Your only IT person quits. No successor, limited documentation, and they are the only one who really understands your tax software hosting, remote access, backups, and passwords.
For most small businesses that is disruptive. For an accounting firm, it directly hits three areas that keep the firm alive:
- Security: You hold Social Security numbers, bank details, payroll data, and full financial histories. If the person who managed admin access, MFA, patching, and monitoring leaves, you may not know who can reach what, which tools are still working, or whether alerts are being reviewed at all.
- Uptime: Almost every billable task depends on stable systems: tax software, bookkeeping platforms, document management, portals, and remote desktops. When there is no clear owner for “keep this system running,” small issues stack into outages and missed deadlines.
- Compliance: IRS Publication 4557, the FTC Safeguards Rule, and your Written Information Security Plan (WISP) all assume someone is implementing and maintaining controls. If policies, risk assessments, and logs live in your IT person’s inbox or head, their departure leaves you with tools but no proof and no clear owner.
This article is written for partners and firm administrators in that situation, or close to it. You will get a clear picture of what actually breaks when your internal IT person walks out; a practical 24 to 72 hour checklist that focuses on security, uptime, and compliance; a comparison of your real options (hire another IT generalist, rely on a generic MSP, or move to managed IT built specifically for accounting firms); and a realistic view of how a specialized managed IT partner can take over without repeating the same single point of failure.
If your IT person has already resigned or you suspect they might, this is the time to baseline where you stand. If you are looking to conduct a focused cybersecurity and IT assessment, you can opt for Verito’s free IT security assessment to get an idea of where your internal systems stand and what can be done to further optimize them.
Why Losing an IT Person Hits Accounting Firms Hard
Most small businesses feel the repercussions when IT fails. Accounting firms feel it faster and more severely because almost everything they do touches three sensitive areas at once:
- Client financial and tax data
- Fixed, unforgiving deadlines
- Regulatory expectations around data security
Day-to-day work depends on a tight set of systems: tax software, bookkeeping and GL, engagement and workpaper tools, portals, email, and remote access. If any of these stalls, billable work usually stops.
You are also holding the kind of data attackers actively target: Social Security numbers, bank details, payroll, ownership structures, and client financials. From the IRS and FTC perspective, you are closer to a financial institution than a typical small business. That is why frameworks like IRS Publication 4557, the FTC Safeguards Rule, and WISP requirements exist in the first place.
In many firms with 5 to 50 staff, one internal IT person ends up quietly running most of this stack.
What Level of Firm-level Knowledge Your IT Person Actually Holds
On an organisation chart, the IT role may look simple: “manage servers and support IT-related requirements.” In reality, they also hold institutional knowledge the firm depends on.
Here is a concise view of what your IT person actually holds:
| What your IT Person Holds | How it usually exists | What happens when they leave |
|---|---|---|
| Admin passwords | Personal password manager or private notes | No one can safely change configurations or cut off access |
| Email, domain, remote access | Old tickets, their memory, scattered screenshots | DNS, VPN, RDS changes become risky guesswork |
| Application knowledge and shortcuts | Hands-on knowledge, hallway conversations | Staff waste hours or create unsafe workarounds |
| Vendor relationships | Direct contact numbers and personal email threads | You are stuck in generic support queues during issues |
| Backup and DR assumptions | “IT will check it” | Partners cannot confirm if data is recoverable |
| Compliance evidence | Reports and exports on their laptop | You cannot easily prove what controls exist |
Add accounting specifics on top of this:
- Which tax and accounting applications are hosted where
- How seasonal staff are onboarded and then removed
- Which legacy systems cannot be rebooted at 4 p.m. on a filing deadline
If this information is not written down and owned by the firm, it walks out with the IT person.
The Single Point of Failure
The core issue is not just that another employee left the organisation. It is that your whole IT function depended on one human being.
Typical patterns in accounting firms:
- Every technical question flows to the same person, so nothing gets standardized or documented.
- Partners assume “IT has it covered” for backups, MFA, patching, logging, and compliance.
- No one else has enough context to challenge tradeoffs like skipping updates or deferring hardware refreshes.
The result: On a good day, the environment feels stable, but it has low resilience. If the IT person quits, takes leave, or simply disengages, your risk across security, uptime, and compliance jumps at once.
The goal is not to swap one name for another in the same fragile model. It is to remove the single point of failure completely and treat IT as a managed function with shared knowledge, documented processes, and coverage that does not depend on one employee.
Immediate Risk to Security When Your IT Person Quits
When the employee who runs your IT and security leaves, assume there are control gaps rather than expecting smooth continuity. In most firms, the IT person owns:
- Admin rights in Microsoft 365 or Google Workspace
- MFA setup and reset
- Antivirus or EDR, patching, and firewall rules
This combination creates attractive conditions for attackers. Recent data points are blunt:
- Stolen or weak passwords are involved in a large share of breaches, with credentials still one of the top initial access methods reported in the Verizon Data Breach Investigations Report.
- IBM’s Cost of a Data Breach reports consistently put average breach costs in the millions of dollars, with higher averages in the United States and for regulated sectors like financial services.
You cannot control global trends, but you do control how exposed your firm is while IT ownership is in flux. Treat the resignation as a trigger for a short, focused security review, not just an exit interview.
In practical terms: Assume access and monitoring are untrusted until you validate them.
The Access Control Problem
The fastest way firms get hurt after an IT departure is poor access control. Many accounting firms still rely on a patchwork of shared admin logins and accounts tied to the IT person’s email.
| Area | Typical reality when IT leaves | Risk | Minimum action in first week |
|---|---|---|---|
| Email and identity | One or two global admins, often just IT | Cannot lock or reset accounts quickly | Add a partner as global admin, rotate admin creds |
| Tax and accounting apps | Admin tied to IT person’s email or shared login | Blocked from changing users or permissions | Move admin to shared firm email, change passwords |
| Remote access (VPN, RDS) | Old configs, limited documentation | Hard to cut off ex-staff or spot suspicious use | Review users, disable stale accounts, enable MFA |
| Servers, firewalls, switches | Credentials in IT’s password vault or personal notes | No safe way to change configs or respond to issues | Centralize in a firm-owned password manager |
| Third-party vendors | Invoices and alerts go only to IT | Missed security notices, unpaid renewals | Add finance and a partner as contacts for each vendor |
If you cannot answer “who has admin rights and how do we change them today” for email, remote access, and tax systems, you have an immediate security problem.
In the first 24 to 72 hours:
- Identify all admin accounts in Microsoft 365 or Google Workspace and remote access platforms.
- Ensure at least one partner has working global admin access and MFA.
- Rotate credentials and MFA tokens that were controlled solely by the departing IT person.
- Move critical accounts away from personal email addresses to shared addresses like it@firmname.
Gaps in Cybersecurity Controls
Even if passwords are under control, many firm-level protections depend on someone actively watching them. When that person disappears, tools keep running until they fail silently.
Typical weak points:
1. Endpoint protection
Agents fall behind on updates, or remote staff devices have not checked in for months. No one is reviewing central dashboards.
2. Patching
Servers, remote desktop hosts, and workstations stop receiving regular security updates because patching was never fully automated or governed.
3. Email and phishing protection
Filtering rules are not tuned, so phishing emails get through, including targeted phishing aimed at partners.
4. Backups
Backup jobs still run, but no one checks success reports or performs restore tests. Failures can go unnoticed for weeks.
The impact for a CPA firm is straightforward:
- Higher probability of a successful ransomware or business email compromise attack
- Longer outages if a core server or hosted environment fails
- Weak footing with cyber insurers or regulators if you cannot show basic security hygiene
Your short-term objective is not to rebuild your entire security program. It is to make sure someone is actually on the hook for:
- Reviewing security alerts and backup status daily
- Ensuring all computers and systems have working protection
- Coordinating patching and maintenance windows around busy season
If you do not have that capability internally, this is where an interim engagement with a managed IT provider for accounting firms can pay off quickly. They can validate that controls are running, patch obvious holes, and provide insightful reporting to partners while you decide on a long-term model.
Operational Risk: Impact on Uptime and Productivity After Your IT Person Walks Out
When your IT person leaves, all the day-to-day IT maintenance work does not stop. It just stops having an owner.
In a typical firm, core activities look like this:
| Firm activity | What systems must be active | Who used to own it |
|---|---|---|
| Preparing and filing returns | Tax software, e-filing, portals, email | Internal IT person |
| Client bookkeeping and write-up | QuickBooks or similar, bank feeds, file storage | Internal IT person |
| Audit, review, and compilation work | Workpaper systems, file servers, RDS | Internal IT person |
| Remote and hybrid work | VPN or RDS, cloud hosting, MFA | Internal IT person |
| Client communication and delivery | Email, DMS, e-signature tools | Internal IT person |
Remove the last column and you have queues of issues with no clear escalation path. That shows up as:
- Slower response to outages or performance issues
- Staff repeatedly retrying broken workflows instead of escalating
- Maintenance and upgrades postponed because no one wants to touch fragile systems
The environment might keep running, but it becomes brittle. The first serious incident exposes that brittleness and can have a severe impact on your firm’s productivity, efficiency, and reputation.
The Real Cost of Downtime For CPA Firms
Downtime is not just an inconvenience. For firms that bill by the hour against hard deadlines, it is direct financial loss.
ITIC’s 2024 Hourly Cost of Downtime survey found that over 90 percent of organisations, including small and mid-size businesses up to 200 employees, estimate downtime at more than 300,000 dollars per hour, with many putting it closer to 1 million dollars per hour.
For micro SMBs with fewer than 25 employees and a single server, ITIC notes that even a conservative estimate can still be around 100,000 dollars per hour when you include lost productivity and opportunities.
Accounting firms sit squarely in that risk profile:
- Work is deadline-driven, so you cannot easily move it to another day
- Staff often work extended hours during tax season, so evening and weekend outages are still expensive
- Missed filings bring penalties, interest, and tough conversations with clients
A simple example:
- 15 billable staff at an average of 150 dollars per hour
- A three-hour outage of remote desktops hosting tax software during March
Direct lost billable time alone is 15 x 150 x 3 = 6,750 dollars. That ignores catch-up time, overtime, and any write-offs partners take to preserve client relationships. A few such incidents in a season can quietly erase a significant share of partner profit.
This is why downtime should be treated as a financial and client service risk, not just an IT metric.
When Staff Start Bypassing Controls to Get Work Done
Once uptime becomes unreliable and there is no clear IT owner, staff will do whatever it takes to move work. That often means bypassing the very controls partners think are protecting the firm.
Common behavior in firms without stable IT support:
- Saving client documents to personal laptops or consumer cloud storage because the DMS or portal is slow
- Emailing returns or financial statements unencrypted because the secure system is down
- Sharing logins to bottleneck systems so several people can work at once
- Disabling antivirus, VPN clients, or other security tools that appear to slow machines
Each of these choices may feel reasonable at the moment, especially under deadline pressure. Collectively, they:
- Spread sensitive data across devices and services the firm does not control
- Break the link between user accounts and individuals, which undermines audit trails
- Directly contradict WISP norms, IRS Publication 4557 expectations, and what you told your cyber insurer
This is why uptime and security are tightly connected. If systems are not usable, security controls will be worked around. When your IT person quits and nobody is responsible for both performance and protection, the risk of that drift increases.
A managed IT model that understands accounting firms treats uptime, user experience, and security as one problem. The mandate is simple: Keep systems fast and available so that staff do not feel forced to create their own shortcuts.
Compliance Risk: IRS 4557, FTC Safeguards, and Your WISP After Your IT Person Leaves
Most firms think of compliance as policies and paperwork. Regulators do not. They expect working controls plus proof, and your IT person is usually the one translating policy into real settings.
At a high level, your firm is subject to these three compliance norms:
| Framework / document | Who it hits in practice | What it expects in plain language |
|---|---|---|
| IRS Publication 4557 | Anyone preparing tax returns | Have and follow a data security plan that protects taxpayer data, including tech controls, training, and incident response. |
| FTC Safeguards Rule | Non-bank financial institutions, including many CPA and tax firms | Maintain a written security program with admin, technical, and physical safeguards, plus risk assessments and vendor oversight. |
| WISP | All tax pros handling taxpayer data | A written, implemented, and maintained information security plan, not a one-time document. |
Recent IRS and Security Summit messages are explicit: a WISP is a federal mandate for tax professionals, not an optional best practice.
The amended Safeguards Rule now adds breach notification duties. As of May 2024, covered firms must notify the FTC when certain breaches affecting 500 or more individuals occur.
Someone has to:
- Keep the WISP and risk assessments current
- Collect basic evidence that controls are actually running
- Turn these requirements into practice through MFA, backups, logging, and vendor checks
In many firms, that “someone” is the internal IT person. When they leave, the program is often still on paper, but the operator is gone.
Who Owns Your WISP and Evidence Once The IT Guy Quits
Even firms with decent documentation tend to centralize the details in IT. If and when the IT person quits, three things commonly go missing at once: the latest WISP, a recent risk assessment, and day-to-day evidence of compliance.
You can see the fragility if you map where key items usually live.
| Item | Where it often lives today | Problem when IT leaves |
|---|---|---|
| WISP file | IT laptop or a poorly labeled shared folder | No one is sure what version is current |
| Risk assessment | Spreadsheet or PDF in an IT folder | Partners cannot describe current risks or priorities |
| Backup and patch reports | RMM console, scripts, email alerts | No independent proof systems are protected |
| User and admin access records | AD exports, old lists, IT’s own notes | No clean view of who has access to what |
| Vendor security questionnaires | PDF attachments and email chains in IT mailbox | Hard to show you did basic third-party due diligence |
| Incident history | Tickets and ad hoc emails | No consistent record of past issues and lessons learned |
Regulators and insurers care about two questions:
- Are reasonable controls in place?
- Can you prove it over time?
If the honest answer today is “IT handled that” and IT is gone, your compliance story is weak even if your tools are decent.
A quick check for partners:
- Can you locate your current WISP without asking the former IT person?
- Can you show a risk assessment or similar review from the last 12 months?
- Can you produce basic logs or reports for backups, patching, and access reviews?
If any of those are “no” or “not sure,” your compliance risk shoots up the day your IT person resigns.
Why Not Meeting Compliance Norms Hurts in The Real World
Accounting firms that don’t meet compliance norms face consequences with three core stakeholders:
1. IRS and regulators
- Publication 4557 and recent IRS releases state clearly that tax professionals must have and maintain a WISP.
- PTIN renewal asks you to attest that you have an adequate data security plan. That is hard to justify if you cannot even find it.
- Under the updated FTC Safeguards Rule, certain breaches must be reported to the FTC, which will naturally look at whether you ran a reasonable security program.
2. Cyber insurance
- Applications and renewals ask about MFA, backups, WISP, and incident response. If previous answers depended on your IT person’s assurances and you cannot now produce evidence, claims and renewals become more fragile.
- After an incident, insurers will expect you to show that the controls you claimed were actually in place.
3. Clients and larger counterparties
- Mid-sized businesses, banks, and PE-backed clients have started to treat CPA firms as vendors subject to security questionnaires. They will ask who owns your information security program and will expect to see a WISP and high-level controls in place.
- “Our IT guy used to handle that, but he left” is not a credible answer when you are asking them to send you their most sensitive financial data.
The point is not that one resignation makes you automatically non-compliant. It is that your ability to prove and maintain compliance can disappear overnight if it was concentrated with one person.
A more mature model, usually through managed IT for accounting firms, spreads that knowledge and responsibility across:
- A dedicated contact for security and compliance operations
- Repeatable processes for WISP maintenance, risk assessments, and evidence collection
- Regular reporting to partners in plain language, tied directly to IRS 4557 and Safeguards expectations
First 24 to 72 hours: An Emergency Checklist For Accounting Firms
When your IT person quits, you are not trying to redesign your whole environment in three days. You are trying to stop anything critical from breaking or leaking while you figure out your long-term IT management plan.
Think in five moves.
1. Stabilize Access and Ownership
Objective: Make sure the firm, not a former employee, controls the keys.
Priorities:
- Email and identity (Microsoft 365 or Google Workspace)
  - List all global admins.
  - Add at least one partner-level admin account with MFA.
  - Change passwords and MFA on any admin accounts that were controlled by the IT person.
- Domains and DNS
  - Confirm who can log in to the domain registrar.
  - Ensure at least one partner or owner has credentials and MFA.
- Core tax and accounting systems
  - Identify the primary admin for tax software, GL, payroll, DMS and portals.
  - Move ownership from personal mailboxes to shared addresses (for example it@firmname, ops@firmname).
- Vendors and hosting
  - List key vendors: hosting provider, backup vendor, internet provider, firewall or RDS provider, major SaaS.
  - Add finance and a partner as named contacts on each account.
You do not need a perfect IAM strategy in 72 hours. That said, you do need to know who can change what, today.
2. Inventory Systems and Critical Dependencies
Objective: Know what software and systems you are actually running and what depends on them.
Use a simple table like this and fill it quickly:
| System or service | Purpose | Where it runs | Who uses it most |
|---|---|---|---|
| Tax software A | Individual and entity returns | Hosted / RDS / on premises | Tax team |
| Tax software B | Business or state returns | Hosted / RDS / on premises | Tax team |
| GL / bookkeeping | Write-up and client accounting | Cloud / server | CAS / bookkeeping team |
| DMS or file storage | Client documents and workpapers | File server / cloud DMS | All staff |
| Remote access | Staff access to apps and files | VPN / RDS / cloud desktops | All remote and hybrid staff |
| Backup solution | Protects servers and key datasets | Local appliance / cloud | Entire firm |
Then:
- Add legacy servers and any “mystery boxes” the IT person mentioned.
- Note any single vendor where only IT had the relationship.
This is your starting point for any managed IT or interim support. Without it, every incident becomes detective work.
3. Lock Down Immediate Security Risks
Objective: Close the easiest and most dangerous holes in your data security apparatus.
Focus on four items:
- MFA coverage
  - Confirm MFA is on for:
    - Email and global admin accounts
    - Remote access (VPN, RDS, cloud desktops)
  - If it is missing anywhere public-facing, fix that first.
- Endpoint and server protection
  - Verify that firm-owned laptops, desktops, and servers have active antivirus or EDR.
  - Look for computers that have not checked in to the console recently. Treat them as blind spots.
- Backups and restores
  - Identify what is being backed up, where, and how often.
  - Confirm there is at least one recent backup for:
    - Tax servers or hosted data
    - File storage or DMS
  - Perform a small test restore. Do not assume the job “running” means data is recoverable.
- Account cleanup
  - In email, remote access, and core apps:
    - Disable former staff accounts that were never removed.
    - Remove obvious test or shared accounts that no one can justify.
None of this is optional in an accounting firm. Until it is done, your risk window stays wide open.
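The access checks from moves 1 and 3 above can be run as a first pass over account lists exported from each admin console. This is an added example, not part of the original article or any vendor's tooling; the CSV columns, the status values, the 90-day stale threshold, the `firm.example` domain, and the choice of public-facing systems are all assumptions, and the sample data is constructed.

```python
"""First-pass access review after an IT departure (added example)."""
import csv
import io
from datetime import date

# Constructed sample export. In practice this is merged by hand from each
# system's admin console; the column names are assumptions of this example.
SAMPLE_EXPORT = """\
system,username,email,role,mfa,last_sign_in,status
m365,it.admin,it.guy@firm.example,global_admin,yes,2025-01-10,departed
m365,partner.jane,jane@firm.example,global_admin,no,2025-01-12,active
m365,old.intern,intern2023@firm.example,user,no,2024-04-15,former
vpn,it.admin,it.guy@firm.example,admin,yes,2025-01-09,departed
vpn,staff.bob,bob@firm.example,user,yes,2025-01-11,active
tax_app,admin,it.guy.personal@mail.example,admin,no,2024-12-20,departed
tax_app,test1,,user,no,2023-11-02,active
"""

ADMIN_ROLES = {"global_admin", "admin"}
PUBLIC_FACING = {"m365", "vpn"}  # assumption: systems reachable from the internet
STALE_DAYS = 90                  # assumption: review threshold, not from the article


def load_accounts(text):
    """Parse the export into dicts with a boolean MFA flag and a real date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["mfa"] = row["mfa"].strip().lower() == "yes"
        row["last_sign_in"] = date.fromisoformat(row["last_sign_in"])
        rows.append(row)
    return rows


def review(accounts, today, firm_domain):
    """Return findings keyed by the checklist item they belong to."""
    findings = {
        "no_firm_admin": [],       # systems where no current staff member is admin
        "rotate_credentials": [],  # admin accounts held by the departed IT person
        "personal_email": [],      # admin accounts not tied to a firm mailbox
        "mfa_missing": [],         # admin or public-facing accounts without MFA
        "disable": [],             # former-staff or stale accounts
    }
    all_systems, systems_with_active_admin = set(), set()

    for a in accounts:
        key = (a["system"], a["username"])
        is_admin = a["role"] in ADMIN_ROLES
        all_systems.add(a["system"])

        if is_admin and a["status"] == "active":
            systems_with_active_admin.add(a["system"])
        if is_admin and a["status"] == "departed":
            findings["rotate_credentials"].append(key)
        if is_admin and not a["email"].lower().endswith("@" + firm_domain):
            findings["personal_email"].append(key)
        # Former-staff accounts are handled by "disable", not by adding MFA.
        if (a["status"] != "former" and not a["mfa"]
                and (is_admin or a["system"] in PUBLIC_FACING)):
            findings["mfa_missing"].append(key)
        if (a["status"] == "former"
                or (today - a["last_sign_in"]).days > STALE_DAYS):
            findings["disable"].append(key)

    findings["no_firm_admin"] = sorted(all_systems - systems_with_active_admin)
    return findings


if __name__ == "__main__":
    result = review(load_accounts(SAMPLE_EXPORT), date(2025, 1, 15), "firm.example")
    for item, hits in result.items():
        print(f"{item}: {hits}")
```

The `no_firm_admin` list is the one to act on first: any system named there can currently be changed only with credentials the departed person held.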
4. Document What You Know
Objective: Turn passive and verbal knowledge into a usable handover document.
Create a single document or spreadsheet with, at minimum, for each key system:
- System name
- Business owner (person, not “IT”)
- Where it runs and who the vendor is
- How users log in (local accounts, AD, SSO, MFA)
- How it is backed up
- Who to call when it breaks
If the departing IT person is still available, use a structured one-hour handover process to fill gaps:
- Ask for any network diagram, password manager export into a firm-owned vault, vendor list, and a quick “top 5 concerns” list.
- Ask which systems they considered most fragile or overdue for upgrade.
- Ask where security alerts currently go and which ones they watched most closely.
You will not get everything. You do not need everything. You need enough information that a new internal hire or managed IT provider does not have to start from the beginning.
5. Decide on an Interim Support Provider
Objective: Ensure someone competent is accountable for IT while you choose a long-term model.
Realistic options:
- Internal coordinator
  - Appoint a tech-savvy staff member as the single point of contact.
  - Their job is coordination: logging issues, talking to vendors, following checklists.
  - Do not expect them to design security or rebuild infrastructure.
- Short-term outside help
  - Bring in a local IT firm or independent consultant for 30 to 90 days.
  - Ask them specifically to:
    - Validate backups and MFA
    - Review health of critical servers and RDS
    - Help finish your basic documentation process
- Accelerated move to managed IT
  - If you are not eager to continue the one-person model, start a structured assessment with a managed IT provider for accounting firms.
  - Ask for a clear onboarding plan that covers:
    - Taking over monitoring and backups
    - Standardizing access and MFA
    - Comparing your current environment to IRS 4557 and Safeguards expectations
Once this is in place, you have bought time to weigh your long-term options. The next question is what model replaces the one that just failed. That is where the choice between another internal IT hire, a generic MSP, and reliable managed IT providers for accounting firms comes into play.
Side-by-side Comparison: Internal IT vs. Generic MSP vs. Managed IT
We have already covered the risks of relying on a single in-house IT professional or a small in-house team, and how their exit from the firm can impact your IT infrastructure. To illustrate the advantages of moving to a managed IT partner, here is a comparison between managing IT in-house, opting for a generic MSP, and handing these responsibilities to a managed IT partner:
| Option | Main strengths | Main limitations for CPA firms | Best fit when |
|---|---|---|---|
| Hire internal IT person | Culture fit, on-site help, deep firm-level context | Single point of failure, limited skills, weak off-hours cover | Very small firms with simple environments |
| Generic MSP | Larger team, predictable pricing | Limited tax app knowledge, generic compliance, weak alignment in the busy season | Firms that can handle compliance and tax season planning internally |
| Managed IT for accounting firms | Industry-fluent support, security and compliance built-in, no single point of failure | Requires structured onboarding and mindset shift about IT ownership | Firms that see IT as regulated infrastructure tied to revenue and risk |
The key question for partners is blunt:
Do you want to rebuild the same fragile model that failed when your IT person quit, or use this as the point where IT becomes a documented, managed function that survives staff changes?
How a Managed IT Partner Takes Over After Your IT Person Quits
A good managed IT provider should not just “add a help desk.” They should replace a person-dependent setup with a system: clear phases, ownership, and documentation.
You can think of handing IT to a managed partner in four steps.
| Phase | Main goal | What you should see in the firm |
|---|---|---|
| Assessment | See what the IT person left behind | No more black boxes or mystery servers |
| Stabilization | Lock down security and uptime | Fewer surprises, known response paths |
| Compliance | Align controls with IRS and FTC rules | WISP and evidence that match reality |
| Ongoing management | Deliver IT as a repeatable function | No single point of failure, predictable support |
1. Assessment: Discovering What You Actually Have
The provider starts by validating, not guessing.
Typical work in this phase:
- Scan and map servers, workstations, remote desktop hosts, cloud services, and network devices
- Review how staff connect: VPN, RDS, cloud desktops, direct SaaS access
- Check identity and access: Microsoft 365 or Google admin, MFA coverage, admin accounts in key apps
- Confirm where tax, accounting, and DMS data physically lives and how it is protected
Output should be a short, written baseline that covers:
- Systems and applications list
- Identity and access picture
- First-pass risk summary across security, uptime, and compliance
Partners should get a direct briefing, not a technical dump.
2. Stabilization: Securing and Stabilizing The Environment
Once the environment is visible, the provider focuses on gradual and structured stabilization of the IT infrastructure that matters most for an accounting firm.
Security stabilization usually includes:
- Centralizing endpoint protection with a managed console
- Enforcing MFA on email, remote access, and administrator accounts
- Cleaning up user lists and removing stale or orphaned accounts
- Setting a basic patching schedule for servers and endpoints with agreed maintenance windows
Uptime stabilization typically covers:
- Monitoring remote desktop hosts, tax servers, and key services for performance and availability
- Defining severity levels and response times for incidents like “nobody can log in to tax software”
- Fixing obvious bottlenecks such as under-sized RDS hosts or storage issues
Within a few weeks, you should see:
- Tickets logged and closed through a help desk instead of ad hoc emails
- Clear communication when issues occur and when they are resolved
- Fewer recurring problems with the same systems
3. Compliance Alignment: Rebuilding Your Data Security
After critical risks are under control, the provider helps re-attach your IT infrastructure to IRS Publication 4557 requirements, the FTC Safeguards Rule, and your WISP.
Expect concrete work like:
- Reviewing your existing WISP and updating it to reflect actual systems and controls
- Running a focused risk assessment that highlights gaps in access control, backup, monitoring, and vendor management
- Setting a cadence for backup tests, access reviews, and security reporting
- Organizing evidence so you can answer three questions quickly:
  - What controls do we have?
  - Are they working?
  - Where is the proof?
A competent provider will speak directly about how controls map to IRS and FTC expectations, not hide behind generic buzzwords. That is what you need for PTIN attestation, cyber insurance, and client due diligence.
4. Ongoing Management: No More Single Point of Failure
Once assessment, stabilization, and initial compliance work are done, the relationship should shift into a steady rhythm.
Day-to-day processes you should see:
- 24×7 monitoring of key systems and security events
- Help desk support that understands tax season pressure and common accounting workflows
- Planned hardware refreshes and software upgrades, not last-minute scrambles
- Regular reports to partners on uptime, tickets, security posture, and upcoming risks
Importantly, none of this depends on a single individual inside your firm. The provider brings a team with overlapping skills and documented procedures. If one engineer leaves, your passwords, vendor relationships, and institutional knowledge stay put.
From a partner’s point of view, IT becomes:
- Measurable: uptime, ticket metrics, security checks, and audit trails
- Explainable: a program you can describe to regulators, insurers, and clients
- Resilient: able to survive staff changes without putting busy season at risk
A managed IT provider like Verito goes further by combining:
- Secure cloud hosting for tax and accounting applications on hardened private servers
- VeritGuard managed IT services that cover endpoints, networks, backups, and help desk under one contract
- Industry-fluent support that treats tax season uptime and regulatory compliance as non-negotiable
Instead of betting the firm on one internal IT employee, you get a team, tested processes, and a platform that does not walk out the door.
When Your IT Person Quits, It Is Time To Fix The IT Model, Not Just Fill The Seat
When your only IT person quits, the real problem is not a vacancy. It is discovering how much of your security, uptime, and compliance was concentrated in one head.
By now you have a clear picture of what is at stake:
- Security risk jumps because admin access, MFA, monitoring, and backups may not be fully documented or supervised.
- Uptime becomes fragile because no one clearly owns remote access, hosted tax and accounting systems, or quick fixes during busy seasons.
- Compliance gets shaky because the person who tied your WISP, IRS Publication 4557 requirements, and FTC Safeguards obligations to real controls has left.
Your response has three layers.
In the present moment, treat this as a heightened risk window: Make sure the firm holds all admin keys, MFA is enforced on public-facing systems, backups are tested, and obvious stray accounts are removed. Capture the systems and vendors you rely on in a simple inventory.
This quarter, remove the single point of failure: Decide whether you want to rebuild the same one-person IT model, lean on a generic MSP and keep compliance work in-house, or shift to managed IT for accounting firms so IT becomes a shared, documented function.
Longer term, treat IT as regulated infrastructure, not background support: Plan lifecycle upgrades, keep your WISP and evidence current, and expect IT to survive staff changes without risking tax season or client trust.
If you want a reality check before you decide, start with an external cybersecurity and IT assessment focused on tax and accounting firms. Verito can review your environment against IRS Publication 4557 and FTC Safeguards expectations, verify backups and hosting setups, and give partners a direct answer on how exposed the firm really is. If you are ready to move away from the one-person model, you can also talk to Verito about combining secure cloud hosting for tax and accounting applications with VeritGuard managed IT, so security, uptime, and compliance rest on a dedicated platform and team, not a single employee who might leave.
FAQ:
1. What should we do on the day our IT person quits?
Treat it as a security and continuity event, not just a staffing issue. Same day, you should:
• Confirm and document all global admin accounts in Microsoft 365 or Google Workspace
• Add at least one partner as global admin with MFA
• Change passwords and MFA for any admin account controlled only by the IT person
• Verify backups for tax servers, file storage, and key apps are running and test at least one small restore
• Start a simple system and vendor inventory, even if it is incomplete
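The admin-account checks in this list can be run against a simple inventory. The sketch below is an added example, not part of the original article or any Verito tooling; the CSV columns, account names, and holder labels are assumptions, and the sample is a hand-built inventory rather than a real Microsoft 365 or Google Workspace export.

```python
import csv
import io

# Constructed sample: a hand-built admin inventory, not a real export format.
SAMPLE_INVENTORY = """account,role,holder,mfa_enabled
admin@firm.example,Global Administrator,former_it,yes
backup-svc@firm.example,Global Administrator,former_it,no
jane@firm.example,User,partner_jane,yes
sam@firm.example,Global Administrator,partner_sam,no
"""


def review_admins(csv_text, departed, partners):
    """Return (account, finding) pairs for the day-one admin checks."""
    findings = []
    partner_admin_with_mfa = False
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only global admin accounts are in scope for this review.
        if row["role"].strip().lower() != "global administrator":
            continue
        account = row["account"].strip()
        holder = row["holder"].strip()
        mfa = row["mfa_enabled"].strip().lower() == "yes"
        if holder == departed:
            findings.append(
                (account, "held by departed IT person: reset password and MFA"))
        if not mfa:
            findings.append((account, "global admin without MFA"))
        if holder in partners and mfa:
            partner_admin_with_mfa = True
    # The firm needs at least one partner-held global admin protected by MFA.
    if not partner_admin_with_mfa:
        findings.append(
            ("(firm)", "no partner holds a global admin account with MFA"))
    return findings


if __name__ == "__main__":
    partners = {"partner_jane", "partner_sam"}
    for account, finding in review_admins(SAMPLE_INVENTORY, "former_it", partners):
        print(f"{account}: {finding}")
```

Rerun it after each change; an empty result means every global admin has MFA, none is still held by the departed person, and at least one partner holds a protected admin account.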
If you only do these five actions, you have already reduced your immediate risk significantly.
2. Are we still compliant with IRS Publication 4557 and the FTC Safeguards Rule if our IT person leaves?
Not automatically non-compliant, but often weaker than you think. You have a problem if:
• You cannot locate your WISP without the former IT person
• You have no recent risk assessment or access review you can show
• You cannot produce basic evidence of backups, patching, and MFA coverage
Regulators and insurers care about controls and proof. When the person who implemented and documented those controls leaves, your ability to prove compliance drops until someone else or a managed IT provider takes formal ownership.
3. Can a managed IT provider take over if our IT person left with almost no documentation?
Yes, if they know accounting environments and you are willing to let them do structured discovery. A capable provider will:
• Use tools to map servers, workstations, and network devices
• Interview partners and key staff about workflows and pain points
• Identify where tax, accounting, and DMS data actually lives
• Prioritize closing obvious gaps such as missing MFA, stale accounts, and unverified backups
You still need to answer questions and sign off on changes, but you do not have to reverse engineer everything yourself.
4. We are a small firm. Is managed IT overkill compared to a part-time local IT person?
A small headcount does not mean low risk. Even a three to five person tax practice:
• Handles thousands of Social Security numbers and bank details
• Is expected to have a WISP under IRS guidance
• Often relies on one server or hosting environment for nearly all revenue-producing work
A part-time local IT person can help with break-fix work, but they rarely provide 24×7 monitoring, structured security and compliance alignment, or team coverage if they are unavailable. For many small firms, a focused managed IT plan plus secure hosting is more predictable and defensible than relying on one individual who has no obligation to be available when you need them most.
5. What should we ask a managed IT provider before signing, especially after an IT resignation?
At minimum, ask:
• How many CPA or accounting firms do you support today?
• Which tax and accounting applications do you work with regularly?
• How do you help clients comply with IRS Publication 4557, the FTC Safeguards Rule, and WISP expectations?
• What are your guaranteed response times during evenings and weekends in busy season?
• Where does our documentation live, and how do we get it if we ever leave?
If the answers are vague, generic, or not specific to accounting firms, you are likely buying basic IT support, not a managed IT function that can replace the single point of failure you just lost.
