Accounting firms are prime targets for cybercriminals because they handle sensitive financial data year-round. A single breach or audit failure can lead to client loss and reputational damage that takes years to recover from. The IRS and FTC now expect written proof—not verbal assurance—of your firm’s security posture.
In simple terms: If it isn’t written, timestamped, and reviewed, it doesn’t count as compliant.
That’s why IRS Publication 4557 makes a WISP mandatory—it’s your documented evidence that you’ve implemented, tested, and maintained the right administrative, technical, and physical safeguards.
TL;DR:
- Every tax preparer is required to maintain a Written Information Security Plan (WISP) under IRS Publication 4557.
- The regulation applies to all accounting firms, regardless of size.
- Your WISP must document how your firm prevents, detects, and responds to security threats.
- Compliance must cover all areas: people, processes, and technology.
- Use a verified checklist to confirm that your WISP meets IRS standards.
- What compliance means:
  - All tax pros must have a Written Information Security Plan (WISP) under IRS Publication 4557 and the FTC Safeguards Rule
  - These rules apply to every firm, regardless of size
  - Compliance requires safeguards like encryption, access control, training, and breach response
  - A WISP is how you prove you’re protecting taxpayer data
What IRS Publication 4557 Requires
Every U.S. tax preparer must maintain a Written Information Security Plan (WISP) to protect taxpayer data under IRS Publication 4557. This isn’t optional—it’s a mandatory safeguard program that defines how your firm prevents, detects, and responds to security incidents.
In essence, Publication 4557 translates complex cybersecurity principles into practical steps for tax professionals. It requires firms to establish, document, and maintain administrative, technical, and physical safeguards that protect client information from unauthorized access or disclosure.
For a broader view of firm-wide protection standards, see Security Best Practices for Tax & Accounting Firms.
What is a WISP and Why It’s Mandatory for Tax Preparers
A Written Information Security Plan (WISP) is your firm’s security manual. It outlines who manages your data protection, how information is stored, what controls prevent unauthorized access, and how you’ll respond to threats.
The IRS introduced this requirement to ensure that tax preparers aren’t just secure in theory—but in documented, reviewable practice.
In other words, a WISP is your proof of diligence—the evidence that your firm takes taxpayer data security seriously.
Under IRS Publication 4557, your WISP should:
- Identify who is responsible for managing information security.
- Define what systems and data are covered.
- Document controls and procedures for safeguarding information.
- Specify how incidents are reported, investigated, and resolved.
- Be reviewed and updated annually or after any significant operational or security change.
If your firm also processes client data under the FTC Safeguards Rule, the same WISP can satisfy both frameworks when properly structured—especially if you include access control, encryption, and vendor management documentation.
A WISP is not optional for tax professionals; it’s a documented program that defines how your firm prevents, detects, responds to, and recovers from security incidents.
For a complete overview of how a WISP works, see What is a WISP?
Administrative, Technical, and Physical Safeguards (What 4557 Expects)
IRS Publication 4557 breaks down security controls into three broad categories. Here is how your WISP should reflect each of them:
Administrative Safeguards
These are your policies and procedures—the human side of security.
Your WISP should document:
- Assigned roles and responsibilities for data protection.
- Employee onboarding/offboarding processes.
- Access authorization workflows.
- Staff training schedules and attendance logs.
- Incident response steps and communication flow.
- Annual reviews and updates.
Technical Safeguards
These are your system-level protections—the technologies that secure data at rest and in transit.
Your WISP should describe:
- Encryption protocols (for servers, backups, and emails).
- Multi-Factor Authentication (MFA) enforcement.
- Endpoint security and patch management cadence.
- Backup frequency and restore testing.
- Network segmentation and firewall configurations.
- Monitoring and alerting processes for suspicious activity.
Physical Safeguards
These cover where and how data is stored or accessed—including local devices and physical offices.
Your WISP should include:
- Locked server rooms or secure access areas.
- Visitor sign-in procedures and media disposal methods.
- Remote work and device-hardening standards.
- Environmental protections (e.g., surge protection, secure disposal).
Together, these safeguards ensure that your firm’s people, systems, and facilities all contribute to one goal—protecting taxpayer data from breach or loss.
WISP Components Your CPA Firm Must Document
IRS Publication 4557 expects your firm’s Written Information Security Plan to go beyond a policy statement. It must document the exact controls, responsibilities, and evidence that prove you’re implementing those safeguards day to day.
Think of it as a living binder (digital or physical) containing your firm’s entire security program — who does what, when, and how it’s verified.
Your WISP must cover people, processes, and technology: access control, encryption, MFA, backups, patching, vendor oversight, secure disposal, training, and incident response.
Roles & Access Control
Define who manages security within your firm — typically the owner, IT lead, or your managed service provider.
Your WISP should clearly state:
- The Information Security Coordinator’s name and contact info.
- Which users or groups have access to taxpayer data.
- Procedures for onboarding, offboarding, and periodic access reviews.
- How least privilege is enforced — giving employees only the access they need.
- Authentication rules: MFA, password policies, and session timeouts.
Access logs and policy approvals should be retained as dated evidence.
Encryption at Rest / In Transit, MFA, and Backups
IRS Publication 4557 requires encryption across all sensitive data — both when stored and when transmitted.
Document:
- Encryption standards used (e.g., AES-256).
- Email encryption and secure client portal use.
- How MFA is enforced on cloud, remote desktop, and email systems.
- Backup frequency (e.g., nightly, weekly) and restore test results.
- Disaster recovery timelines and last successful restore date.
Your WISP should show not just that encryption exists, but that it’s tested, maintained, and logged.
Vendor Management & Remote / Work-From-Home Controls
Third-party tools and contractors can create weak links if not managed securely.
Include documentation for:
- Vendor vetting and contract terms addressing data security.
- SOC 2 or equivalent audit reports from your vendors.
- Remote work standards: VPN, device encryption, automatic locking.
- Cloud storage policies and restrictions on personal device use.
If you’re using external IT providers, ensure your WISP specifies how they’re monitored and reviewed for compliance. For operational checks and assessments, see Cybersecurity Audit Checklist for Accounting Firms.
Incident Response Plan (Who, When, How)
Every firm must have a documented incident response plan describing what happens if data is lost, stolen, or exposed.
Include:
- Incident categories and severity levels (minor vs critical).
- Who leads response actions and communication.
- Containment and investigation procedures.
- 24/7 contact list for internal and external reporting.
- Client and IRS notification steps.
- Post-incident reviews and updates to prevent recurrence.
The IRS expects you to test this plan periodically—documenting each drill or real-world incident review as evidence. Each of these sections forms the backbone of your WISP—and without them, your firm would fail an IRS or FTC compliance review.
The 12-Point IRS 4557 WISP Compliance Checklist
Your Written Information Security Plan isn’t complete until it’s backed by evidence. Use this checklist to verify that every control required under IRS Publication 4557 is documented, tested, and review-ready.
Keep dated training logs, MFA and encryption settings, backup reports, restore tests, vendor reviews, and incident-response drills. If it isn’t written and timestamped, it doesn’t exist.
IRS 4557 WISP: 12 Things Your Firm Must Document
Control Area | What 4557 Expects | Evidence to Keep |
---|---|---|
1. Data Classification & Inventory | Identify where taxpayer data resides—servers, endpoints, cloud, email. | Data map, device list, access locations. |
2. Role-Based Access Control | Define who can view, edit, or transmit taxpayer data. | Access lists, onboarding/offboarding logs. |
3. Multi-Factor Authentication (MFA) | Require MFA for all remote, email, and system logins. | MFA policy, enforcement screenshots. |
4. Encryption in Transit & at Rest | Encrypt data on servers, backups, and devices. | Encryption reports, key-management logs. |
5. Patch & Vulnerability Management | Regular OS/software updates with documented cadence. | Patch schedules, vulnerability scans. |
6. Backup & Restore Policy | Define backup frequency and test recovery regularly. | Backup logs, restore-test confirmations. |
7. Secure Workstation & Remote Access | Harden devices, enforce VPN and screen locks. | Device-hardening checklist, VPN logs. |
8. Email Security | Implement phishing protection, SPF/DKIM, and DLP if applicable. | Email-gateway reports, DLP settings. |
9. Vendor Due Diligence | Vet vendors and review SOC reports or contracts annually. | Signed contracts, SOC 2 summaries. |
10. Physical Security | Restrict access to offices/servers; manage disposal. | Visitor logs, disposal certificates. |
11. Security Awareness Training | Train staff at least annually; track completion. | Training agenda, attendance records. |
12. Incident Response Plan | Document severity matrix, contacts, and post-incident reviews. | Incident logs, drill results, updates. |
Tip: Attach this checklist as an appendix to your WISP and initial each item when verified. Auditors expect to see both the control and the proof that it’s active. If every item checks out, get your audit-ready WISP.
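As an added example (not code from the page or from Verito), the following Python script applies the rule above, that a control only counts when its evidence is written, dated and reviewed, to the 12 control areas in the checklist: each area needs a signed-off artifact no older than its review cadence, and anything missing, unsigned, future-dated or stale is reported as a gap. The per-control cadences, the reviewer names and the sample register are constructed assumptions; the page itself only fixes "at least annually" for training and the WISP review.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age of acceptable evidence per control area, in days (assumed cadences).
CADENCE_DAYS = {
    "Data Classification & Inventory": 365,
    "Role-Based Access Control": 90,          # quarterly access review
    "Multi-Factor Authentication (MFA)": 90,
    "Encryption in Transit & at Rest": 365,
    "Patch & Vulnerability Management": 30,   # monthly patch cycle
    "Backup & Restore Policy": 90,            # quarterly restore test
    "Secure Workstation & Remote Access": 90,
    "Email Security": 365,
    "Vendor Due Diligence": 365,              # annual SOC/contract review
    "Physical Security": 365,
    "Security Awareness Training": 365,
    "Incident Response Plan": 365,            # annual drill
}

@dataclass(frozen=True)
class Evidence:
    control: str       # one of the CADENCE_DAYS keys
    artifact: str      # e.g. "restore-test confirmation"
    verified_on: date  # the timestamp that makes the evidence count
    reviewed_by: str   # who signed it off; empty means never reviewed

def check_register(evidence, as_of):
    """Map every control area to ok / missing / future / unsigned / stale."""
    latest = {}
    for ev in evidence:
        if ev.control not in CADENCE_DAYS:
            raise ValueError(f"unknown control area: {ev.control!r}")
        cur = latest.get(ev.control)
        if cur is None or ev.verified_on > cur.verified_on:
            latest[ev.control] = ev          # only the newest artifact counts
    status = {}
    for control, max_age in CADENCE_DAYS.items():
        ev = latest.get(control)
        if ev is None:
            status[control] = "missing"
        elif ev.verified_on > as_of:
            status[control] = "future"       # a date in the future is not credible evidence
        elif not ev.reviewed_by:
            status[control] = "unsigned"     # written and dated, but never reviewed
        elif as_of - ev.verified_on > timedelta(days=max_age):
            status[control] = "stale"
        else:
            status[control] = "ok"
    return status

def gaps(evidence, as_of):
    """Control areas that would not pass an evidence review, sorted by name."""
    return sorted(c for c, s in check_register(evidence, as_of).items() if s != "ok")

# Constructed sample register (not real firm data); reviewer names are made up.
AS_OF = date(2025, 1, 15)
SAMPLE_REGISTER = [
    Evidence("Multi-Factor Authentication (MFA)", "MFA enforcement report", date(2024, 12, 20), "J. Lee"),
    Evidence("Backup & Restore Policy", "restore-test confirmation", date(2024, 9, 1), "J. Lee"),
    Evidence("Security Awareness Training", "attendance record", date(2024, 3, 4), "M. Ortiz"),
    Evidence("Vendor Due Diligence", "SOC 2 summary review", date(2025, 1, 2), ""),
    Evidence("Patch & Vulnerability Management", "patch schedule", date(2024, 11, 1), "J. Lee"),
    Evidence("Patch & Vulnerability Management", "patch schedule", date(2025, 1, 10), "J. Lee"),
    Evidence("Incident Response Plan", "tabletop drill notes", date(2025, 2, 1), "J. Lee"),
]
```

Running `gaps(SAMPLE_REGISTER, AS_OF)` on this register lists nine of the twelve areas, which is the list you would work through before attaching the checklist to the WISP.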
Don’t risk a failed review. Get a done-with-you WISP, policies, training, and audit evidence in days.
How to Prove Compliance (Evidence Clients & Auditors Expect)
IRS Publication 4557 isn’t satisfied with a written plan alone. Your firm must show proof — the dated, reviewable evidence that your safeguards are implemented, tested, and updated.
Keep dated evidence, like policy approvals, training logs, MFA/encryption settings, backup reports, restore tests, vendor reviews, breach drills, and incident records.
When auditors or clients ask for verification, they’re not just looking for policies — they want to see operational proof that your controls are active.
Here’s how to make your WISP audit-ready:
1. Policy Documentation
Maintain the latest version of all policies listed in your WISP:
- Information Security Policy
- Access Control Policy
- Backup and Recovery Policy
- Vendor Security Policy
- Incident Response Plan
Each should include version numbers, approval dates, and review frequency.
2. Training Records
Keep attendance logs and digital confirmations for all employee security awareness training.
Auditors often ask for:
- Training completion rates
- Course materials or agendas
- Names of employees who completed sessions
This demonstrates compliance with both IRS Publication 4557 and the FTC Safeguards Rule.
3. Technical Evidence
Auditors expect to see proof that your security systems are active and enforced:
- MFA settings and enforcement reports
- Encryption configurations for servers, backups, and emails
- Patch management logs or vulnerability scan reports
- Backup verification and last restore test results
- Device-hardening or antivirus deployment reports
You don’t need enterprise tools—just consistent documentation.
4. Incident Logs and Post-Mortems
Every incident—big or small—should have a dated log entry.
Include:
- Description, date, and time of the event
- Impact summary
- Actions taken and resolutions
- Follow-up improvements
This shows regulators that your firm doesn’t just respond reactively but continuously improves.
5. Vendor Review Records
Vendor compliance is part of your responsibility. Keep a file for each vendor with:
- Signed contracts that define data security obligations
- SOC 2 or ISO 27001 reports (if available)
- Annual performance or compliance reviews
Even if you outsource IT, your firm remains responsible for demonstrating vendor oversight. For guidance on aligning your hosting and infrastructure to these requirements, read Cloud Hosting Security for Accounting Firms.
Control → What 4557 Expects → Evidence to Keep (Quick Reference Table)
Control | What 4557 Expects | Evidence to Keep |
---|---|---|
Access Control | Restrict and review data access regularly | User list, MFA settings, review logs |
Encryption | Encrypt data at rest and in transit | Key-management logs, configuration screenshots, audit logs |
Backups | Maintain and test backups | Logs of backups and restore tests |
Vendor Oversight | Vet vendors for security | SOC reports, contract copies |
Training | Educate staff annually | Attendance sheets, training materials |
Incident Response | Document and review breaches | Incident logs, post-mortems |
Verito’s infrastructure is built on the same principles, which enables firms to maintain ongoing compliance without managing complex security layers themselves.
Fast-Track Options
IRS Publication 4557 doesn’t give you a grace period; your WISP must exist and be functional now. If your firm hasn’t yet created one, there are two practical ways to get compliant quickly, depending on your size, staffing, and audit exposure.
Free IRS WISP Template (When It’s Enough)
If you’re a solo practitioner or small firm (1–3 staff) with limited systems, the free WISP template can help you get started immediately.
It’s designed for firms that:
- Have minimal local infrastructure (mostly using cloud-based tax software).
- Don’t handle client data across multiple office locations or remote servers.
- Are preparing for basic IRS Publication 4557 compliance rather than full FTC audit readiness.
You can use the Free IRS WISP Template to:
- Create your baseline documentation.
- Fill in roles, encryption methods, and vendor lists.
- Quickly identify gaps that may require professional review later.
This approach works if you just need foundational coverage before tax season and plan to manage updates in-house.
Buy VeritShield WISP (When You Need Done-With-You + Audit-Ready)
For firms with 5+ users, remote teams, or exposure to larger audit or FTC inquiries, a self-managed template isn’t enough. You’ll need audit-grade documentation, verified evidence templates, and ongoing policy updates.
That’s where VeritShield WISP comes in.
It’s a done-with-you compliance solution built specifically for accounting firms, offering:
- Custom WISP creation mapped to your firm’s exact workflows.
- Pre-built administrative, technical, and physical control templates.
- Policy approvals, logs, training modules, and restoration drill tracking.
- Audit evidence documentation pre-formatted for review.
- Expert guidance to ensure you meet both IRS Publication 4557 and FTC Safeguards Rule expectations.
Short on time? Get a done-with-you WISP, policies, training, and audit evidence in days with VeritShield WISP.
This not only satisfies compliance requirements but builds operational confidence during peak season — ensuring your systems are both secure and review-ready.
Make sure your WISP covers people, processes, and technology: access control, encryption, MFA, backups, patching, vendor oversight, secure disposal, training, and incident response.
Security That Supports 4557 in Production
IRS 4557 compliance doesn’t end once you’ve written a WISP. Your controls need to function every day — during backups, remote sessions, vendor logins, and peak tax season traffic.
That’s where your firm’s infrastructure becomes the difference between paper compliance and operational compliance.
SOC 2 Type II Hosting and Continuous Monitoring
Hosting your applications and files on a SOC 2 Type II certified environment ensures that your technical safeguards are validated by independent auditors. This certification verifies that your hosting provider actively enforces:
- Multi-Factor Authentication (MFA) on all remote access
- Encryption in transit and at rest
- Continuous monitoring for unauthorized activity
- Secure access segregation between firms
This alignment not only simplifies your WISP documentation but demonstrates to auditors that your systems meet a recognized national security standard.
Isolated Private Servers with Peak-Season Reliability
Generic public cloud environments often share resources between hundreds of clients — a risk for any CPA firm managing confidential data.
Verito’s architecture eliminates that risk by providing isolated private servers, meaning your data and performance aren’t impacted by other users.
With 99.999% uptime, firms can run QuickBooks, Drake, or Lacerte securely throughout tax season — no lag, no downtime.
This ensures that compliance controls (like encryption and logging) are always active, even under heavy workload.
Integrated IT Oversight and Application Support
Compliance doesn’t just rely on secure servers — it relies on consistent, expert monitoring.
With 24/7 managed IT support, Verito ensures that patching, updates, and backup verifications happen on schedule.
That means your IRS Publication 4557 WISP isn’t theoretical — it’s maintained continuously by professionals who understand accounting workflows.
This unified model of hosting + IT management reduces audit risk and removes the burden of day-to-day security maintenance for small firms.
FAQs: IRS Publication 4557 & WISP for Accounting Firms
1. Do I legally need a WISP under IRS Publication 4557?
Yes. Every U.S. tax preparer is required to maintain a Written Information Security Plan (WISP) to protect taxpayer data under IRS Publication 4557. This rule applies to all firms that handle or store client tax information — even solo practitioners. Without a WISP, your firm risks noncompliance, penalties, and increased exposure to data breaches.
2. What’s the difference between IRS Publication 4557 and the FTC Safeguards Rule?
IRS Publication 4557 sets security expectations for tax preparers, while the FTC Safeguards Rule applies to financial institutions and businesses handling sensitive client data. Both require a WISP, encryption, MFA, and vendor oversight. The key difference: IRS 4557 is issued by the IRS for tax professionals; the FTC rule is broader but overlaps heavily in its security controls.
3. What counts as acceptable “evidence” of compliance during an audit or inquiry?
Acceptable evidence includes policy approvals, employee training logs, MFA enforcement reports, backup and restore tests, vendor SOC reviews, and incident logs. Auditors look for timestamped, verifiable records showing that your firm’s safeguards are implemented and monitored continuously — not just written down.
4. Can a template alone make me compliant? When do I need a managed WISP?
A template helps establish the foundation of your WISP, but true compliance depends on execution and documentation. Small firms may use the Free IRS WISP Template, but larger or multi-office practices typically need a managed, audit-ready WISP like VeritShield WISP to meet both IRS 4557 and FTC Safeguards Rule standards.
5. How often should I review or update my WISP?
At least once per year — and immediately after any major operational change, breach, or software migration. The IRS expects your WISP to be a living document, continuously updated to reflect new risks, technologies, and vendors. Most firms schedule a quarterly mini-review and an annual full audit to stay compliant.
6. How does SOC 2 Type II hosting support IRS 4557 requirements in practice?
SOC 2 Type II certification verifies that your hosting provider enforces MFA, encryption, access controls, and continuous monitoring — all required under IRS 4557. Hosting on such infrastructure (like Verito’s isolated private servers) gives your firm built-in compliance advantages and simplifies documentation for your WISP and audit logs.
7. What’s the fastest path to get audit-ready before tax season?
Use the IRS 4557 WISP Checklist in this guide and start with the Free IRS WISP Template. If you need policies, training, and pre-built audit documentation fast, upgrade to VeritShield WISP. This done-with-you program provides a complete, compliant WISP package — ready to show auditors within days.
Conclusion
IRS Publication 4557 has made one thing clear — protecting taxpayer data is no longer optional or theoretical. Every accounting firm, regardless of size, must have a documented Written Information Security Plan (WISP) that proves security isn’t just promised but practiced daily.
For firms already stretched thin by client deadlines, compliance may feel overwhelming — but it doesn’t have to be. By documenting clear roles, controls, and evidence, and running on SOC 2 Type II infrastructure with isolated private servers, your firm can stay secure, compliant, and audit-ready all year long.
A well-built WISP doesn’t just meet IRS standards — it builds client trust, strengthens resilience, and safeguards the reputation your firm worked years to earn.
Non-legal disclaimer:
This resource is informational and not legal advice. Confirm requirements with your advisor before implementing your firm’s compliance plan.