{"id":5115,"date":"2026-01-14T07:58:17","date_gmt":"2026-01-14T12:58:17","guid":{"rendered":"https:\/\/verito.com\/blog\/?p=5115"},"modified":"2026-01-23T07:43:23","modified_gmt":"2026-01-23T12:43:23","slug":"irs-publication-4557-explained","status":"publish","type":"post","link":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/","title":{"rendered":"IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 2026"},"content":{"rendered":"\n<p>If you prepare U.S. tax returns in 2026, the IRS, the FTC, and your clients all assume one thing about your firm: <strong>you already have a real cybersecurity program in place to protect taxpayer data<\/strong>.<\/p>\n\n\n\n<p>IRS Publication 4557, Safeguarding Taxpayer Data, is the document the IRS points to when it wants to show what that program should look like for tax professionals, CPA firms, enrolled agents, and Electronic Return Originators.<\/p>\n\n\n\n<p>Publication 4557 is not just <em>\u201cguidance\u201d<\/em> you can skim and forget. It is the plain language wrapper around harder obligations like the <strong>FTC Safeguards Rule<\/strong> and <strong>Gramm Leach Bliley Act<\/strong>. If your firm suffers a data breach, phishing incident, or business email compromise, regulators and <strong>attorneys will ask whether you followed the safeguards described in <\/strong><a href=\"https:\/\/verito.com\/blog\/irs-publication-4557-compliance-guide\/\" target=\"_blank\" rel=\"dofollow\" ><strong>IRS Publication 4557<\/strong><\/a><strong> and whether you had a written information security plan (WISP) in place<\/strong>.<\/p>\n\n\n\n<p>For small and mid-sized firms, this is not a theoretical risk. Criminals specifically target tax and accounting practices because you hold exactly what they need for identity theft and refund fraud. 
<strong>A single compromised email account, remote desktop connection, or stolen laptop can expose hundreds of Social Security numbers and bank details<\/strong>. During tax season, attackers know you are busy, understaffed, and more likely to click or approve something you should not.<\/p>\n\n\n\n<p><strong>Publication 4557 tells you what the IRS expects you to do about those risks<\/strong>. It covers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>IRS \u201cSecurity Six\u201d technical safeguards<\/strong><\/li>\n\n\n\n<li>Administrative and physical protections<\/li>\n\n\n\n<li>Incident response<\/li>\n\n\n\n<li>Requirement to maintain a written security program that fits your firm\u2019s size and complexity.<\/li>\n<\/ul>\n\n\n\n<p>For most practices, that means a combination of stronger controls, better documentation, and more disciplined vendor selection.<\/p>\n\n\n\n<p>This guide explains IRS Publication 4557 in practical terms for 1 to 50-person tax and accounting firms. 
It shows who is in scope, how Publication 4557 connects to IRS Publication 5708 and the FTC Safeguards Rule, which safeguards the IRS actually expects you to implement, and how to turn all of this into a workable WISP and evidence file.<\/p>\n\n\n\n<p>It also highlights <strong>where secure cloud hosting and managed security from a specialist like Verito<\/strong> can cover large parts of the technical requirements without you building an internal IT department.<\/p>\n\n\n\n<div class=\"cnvs-block-toc cnvs-block-toc-1768481780122\" >\n\t<\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-irs-publication-4557\"><span id=\"what-is-irs-publication-4557\"><strong>What is IRS Publication 4557?<\/strong><\/span><\/h2>\n\n\n\n<p class=\"has-gray-200-background-color has-background\">IRS Publication 4557, officially titled <strong><em>\u201cSafeguarding Taxpayer Data: A Guide for Your Business,\u201d<\/em><\/strong> is the IRS playbook for how tax professionals should protect client tax data. It was developed with the IRS Security Summit partners to help firms create and maintain a data security plan that preserves the confidentiality, integrity, and availability of taxpayer information.<\/p>\n\n\n\n<p>In practical terms, Publication 4557 <strong>explains the safeguards the IRS expects you to have in place if you handle taxpayer information<\/strong>. 
