Cybersecurity Audit Checklist for Accounting Firms (2025 Guide to IRS & FTC Compliance)

Tax practices are no longer just about accuracy and deadlines; they are custodians of high-value financial data. In 2025, small and mid-sized accounting firms face the same cyber threats as Fortune 500 companies, but with fewer resources to fight back.

The stakes are real:

For CPAs, that means cybersecurity isn’t optional. It’s about protecting client trust, staying compliant, and ensuring uptime during tax season.

This guide gives you a practical cybersecurity audit checklist built specifically for small accounting firms. You’ll see:

  • How IRS 4557 and the FTC Safeguards Rule apply to everyday CPA workflows.
  • A step-by-step checklist with roles and evidence you can actually use in an audit.
  • How to spot weak links (software patches, access control, backups) before attackers do.

By the end, you’ll have a framework that keeps your firm compliant, resilient, and client-ready.

Why Compliance Matters for Accounting Firms

Small accounting firms aren’t just service providers; they are custodians of sensitive financial and personally identifiable information (PII). Regulators expect you to prove you can protect that data. Three frameworks dominate in 2025:

  • IRS Publication 4557 (Safeguarding Taxpayer Data): Requires all tax preparers to secure taxpayer information with written security plans, access restrictions, encryption, and incident response readiness. (Source: IRS Pub. 4557 (PDF))
  • FTC Safeguards Rule (16 CFR Part 314): Applies to firms handling consumer financial data, including CPAs. It requires risk assessments, multi-factor authentication (MFA), encryption, vendor due diligence, and regular testing. (Source: FTC Safeguards Rule)
  • SOC 2 (Trust Services Criteria): A third-party attestation used to demonstrate to clients and partners that you meet security, availability, processing integrity, confidentiality, and privacy standards. While voluntary, many firms use SOC 2 as a competitive differentiator when courting enterprise clients.

Compliance Mapping Table

Requirement | IRS Pub. 4557 | FTC Safeguards | SOC 2 (CPA Firm Use Case) | Audit Evidence
Written Information Security Plan (WISP) | ✅ Required | ✅ Required | ✅ Evaluated under “Security” | Copy of WISP, board approval minutes
Access Control (MFA, least privilege) | | | | MFA policy screenshot, Active Directory role audit
Encryption of client data | Strongly recommended | | | Backup logs showing AES-256 encryption
Incident Response Plan | | | | Documented playbook, tabletop exercise notes
Vendor Risk Management | Required for e-filing providers | | | Signed vendor security agreements, SOC 2 reports from vendors
Training & Awareness | | | | Attendance logs, phishing simulation results
Regular Testing | Not explicit | | | Penetration test report, vulnerability scan results

Why this matters
The IRS and FTC rules are non-negotiable for firms handling tax data. SOC 2 isn’t mandatory, but clients increasingly see it as proof that your firm takes data security seriously.

For audits, evidence is everything: not just having a policy, but being able to show proof (logs, reports, screenshots).

The Cybersecurity Audit Framework (Step-by-Step)

Think of a cybersecurity audit as a recurring health check for your accounting firm. The goal isn’t just to spot problems; it is to document controls, assign accountability, and prove compliance when regulators or clients ask.

Below is a practical, CPA-specific audit framework. Each step includes the responsible role and the evidence you should collect.

Step 1: Inventory All Systems & Data

  • What to check: All servers, desktops, cloud apps (QuickBooks, Drake, Lacerte), mobile devices, and client databases.
  • Responsible: IT admin / firm owner.
  • Audit Evidence: Asset inventory list, screenshots of accounting software license dashboards.

Step 2: Review Access Controls

  • What to check: Multi-factor authentication (MFA) on tax apps, least-privilege access in staff accounts, vendor portal logins.
  • Responsible: IT lead / security officer.
  • Audit Evidence: MFA policy screenshots, Active Directory export, list of disabled accounts.

Step 3: Patch & Update Management

  • What to check: Operating systems, accounting/tax software, and plugins are fully patched.
  • Responsible: IT admin / outsourced MSP.
  • Audit Evidence: Patch logs, vendor update confirmation reports, screenshots from Windows Update or RMM tool.

