How Co-Managed IT Reduces Tax Season Risk for CPA Firms

Where in-house-only IT breaks during Jan-Apr and how co-managed support absorbs the spike. Pre-season checklist and audit framework.
It’s March 14, and Your Only IT Person Is on Call Three

It’s 8:47 p.m. on a Thursday in mid-March. Two weeks to the corporate filing deadline. Your senior partner is finishing a multi-state return, and the e-file portal she’s been using all day suddenly throws a session timeout. She tries to log back in. Multi-factor authentication loops. The code arrives, she types it, the screen reloads, and the prompt comes up again.

While she’s troubleshooting that, the front-desk manager flags an email that just hit three inboxes. Subject line: “Updated W-2 file from your client.” It’s branded to look like a real client. The attachment is a .zip. One staff member already clicked it before she caught it.

Your one IT person is on call three of the night. Two endpoints have gone offline because Windows Update kicked in at the worst possible time. He’s two hours past when he was supposed to be home.

The patch he’s been deferring since January? It just got applied to a workstation that was actively running tax software. The reboot interrupted four open returns. None of them auto-saved.

You don’t need a survey to know what tax season looks like in the trenches. You need help that scales when the calendar hits January and stays scaled until April 15. That’s what co-managed IT actually solves, and that’s what this guide covers.

If your firm has been running on one internal IT person plus hope, this is the playbook for getting tax-season-ready without firing anyone or replacing your whole stack.




What Breaks First When In-House-Only IT Hits Tax Season

Most CPA firms running internal-only IT operate at roughly 70 to 80 percent capacity from May through December. That’s manageable. One IT person, maybe a junior tech, and a handful of vendor relationships keep the firm running.

Then January 1 arrives. Workload shifts. Client portal traffic spikes. E-file portals come online. Tax software releases its annual update. The same internal team that was comfortable in October is now drowning by the third week of January.

Here’s where the cracks show up first, in the order they usually appear.

1. Patch cycles get postponed and security debt piles up

The pattern is predictable. In January, your IT person decides the Windows feature update can wait until April. Same with the tax software’s mid-season patch. Same with the firewall firmware. Same with the EDR agent rollout that was supposed to finish in Q1.

By March, the firm is running 60-day-old patches on every endpoint. That window matters because the phishing payloads and ransomware tooling aimed at tax firms commonly exploit known vulnerabilities for which a patch has already shipped; the endpoints that haven’t applied it are the ones that get hit. Every postponed patch is a door that’s still open.

This isn’t a hypothetical. The IRS Security Summit reported in July 2024 that “nearly 200 tax professional data incidents potentially affecting up to 180,000 clients” had been recorded through the spring filing season. IRS Commissioner Danny Werfel said directly: “Security threats against tax professionals and their sensitive taxpayer information continue to evolve, and it’s critical to stay on top of the latest developments to protect their business and their clients.”

Patch deferrals during tax season are how those incidents start.

2. Helpdesk volume spikes 3 to 5x and one person can’t keep up

October helpdesk traffic is light. New laptop setup, occasional printer issue, a quarterly patch that broke something. Your internal IT person handles 15 to 25 tickets a week without strain.

February helpdesk traffic looks nothing like that. MFA lockouts, password resets, e-file portal connection issues, dual-monitor setups for new seasonal staff, tax software import errors, scanner failures during document intake, VPN drops when partners work weekends. The same person now sees 60 to 100 tickets a week.

Tickets that took 15 minutes in October take 45 minutes in February because everything is more urgent and every interruption breaks a partner’s flow on a return. Your IT person isn’t slow. They’re outnumbered.

3. Phishing volume rises sharply against tax pros

Tax season is the most predictable phishing window in the calendar. Attackers know your inbox volume is up, your staff are busy, and your firm is moving sensitive PII at scale.

CISA publishes an annual “Preparing for Tax Season” advisory for exactly this reason. The federal cybersecurity agency calls out the same playbook every year: phishing emails impersonating clients, fake IRS notices, fraudulent e-file portal login pages, and AI-assisted social engineering targeting tax professionals.

The IRS also maintains a “signs of a data breach” page specifically for tax professionals. The list reads like a tax-season threat playbook because it is one.

If your in-house IT person is buried in MFA tickets, who’s reviewing email security alerts, investigating quarantined messages, and confirming whether that .zip attachment is really from a client?

4. After-hours and weekend incidents go unanswered

Tax-firm work doesn’t end at 5 p.m. between February and April. Partners review returns at 9 p.m. Senior staff catch up on Saturday mornings. Junior preparers wrap up after dinner.

If your only IT person is asleep, the EDR alert that fired at 11:47 p.m. waits until tomorrow. The locked-out partner who needs to finish a return at midnight on April 14 waits until tomorrow. The backup job that failed silently at 2 a.m. doesn’t get re-run.

Tomorrow is too late when tomorrow is the filing deadline.

5. Backup verification slips because everyone is heads-down on returns

The fastest way to learn your backups don’t work is to need them. The slowest way to learn it is to not check for 90 days because you were busy.

Backup verification is a small task. Restore a test file, confirm it’s intact, log the result, move on. It takes 15 minutes if your tooling is in place. But during tax season, “15 minutes for backup verification” gets pushed to next week, and next week, and next week, until something breaks and the most recent good backup is from December.


Your firm’s data integrity sits on a routine that gets ignored exactly when you need it most.


Where Co-Managed IT Absorbs the Spike

Co-managed IT is not “outsource your IT person.” It’s a layered model where your internal team keeps owning what they’re good at, and a partner provider absorbs the surge capacity, the after-hours coverage, and the specialist work that one person can’t reasonably cover alone.

The NIST Cybersecurity Framework 2.0 Small Business Quick-Start Guide frames this as shared responsibility. NIST is explicit that small firms can use the framework “as a discussion prompt between a business owner and whomever they have chosen to help them reduce their cybersecurity risks, such as a managed security service provider.” That shared model is exactly what co-managed IT delivers.

Here’s what it absorbs in practice during tax season.

Helpdesk overflow (Tier 1 and Tier 2)

Password resets, MFA lockouts, basic printer troubleshooting, VPN reconnects, new staff workstation setup. These are Tier 1 tickets. They are also 70 percent of February helpdesk volume.

Routing them to a co-managed partner’s helpdesk frees your internal IT person for the Tier 3 work only they can do: tax software configuration, firm-specific scripts, your accounting platform integrations, vendor relationships.

The math is simple. If your partner handles 60 percent of inbound tickets and resolves them in under 15 minutes, your internal person is no longer the bottleneck.

After-hours and weekend monitoring

Co-managed providers run 24/7 monitoring infrastructure that’s already been paid for at the platform level. Your firm doesn’t need to staff a night shift or pay overtime for weekend coverage. You buy into a service that’s already watching.

That covers EDR alerts at 2 a.m., backup verification on Sunday mornings, patch deployment outside business hours, and emergency incident response if something serious fires. The on-call rotation is the partner’s problem, not yours.

Patch automation with controlled reboot windows

The reason patches get deferred during tax season isn’t that your IT person doesn’t want to apply them. It’s that there’s no safe window. Reboot a workstation mid-day in February and you interrupt four open returns. Reboot it Saturday at 6 a.m. and the partner who comes in at 9 finds a logged-out session.

Co-managed providers run RMM platforms that schedule patches and reboots inside narrow, pre-approved windows. Patches deploy. Endpoints reboot. Tax software sessions are protected by conditional logic that says “don’t interrupt this user if they’re actively working.” Patch debt doesn’t accumulate.
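An added example (written for this page, not Datto RMM’s or Verito’s code) of what that “don’t interrupt this user” rule looks like as a decision function. The reboot window, the protected process names and the endpoint snapshots are constructed assumptions; the point is the ordering of the rules: an open tax-software session blocks a reboot unconditionally, a window that crosses midnight is handled correctly, and an endpoint that keeps getting deferred escalates to a person rather than to a forced reboot.

```python
"""Reboot gate for tax-season patch automation.

Added example of the conditional logic an RMM reboot policy needs; it is not
Datto RMM's or Verito's code. The window, the protected process names and the
endpoint snapshots below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Optional, Set

# Assumption: executable names of the tax software that must never be interrupted.
# Real names vary by product and version; take them from the firm's inventory.
PROTECTED_PROCESSES = {"drake.exe", "lacerte.exe", "ultratax.exe", "qbw32.exe"}
IDLE_THRESHOLD_MIN = 30   # a logged-on user idle this long counts as "not working"
MAX_DEFER_DAYS = 7        # past this, escalate to a human instead of forcing a reboot


@dataclass(frozen=True)
class RebootWindow:
    start: time                  # local time, inclusive
    end: time                    # local time, exclusive; earlier than start = crosses midnight
    start_days: FrozenSet[int]   # weekdays on which the window OPENS, 0=Mon .. 6=Sun

    def contains(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:   # same-day window, e.g. 02:00-05:00
            return self.start <= t < self.end and when.weekday() in self.start_days
        # Window crosses midnight, e.g. 23:00-04:00: 02:30 on Friday belongs to the
        # window that opened on Thursday night, so the day check uses the previous day.
        if t >= self.start:
            return when.weekday() in self.start_days
        if t < self.end:
            return (when - timedelta(days=1)).weekday() in self.start_days
        return False


@dataclass
class EndpointSnapshot:
    hostname: str
    now: datetime
    pending_reboot: bool
    logged_on_users: List[str]
    running_processes: Set[str]
    idle_minutes: int
    deferred_since: Optional[datetime] = None   # first time this reboot was deferred


@dataclass(frozen=True)
class Decision:
    action: str   # reboot | defer | escalate | skip
    reason: str


def blocking_reason(snap: EndpointSnapshot, window: RebootWindow) -> Optional[str]:
    """Why the endpoint must NOT reboot right now, or None if it may."""
    open_apps = {p.lower() for p in snap.running_processes} & PROTECTED_PROCESSES
    if open_apps:   # an open return beats every other rule
        return "protected application running: " + ", ".join(sorted(open_apps))
    if not window.contains(snap.now):
        return "outside approved reboot window"
    if snap.logged_on_users and snap.idle_minutes < IDLE_THRESHOLD_MIN:
        return f"user active ({snap.idle_minutes} min idle): " + ", ".join(snap.logged_on_users)
    return None


def reboot_decision(snap: EndpointSnapshot, window: RebootWindow) -> Decision:
    """Decide whether the RMM may reboot this endpoint at snap.now."""
    if not snap.pending_reboot:
        return Decision("skip", "no reboot pending")
    reason = blocking_reason(snap, window)
    if reason is None:
        return Decision("reboot", "window open, no protected sessions, no active user")
    if snap.deferred_since and snap.now - snap.deferred_since > timedelta(days=MAX_DEFER_DAYS):
        # Patch debt is accumulating, but a forced reboot mid-return is still the wrong
        # answer: hand it to internal IT to schedule with the user.
        return Decision("escalate", f"deferred since {snap.deferred_since:%Y-%m-%d} ({reason}); ticket internal IT")
    return Decision("defer", reason)


# Constructed policy: reboots may start Mon-Fri nights between 23:00 and 04:00.
WINDOW = RebootWindow(time(23, 0), time(4, 0), frozenset({0, 1, 2, 3, 4}))


def demo() -> List[Decision]:
    """Constructed snapshots covering each branch of the gate."""
    thu_evening = datetime(2026, 3, 12, 20, 47)   # Thursday, the scene from the intro
    fri_early = datetime(2026, 3, 13, 2, 30)      # Friday, inside Thursday night's window
    sun_early = datetime(2026, 3, 15, 2, 30)      # Sunday; Saturday night is not an approved start
    snaps = [
        EndpointSnapshot("TAX-WS-07", thu_evening, True, ["preparer1"], {"Lacerte.exe", "outlook.exe"}, 2),
        EndpointSnapshot("TAX-WS-07", fri_early, True, [], set(), 480),
        EndpointSnapshot("TAX-WS-12", fri_early, True, ["partner"], {"outlook.exe"}, 5),
        EndpointSnapshot("TAX-WS-12", sun_early, True, [], set(), 600),
        EndpointSnapshot("TAX-WS-03", fri_early, True, ["preparer2"], {"drake.exe"}, 1,
                         deferred_since=datetime(2026, 3, 2)),
        EndpointSnapshot("TAX-WS-09", fri_early, False, [], set(), 0),
    ]
    return [reboot_decision(s, WINDOW) for s in snaps]


if __name__ == "__main__":
    for d in demo():
        print(f"{d.action:9} {d.reason}")
```

The protected-process check comes first on purpose: a reboot window that is technically open is irrelevant if Lacerte is still running a return. The escalation branch is what keeps “defer” from quietly turning into the 60-day patch debt described earlier; after a week of deferrals the endpoint shows up on a human’s queue instead of disappearing into the RMM’s retry loop.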

SOC and EDR for tax-season phishing campaigns

A Security Operations Center is people watching telemetry around the clock and triaging alerts before they reach you. EDR (Endpoint Detection and Response) is the agent on every workstation that surfaces those alerts.

During tax season, the SOC investigates suspicious .zip attachments, flags the lookalike domain registered to mimic your client’s email last week, and isolates the laptop that just executed an unsigned binary. Your internal IT person doesn’t need to learn malware reverse-engineering. The SOC handles it. They escalate to your team only when a real decision needs to be made.
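The lookalike-domain check that section 3 and this section both lean on is easy to describe and easy to get wrong, so here is an added example of one (written for this page; not Verito’s, INKY’s or any vendor’s code). The firm domain, the client domain list and the From: headers are constructed. It catches the three common tricks in turn: a client’s name planted as a subdomain of an attacker-owned zone, character swaps such as rn for m or 0 for o, and one-or-two-character typos, and it runs the same checks against the firm’s own domain because that is what a fake e-file portal lure impersonates.

```python
"""Lookalike-domain detection for inbound mail.

Added example of the check described in section 3 and the SOC/EDR section; it is
not Verito's or INKY's code. The firm domain, the client domain list and the
From: headers in the demo are constructed for illustration.
"""
import re
import unicodedata

FIRM_DOMAIN = "examplecpa.com"                                        # constructed
KNOWN_CLIENT_DOMAINS = {"acme-holdings.com", "northriverdental.com"}  # constructed

# Characters attackers swap in when registering a lookalike. Assumption: a
# representative subset, not a full Unicode confusables table.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
MAX_EDIT_DISTANCE = 2

ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def sender_domain(from_header: str) -> str:
    """Address domain from a From: header, NFKC-normalised and lowercased so
    full-width or accented glyphs collapse to their ASCII base form."""
    match = ADDR_RE.search(from_header)
    if not match:
        raise ValueError(f"no address in From header: {from_header!r}")
    address = match.group(1) or match.group(2)
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".")
    return unicodedata.normalize("NFKC", domain).lower()


def skeleton(domain: str) -> str:
    """Fold common confusables so acrne-h0ldings.com compares equal to acme-holdings.com."""
    folded = domain.translate(CONFUSABLE_CHARS)
    for pair, replacement in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, replacement)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), plain dynamic programming."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def _verdict(domain: str, verdict: str, reason: str) -> dict:
    banner = {"internal": "", "known-client": "[EXTERNAL]", "external": "[EXTERNAL]",
              "lookalike": "[EXTERNAL] WARNING: sender domain resembles a known contact"}[verdict]
    return {"domain": domain, "verdict": verdict, "reason": reason, "banner": banner}


def classify_sender(from_header: str) -> dict:
    """Verdict for one inbound message: internal, known-client, lookalike or external.

    Lookalike checks run against client domains AND the firm's own domain, since
    examplecpa-login.com is exactly what a fake e-file portal lure uses."""
    domain = sender_domain(from_header)
    if domain == FIRM_DOMAIN or domain.endswith("." + FIRM_DOMAIN):
        return _verdict(domain, "internal", "firm domain")
    for known in sorted(KNOWN_CLIENT_DOMAINS):
        if domain == known or domain.endswith("." + known):
            return _verdict(domain, "known-client", f"matches {known}")
    for known in sorted(KNOWN_CLIENT_DOMAINS | {FIRM_DOMAIN}):
        label = known.rsplit(".", 1)[0]
        if label in domain:   # acme-holdings.com.secure-docs.net, acme-holdings-portal.com
            return _verdict(domain, "lookalike", f"{label} embedded in an unrelated zone")
        if skeleton(domain) == skeleton(known):
            return _verdict(domain, "lookalike", f"confusable characters for {known}")
        distance = edit_distance(domain, known)
        if distance <= MAX_EDIT_DISTANCE:
            return _verdict(domain, "lookalike", f"edit distance {distance} from {known}")
    return _verdict(domain, "external", "no client or firm match")


if __name__ == "__main__":
    for header in ("Jane Doe <jane@acme-holdings.com>", "Billing <ap@acrne-h0ldings.com>",
                   "ap@acme-holding.com", "<docs@acme-holdings.com.client-docs.net>",
                   "IRS <noreply@irs.gov>", "partner@examplecpa.com"):   # constructed
        print(classify_sender(header))
```

Note what this does not do: it does not check SPF, DKIM or DMARC, and a legitimate newly onboarded client will show up as “external” until someone adds the domain to the list. That is the intended failure mode; an external banner on a real client is a minor annoyance, while a missing banner on the “Updated W-2 file” .zip from the intro is how the incident starts.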

Backup verification and restore-readiness checks on a fixed cadence

The work itself is small. The discipline is what fails during tax season. Co-managed providers make backup verification a scheduled task on their own calendar, not yours. They restore test files weekly. They run quarterly disaster recovery simulations. They produce a report you can show your insurance carrier or your auditor.

You don’t have to remember to check. They check, and tell you if something broke.
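The “restore a test file, confirm it’s intact, log the result” routine from section 5 and this section, as an added example written for this page (not Verito’s or any backup vendor’s code). The backup set here is a plain directory copy with a hash manifest, so the whole thing runs offline; in production the copy step is whatever your backup product does, and only the verification logic matters. The verdict comes from hashing the restored bytes against the manifest taken at backup time, not from the job’s own “success” status, which is what lets the check catch a backup that completed but is silently corrupt.

```python
"""Restore test for backup verification.

Added example of the weekly check: restore a file from the backup set, compare it
byte-for-byte against the hash recorded at backup time, and write the log record
(date, operator, file, restore time, result). Not Verito's or any vendor's code;
the files and directory layout are constructed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and record a manifest of hashes
    computed from the SOURCE bytes. The manifest is what the restore test trusts."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_of(path)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(backup: Path, restore_to: Path, rel: str, operator: str, log: Path) -> dict:
    """Restore one file and verify it. Returns the log record and appends it to log."""
    manifest = json.loads((backup / "manifest.json").read_text())
    started = time.perf_counter()
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "file": rel,
        "expected_sha256": manifest.get(rel),
        "actual_sha256": None,
    }
    source_copy = backup / rel
    if rel not in manifest or not source_copy.exists():
        record.update(result="FAIL", reason="file absent from backup set")
    else:
        restore_to.mkdir(parents=True, exist_ok=True)
        restored = restore_to / Path(rel).name
        shutil.copy2(source_copy, restored)
        record["actual_sha256"] = sha256_of(restored)
        if record["actual_sha256"] == manifest[rel]:
            record.update(result="PASS", reason="restored bytes match manifest")
        else:
            record.update(result="FAIL", reason="restored bytes differ from manifest")
    record["restore_seconds"] = round(time.perf_counter() - started, 3)
    with log.open("a") as handle:   # one JSON line per test: the report you show an auditor
        handle.write(json.dumps(record) + "\n")
    return record


def run_demo() -> list:
    """Constructed scenario: back up two files, verify one (PASS), corrupt the backup
    copy the way bit rot or a truncated write would and verify again (FAIL), then
    ask for a file that was never backed up (FAIL)."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    source, backup, restore_to = work / "src", work / "bak", work / "restore"
    log = work / "restore-test.log"
    (source / "2025" / "client-a").mkdir(parents=True)
    (source / "2025" / "client-a" / "return.dat").write_bytes(b"constructed tax return data\n" * 100)
    (source / "wisp.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
    take_backup(source, backup)

    first = restore_test(backup, restore_to, "2025/client-a/return.dat", "jdoe", log)
    with (backup / "2025" / "client-a" / "return.dat").open("ab") as handle:
        handle.write(b"\x00")   # the backup job already reported success; only a restore sees this
    second = restore_test(backup, restore_to, "2025/client-a/return.dat", "jdoe", log)
    third = restore_test(backup, restore_to, "2025/client-b/return.dat", "jdoe", log)
    shutil.rmtree(work, ignore_errors=True)
    return [first, second, third]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["result"], rec["file"], rec["reason"], f"{rec['restore_seconds']}s")
```

The log line is the artifact item 2 of the pre-season audit asks for (date, who restored, restore time). Pick a different file each week, including at least one from the oldest retention tier, so the test exercises the copies you would actually need after a ransomware event rather than the one written last night.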


The 10-Point Pre-Season Audit (Run This in November or December)

Don’t wait until January 5 to find out your backups don’t work. The right time to audit is mid-November through mid-December, before the holiday season slows things down and well before tax season starts.

Here’s the checklist your firm or your co-managed partner should run together.

1. MFA enabled on every critical account
   Pass criteria: Email, RDP, VPN, accounting software cloud accounts, e-file portal logins, password manager. Hardware tokens or app-based, not SMS.

2. Endpoint backup tested with a real restore
   Pass criteria: A real file restored from backup in the last 90 days. Document the date, who restored, and the restore time.

3. All endpoints on a supported OS and patched within 30 days
   Pass criteria: No Windows 10 endpoints past Microsoft’s support date. Every laptop within 30 days of the latest cumulative patch.

4. WISP reviewed and current
   Pass criteria: Your Written Information Security Plan reviewed in the last 12 months. Aligns with IRS Publication 4557 and FTC Safeguards Rule requirements.

5. EDR or antivirus alerts reach a monitored inbox
   Pass criteria: Not a former employee’s mailbox. Not an unmonitored alias. A real inbox someone reads daily, or routed to a SOC.

6. Email security flags external senders and impersonations
   Pass criteria: External-sender banners on every inbound message. Lookalike-domain detection enabled. Attachments sandboxed before delivery.

7. Helpdesk SLA confirmed for January through April volume
   Pass criteria: Written response time commitment from your provider. After-hours coverage confirmed. Escalation contacts documented.

8. After-hours escalation path documented and tested
   Pass criteria: The phone number, email, or ticket queue for an 11 p.m. emergency. Tested with a real (low-stakes) ticket.

9. Vendor and portal credentials in a password manager
   Pass criteria: 1Password, Bitwarden, or equivalent. No shared passwords in spreadsheets or on sticky notes. Recovery codes saved separately.

10. Incident response contact list ready
   Pass criteria: Your provider’s after-hours line, your cyber insurance carrier, your AICPA or state board reporting contact, and the FTC Safeguards Rule Security Event Reporting Form URL.

If you can’t pass items 1, 2, 3, 5, and 9 today, you have a tax-season risk problem. Items 4, 6, 7, 8, and 10 are operational quality gates. A firm that passes all 10 enters tax season with a meaningful safety margin.


Real-World Peak Numbers: What Actually Happens in Tax Season

The IRS publishes weekly filing-season statistics for every recent tax year. The IRS Filing Season Statistics page shows the volume your infrastructure absorbs, even if you only handle a fraction of it directly.

Tax professionals submit a large share of those returns electronically. The IRS counts e-filed returns by category each week. Practice management software, tax software, e-file portals, and your firm’s network all carry that load in real time.

And during that volume window, attacks rise. The IRS Security Summit’s July 2024 reporting was direct: “nearly 200 tax professional data incidents potentially affecting up to 180,000 clients” had been logged through that filing season alone.

The pattern of those incidents is consistent. Accounting Today’s coverage of the Wojeski & Co. settlement with the New York Attorney General laid it out: an Albany CPA firm, two ransomware attacks, 4,700+ people’s PII exposed, $60,000 settlement, root cause was a phishing email to an employee. Initial breach July 28, 2023. Clients not notified until November 2024.

That timeline is the consequence of a firm that didn’t have layered IT support. The breach was discoverable. The notification was delayed. The penalty followed.

This is the operating reality. High volume, high stress, elevated attack rates, and a regulatory environment in which the FTC Safeguards Rule now requires financial institutions (tax preparers included) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted information of at least 500 consumers.


What to Set Up in November and December for a Tax-Season-Ready Posture

If you’re going to add co-managed IT, the calendar matters. October is too early for some firms. February is too late for everyone. Here’s a 60-day setup plan that takes a firm from “internal IT only” to “tax-season-ready.”

Week 1 to 2: Discovery and baseline

  • Inventory every endpoint, server, and SaaS platform in use.
  • Document your current IT person’s responsibilities and which ones a partner could absorb.
  • Run the 10-point pre-season audit. Note what fails.
  • Identify your three most painful tax-season IT memories from the last two years. Plan around them.

Week 3 to 4: Tooling and coverage

  • Deploy or verify EDR on every endpoint. Every endpoint, including the partner’s home laptop.
  • Confirm email security flags external senders and runs attachment sandboxing.
  • Onboard helpdesk overflow with your co-managed partner. Test with three real tickets.
  • Confirm after-hours and weekend escalation paths in writing.

Week 5 to 6: Backup and resilience

  • Run a full restore from your most recent backup. Document the result.
  • Set up backup verification on a weekly cadence with your co-managed partner.
  • Document your incident response plan. Print it. Put it in a binder. The PDF is for your IT system. The printed copy is for the day the IT system is the problem.
  • Test your cyber insurance contact path. Don’t wait to learn at 2 a.m. that the policy expired.

Week 7 to 8: Final prep and handoff

  • Review and re-sign your WISP. The IRS Security Summit reminds tax professionals annually that this isn’t optional. WISP is required by federal law for tax professionals.
  • Run a 30-minute team-wide phishing awareness refresh. Use real examples your firm has caught.
  • Confirm patch automation is configured with reboot windows that protect tax software sessions.
  • Set a January 7 review meeting with your co-managed partner. Adjust thresholds based on the first week of real load.

Eight weeks isn’t long. The point is to start before the volume hits, not after.


How Verito Fits This Model

Verito built VeritGuard for exactly this scenario: small to mid-sized CPA and tax firms with one or two internal IT staff who need a co-managed partner to absorb tax-season surge.

The stack is purpose-built. Datto RMM for endpoint management and patch automation. Datto EDR for endpoint detection and response. RocketCyber 24/7 SOC on the Elite tier for around-the-clock alert investigation. INKY for email security and phishing detection. 1Password for credential management. NordLayer for VPN. BullPhish ID for security awareness training. IT Glue for documentation that survives staff turnover.

The support model is built around a one-hour response SLA, with after-hours escalation paths documented at onboarding.

Verito is SOC 2 Type II audited, which matters because the Journal of Accountancy’s CPA-firm guidance on the FTC Safeguards Rule is explicit: CPA firms providing tax planning and preparation are financial institutions under the Safeguards Rule, and Section 314.4(f) requires them to select service providers capable of safeguarding customer information, bind those providers to the safeguards by contract, and periodically reassess them. A SOC 2 Type II report is the independent audit evidence that supports that selection and reassessment.

Verito has maintained 100 percent uptime since 2016.

For tax-firm leaders evaluating their options, Verito’s co-managed IT page walks through how the model overlays your existing internal team without forcing a rip-and-replace. And the managed backup services add a separate verification cadence that runs whether your internal team is buried or not.


The Post-Season Transition: May and June

Tax season ends April 15 (or October 15 for extensions). The IT work doesn’t end with it. The four weeks after the rush are when firms catch up on everything they deferred.

Patch catch-up and firmware updates

If your firm deferred any updates from January through April, May is when they get applied. Workstations, servers, firewalls, switches, the wireless access points in the conference room. All of it. Schedule the catch-up window in the first two weeks of May while the team is still in office mode but no longer at peak load.

Post-incident reviews

Every helpdesk ticket, every alert that fired, every after-hours incident from January through April. Pull the data and review it with your co-managed partner. Where did response times slip? Which alerts were noise? Which were real? What category of ticket dominated and how do we automate it for next year?

Document the findings. They become your November 2026 audit baseline.

Contract renegotiation if the SLA was missed

If your co-managed partner missed their response SLA repeatedly during tax season, May is when you renegotiate. Tighter SLAs. Higher coverage tiers. More dedicated support during peak weeks. The leverage is highest when the season’s pain is fresh and the next contract renewal is six months away.

If they hit the SLA cleanly, May is also when you renew with confidence and lock in pricing for another 12 months.

Team debrief and staff training refresh

Your team learned things during tax season they didn’t know in January. New phishing patterns. New software quirks. New process gaps. Capture them in a 45-minute team debrief. Then refresh security awareness training for everyone before summer onboarding starts.

The post-season window is also when your WISP gets its annual review. IRS Publication 5708 gives you the WISP template structure. Update it with anything new from tax season. Re-sign it. File it.


Frequently Asked Questions

What IT problems do CPA firms see most in tax season?

The top five, in order of frequency: MFA lockouts and password resets, e-file portal connection issues, tax software import or printing errors, phishing emails impersonating clients, and after-hours incidents that one internal IT person can’t cover. Helpdesk volume typically runs 3 to 5 times higher than off-season, and that’s the point at which an in-house-only model breaks.

Is it too late to add co-managed IT mid-tax-season?

It’s late, but it’s not too late. A focused co-managed onboarding can be live in two to three weeks if the scope is narrow: helpdesk overflow, after-hours coverage, and email security. Don’t try to swap your full stack in February. Add the layer that absorbs the most pain (helpdesk and after-hours), then expand in May.

How does co-managed IT handle tax-season phishing?

Three layers. First, an email security platform (like INKY) flags external senders, sandboxes attachments, and detects lookalike domains before the message reaches the inbox. Second, EDR on every endpoint catches anything that gets clicked anyway. Third, a 24/7 SOC investigates flagged messages and isolates compromised endpoints in real time. Your internal IT person doesn’t have to triage every suspicious email at 11 p.m.

What does co-managed IT cost for a CPA firm?

Pricing is structured per-user or per-device monthly. The actual price depends on coverage tier, number of users, and whether you need Tier 1 helpdesk overflow only or full SOC and EDR coverage. Request a scoping call rather than rely on third-party “average” numbers, which often don’t reflect tax-firm-specific requirements.

Do I have to fire my internal IT person to add a co-managed partner?

No. The point of co-managed is the opposite. Your internal person keeps the work that requires firm-specific knowledge: tax software config, vendor relationships, partner-level support, anything that requires understanding your processes. The partner absorbs the surge work and the specialist work (SOC, after-hours, patch automation, backup verification). Internal IT roles usually become more strategic, not less.

Will co-managed IT help with FTC Safeguards Rule compliance?

Yes, in two specific ways. First, co-managed providers operate the technical safeguards (MFA, encryption, EDR, monitoring) that the rule requires. Second, the rule requires you to select providers capable of safeguarding customer information, bind them to those safeguards by contract, and periodically reassess them. A co-managed partner with a current SOC 2 Type II report gives you documentation for that oversight that you can show an auditor or the FTC if a notification event ever happens. The periodic reassessment is still your obligation; the report makes it a review rather than an investigation.

What happens if my co-managed partner fails during tax season?

Your co-managed IT contract should cover this in writing. Specifically: response time SLA, escalation path when the SLA is breached, financial credit for missed SLAs, and the right to terminate without penalty if the partner fails repeatedly. Read the SLA section before you sign, not after. And test the after-hours escalation path with a low-stakes ticket in November so you know it works before January.

Do I need co-managed IT if I only have three staff?

For a three-person firm, the question shifts. You probably don’t have an internal IT person at all. In that case, a fully managed model (where the partner handles everything) is more common than a co-managed model. Co-managed makes the most sense when you have one or two internal IT staff and need to extend their capacity, not replace them.


The Bottom Line for Tax Firms

Tax season exposes IT models that ran fine the rest of the year. Patch deferrals. Helpdesk pile-ups. Phishing volumes spiking against tax pros specifically. After-hours coverage that doesn’t exist. Backup verification that slipped to next month, then the month after that.

Co-managed IT is the model that absorbs the spike without replacing your team. Your internal person stays in the role they’re good at. The partner takes the surge, the after-hours, the SOC work, and the discipline tasks that get deferred when everyone is heads-down on returns.

The pre-season audit is the lever. Run it in November or December, fix what fails, onboard a co-managed partner if your audit shows you need surge capacity, and walk into January with a documented incident response plan and a real after-hours number to call.

If your firm wants a starting point, you can book a free security assessment to see where your current posture stands before tax season. It’s a 30-minute scoping conversation that surfaces the gaps that matter before they become incidents.