It walks through three layers of safeguards:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Administrative safeguards such as policies and training<\/li>\n\n\n\n<li>Technical safeguards such as antivirus, firewalls, <a href=\"https:\/\/verito.com\/blog\/importance-of-cloud-encryption\/\" target=\"_blank\" rel=\"dofollow\" ><strong>encryption<\/strong><\/a>, and multi-factor authentication<\/li>\n\n\n\n<li>Physical safeguards such as office security and secure disposal of paper and devices<\/li>\n<\/ul>\n\n\n\n<p>The document is written for tax practices, not IT departments, so it links these controls directly to <strong>everyday activities like preparing returns, storing client documents, using tax software, and exchanging information with clients and the IRS<\/strong>.<\/p>\n\n\n\n<p>The IRS also ties Publication 4557 to other resources, <strong>such as its small business security guidance and Written Information Security Plan (WISP) materials<\/strong>, to help firms turn high-level security expectations into a concrete, written program.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-who-must-follow-irs-publication-4557\"><span id=\"who-must-follow-irs-publication-4557\"><strong>Who Must Follow IRS Publication 4557?<\/strong><\/span><\/h3>\n\n\n\n<p>Publication 4557 applies to any business that handles taxpayer data in connection with preparing or filing tax returns. 
That includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CPA firms and accounting firms that prepare individual or business tax returns<\/li>\n\n\n\n<li>Solo practitioners and small tax practices, even if they operate entirely virtually<\/li>\n\n\n\n<li>Enrolled agents<\/li>\n\n\n\n<li>Return preparers and bookkeeping firms that collect tax information for return preparation<\/li>\n\n\n\n<li>Electronic Return Originators (EROs) and other Authorized IRS e-file Providers<\/li>\n\n\n\n<li>Seasonal or part-time preparers who still store or transmit taxpayer information<\/li>\n<\/ul>\n\n\n\n<p>If you have an EFIN (Electronic Filing Identification Number), use professional tax software, or store Forms W-2, 1099s, organizers, and prior-year returns, the IRS expects you to follow the safeguards described in Publication 4557.<\/p>\n\n\n\n<p>The IRS and Security Summit partners have repeatedly warned that identity thieves specifically target tax professionals of all sizes, not only national brands.<\/p>\n\n\n\n<p><strong>It is important to stress that solo practitioners and very small firms are not exempt<\/strong>. From a regulator\u2019s perspective, a one-person virtual firm holding a few hundred client returns still represents thousands of pieces of sensitive data such as Social Security numbers and bank details. 
An <a href=\"https:\/\/www.irs.gov\/newsroom\/security-summit-irs-reminds-tax-pros-to-guard-against-identity-theft-as-summer-series-wraps-up\" target=\"_blank\" rel=\"nofollow\" ><strong>IRS news release<\/strong><\/a> stated that <strong>nearly 300 data breaches affecting tax professionals exposed data on up to 250,000 clients<\/strong> in the first half of 2025, which confirms that even small practices are meaningful targets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-why-irs-publication-4557-is-non-negotiable-in-2026\"><span id=\"why-irs-publication-4557-is-non-negotiable-in-2026\"><strong>Why IRS Publication 4557 is Non-negotiable in 2026<\/strong><\/span><\/h3>\n\n\n\n<p>Technically, Publication 4557 is guidance. In reality, it reflects what regulators view as <em>\u201c<\/em><strong><em>reasonable\u201d<\/em><\/strong><strong> safeguards under enforceable laws and rules<\/strong>, including the FTC Safeguards Rule and Gramm Leach Bliley Act for financial institutions such as tax preparers.<\/p>\n\n\n\n<p>That distinction matters. When an incident occurs, enforcement agencies and plaintiff attorneys look at whether you had:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Written Information Security Plan appropriate for your firm size and complexity<\/li>\n\n\n\n<li>A documented <a href=\"http:\/\/verito.com\/security-assessment\" target=\"_blank\" rel=\"dofollow noreferrer noopener\">risk assessment<\/a> and security program<\/li>\n\n\n\n<li>Safeguards such as access controls, encryption, and secure backups that align with what the IRS has been recommending for years<\/li>\n\n\n\n<li>Evidence that you trained staff and monitored your environment<\/li>\n<\/ul>\n\n\n\n<p>If you cannot show that your safeguards look like the ones in Publication 4557, it becomes difficult to argue that your firm took taxpayer data protection seriously.<\/p>\n\n\n\n<p>At the same time, the broader threat environment has intensified. 
Recent analyses show that a majority of small and mid-sized businesses now experience cyberattacks, and <strong>a successful breach can cost from the low six figures up to well over a million dollars once remediation, downtime, and recovery are included<\/strong>.<\/p>\n\n\n\n<p>Put simply, Publication 4557 is non-negotiable in 2026 because it sits at the intersection of three realities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The IRS has publicly defined <strong>what it expects tax professionals to do to safeguard taxpayer data<\/strong>.<\/li>\n\n\n\n<li>Other regulators, including the FTC, <strong>can use those expectations when deciding whether your safeguards were adequate<\/strong>.<\/li>\n\n\n\n<li><strong>Attackers are actively targeting tax professionals<\/strong> with phishing, credential theft, and ransomware campaigns that are highly profitable at your scale.<\/li>\n<\/ul>\n\n\n\n<p>A firm that treats Publication 4557 as optional guidance is effectively choosing higher legal, financial, and reputational risk than competitors who treat it as their baseline security standard.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-core-irs-publication-4557-requirements-the-security-six-and-other-safeguards\"><span id=\"core-irs-publication-4557-requirements-the-security-six-and-other-safeguards\"><strong>Core IRS Publication 4557 Requirements: The Security Six And Other Safeguards<\/strong><\/span><\/h2>\n\n\n\n<p><strong>Publication 4557 groups its expectations into a mix of technical, administrative, and physical safeguards<\/strong>. For small and mid-sized firms, the most visible piece is the IRS <em>\u201cSecurity Six,\u201d<\/em> but stopping there is not enough. 