Step 4: Data Encryption & Backup

  • What to check: All client tax records encrypted at rest and in transit; backups automated and tested.
  • Responsible: IT admin.
  • Audit Evidence: Backup restore reports, encryption settings (AES-256), cloud provider SOC 2 report.

Step 5: Employee Training & Phishing Simulations

  • What to check: Annual training on IRS 4557 and Safeguards Rule; simulated phishing tests.
  • Responsible: HR / firm manager.
  • Audit Evidence: Training attendance logs, phishing test results, signed acknowledgment forms.

Step 6: Vendor & Cloud Risk Assessment

  • What to check: Hosting providers, e-signature platforms, and outsourced bookkeepers.
  • Responsible: Partner in charge of IT/vendor contracts.
  • Audit Evidence: Vendor SOC 2 reports, signed security addenda, proof of due diligence.

Step 7: Incident Response Plan (IRP)

  • What to check: Written plan for ransomware, data theft, and tax-season outages. Must include escalation steps, law enforcement reporting, and client communication.
  • Responsible: Managing partner + IT/security lead.
  • Audit Evidence: IRP document, tabletop exercise notes, incident log template.

Step 8: Test, Review & Report

  • What to check: Annual penetration test, quarterly vulnerability scans, and documented audit reports.
  • Responsible: External security firm / IT admin.
  • Audit Evidence: Pen test report, vulnerability scan results, signed auditor review.

Tip: Keep all audit evidence in a centralized binder or secure drive. Regulators, insurance providers, and enterprise clients often ask for proof on the spot.

Real-World Risks & Common Weak Links

Cyberattacks against accounting firms rarely start with “Hollywood-style” hacks. They exploit everyday weak links in tools CPAs use daily. Here are the top risks small firms face in 2025:

Phishing & Stolen Credentials

  • Why it matters: The Verizon DBIR 2024 found that 68% of breaches in financial services involved stolen credentials or phishing.
  • Accounting weak point: Staff clicking fake IRS emails, phishing invoices disguised as client communications, or fake QuickBooks login pages.
  • Example: In 2024, a three-partner CPA firm in Texas lost access to its e-filing account when attackers phished an admin login. The IRS temporarily froze its EFIN, delaying dozens of client filings.

Ransomware & Data Lockouts

  • Why it matters: Ransomware remains the #1 cause of downtime for SMBs, according to Coveware’s Q4 2024 report.
  • Accounting weak point: Firms often keep all client returns on a shared server or external drive with no offsite backup. When ransomware hits, the firm is locked out days before filing deadlines.
  • Example: A Midwest tax practice was offline for 9 days in 2023 because its local backup was also encrypted; the firm had never tested an offsite restore.

Unpatched Software & Outdated Tools

  • Why it matters: The CISA Known Exploited Vulnerabilities (KEV) catalog lists hundreds of attacks targeting outdated Windows Server builds and old software plugins.
  • Accounting weak point: Many firms run old versions of QuickBooks Desktop or legacy tax apps without timely patches.
  • Evidence: A 2024 Ponemon/IBM study showed that firms with automated patching programs reduced breach costs by $1M+ compared to those without.

Tax-Season Uptime Failures

  • Why it matters: For most firms, 80%+ of revenue is concentrated in tax season. Even a 48-hour outage can derail dozens of returns.
  • Accounting weak point: Hosting providers without SOC 2 / IRS 4557 compliance or single points of failure in IT infrastructure.
  • Example: During April 2023, several regional CPA hosting providers experienced outages due to DDoS attacks, leaving firms unable to access Drake or Lacerte for days.

Third-Party Vendor Risks

  • Why it matters: The FTC Safeguards Rule holds firms responsible for the security of their vendors.
  • Accounting weak point: Outsourced bookkeepers using personal laptops, or e-signature vendors without encryption at rest.
  • Example: In 2024, the FTC fined a financial services provider after a contractor’s laptop breach exposed client SSNs.

The pattern is clear: most breaches aren’t about “sophisticated hackers”; they come down to basic gaps such as weak passwords, missed patches, and poor vendor oversight. That’s why a structured audit checklist is essential.

Cybersecurity Audit Checklist for Small Accounting Firms (2025)

Here’s your at-a-glance audit checklist. It’s structured so a partner, IT admin, or auditor can quickly see what to check, who owns it, and what proof to collect.

