws and rules, including the FTC Safeguards Rule and the Gramm-Leach-Bliley Act, which treat tax preparers as financial institutions.

That distinction matters. When an incident occurs, enforcement agencies and plaintiff attorneys look at whether you had:

  • A Written Information Security Plan appropriate for your firm size and complexity
  • A documented risk assessment and security program
  • Safeguards such as access controls, encryption, and secure backups that align with what the IRS has been recommending for years
  • Evidence that you trained staff and monitored your environment

If you cannot show that your safeguards look like the ones in Publication 4557, it becomes difficult to argue that your firm took taxpayer data protection seriously.

At the same time, the broader threat environment has intensified. Recent analyses show that a majority of small and mid-sized businesses now experience cyberattacks, and a successful breach can cost from the low six figures up to well over a million dollars once remediation, downtime, and recovery are included.

Put simply, Publication 4557 is non-negotiable in 2026 because it sits at the intersection of three realities:

  • The IRS has publicly defined what it expects tax professionals to do to safeguard taxpayer data.
  • Other regulators, including the FTC, can use those expectations when deciding whether your safeguards were adequate.
  • Attackers are actively targeting tax professionals with phishing, credential theft, and ransomware campaigns that are highly profitable at your scale.

A firm that treats Publication 4557 as optional guidance is effectively choosing higher legal, financial, and reputational risk than competitors who treat it as their baseline security standard.

Core IRS Publication 4557 Requirements: The Security Six And Other Safeguards

Publication 4557 groups its expectations into a mix of technical, administrative, and physical safeguards. For small and mid-sized firms, the most visible piece is the IRS “Security Six,” but stopping there is not enough. You need all three layers working together.

1. The IRS Security Six Explained (For 1 to 50-person Firms)

The Security Six are the minimum technical safeguards the IRS expects every tax professional to have in place:

1. Antivirus and Anti-malware Protection

Every workstation and server that touches taxpayer data needs up-to-date endpoint protection. That includes office desktops, firm laptops, and remote machines used to access your tax applications. Relying on built-in tools without central management and alerting is a weak position. You should be able to show:

  • Centralized console or reporting
  • Automatic updates and scans
  • Alerts for detections and remediation actions

2. Firewalls

Publication 4557 expects properly configured firewalls on all internet connections used for tax work, not just at the main office. That means:

  • A business-grade firewall or secure router at the office
  • Appropriate protection on home networks where staff work remotely
  • Blocking unnecessary inbound connections and logging activity

3. Two-factor or Multi-factor Authentication (MFA)

MFA is now a baseline expectation for:

  • Email accounts used for client communication and tax software logins
  • Remote access methods such as Remote Desktop, VPNs, and hosted desktops
  • Cloud services storing or transmitting taxpayer data

Using only passwords for these systems is increasingly difficult to defend if something goes wrong. Where a service offers it, prefer app-based or hardware-key authentication over SMS codes, which attackers can intercept or talk a carrier into redirecting.

4. Drive Encryption

Laptops, portable drives, and any workstation that could be stolen or lost should have full disk encryption enabled. This is particularly important if staff work from home or travel with devices that hold or can access tax data. Many state breach-notification laws exempt lost devices whose data was encrypted, so proper encryption can be the difference between a reportable breach and a lost device that does not trigger notification duties. That exemption only helps if the device was locked or powered off when it was lost and the recovery key was not stored with it, so keep recovery keys in a central, access-controlled location.

5. Secure Backup and Recovery

The IRS explicitly highlights the importance of secure, tested backups to defend against ransomware and other destructive incidents. At minimum, a firm should be able to answer:

  • What is backed up, how often, and where it is stored
  • How long backups are retained
  • When the last successful restore test was done and documented

Offsite or cloud backups should be encrypted and segregated so that an attacker who compromises a workstation cannot simply delete your backups. In practice that means the backup system uses its own credentials (not a domain administrator account), its console is behind MFA, and the storage keeps versions or immutable copies so encrypted or deleted files can be rolled back.

6. Secure Remote Access

Remote work is now standard for many firms. Publication 4557 expects remote access to tax applications and data to use secure methods such as VPNs, hosted desktops, or other controlled channels. Directly exposing Remote Desktop Protocol (RDP) to the internet or using weakly secured remote tools is difficult to defend. You should be using:

  • VPNs or secure application gateways
  • MFA on remote access tools
  • Role-based access and logging

For a 1–50 person firm, the easiest way to meet most of the Security Six is usually a mix of secure cloud hosting and managed security, instead of trying to assemble and monitor everything on your own hardware. We will return to that when we discuss the implementation roadmap.
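The backup questions above only count as evidence if you can show that a restore actually reproduced the files you backed up. The following is an added example, not text or code from Publication 4557 or from any vendor: a small Python script that records a checksum manifest when a backup runs and later compares a restored copy against it, reporting missing, altered, and unexpected files together with a timestamp you can drop into your evidence file. The folder layout, file names, and the two sample “PDFs” are constructed for the example.

```python
"""Restore-test verification with a content manifest.

Added example, not IRS or vendor code. make_manifest() is run against the
live client-data folder when the backup runs; verify_restore() is run
against the restore target during the periodic restore test. The sample
tree below is constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    found = make_manifest(restored)
    missing = sorted(set(manifest) - set(found))          # never restored
    extra = sorted(set(found) - set(manifest))            # not in the backup
    mismatched = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(manifest),
        "files_ok": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "passed": not missing and not mismatched,
    }


def run_sample() -> tuple[dict, dict]:
    """Construct a source tree, a faithful restore and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "clients")
        (src / "2025").mkdir(parents=True)
        # Constructed stand-ins for client documents (not real PDFs).
        (src / "2025" / "smith_1040.pdf").write_bytes(b"%PDF-1.7 constructed sample")
        (src / "2025" / "jones_w2.pdf").write_bytes(b"%PDF-1.7 another sample")
        manifest = make_manifest(src)

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "2025" / "jones_w2.pdf").write_bytes(b"truncated")  # silent corruption
        (bad / "2025" / "smith_1040.pdf").unlink()                  # file never restored

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_report, bad_report = run_sample()
    print(json.dumps(good_report, indent=2))
    print(json.dumps(bad_report, indent=2))
```

Keep the manifest with the backup set, not only on the workstation that created it, and store the JSON report from each restore test in the audit file described later in this guide; a report that says `"passed": true` with a date is exactly the evidence the “last successful restore test” question is asking for.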

2. Administrative Safeguards Under IRS Publication 4557

The technical controls above are only part of the picture. Publication 4557 expects firms to implement administrative safeguards that make security part of day-to-day operations, not just an IT problem:

Documented Policies and Procedures

Written rules for password practices, acceptable use, remote work, data handling, incident reporting, and vendor management should live inside your Written Information Security Plan, not scattered in emails.

Defined Roles and Responsibilities

Even in a three-person practice, someone must be accountable for security decisions, vendor oversight, and WISP maintenance. In larger firms, this responsibility may be shared between a managing partner, operations manager, and external IT provider.

Employee Security Awareness and Training

Staff must be trained regularly on phishing, social engineering, safe use of email and file sharing, and how to report suspicious activity. Training should be logged, with dates and attendance records, because Publication 4557 and the FTC Safeguards Rule both emphasize ongoing education.

Access Management

Only personnel who need taxpayer data to perform their duties should have access to it. This includes:

  • Unique user accounts
  • Prompt removal of access when staff leave
  • Segregation between tax, bookkeeping, admin, and temporary staff where appropriate
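Access management is one of the few administrative safeguards you can check mechanically instead of by memory. As an added example (not from Publication 4557 or any vendor tool), the Python below reconciles a constructed HR roster against a constructed account export from a system that holds taxpayer data and flags accounts with no matching person, accounts still open for terminated staff, shared logins, admin rights outside the roles assumed to need them, missing MFA, and dormant accounts. The column names, the roles allowed admin rights, the generic-name hints, and the 60-day dormancy threshold are assumptions you would adjust to your own exports.

```python
"""Joiner/mover/leaver reconciliation for a small firm's user accounts.

Added example, not IRS or vendor code. Inputs are two exports almost any
system can produce: an HR roster (who works here, in what role) and an
account list (every login on a system holding taxpayer data). Both sample
datasets below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: one row per person who has ever had an account.
ROSTER_CSV = """\
email,name,role,status
alice@example-cpa.com,Alice Partner,partner,active
bob@example-cpa.com,Bob Preparer,preparer,active
carol@example-cpa.com,Carol Admin,admin_staff,active
dave@example-cpa.com,Dave Seasonal,seasonal,terminated
"""

# Constructed account export from a system holding taxpayer data.
ACCOUNTS_CSV = """\
username,mfa_enabled,is_admin,last_login
alice@example-cpa.com,true,true,2026-02-10
bob@example-cpa.com,true,false,2026-02-11
carol@example-cpa.com,false,false,2026-02-09
dave@example-cpa.com,true,false,2025-10-30
frontdesk@example-cpa.com,false,false,2026-02-11
erin@example-cpa.com,true,true,2025-11-15
"""

ADMIN_ROLES = {"partner"}  # assumption: roles that legitimately need admin rights
SHARED_NAME_HINTS = ("frontdesk", "office", "shared", "admin@", "tax@")  # assumption
DORMANT_DAYS = 60  # assumption: an account unused this long should be reviewed


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def _parse(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(roster_csv: str, accounts_csv: str, today: date) -> list[Finding]:
    """Compare every account against the roster and return each control gap."""
    roster = {r["email"].lower(): r for r in _parse(roster_csv)}
    findings: list[Finding] = []
    for acct in _parse(accounts_csv):
        user = acct["username"].lower()
        person = roster.get(user)
        mfa = acct["mfa_enabled"].lower() == "true"
        is_admin = acct["is_admin"].lower() == "true"
        last_login = date.fromisoformat(acct["last_login"])

        # Identity: who does this login belong to, and should it still exist?
        if any(hint in user for hint in SHARED_NAME_HINTS):
            findings.append(Finding(user, "shared/generic account; no individual accountability"))
        elif person is None:
            findings.append(Finding(user, "account has no matching person on roster (orphan)"))
        elif person["status"] != "active":
            findings.append(Finding(user, f"owner is {person['status']} but account still exists"))

        # Least privilege: admin rights only for roles that need them.
        if person is not None and is_admin and person["role"] not in ADMIN_ROLES:
            findings.append(Finding(user, f"admin rights but role is {person['role']}"))

        # Baseline controls from the Security Six.
        if not mfa:
            findings.append(Finding(user, "MFA not enabled"))
        idle = (today - last_login).days
        if idle > DORMANT_DAYS:
            findings.append(Finding(user, f"no login in {idle} days"))
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings so one line per account can go into the review record."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.username, []).append(f.issue)
    return grouped


def run_sample() -> list[Finding]:
    """Run the reconciliation on the constructed data as of a fixed review date."""
    return reconcile(ROSTER_CSV, ACCOUNTS_CSV, today=date(2026, 2, 12))


if __name__ == "__main__":
    for user, issues in findings_by_user(run_sample()).items():
        print(user)
        for issue in issues:
            print("   -", issue)
```

Run it at least quarterly and after every departure, keep the output with the date and the name of the person who resolved each finding, and you have both the control and the evidence for it. On the constructed data the two clean accounts produce no findings; the terminated preparer, the orphan with admin rights, the shared front-desk login, and the account without MFA each produce at least one.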

Vendor Management

Tax software providers, cloud hosting vendors, payroll services, and other third parties may all touch taxpayer data. Publication 4557 expects you to exercise due diligence: understand how they protect data, what certifications they hold, and what happens if they suffer a breach.

Incident Response Process

Firms are expected to know what to do if they suspect data theft or a ransomware attack, including when and how to notify the IRS, state tax agencies, and affected taxpayers. This process should be written down and rehearsed, not invented during a crisis.

3. Technical Safeguards Beyond The Security Six

In addition to the Security Six, IRS guidance and related regulations point to a broader set of technical safeguards that a serious program should include:

Patch and Update Management

Operating systems, tax applications, browsers, and plugins should be kept up to date. Many successful attacks still exploit vulnerabilities that have had patches available for months.

Email Security Controls

Combining MFA with spam filtering, attachment scanning, and link protection significantly reduces the risk of credential theft and malware arriving through email.

Configuration and Hardening

Default configurations are often insecure. Systems that handle taxpayer data should be hardened by disabling unused services, closing unnecessary ports, and aligning settings with security best practices.

Network Segmentation and Least Privilege

Where possible, internal networks should separate sensitive systems from general office devices. Staff should have only the access they need, not full administrator rights on everything by default.

Monitoring and Logging

You should be able to see when logins occur from unusual locations, when repeated failed login attempts happen, or when systems are disabled. For most small firms, this means either a managed detection and response service or security tooling provided by a hosting partner.
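To make the monitoring expectation concrete, here is an added example (not IRS or vendor code) of the detection logic a small firm, or the provider it pays, should be running over sign-in logs. The log format and its entries are constructed; real exports from Microsoft 365, Google Workspace, or a hosted-desktop provider carry the same fields under different names. The script flags a burst of failed logins for one account, a success that immediately follows such a burst, a login from outside the countries where staff actually work, and two successful logins from different countries too close together to be the same person. The thresholds and the home-country list are assumptions to tune.

```python
"""Minimal sign-in anomaly detection over exported authentication logs.

Added example, not IRS or vendor code. One constructed line per sign-in
attempt; the regex below matches that constructed format only.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (RFC 5737 test addresses, fictional accounts).
LOG = """\
2026-02-11T08:01:02Z user=bob@example-cpa.com result=SUCCESS ip=198.51.100.4 country=US
2026-02-11T08:05:10Z user=carol@example-cpa.com result=FAILURE ip=203.0.113.7 country=RU
2026-02-11T08:05:14Z user=carol@example-cpa.com result=FAILURE ip=203.0.113.7 country=RU
2026-02-11T08:05:19Z user=carol@example-cpa.com result=FAILURE ip=203.0.113.7 country=RU
2026-02-11T08:05:25Z user=carol@example-cpa.com result=FAILURE ip=203.0.113.7 country=RU
2026-02-11T08:05:31Z user=carol@example-cpa.com result=FAILURE ip=203.0.113.7 country=RU
2026-02-11T08:05:44Z user=carol@example-cpa.com result=SUCCESS ip=203.0.113.7 country=RU
2026-02-11T08:40:00Z user=bob@example-cpa.com result=SUCCESS ip=192.0.2.55 country=NG
2026-02-11T09:15:00Z user=alice@example-cpa.com result=FAILURE ip=198.51.100.9 country=US
2026-02-11T09:15:30Z user=alice@example-cpa.com result=SUCCESS ip=198.51.100.9 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) "
    r"ip=(?P<ip>\S+) country=(?P<country>[A-Z]{2})$"
)

FAIL_THRESHOLD = 5                    # assumption: failures ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window = burst
TRAVEL_WINDOW = timedelta(hours=2)    # assumption: two countries inside this = not one person
HOME_COUNTRIES = {"US"}               # assumption: where the firm's staff actually work


def parse(log_text: str) -> list[dict]:
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, user, reason) for every event that deserves a look."""
    alerts: list[tuple[datetime, str, str]] = []
    recent_fail: dict[str, deque] = defaultdict(deque)  # user -> failure timestamps in window
    burst_at: dict[str, datetime] = {}                  # user -> when a burst was declared
    last_success: dict[str, tuple[datetime, str]] = {}  # user -> (ts, country)

    for e in events:
        user, ts = e["user"], e["ts"]
        q = recent_fail[user]
        while q and ts - q[0] > FAIL_WINDOW:  # age out old failures
            q.popleft()

        if e["result"] == "FAILURE":
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:
                alerts.append((ts, user, f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}"))
                burst_at[user] = ts
            continue

        # From here on the event is a SUCCESS.
        started = burst_at.pop(user, None)
        if started is not None and ts - started <= FAIL_WINDOW:
            alerts.append((ts, user, "success immediately after failure burst (possible compromise)"))
        if e["country"] not in HOME_COUNTRIES:
            alerts.append((ts, user, f"success from unexpected country {e['country']} ({e['ip']})"))
        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append((ts, user, f"logins from {prev[1]} and {e['country']} within {TRAVEL_WINDOW}"))
        last_success[user] = (ts, e["country"])
        q.clear()  # a success resets the failure counter
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(parse(LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:28} {reason}")
```

On the constructed log the script raises five alerts: three for the account that is brute-forced and then logged into from Russia, two for the account used from the United States and Nigeria forty minutes apart, and none for the preparer who mistyped a password once. Whatever tool your provider uses should be able to show you equivalent alerts, and the response to each one belongs in the incident log discussed later.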

Data Loss Prevention Basics

Even if you do not deploy a full data loss prevention platform, you should restrict the use of USB drives, public file sharing tools, and personal email for transmitting tax documents.

4. Physical Safeguards For Offices And Home Offices

Publication 4557 also expects firms to address the physical side of safeguarding taxpayer data:

Office Access Control

Limit access to areas where taxpayer data is processed or stored. Lock doors and file rooms when left unsupervised. Do not leave client files in conference rooms or public areas.

Secure Storage for Paper Records

Filing cabinets containing tax returns, source documents, and prior year archives should be lockable. Access should be restricted and logged informally at minimum.

Clean Desk Practices

Staff should not leave printed returns, organizers, or notes with taxpayer information on desks overnight or in shared spaces.

Secure Disposal

Paper records should be shredded or destroyed using secure methods, not placed in regular trash. Old hard drives, USB sticks, and other media must be wiped or physically destroyed before disposal or reuse.

Home Office Expectations

If staff work from home, you still own the risk. Devices used for firm work should not be shared with family members. Paper printouts at home must be stored and disposed of securely. Home Wi-Fi should be secured with strong encryption and passwords.

Quick IRS Publication 4557 Safeguards Checklist

This checklist is not a substitute for a full Written Information Security Plan, but it is a quick way to see whether you are broadly aligned with Publication 4557 expectations:

  • Antivirus and anti-malware running and centrally managed on all firm devices
  • Business-grade firewalls in place for office and remote locations used for firm work
  • MFA enabled on email, tax applications, remote access, and cloud systems
  • Full disk encryption on laptops and other mobile devices that handle taxpayer data
  • Encrypted, offsite, or cloud backups tested and documented at regular intervals
  • Secure, MFA-protected remote access methods only – no open RDP (Remote Desktop Protocol) to the internet
  • Written policies covering passwords, remote work, incident response, and vendor management
  • Defined security roles, even if combined with other responsibilities
  • Regular, logged security awareness training for all staff and contractors
  • Vendor due diligence performed and documented for key providers
  • Physical controls in place for both office and home office environments

Written Information Security Plan (WISP) and IRS Publication 5708

What a Written Information Security Plan (WISP) Really Is

A Written Information Security Plan is simply your firm’s playbook for how you protect taxpayer data. It describes, in one place, what information you hold, where it lives, who can access it, what safeguards you use, and how you respond if something goes wrong. It is not just a policy binder for a shelf. It is the central document regulators, insurers, and auditors expect to see when they ask how you safeguard client information.

Publication 4557 points repeatedly to the need for a written security program that is appropriate for your firm’s size and complexity. The IRS then goes further and publishes Publication 5708, a dedicated WISP guide for tax and accounting practices. Publication 5708 is a 28-page template designed for firms, especially small ones, to build a WISP that fits their practice, rather than copying a generic enterprise document.

How Publication 4557, Publication 5708 And The FTC Safeguards Rule Fit Together

It helps to think of these documents and rules as layers:

  • IRS Publication 4557 describes the safeguards the IRS expects tax professionals to use to protect taxpayer data. It covers the Security Six, administrative and physical controls, and incident response.
  • IRS Publication 5708 gives you a structured way to write those safeguards down in a WISP that fits a tax or accounting practice. It is essentially a fillable framework for building your own plan.
  • The FTC Safeguards Rule (16 CFR Part 314) is the binding regulation that requires covered financial institutions, including tax preparers, to maintain a comprehensive written information security program. It requires you to:
    • Designate a qualified individual to oversee the program
    • Perform written risk assessments
    • Limit and monitor who can access customer information, and require multi-factor authentication for that access
    • Encrypt customer information in transit and at rest
    • Train staff and oversee service providers
    • Maintain a written incident response plan and keep senior management informed of material issues
    • Notify the FTC within 30 days of discovering a security event that involves the unencrypted information of at least 500 consumers

In other words, Publication 4557 tells you what the safeguards should look like, Publication 5708 helps you write them into a WISP, and the FTC Safeguards Rule is the legal requirement that makes having a written information security program non-optional for covered firms.

If your WISP does not exist, is outdated, or is a generic template that does not match how your firm actually works, it will be very hard to argue that you complied with these expectations.

Core Sections Every Tax and Accounting WISP Should Include

Publication 5708 and FTC guidance do not force a single format, but most strong WISPs for 1 to 50-person tax and accounting firms contain at least these sections:

1. Purpose and Scope

What the plan covers, which entities and locations are in scope, and which systems and data classes (for example, individual returns, business returns, payroll, portals).

2. Roles and Governance

Identification of the qualified individual responsible for the information security program, along with partners or managers who support decisions and review reports.

3. Data Inventory and Classification

A high-level description of what taxpayer and firm data you hold, where it is stored (on premises, hosted, cloud applications), and how sensitive different categories are.

4. Risk Assessment

A written summary of likely threats to your firm (phishing, credential theft, ransomware, lost devices, vendor breaches), the likelihood and impact of each, and the safeguards you use to mitigate them.

5. Safeguard Catalog

A structured list of your administrative, technical, and physical controls. This is where the Security Six, password rules, access management, training, vendor due diligence, backup strategy, and monitoring are described, along with who owns each control.

6. Access Control and User Management

How accounts are created, changed, and disabled, how least privilege is enforced, and how remote access is controlled.

7. Vendor and Service Provider Management

How you select, review, and monitor tax software vendors, cloud hosting providers, and other third parties that receive taxpayer data.

8. Incident Response and Business Continuity

What happens if you suspect a breach or ransomware incident, who is notified, how you decide whether to contact the IRS and state agencies, and how you keep operating while systems are investigated or restored.

9. Backup and Disaster Recovery

Where backups live, how often they run, how long you retain them, and how often you test restores.

10. Training, Testing, and Review Cadence

How often you train staff, test controls, and review and update the WISP itself. Many firms choose an annual formal review plus ad-hoc updates after major changes or incidents.

A central idea in both Publication 5708 and FTC guidance is simple: if a control is not written down, assigned to an owner, and reviewed, it will not be treated as real compliance.

Common Gaps That Hurt Firms During Reviews or Incidents

When examiners, insurers, or outside consultants look at small-firm WISPs, the same gaps appear again and again:

  • The WISP exists, but is a stock template with another firm’s name still visible in places.
  • The document has not been updated in years, even though the firm migrated to new software, added remote staff, or moved to hosted servers.
  • There is little or no description of incident response, even though the FTC Safeguards Rule explicitly calls for it. A recent survey by Shred-it, an information security firm, found that roughly two thirds of small U.S. businesses have no incident response plan at all, which is exactly the kind of weakness regulators expect financial firms to avoid.
  • Vendor oversight is described at a high level, but there is no evidence of actual reviews, contracts, or security questionnaires.
  • Controls such as MFA, encryption, and backups are mentioned, but there are no references to supporting reports or screenshots.

A WISP that has these gaps will leave you exposed, even if some technical safeguards are in place behind the scenes.

Where Verito’s WISP Resources Fit In

At this point many firms realize they need a better WISP, but do not have time to draft one from scratch or to map it carefully to IRS 4557 and the FTC Safeguards Rule. That is why Verito provides two practical options:

  • A free WISP template you can adapt to your own practice, aligned with IRS Publication 5708 and small firm realities.
  • VeritShield WISP, a customized or audit-ready WISP offering that is built specifically for tax and accounting firms and designed to align with IRS Publication 4557, Publication 5708, and the FTC Safeguards Rule. If you want a pre-structured WISP or help building one that will stand up to regulatory and insurance scrutiny, Verito’s VeritShield WISP will help you streamline your WISP preparation.

A Practical IRS Publication 4557 Compliance Roadmap for Small Firms

IRS Publication 4557 can feel abstract until you translate it into specific tasks. The goal of this roadmap is simple: if you follow these steps, you can show that:

  • You understand your risks
  • You have chosen reasonable safeguards
  • You have a Written Information Security Plan that reflects how your firm actually works

Think in terms of quarters, not days. You do not have to fix everything this week, but you do need a plan that you can defend.

1. Confirm Your Scope and Data Flows

Start by defining what is in scope. You cannot protect, or document, what you have not mapped.

  • List every system that stores or processes taxpayer data
    • Tax preparation software
    • Practice management and document management tools
    • Portals and e-signature platforms
    • Email accounts used with clients
    • File servers, hosted desktops, and cloud drives
  • Identify where people work
    • Office locations
    • Home offices
    • Offshore or remote staff
  • Identify all third parties that touch taxpayer data
    • Tax and accounting software vendors
    • Cloud hosting providers
    • Outsourced bookkeeping or seasonal prep support

Document this in a simple data flow description inside your WISP. Examiners care less about polished diagrams and more about whether you clearly understand where taxpayer information actually lives.

                                                          2. Run a Practical Risk Assessment

                                                          Next, identify the realistic ways in which taxpayer data could be exposed or made unavailable.

                                                          For most small tax and accounting firms, the top risks are:

                                                          • Phishing that leads to compromised email accounts
                                                          • Ransomware that encrypts servers or hosted desktops
                                                          • Lost or stolen laptops and phones
                                                          • Misconfigured remote access or cloud storage
                                                          • A vendor breach that spills your client files

                                                          For each risk, write down:

                                                          • How likely it is for your firm, given your size and technology stack
                                                          • What the impact would be in terms of downtime, notifications, and client harm
                                                          • Which safeguards from Publication 4557 you already have in place
                                                          • Which gaps clearly need attention in the next 3 to 12 months

This does not need to be a multi-week consulting project. A focused half-day with the managing partner, operations lead, and your IT or hosting provider can produce a risk assessment that fills the risk section of the Publication 5708 template and meets FTC Safeguards Rule expectations, as long as you write it up and keep it updated.

                                                          3. Establish Your Security Six Baseline

                                                          With your systems and risks identified, compare your current controls to the IRS Security Six and related technical safeguards:

• Do all firm devices that touch taxpayer data have centrally managed endpoint protection?
• Are firewalls business-grade and properly configured at all firm locations and remote setups?
• Is multi-factor authentication enforced on email, tax applications, remote access, and cloud services?
• Are all laptops and portable devices encrypted?
• Are offsite backups encrypted and regularly tested?
• Is remote access secured and logged, with no RDP exposed directly to the internet and no unmanaged remote-control tools?

                                                          Create a simple table inside your WISP:

                                                          • Column 1: Security Six control
                                                          • Column 2: Current state at your firm
                                                          • Column 3: Gaps or exceptions
                                                          • Column 4: Planned remediation with an owner and timeline

                                                          That table becomes a core part of your written information security program and shows anyone reviewing your WISP that you have treated the Security Six as non-negotiable.

                                                          4. Draft or Update Your WISP Using Publication 5708 and a Template

                                                          At this stage you know what you have, where your risks are, and how the Security Six applies. Now you need a WISP that reflects this reality.

                                                          Use Publication 5708 as the structure and a practical template as your starting point. For each section:

                                                          • Replace generic language with how your firm actually operates
                                                          • Insert the results of your risk assessment, not examples
                                                          • Describe your real safeguards and monitoring, even if they are still a work in progress
                                                          • Reference concrete evidence such as reports, logs, or vendor attestations where appropriate

                                                          If you already have a WISP, treat this as an update cycle, not a total rewrite. Update the scope, risk assessment, safeguards, and vendor list so that they match your current systems, especially if you have moved to cloud hosting or changed tax software in the last year.

                                                          5. Train Staff and Enforce Your Policies

                                                          A WISP with no training evidence looks weak in any review.

Publication 4557 expects tax professionals to train staff on:

                                                          • Recognizing phishing and social engineering
                                                          • Secure use of email, portals, and file sharing
                                                          • How to handle taxpayer documents in the office and at home
                                                          • How to report suspicious activity or suspected incidents

                                                          For a 1 to 50-person firm, aim for:

                                                          • At least one focused security training session per year for all staff who touch taxpayer data
                                                          • Short reminders during tax season when phishing risk peaks
                                                          • Signed or electronic acknowledgements that staff have read key policies

                                                          Record dates, topics, attendance, and any follow-up actions. Insert a brief training log into your WISP or keep it as an appendix. When regulators and insurers talk about a “security aware culture,” this is the kind of basic evidence they expect to see.

                                                          6. Test Backups and Incident Response Before You Need Them

                                                          Publication 4557 emphasizes secure backups and having a plan for what to do when something goes wrong. It is not enough to assume your backups are working or that your team knows how to react.

                                                          At least annually, and ideally more often:

                                                          • Perform a test restore from your backups into a non-production environment
                                                          • Time how long it takes to restore a representative sample of client data or a key application
                                                          • Document the test, the result, and any problems uncovered
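The restore test above is easier to defend when it is repeatable and leaves a dated record behind. The following PowerShell functions are an added example, not the page's own procedure or any vendor's tooling: one records a SHA-256 manifest when a backup is taken, the other restores the archive into a scratch folder, compares every file against that manifest, times the restore, and appends one row to a restore-test log. It assumes backups packaged as a .zip, a manifest CSV with RelativePath and Hash columns, and the log location C:\AuditFile\05-BackupsDR\restore-tests.csv; all paths are assumptions to replace with the firm's own.

```powershell
# Added example (not from the page or from any vendor): integrity-verified restore
# test with a dated log entry for the audit file.
# Assumptions: backups are .zip archives, the manifest is a CSV with columns
# RelativePath and Hash (SHA-256) written when the backup was taken, and the
# log lives at C:\AuditFile\05-BackupsDR\restore-tests.csv. Requires PowerShell 5+.

function New-BackupManifest {
    # Run at backup time: records what the backup is supposed to contain.
    param(
        [Parameter(Mandatory)] [string]$SourceRoot,
        [Parameter(Mandatory)] [string]$ManifestCsv
    )
    $root = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Hash         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestCsv -NoTypeInformation
}

function Test-BackupRestore {
    # Restores into a scratch folder (never the production path), verifies every
    # file in the manifest, times the restore, logs the result and cleans up.
    param(
        [Parameter(Mandatory)] [string]$BackupZip,
        [Parameter(Mandatory)] [string]$ManifestCsv,
        [string]$LogPath = 'C:\AuditFile\05-BackupsDR\restore-tests.csv'   # assumed location
    )
    $scratch = Join-Path $env:TEMP ('restore-test-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        # Time only the restore, not the hashing, so the recovery-time figure stays honest
        $elapsed = Measure-Command { Expand-Archive -LiteralPath $BackupZip -DestinationPath $scratch }

        $expected = @(Import-Csv -LiteralPath $ManifestCsv)
        $missing = @(); $corrupt = @()
        foreach ($row in $expected) {
            $restored = Join-Path $scratch $row.RelativePath
            if (-not (Test-Path -LiteralPath $restored)) { $missing += $row.RelativePath; continue }
            $actual = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($actual -ne $row.Hash) { $corrupt += $row.RelativePath }
        }
        $result = if ($missing.Count -eq 0 -and $corrupt.Count -eq 0) { 'PASS' } else { 'FAIL' }

        # One dated row per test; this is the record the WISP points to
        $entry = [pscustomobject]@{
            TestedOn       = (Get-Date).ToString('s')
            TestedBy       = $env:USERNAME
            Backup         = $BackupZip
            FilesExpected  = $expected.Count
            FilesMissing   = $missing.Count
            FilesCorrupt   = $corrupt.Count
            RestoreSeconds = [math]::Round($elapsed.TotalSeconds, 1)
            Result         = $result
            Problems       = (($missing + $corrupt) | Select-Object -First 5) -join ';'
        }
        New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null
        $entry | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
        return $entry
    }
    finally {
        # Do not leave restored taxpayer data sitting in a temp folder after the test
        Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (paths are assumptions):
#   New-BackupManifest -SourceRoot 'D:\ClientFiles' -ManifestCsv 'D:\Backups\clients-2026-03-01.manifest.csv'
#   Compress-Archive -Path 'D:\ClientFiles\*' -DestinationPath 'D:\Backups\clients-2026-03-01.zip'
#   Test-BackupRestore -BackupZip 'D:\Backups\clients-2026-03-01.zip' -ManifestCsv 'D:\Backups\clients-2026-03-01.manifest.csv'
```

Compress-Archive appears only to keep the example self-contained; a real backup product produces its own archive, and the manifest comparison applies unchanged to a restore from it. A FAIL row with names in the Problems column is exactly the "problems uncovered" evidence the step above asks you to keep, and a run that never completes is itself a finding.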

                                                          Separately, walk through a simple incident response scenario. For example:

                                                          • A staff member reports a suspicious email that they clicked
                                                          • A hosted desktop session shows signs of ransomware
                                                          • A laptop containing taxpayer data is lost or stolen

                                                          For each scenario, practice:

                                                          • Who is called first inside the firm
                                                          • Who contacts your IT or hosting provider
                                                          • How you decide whether to shut systems down temporarily
                                                          • When you involve legal counsel and insurance
                                                          • When and how you would notify the IRS and affected clients

                                                          Write these expectations into your WISP. If you use a secure hosting provider like Verito for your tax applications, clarify in your plan which parts of incident response and recovery are handled by Verito and which are handled by your firm.

                                                          7. Review Vendors and Document Their Safeguards

                                                          Publication 4557 and the FTC Safeguards Rule both require you to oversee service providers that handle taxpayer data. This does not mean you need to re-engineer their controls, but you do need to show that you asked appropriate questions and made informed choices.

                                                          For each key vendor:

                                                          • Keep copies of contracts or service agreements that reference security and confidentiality
                                                          • Request security documentation, such as SOC 2 reports or equivalent attestations where available
                                                          • Confirm use of encryption, access controls, and segregation of client data
                                                          • Understand what the vendor will do, and what they expect from you, if they suffer a breach

                                                          Record a brief vendor review summary in your WISP or in a separate vendor management log. Update it when you renew contracts or change providers. This is particularly important for tax software vendors, cloud hosting platforms, and outsourced prep teams.

                                                          8. Schedule Regular Reviews and Prepare for Potential Audits

                                                          Finally, turn your one-time project into a repeatable process.

                                                          At minimum, you should:

                                                          • Review and update your WISP at least annually
                                                          • Update the risk assessment whenever you adopt new software, move to or from cloud hosting, or significantly change how you work
                                                          • Re-check the Security Six and related safeguards at least once a year
                                                          • Update vendor reviews when contracts renew or when a provider experiences a known incident

                                                          Create a simple calendar entry or task list that covers:

                                                          • WISP annual review
                                                          • Training and phishing awareness schedule
                                                          • Backup test schedule
                                                          • Vendor review schedule

                                                          Keep an “audit file” where you collect:

                                                          • The current and prior versions of your WISP
                                                          • Risk assessment summaries
                                                          • Training logs
                                                          • Backup and incident response test records
                                                          • Vendor documentation
                                                          • Key screenshots or reports that show MFA, encryption, and monitoring are in place

                                                          If you ever face questions from the IRS, the FTC, state regulators, cyber insurers, or plaintiff attorneys, having this file ready is far better than trying to reconstruct proof under pressure.

Proving Compliance: What to Document for IRS 4557 and FTC Safeguards

                                                          Publication 4557 and the FTC Safeguards Rule both talk about safeguards, plans, and programs. In practice, what matters when something goes wrong is what you can prove. That means having dated, organized evidence that you actually did what your Written Information Security Plan says you do.

                                                          Think of this as building an “audit file” in parallel with your security program.

                                                          The Minimum Evidence Set a Small Firm Should Maintain

                                                          For a 1 to 50-person tax or accounting firm, regulators and insurers are usually looking for the same core categories of proof.

                                                          You should be able to put your hands on, without scrambling:

                                                          • Current and Prior Versions of Your WISP
                                                            • With version numbers or dates
                                                            • Showing when it was last reviewed and by whom
                                                            • Reflecting your real systems and vendors
                                                          • Risk Assessment Documentation
                                                            • A short written summary of key risks, likelihood, and impact
                                                            • Notes on which controls mitigate each risk
                                                            • Dates of review and any changes since the prior year
                                                          • Security Six Baseline and Remediation Log
                                                            • The table you built earlier that shows where you stood on each of the Security Six
                                                            • Entries showing when you closed gaps or changed vendors
                                                          • Access Control and User Management Records
                                                            • Onboarding and offboarding checklists for staff
                                                            • Logs or exports showing active accounts in key systems
                                                            • Evidence that former employees and contractors have been deprovisioned
                                                          • Backup and Disaster Recovery Evidence
                                                            • Backup configuration summaries or reports
                                                            • Records of at least one restore test per year
                                                            • Any issues found during tests and how they were fixed
                                                          • Security Awareness Training Logs
                                                            • Dates and topics of training sessions
                                                            • Attendance or completion records
                                                            • Copies of phishing simulations or awareness materials, if used
                                                          • Vendor Due Diligence Files
                                                            • Copies of contracts that address confidentiality and security
                                                            • Security documentation from key vendors (for example, SOC 2 reports or security whitepapers)
                                                            • Notes from your last review and any red flags you addressed
                                                          • Incident and Near Miss Records
                                                            • A simple log of suspected incidents, investigations, and outcomes
                                                            • Any notifications made to the IRS, state agencies, clients, or insurers

                                                          A firm that can produce this material on request looks very different from a firm that says “we take security seriously” but cannot show how.

                                                          How to Organize Your “Audit File”

                                                          You do not need a complex GRC platform to be ready for questions. For most small firms, a simple folder structure works:

                                                          1. WISP
                                                          2. Risk Assessment
                                                          3. Security Six Baseline
                                                          4. Access and User Management
                                                          5. Backups and DR
                                                          6. Training
                                                          7. Vendors
                                                          8. Incidents

                                                          Keep this in a secure document management system, not on a random desktop. Within each folder, include a short “readme” document that explains what is in the folder and how often it is updated. That alone can make external reviews much smoother.

                                                          It is also useful to add a one or two-page compliance mapping in the WISP appendix that shows:

                                                          • Which WISP sections and evidence align with key points in IRS Publication 4557
                                                          • How your controls map to the major elements of the FTC Safeguards Rule (qualified individual, risk assessment, safeguards, training, vendor oversight, incident response)

                                                          This does not need to be exhaustive, but it should be clear enough that a reviewer can see you have thought about alignment, not just collected documents.

                                                          Screenshots, Reports, and Other “Small” Pieces of Evidence

                                                          Many firms underestimate the value of simple screenshots and exports. Used properly, they are a fast way to show that controls exist and are monitored. Examples include:

                                                          • MFA configuration screens for email, tax software, and remote access
                                                          • Device encryption status summaries for firm laptops
                                                          • Firewall configuration overviews that show remote access rules and logging enabled
                                                          • Endpoint protection dashboards showing coverage and recent detections
                                                          • Backup job summaries showing schedules and last successful run

                                                          Capture these on a reasonable cadence, such as quarterly or after major changes, and file them in the relevant folders. They complement, but do not replace, your WISP and higher level policies.
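The evidence listed above, and the Security Six comparison from step 3 of the roadmap, can be captured from a Windows endpoint by script instead of by hand. The following PowerShell script is an added example, not code from the page or from Verito: it reads endpoint protection, firewall, drive encryption and remote-access state, scores each against a simple pass threshold, and writes a dated JSON record into the audit file. It assumes Windows 10 or 11 Pro with Microsoft Defender, the NetSecurity and BitLocker modules, and an elevated prompt; the folder C:\AuditFile\03-SecuritySix and the thresholds (signatures no older than 7 days, inbound default Block with logging, BitLocker On, no RDP rule reachable from the Public profile) are policy assumptions, not IRS-published numbers. MFA cannot be read from the endpoint, so that evidence is still a screenshot or admin report from the identity provider or tax application.

```powershell
# Added example (not from the page or from any vendor): capture Security Six
# evidence from one Windows endpoint into a dated JSON file for the audit file.
# Assumptions: Windows 10/11 Pro with Microsoft Defender, the NetSecurity and
# BitLocker modules, run from an elevated prompt; the folder name and the pass
# thresholds below are policy choices, not IRS-published numbers.
# MFA state lives in your identity provider and tax application, not on the
# endpoint, so that evidence is still captured as a screenshot or admin report.

param(
    [string]$EvidenceRoot = 'C:\AuditFile\03-SecuritySix'   # assumed audit-file folder
)

$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyy-MM-dd'

# 1. Endpoint protection: Defender real-time protection on, signatures current.
#    A third-party EDR replaces this block with its own status query.
$mp = Get-MpComputerStatus
$endpoint = [ordered]@{
    RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
    SignatureAgeDays   = [int]$mp.AntivirusSignatureAge
    LastFullScan       = $mp.FullScanEndTime
}
$endpointPass = $endpoint.RealTimeProtection -and $endpoint.SignatureAgeDays -le 7

# 2. Firewall: every profile enabled, inbound default Block, dropped packets logged
$fw = @(Get-NetFirewallProfile | ForEach-Object {
    [ordered]@{
        Profile              = $_.Name
        Enabled              = ([string]$_.Enabled -eq 'True')
        DefaultInboundAction = [string]$_.DefaultInboundAction
        LogBlocked           = ([string]$_.LogBlocked -eq 'True')
    }
})
$firewallPass = @($fw | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' -or -not $_.LogBlocked }).Count -eq 0

# 3. Drive encryption: BitLocker protection On for every volume the OS reports
$bl = @(Get-BitLockerVolume | ForEach-Object {
    [ordered]@{
        MountPoint       = $_.MountPoint
        ProtectionStatus = [string]$_.ProtectionStatus
        VolumeStatus     = [string]$_.VolumeStatus
    }
})
$encryptionPass = @($bl | Where-Object { $_.ProtectionStatus -ne 'On' }).Count -eq 0

# 4. Remote access: RDP disabled, or no enabled inbound RDP rule on the Public profile.
#    VPN or hosted-desktop gating has to be evidenced at the gateway, not here.
#    DisplayGroup is localized; 'Remote Desktop' assumes an English Windows build.
$rdpDisabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1
$publicRdp = @(Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -eq 'Remote Desktop' -and ([string]$_.Profile) -match 'Public|Any' } |
    Select-Object -ExpandProperty DisplayName)
$remotePass = $rdpDisabled -or ($publicRdp.Count -eq 0)

# Assemble the evidence record: who captured what, when, and the raw detail behind each verdict
$record = [ordered]@{
    Host       = $computer
    CapturedOn = (Get-Date).ToString('s')
    CapturedBy = $env:USERNAME
    Controls   = [ordered]@{
        EndpointProtection = [ordered]@{ Pass = $endpointPass;   Detail = $endpoint }
        Firewall           = [ordered]@{ Pass = $firewallPass;   Detail = $fw }
        DriveEncryption    = [ordered]@{ Pass = $encryptionPass; Detail = $bl }
        RemoteAccess       = [ordered]@{ Pass = $remotePass; RdpDisabled = $rdpDisabled; PublicRdpRules = $publicRdp }
    }
}

New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
$outFile = Join-Path $EvidenceRoot "$stamp-$computer-security-six.json"
$record | ConvertTo-Json -Depth 6 | Set-Content -LiteralPath $outFile -Encoding UTF8

# Console summary: every GAP becomes a row in the remediation table (owner, timeline)
foreach ($c in $record.Controls.GetEnumerator()) {
    '{0,-19} {1}' -f $c.Key, $(if ($c.Value.Pass) { 'PASS' } else { 'GAP' })
}
"Evidence written to $outFile"
```

Run it quarterly from Task Scheduler or as part of the device onboarding checklist, and file the JSON next to the identity-provider MFA screenshot and the backup test log. The Detail sections are kept deliberately raw so a reviewer can see the actual configuration values rather than only a PASS label, and a GAP on any control maps straight to columns 3 and 4 of the Security Six table in the WISP.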

                                                          IRS Publication 4557 vs. Publication 5708 vs. FTC Safeguards Rule

                                                          Many firms get stuck because they see multiple acronyms and are not sure which one to follow. In reality, these documents and rules are different pieces of the same picture. You do not need three separate security programs. You need one security program and one WISP that aligns with all of them.

                                                          What Each Document or Rule Does

                                                          At a high level:

• IRS Publication 4557
  • Who issues it: IRS
  • What it does for your firm: Explains how tax professionals should safeguard taxpayer data, including the Security Six, policies, training, vendor oversight, and incident response.
• IRS Publication 5708
  • Who issues it: IRS
  • What it does for your firm: Provides a structured Written Information Security Plan (WISP) template tailored to tax and accounting practices.
• FTC Safeguards Rule (GLBA)
  • Who issues it: Federal Trade Commission
  • What it does for your firm: Legally requires covered financial institutions, including many tax preparers, to maintain a written information security program with specific elements.

                                                          If you handle taxpayer information in connection with return preparation, you sit at the intersection of all three. Publication 4557 describes the safeguards, Publication 5708 helps you write them down in a WISP, and the FTC Safeguards Rule is the regulation that makes having an effective written security program a legal obligation.

                                                          Key Requirements Lined up Side-by-side

                                                          The overlap becomes clearer if you line up the major expectations:

                                                          • Risk Assessment
                                                            • Publication 4557: Expects you to understand your risks and choose safeguards accordingly.
                                                            • Publication 5708: Includes a section to document threats, likelihood, and impact.
                                                            • FTC Safeguards: Explicitly requires written risk assessments as the foundation of your program.
                                                          • Written Security Program (WISP)
                                                            • Publication 4557: Repeatedly references the need for a written data security plan.
                                                            • Publication 5708: Provides a fillable WISP structure tailored to tax firms.
                                                            • FTC Safeguards: Requires a written information security program that is appropriate to your size and complexity.
                                                          • Qualified Individual and Governance
                                                            • Publication 4557: Implies that someone must be responsible for security decisions and oversight.
                                                            • Publication 5708: Includes sections for roles and responsibilities.
                                                            • FTC Safeguards: Requires you to designate a qualified individual to oversee the information security program and report to leadership.
                                                          • Administrative, Technical, and Physical Safeguards
                                                            • Publication 4557: Details the Security Six plus policy, access control, training, vendor oversight, and physical protections.
                                                            • Publication 5708: Gives you the places in the WISP to describe these controls.
                                                            • FTC Safeguards: Requires controls that cover access, encryption, secure development and change management, monitoring, and more, appropriate to your risk profile.
                                                          • Vendor and Service Provider Oversight
                                                            • Publication 4557: Clearly states that tax pros must vet and oversee service providers that handle taxpayer data.
                                                            • Publication 5708: Includes a vendor management section.
                                                            • FTC Safeguards: Requires you to take reasonable steps to select and oversee service providers and to require them by contract to protect customer information.
                                                          • Incident Response and Testing
                                                            • Publication 4557: Explains what to do if you suspect data theft and how to report to the IRS and law enforcement.
                                                            • Publication 5708: Provides a place to describe your incident response and business continuity plans.
                                                            • FTC Safeguards: Requires a written incident response plan and ongoing monitoring and testing of safeguards.

                                                          When you design your WISP with these overlaps in mind, you avoid duplicate work and you make it much easier to answer questions from any regulator or insurer.

                                                          Turning IRS Publication 4557 Into a Practical Data Security Plan

                                                          IRS Publication 4557, Publication 5708, and the FTC Safeguards Rule are not three separate projects. For a 1 to 50-person tax or accounting firm, they all point to one outcome: a realistic security program, written down in a WISP, backed by safeguards you can prove are in place.

                                                          If you strip the jargon out, the essentials are straightforward:

                                                          • Know what taxpayer data you hold, where it lives, and which vendors touch it.
                                                          • Identify your main risks and document them in a simple risk assessment.
                                                          • Implement the Security Six plus basic administrative and physical safeguards that match how your firm actually works.
                                                          • Build or update a WISP using Publication 5708 and keep it current as your technology and staffing change.
                                                          • Train people, test backups, rehearse incident response, and keep evidence organized so you can show what you did if anyone asks.

                                                          You do not have to handle everything alone. The heavy lifting around secure infrastructure, backups, encryption, and monitoring is often better handled by a specialist platform like Verito that already aligns with IRS 4557 expectations.

                                                          TL;DR:

                                                          • IRS Publication 4557 is the IRS playbook for how tax professionals must safeguard taxpayer data and aligns closely with FTC Safeguards and GLBA expectations.
                                                          • It applies to solo practitioners, small CPA and EA firms, EROs, and any business that handles taxpayer information for tax preparation.
                                                          • The IRS Security Six plus administrative and physical safeguards form the practical baseline for small and mid sized firms.
                                                          • A Written Information Security Plan (WISP), structured with IRS Publication 5708, is now effectively mandatory in 2026 for firms that want to withstand regulatory and insurance scrutiny.
                                                          • A defensible program includes a risk assessment, WISP, training, vendor oversight, backups, incident response, and organized audit evidence.
                                                          • Cloud hosting and managed security can cover most technical controls, but firms still own policies, training, vendor oversight, and incident decisions.
                                                          • Verito’s secure hosting, WISP template, and VeritShield WISP help firms move from loose controls to an audit ready security program that aligns with IRS 4557 and FTC Safeguards.

                                                          FAQ:

1. Does IRS Publication 4557 legally require a Written Information Security Plan?

                                                            Publication 4557 itself is guidance, but in 2026 a WISP is effectively required. The IRS explicitly points firms to a written security plan, Publication 5708 provides a WISP template, and the FTC Safeguards Rule legally requires a written information security program for covered financial institutions, which includes many tax preparers. If you handle taxpayer data, operating without a WISP is very difficult to defend.

2. Who does IRS Publication 4557 apply to?

                                                            It applies to any business that handles taxpayer information for return preparation. That includes solo practitioners, small and mid sized CPA firms, enrolled agents, EROs, Authorized IRS e-file Providers, virtual firms, and bookkeeping practices that collect tax data. Size does not exempt you. The expectations scale with your complexity, not your headcount.

3. What are the IRS “Security Six” controls?

                                                            The Security Six are the core technical safeguards Publication 4557 expects every tax professional to have:

                                                            – Antivirus and anti malware on all firm devices
                                                            – Properly configured firewalls
                                                            – Multi-factor authentication (MFA)
                                                            – Drive encryption on laptops and other mobile devices
                                                            – Secure, tested backups
                                                            – Secure remote access (for example VPNs or hosted desktops with MFA)

                                                            These are a baseline, not a complete program. You still need policies, training, vendor oversight, and physical safeguards.

                                                          4. 4. How is Publication 5708 different from Publication 4557?

                                                            Publication 4557 describes what safeguards the IRS expects. Publication 5708 shows you how to write those safeguards into a WISP. It is essentially a structured template for tax and accounting firms that helps you document scope, risks, controls, vendor oversight, and incident response in one place.

                                                          5. 5. Is moving to cloud or hosted solutions enough to satisfy IRS Publication 4557?

                                                            No. Cloud or hosted solutions can make it much easier to meet technical expectations, but they do not replace your responsibilities. A provider can handle backups, encryption, MFA, and monitoring, but you still own your WISP, risk assessment, staff training, vendor oversight, and how you handle paper records and client communications.

                                                          6. 6. How often should a tax or CPA firm update its WISP?

                                                            A practical standard is:

                                                            – A formal review at least once per year
                                                            – An update whenever you make a significant change, such as switching tax software, moving to or from cloud hosting, adding new offices or offshore staff, or responding to an incident

                                                            Each review should update your risk assessment, Security Six status, vendor list, and any changes in procedures, and should be dated and approved by leadership.

                                                          7. 7. What evidence should I keep to prove IRS 4557 and FTC Safeguards compliance?

                                                            At minimum, maintain:

                                                            Current and past versions of your WISP

                                                            – A written risk assessment
                                                            – A Security Six baseline and remediation log
                                                            – Training records
                                                            – Backup and restore test logs
                                                            – Vendor contracts and security documentation
                                                            – Incident and near miss records

                                                            Organize these in a simple “audit file” so you can produce them quickly if regulators, insurers, or attorneys ask how you safeguard taxpayer data.
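The Security Six baseline and remediation log mentioned above can be produced from each Windows workstation rather than filled in by hand. The script below is an added example, not code from the IRS publications or from Verito: it snapshots the locally checkable Security Six controls (Defender, firewall profiles, BitLocker, inbound Remote Desktop), appends a dated JSON record to the audit file, and leaves MFA and backup restore testing as reviewer attestation fields because they cannot be verified from the endpoint. The log path is an assumption, and the Defender, NetSecurity and BitLocker modules are assumed to be present (Windows 10/11 Pro or later).

```powershell
# Added example (not from Publication 4557/5708 or Verito). Run in an elevated session.
$LogPath = "C:\WISP\security-six-baseline.jsonl"   # assumed location of the firm's audit file
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# 1. Antivirus / anti-malware: Microsoft Defender status and signature age
$mp = Get-MpComputerStatus
$antivirus = [ordered]@{
    Enabled            = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
}

# 2. Firewall: Domain, Private and Public profiles should all be enabled
$fw = Get-NetFirewallProfile | ForEach-Object { [ordered]@{ Profile = $_.Name; Enabled = [bool]$_.Enabled } }

# 3. Drive encryption: BitLocker protection state of every volume
$bl = Get-BitLockerVolume | ForEach-Object {
    [ordered]@{ Volume = $_.MountPoint; Protection = "$($_.ProtectionStatus)"; Status = "$($_.VolumeStatus)" }
}

# 4. Remote access: is inbound Remote Desktop enabled on this host? (0 = connections allowed)
$rdpDenied = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
$remote = [ordered]@{ RdpEnabled = ($rdpDenied -eq 0) }

# Anything listed here needs a remediation entry in the WISP
$findings = @()
if (-not $antivirus.Enabled -or -not $antivirus.RealTimeProtection) { $findings += "Antivirus or real-time protection is off" }
if ($antivirus.SignatureAgeDays -gt 3) { $findings += "AV signatures older than 3 days" }
$fw | Where-Object { -not $_.Enabled } | ForEach-Object { $findings += "Firewall profile disabled: $($_.Profile)" }
$bl | Where-Object { $_.Protection -ne 'On' } | ForEach-Object { $findings += "BitLocker not protecting $($_.Volume)" }
if ($remote.RdpEnabled) { $findings += "RDP enabled; confirm it is reachable only through VPN or hosted desktop with MFA" }

$record = [ordered]@{
    Timestamp    = (Get-Date).ToString('o')
    Host         = $env:COMPUTERNAME
    Reviewer     = $env:USERNAME
    Antivirus    = $antivirus
    Firewall     = $fw
    Encryption   = $bl
    RemoteAccess = $remote
    # Not verifiable from the endpoint: reviewer completes these from the identity provider and backup logs
    MfaEnforcedAttestation = $null
    BackupRestoreTestedOn  = $null
    Findings     = $findings
}
$record | ConvertTo-Json -Depth 4 -Compress | Add-Content -Path $LogPath
```

Each run appends one line, so the file doubles as the dated history of the Security Six status that the annual WISP review is expected to show.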