You need all three layers working together.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-the-irs-security-six-explained-for-1-to-50-person-firms\"><span id=\"1-the-irs-security-six-explained-for-1-to-50-person-firms\"><strong>1. The IRS Security Six Explained (For 1 to 50-person Firms)<\/strong><\/span><\/h3>\n\n\n\n<p>The Security Six are the <strong>minimum technical safeguards<\/strong> the IRS expects every tax professional to have in place:<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-1-antivirus-and-anti-malware-protection\"><span id=\"1-antivirus-and-anti-malware-protection\">1. <strong>Antivirus and Anti-malware Protection<\/strong><\/span><\/h4>\n\n\n\n<p>Every workstation and server that touches taxpayer data needs <strong>up-to-date <\/strong><a href=\"https:\/\/verito.com\/blog\/online-cybersecurity-essentials-multi-location-accounting-firms\/\" target=\"_blank\" rel=\"dofollow\" ><strong>endpoint protection<\/strong><\/a>. That includes office desktops, firm laptops, and remote machines used to access your tax applications. Relying on built-in tools without central management and alerting is a weak position. You should be able to show:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized console or reporting<\/li>\n\n\n\n<li>Automatic updates and scans<\/li>\n\n\n\n<li>Alerts for detections and remediation actions<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-2-firewalls\"><span id=\"2-firewalls\">2. <strong>Firewalls<\/strong><\/span><\/h4>\n\n\n\n<p>Publication 4557 <strong>expects properly configured firewalls on all internet connections <\/strong>used for tax work, not just at the main office. 
That means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A business-grade firewall<\/strong> or secure router at the office<\/li>\n\n\n\n<li><strong>Appropriate protection on home networks<\/strong> where staff work remotely<\/li>\n\n\n\n<li><strong>Blocking unnecessary inbound connections<\/strong> and logging activity<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-3-two-factor-or-multi-factor-authentication-mfa\"><span id=\"3-two-factor-or-multi-factor-authentication-mfa\">3. <strong>Two-factor or Multi-factor Authentication (MFA)<\/strong><\/span><\/h4>\n\n\n\n<p>MFA is now a baseline expectation for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Email accounts used for client communication<\/strong> and tax software logins<\/li>\n\n\n\n<li><strong>Remote access methods<\/strong> such as Remote Desktop, VPNs, and hosted desktops<\/li>\n\n\n\n<li><strong>Cloud services<\/strong> storing or transmitting taxpayer data<\/li>\n<\/ul>\n\n\n\n<p>Using only passwords for these systems is increasingly difficult to defend if something goes wrong.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-4-drive-encryptio-n\"><span id=\"4-drive-encryption\">4. <strong>Drive Encryption<\/strong><\/span><\/h4>\n\n\n\n<p>Laptops, portable drives, and any workstation that could be stolen or lost <strong>should have full disk encryption enabled<\/strong>. This is particularly important if staff work from home or travel with devices that hold or can access tax data. <strong>Proper encryption can be the difference between a reportable breach and a lost device that does not trigger notification duties<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-5-secure-backup-and-recovery\"><span id=\"5-secure-backup-and-recovery\">5. 
<strong>Secure Backup and Recovery<\/strong><\/span><\/h4>\n\n\n\n<p>The IRS explicitly highlights the importance of secure, tested backups to defend against <a href=\"https:\/\/verito.com\/blog\/ransomware-guide\/\" target=\"_blank\" rel=\"dofollow\" ><strong>ransomware<\/strong><\/a> and other destructive incidents. At minimum, a firm should be able to answer:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What is backed up, how often, and where it is stored<\/li>\n\n\n\n<li>How long backups are retained<\/li>\n\n\n\n<li>When the last successful restore test was done and documented<\/li>\n<\/ul>\n\n\n\n<p><strong>Offsite or cloud backups should be encrypted and segregated<\/strong> so that an attacker who compromises a workstation cannot simply delete your backups.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-6-secure-remote-access\"><span id=\"6-secure-remote-access\">6. <strong>Secure Remote Access<\/strong><\/span><\/h4>\n\n\n\n<p>Remote work is now standard for many firms. Publication 4557 expects remote access to <a href=\"http:\/\/verito.com\/tax-software-hosting\" target=\"_blank\" rel=\"dofollow noreferrer noopener\">tax applications<\/a> and data to use secure methods such as VPNs, hosted desktops, or other controlled channels. <strong>Directly exposing Remote Desktop Protocol (RDP) to the internet or using weakly secured remote tools is difficult to defend<\/strong>. 