Cybersecurity Audit Checklist (2025 Edition)

Audit Area | What to Check | Responsible Role | Audit Evidence
System Inventory | List all devices, servers, accounting/tax apps (QuickBooks, Drake, Lacerte, etc.) | IT Admin / Firm Owner | Asset inventory sheet, screenshots of software license portals
Access Control | MFA enabled, role-based access, terminated staff accounts removed | IT Lead / Security Officer | MFA policy screenshots, Active Directory export, login logs
Patch Management | OS + accounting/tax software fully patched, updates scheduled | IT Admin / Outsourced MSP | Patch logs, RMM reports, vendor update notes
Encryption & Backups | Client data encrypted at rest + in transit, backups automated + tested | IT Admin | Backup restore reports, encryption settings screenshots, cloud vendor SOC 2 attestation
Employee Training | Annual IRS 4557 / Safeguards Rule training, phishing simulations | HR / Managing Partner | Training logs, quiz results, signed acknowledgment forms
Vendor Security | Vendors under FTC Safeguards, SOC 2 reports collected, e-signature encryption verified | Partner in charge of IT/vendors | Vendor SOC 2 reports, security addenda, proof of due diligence
Incident Response | Written IR plan, client comms, law enforcement escalation steps | Managing Partner + IT | IR playbook, tabletop exercise notes, incident log template
Testing & Review | Pen tests (annual), vulnerability scans (quarterly), policy reviews (annual) | External security firm / IT Admin | Pen test reports, vulnerability scan results, signed auditor reviews

Tip: Export this checklist as a PDF or spreadsheet and update it quarterly. Regulators (IRS, FTC) and cyber insurance providers often request proof on the spot. Having this binder-ready keeps your firm compliant and client-ready.

Frequently Asked Questions (FAQs)

  • Do small accounting firms really need a cybersecurity audit?

    Yes. If you handle taxpayer or financial data, you’re covered by the IRS Publication 4557 and the FTC Safeguards Rule. Both require written security plans, risk assessments, and controls, which a cybersecurity audit helps verify. Even firms with fewer than 10 staff are expected to comply.

  • How often should accounting firms conduct cybersecurity audits?

    At minimum:
    → Annual full audit to review controls, policies, and vendor risk.
    → Quarterly mini-audits to verify backups, patching, and MFA logs.
    → After major changes, e.g., moving to a new hosting provider or adding new tax software.

  • What’s the difference between IRS Pub. 4557 and the FTC Safeguards Rule?

    IRS Pub. 4557: Guidance specific to tax preparers. Focuses on safeguarding taxpayer data and maintaining a written information security plan.

    FTC Safeguards Rule: Broader regulation for financial institutions (including CPAs). Requires encryption, MFA, vendor oversight, and annual risk assessments.

    Most firms must comply with both.

  • Is SOC 2 compliance required for CPA firms?

    No. SOC 2 is voluntary, but it’s increasingly expected by enterprise clients and larger SMBs as proof of strong security. Many small firms pursue SOC 2 to win bigger clients or stand out in RFPs.

Making Cybersecurity a CPA Priority

Cybersecurity isn’t a “big firm” issue anymore; it is a daily reality for every accounting practice. Clients trust you with their most sensitive financial data, and regulators now demand proof that you’re protecting it.

The good news? With a structured audit checklist, clear responsibilities, and documented evidence, small firms can reach the same security standards as larger practices — without breaking the bank.

The key takeaways from this 2025 checklist:

  • Map your controls to IRS 4557 and the FTC Safeguards Rule.
  • Assign roles and collect audit-ready evidence for every control.
  • Test regularly — backups, incident response, vendor security.
  • Treat cybersecurity as an ongoing process, not a once-a-year task.

How Verito Helps

If you want an easier path, Verito provides:

  • SOC 2 audited cloud hosting for accounting and tax apps (QuickBooks, Drake, Lacerte).
  • Built-in compliance alignment with IRS Pub. 4557 and FTC Safeguards Rule.
  • 24/7 monitoring, backups, and MFA enforcement — ready for audits or cyber insurance reviews.

With Verito, your cybersecurity audit isn’t just a paper exercise — it’s baked into your day-to-day operations.

👉 Learn more at Verito.com.