You should be using:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPNs or secure application gateways<\/li>\n\n\n\n<li>MFA on remote access tools<\/li>\n\n\n\n<li>Role-based access and logging<\/li>\n<\/ul>\n\n\n\n<p>For a 1\u201350 person firm, <strong>the easiest way to meet most of the Security Six is usually a mix of secure cloud hosting and <a href=\"http:\/\/verito.com\/managed-it-support\" target=\"_blank\" rel=\"dofollow noreferrer noopener\">managed security<\/a><\/strong>, instead of trying to assemble and monitor everything on your own hardware. We will return to that when we discuss the implementation roadmap.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-administrative-safeguards-under-irs-publication-4557\"><span id=\"2-administrative-safeguards-under-irs-publication-4557\"><strong>2. Administrative Safeguards Under IRS Publication 4557<\/strong><\/span><\/h3>\n\n\n\n<p>The technical controls above are only part of the picture. Publication 4557 expects firms to implement administrative safeguards that make security part of day-to-day operations, not just an IT problem:<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-documented-policies-and-procedures\"><span id=\"documented-policies-and-procedures\">\u2022 <strong>Documented Policies and Procedures<\/strong><\/span><\/h4>\n\n\n\n<p>Written rules for password practices, acceptable use, remote work, data handling, incident reporting, and vendor management should live inside your Written Information Security Plan, not scattered in emails.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-defined-roles-and-responsibilities\"><span id=\"defined-roles-and-responsibilities\">\u2022 <strong>Defined Roles and Responsibilities<\/strong><\/span><\/h4>\n\n\n\n<p>Even in a three-person practice, someone must be accountable for security decisions, vendor oversight, and WISP maintenance. 
In larger firms, this responsibility may be shared between a managing partner, operations manager, and external IT provider.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-employee-security-awareness-and-training\"><span id=\"employee-security-awareness-and-training\">\u2022 <strong>Employee Security Awareness and Training<\/strong><\/span><\/h4>\n\n\n\n<p>Staff must be trained regularly on phishing, social engineering, safe use of email and file sharing, and how to report suspicious activity. Training should be logged, with dates and attendance records, because Publication 4557 and the <a href=\"https:\/\/verito.com\/blog\/how-to-comply-with-ftc-safeguards-rule\/\" target=\"_blank\" rel=\"dofollow\" ><strong>FTC Safeguards Rule<\/strong><\/a> both emphasize ongoing education.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-access-management\"><span id=\"access-management\">\u2022 <strong>Access Management<\/strong><\/span><\/h4>\n\n\n\n<p>Only personnel who need taxpayer data to perform their duties should have access to it. This includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unique user accounts<\/li>\n\n\n\n<li>Prompt removal of access when staff leave<\/li>\n\n\n\n<li>Segregation between tax, bookkeeping, admin, and temporary staff where appropriate<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-vendor-management\"><span id=\"vendor-management\">\u2022 <strong>Vendor Management<\/strong><\/span><\/h4>\n\n\n\n<p>Tax software providers, cloud hosting vendors, payroll services, and other third parties may all touch taxpayer data. 
<strong>Publication 4557 expects you to exercise due diligence:<\/strong> understand how they protect data, what certifications they hold, and what happens if they suffer a breach.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-incident-response-process\"><span id=\"incident-response-process\">\u2022 <strong>Incident Response Process<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Firms are expected to know what to do if they suspect data theft or a ransomware attack<\/strong>, including when and how to notify the IRS, state tax agencies, and affected taxpayers. This process should be written down and rehearsed, not invented during a crisis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-technical-safeguards-beyond-the-security-six\"><span id=\"3-technical-safeguards-beyond-the-security-six\"><strong>3. Technical Safeguards Beyond The Security Six<\/strong><\/span><\/h3>\n\n\n\n<p>In addition to the <a href=\"https:\/\/verito.com\/blog\/top-wisp-templates-and-security-plans-for-accounting-firms\/\" target=\"_blank\" rel=\"dofollow\" ><strong>Security Six<\/strong><\/a>, IRS guidance and related regulations point to a broader set of technical safeguards that a serious program should include:<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-patch-and-update-management\"><span id=\"patch-and-update-management\">\u2022 <strong>Patch and Update Management<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Operating systems, tax applications, browsers, and plugins should be kept up to date<\/strong>. 
Many successful attacks still exploit vulnerabilities that have had patches available for months.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-email-security-controls\"><span id=\"email-security-controls\">\u2022 <strong>Email Security Controls<\/strong><\/span><\/h4>\n\n\n\n<p>Combining MFA with spam filtering, attachment scanning, and link protection <strong>significantly reduces the risk of credential theft and malware arriving through email<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-configuration-and-hardening\"><span id=\"configuration-and-hardening\">\u2022 <strong>Configuration and Hardening<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Default configurations are often insecure<\/strong>. Systems that handle taxpayer data should be hardened by disabling unused services, closing unnecessary ports, and aligning settings with security best practices.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-network-segmentation-and-least-privilege\"><span id=\"network-segmentation-and-least-privilege\">\u2022 <strong>Network Segmentation and Least Privilege<\/strong><\/span><\/h4>\n\n\n\n<p>Where possible, <strong>internal networks should separate sensitive systems from general office devices<\/strong>. Staff should have only the access they need, not full administrator rights on everything by default.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-monitoring-and-loggin-g\"><span id=\"monitoring-and-logging\">\u2022 <strong>Monitoring and Logging<\/strong><\/span><\/h4>\n\n\n\n<p>You should be able to see when logins occur from unusual locations, when repeated failed login attempts happen, or when systems are disabled. 
For most small firms, this means either a managed detection and response service or security tooling provided by a hosting partner.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-data-loss-prevention-basics\"><span id=\"data-loss-prevention-basics\">\u2022 <strong>Data Loss Prevention Basics<\/strong><\/span><\/h4>\n\n\n\n<p>Even if you do not deploy a full data loss prevention platform, you should restrict the use of USB drives, public file sharing tools, and personal email for transmitting tax documents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-physical-safeguards-for-offices-and-home-offices\"><span id=\"4-physical-safeguards-for-offices-and-home-offices\"><strong>4. Physical Safeguards For Offices And Home Offices<\/strong><\/span><\/h3>\n\n\n\n<p>Publication 4557 also expects firms to address the physical side of safeguarding taxpayer data:<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-office-access-contro-l\"><span id=\"office-access-control\">\u2022 <strong>Office Access Control<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Limit access to areas where taxpayer data is processed or stored<\/strong>. Lock doors and file rooms when left unsupervised. Do not leave client files in conference rooms or public areas.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-secure-storage-for-paper-records\"><span id=\"secure-storage-for-paper-records\">\u2022 <strong>Secure Storage for Paper Records<\/strong><\/span><\/h4>\n\n\n\n<p>Filing cabinets containing tax returns, source documents, and prior year archives should be lockable. 
Access should be restricted and logged, at least informally.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-clean-desk-practices\"><span id=\"clean-desk-practices\">\u2022 <strong>Clean Desk Practices<\/strong><\/span><\/h4>\n\n\n\n<p>Staff should not leave printed returns, organizers, or notes with taxpayer information on desks overnight or in shared spaces.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-secure-disposal\"><span id=\"secure-disposal\">\u2022 <strong>Secure Disposal<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Paper records should be shredded or destroyed using secure methods<\/strong>, not placed in regular trash. Old hard drives, USB sticks, and other media must be wiped or physically destroyed before disposal or reuse.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-home-office-expectations\"><span id=\"home-office-expectations\">\u2022 <strong>Home Office Expectations<\/strong><\/span><\/h4>\n\n\n\n<p>If staff work from home, you still own the risk. Devices used for firm work should not be shared with family members. Paper printouts at home must be stored and disposed of securely. 
<strong>Home Wi-Fi should be secured with strong encryption and passwords<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-quick-irs-publication-4557-safeguards-checklist\"><span id=\"quick-irs-publication-4557-safeguards-checklist\"><strong>Quick IRS Publication 4557 Safeguards Checklist<\/strong><\/span><\/h3>\n\n\n\n<p>This checklist is not a substitute for a full Written Information Security Plan, but it is a quick way to see whether you are broadly aligned with Publication 4557 expectations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Antivirus and <a href=\"https:\/\/verito.com\/blog\/ai-malware-accountants-kryptonite\/\" target=\"_blank\" rel=\"dofollow\" ><strong>anti-malware<\/strong><\/a> running and centrally managed on all firm devices<\/li>\n\n\n\n<li>Business-grade firewalls in place for office and remote locations used for firm work<\/li>\n\n\n\n<li>MFA enabled on email, tax applications, remote access, and cloud systems<\/li>\n\n\n\n<li>Full disk encryption on laptops and other mobile devices that handle taxpayer data<\/li>\n\n\n\n<li>Encrypted, offsite, or cloud backups tested and documented at regular intervals<\/li>\n\n\n\n<li>Secure, MFA protected remote access methods only &#8211; no open RDP (Remote Desktop Protocol) to the internet<\/li>\n\n\n\n<li>Written policies covering passwords, remote work, incident response, and vendor management<\/li>\n\n\n\n<li>Defined security roles, even if combined with other responsibilities<\/li>\n\n\n\n<li>Regular, logged security awareness training for all staff and contractors<\/li>\n\n\n\n<li>Vendor due diligence performed and documented for key providers<\/li>\n\n\n\n<li>Physical controls in place for both office and home office environments<\/li>\n<\/ul>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-written-information-security-plan-wisp-and-irs-publication-5708\"><span 
id=\"written-information-security-plan-wisp-and-irs-publication-5708\"><strong>Written Information Security Plan (WISP) and IRS Publication 5708<\/strong><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-what-a-written-information-security-plan-wisp-really-is\"><span id=\"what-a-written-information-security-plan-wisp-really-is\"><strong>What a Written Information Security Plan (WISP) Really Is<\/strong><\/span><\/h3>\n\n\n\n<p>A <strong>Written Information Security Plan<\/strong> is simply <strong>your firm\u2019s playbook for how you protect taxpayer data<\/strong>. <strong>It describes, in one place, what information you hold, where it lives, who can access it, what safeguards you use, and how you respond if something goes wrong<\/strong>. It is not just a policy binder for a shelf. It is the central document regulators, insurers, and auditors expect to see when they ask how you safeguard client information.<\/p>\n\n\n\n<p>Publication 4557 points repeatedly to the need for a written security program that is appropriate for your firm\u2019s size and complexity. The IRS then goes further and publishes <strong>Publication 5708, a dedicated WISP guide for tax and accounting practices<\/strong>. Publication 5708 is a 28-page template designed for firms, especially small ones, to build a WISP that fits their practice, rather than copying a generic enterprise document.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-publication-4557-publication-5708-and-the-ftc-safeguards-rule-fit-together\"><span id=\"how-publication-4557-publication-5708-and-the-ftc-safeguards-rule-fit-together\"><strong>How Publication 4557, Publication 5708 And The FTC Safeguards Rule Fit Together<\/strong><\/span><\/h3>\n\n\n\n<p>It helps to think of these documents and rules as layers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IRS Publication 4557<\/strong> describes the safeguards the IRS expects tax professionals to use to protect taxpayer data. 
It covers the Security Six, administrative and physical controls, and incident response.<\/li>\n\n\n\n<li><strong>IRS Publication 5708<\/strong> gives you a structured way to write those safeguards down in a WISP that fits a tax or accounting practice. It is essentially a fillable framework for building your own plan.<\/li>\n\n\n\n<li><strong>The FTC Safeguards Rule (16 CFR Part 314)<\/strong> is the binding regulation that requires covered financial institutions, including many tax preparers, to maintain a comprehensive written information security program. It requires you to:\n<ul class=\"wp-block-list\">\n<li>Designate a qualified individual to oversee the program<\/li>\n\n\n\n<li>Perform written risk assessments<\/li>\n\n\n\n<li>Limit and monitor who can access customer information<\/li>\n\n\n\n<li>Encrypt sensitive data<\/li>\n\n\n\n<li>Train staff and oversee service providers<\/li>\n\n\n\n<li>Maintain an incident response plan and keep management informed of material issues<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>In other words, Publication 4557 tells you what the safeguards should look like, Publication 5708 helps you write them into a WISP, and the FTC Safeguards Rule is the legal requirement that makes having a written information security program non-optional for covered firms.<\/p>\n\n\n\n<p>If your WISP does not exist, is outdated, or is a generic template that does not match how your firm actually works, it will be very hard to argue that you complied with these expectations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-core-sections-every-tax-and-accounting-wisp-should-include\"><span id=\"core-sections-every-tax-and-accounting-wisp-should-include\"><strong>Core Sections Every Tax and Accounting WISP Should Include<\/strong><\/span><\/h3>\n\n\n\n<p><a href=\"https:\/\/verito.com\/blog\/irs-publication-4557-vs-5708\/\" target=\"_blank\" rel=\"dofollow\" ><strong>Publication 5708<\/strong><\/a> and FTC guidance do not force a single format, but 
most strong WISPs for 1 to 50-person tax and accounting firms contain at least these sections:<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-1-purpose-and-scope\"><span id=\"1-purpose-and-scope\">1. <strong>Purpose and Scope<\/strong><\/span><\/h4>\n\n\n\n<p><strong>What the plan covers<\/strong>, which entities and locations are in scope, and which systems and data classes (for example, individual returns, business returns, payroll, portals).<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-2-roles-and-governance\"><span id=\"2-roles-and-governance\">2. <strong>Roles and Governance<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Identification of the qualified individual responsible for the information security program<\/strong>, along with partners or managers who support decisions and review reports.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-3-data-inventory-and-classification\"><span id=\"3-data-inventory-and-classification\">3. <strong>Data Inventory and Classification<\/strong><\/span><\/h4>\n\n\n\n<p><strong>A high-level description of what taxpayer and firm data you hold<\/strong>, where it is stored (on premises, hosted, cloud applications), and how sensitive different categories are.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-4-risk-assessment\"><span id=\"4-risk-assessment\">4. <strong>Risk Assessment<\/strong><\/span><\/h4>\n\n\n\n<p><strong>A written summary of likely threats to your firm<\/strong> (phishing, credential theft, ransomware, lost devices, vendor breaches), the likelihood and impact of each, and the safeguards you use to mitigate them.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-5-safeguard-catalog\"><span id=\"5-safeguard-catalog\">5. 
<strong>Safeguard Catalog<\/strong><\/span><\/h4>\n\n\n\n<p><strong>A structured list of your administrative, technical, and physical controls<\/strong>. This is where the Security Six, password rules, access management, training, vendor due diligence, <a href=\"https:\/\/verito.com\/blog\/backup-maturity-score-accounting-firms-quiz\/\" target=\"_blank\" rel=\"dofollow\" ><strong>backup strategy<\/strong><\/a>, and monitoring are described, along with who owns each control.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-6-access-control-and-user-management\"><span id=\"6-access-control-and-user-management\">6. <strong>Access Control and User Management<\/strong><\/span><\/h4>\n\n\n\n<p><strong>How accounts are created, changed, and disabled<\/strong>, how least privilege is enforced, and how remote access is controlled.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-7-vendor-and-service-provider-management\"><span id=\"7-vendor-and-service-provider-management\">7. <strong>Vendor and Service Provider Management<\/strong><\/span><\/h4>\n\n\n\n<p><strong>How you select, review, and monitor tax software vendors<\/strong>, cloud hosting providers, and other third parties that receive taxpayer data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-8-incident-response-and-business-continuity\"><span id=\"8-incident-response-and-business-continuity\">8. 
<strong>Incident Response and Business Continuity<\/strong><\/span><\/h4>\n\n\n\n<p><strong>What happens if you suspect a breach or ransomware incident<\/strong>, who is notified, how you decide whether to contact the IRS and state agencies, and how you keep operating while systems are investigated or restored.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-9-backup-and-disaster-recovery\"><span id=\"9-backup-and-disaster-recovery\">9. <strong>Backup and Disaster Recovery<\/strong><\/span><\/h4>\n\n\n\n<p><strong>Where backups live, how often they run, how long you retain them<\/strong>, and how often you test restores.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-medium-font-size\" id=\"h-10-training-testing-and-review-cadence\"><span id=\"10-training-testing-and-review-cadence\">10. <strong>Training, Testing, and Review Cadence<\/strong><\/span><\/h4>\n\n\n\n<p><strong>How often you train staff, test controls, and review and update the WISP itself<\/strong>. 
Many firms choose an annual formal review plus ad-hoc updates after major changes or incidents.<\/p>\n\n\n\n<p><strong>A central idea in both Publication 5708 and FTC guidance is simple:<\/strong> If a control is not written down, assigned to an owner, and reviewed, it will not be treated as <a href=\"https:\/\/verito.com\/blog\/true-cost-of-irs-wisp-compliance\/\" target=\"_blank\" rel=\"dofollow\" ><strong>real compliance<\/strong><\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-common-gaps-that-hurt-firms-during-reviews-or-incidents\"><span id=\"common-gaps-that-hurt-firms-during-reviews-or-incidents\"><strong>Common Gaps That Hurt Firms During Reviews or Incidents<\/strong><\/span><\/h3>\n\n\n\n<p>When examiners, insurers, or outside consultants look at small-firm WISPs, the same gaps appear again and again:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The WISP exists, but is a <strong>stock template with another firm\u2019s name<\/strong> still visible in places.<\/li>\n\n\n\n<li><strong>The document has not been updated in years<\/strong>, even though the firm migrated to new software, added remote staff, or moved to hosted servers.<\/li>\n\n\n\n<li><strong>There is little or no description of incident response<\/strong>, even though the FTC Safeguards Rule explicitly calls for it. A <a href=\"https:\/\/www.shredit.com\/en-us\/blog\/what-puts-a-law-firm-at-risk-for-a-data-breach\" target=\"_blank\" rel=\"nofollow\" ><strong>recent survey by Shred-it<\/strong><\/a>, an information security firm, states that <strong>roughly two thirds of small U.S. 
businesses reported that they do not have any incident response plan<\/strong>, which is exactly the kind of weakness regulators expect financial firms to avoid.<\/li>\n\n\n\n<li><strong>Vendor oversight is described at a high level, but there is no evidence of actual reviews<\/strong>, contracts, or security questionnaires.<\/li>\n\n\n\n<li>Controls such as MFA, encryption, and backups are mentioned, <strong>but there are no references to supporting reports or screenshots<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>A WISP that has these gaps will leave you exposed, even if some technical safeguards are in place behind the scenes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-where-verito-s-wisp-resources-fit-in\"><span id=\"where-veritos-wisp-resources-fit-in\"><strong>Where Verito\u2019s WISP Resources Fit In<\/strong><\/span><\/h3>\n\n\n\n<p>At this point many firms realize they need a better WISP, but do not have time to draft one from scratch or to map it carefully to IRS 4557 and the FTC Safeguards Rule. That is why Verito provides two practical options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <a href=\"https:\/\/verito.com\/written-information-security-plan\" target=\"_blank\" rel=\"dofollow\" ><strong>free WISP template<\/strong><\/a> you can adapt to your own practice, aligned with IRS Publication 5708 and small firm realities.<\/li>\n\n\n\n<li><strong>VeritShield WISP<\/strong>, a customized or audit-ready WISP offering that is built specifically for tax and accounting firms and designed to align with IRS Publication 4557, Publication 5708, and the FTC Safeguards Rule. 
If you want a pre-structured WISP or help building one that will stand up to regulatory and insurance scrutiny, Verito\u2019s <a href=\"https:\/\/verito.com\/buy-wisp-d\" target=\"_blank\" rel=\"dofollow\" ><strong>VeritShield WISP<\/strong><\/a> will help you streamline your WISP preparation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-practical-irs-publication-4557-compliance-roadmap-for-small-firms\"><span id=\"a-practical-irs-publication-4557-compliance-roadmap-for-small-firms\"><strong>A Practical IRS Publication 4557 Compliance Roadmap for Small Firms<\/strong><\/span><\/h2>\n\n\n\n<p>IRS Publication 4557 can feel abstract until you translate it into specific tasks. The goal of this roadmap is simple: if you follow these steps, you can show that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You understand your risks<\/li>\n\n\n\n<li>You have chosen reasonable safeguards<\/li>\n\n\n\n<li>You have a Written Information Security Plan that reflects how your firm actually works.<\/li>\n<\/ul>\n\n\n\n<p>Think in terms of quarters, not days. You do not have to fix everything this week, but you do need a plan that you can defend.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-confirm-your-scope-and-data-flows\"><span id=\"1-confirm-your-scope-and-data-flows\"><strong>1. Confirm Your Scope and Data Flows<\/strong><\/span><\/h3>\n\n\n\n<p><strong>Start by defining what is in scope<\/strong>. 
You cannot protect, or document, what you have not mapped.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>List every system that stores or processes taxpayer data<\/strong>\n<ul class=\"wp-block-list\">\n<li>Tax preparation software<\/li>\n\n\n\n<li>Practice management and document management tools<\/li>\n\n\n\n<li>Portals and e-signature platforms<\/li>\n\n\n\n<li>Email accounts used with clients<\/li>\n\n\n\n<li>File servers, hosted desktops, and cloud drives<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Identify where people work<\/strong>\n<ul class=\"wp-block-list\">\n<li>Office locations<\/li>\n\n\n\n<li>Home offices<\/li>\n\n\n\n<li>Offshore or remote staff<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Identify all third parties that touch taxpayer data<\/strong>\n<ul class=\"wp-block-list\">\n<li>Tax and accounting software vendors<\/li>\n\n\n\n<li>Cloud hosting providers<\/li>\n\n\n\n<li>Outsourced bookkeeping or seasonal prep support<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Document this in a simple data flow description inside your WISP. <strong>Examiners care less about polished diagrams and more about whether you clearly understand where taxpayer information actually lives<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-run-a-practical-risk-assessment\"><span id=\"2-run-a-practical-risk-assessment\"><strong>2. 
Run a Practical Risk Assessment<\/strong><\/span><\/h3>\n\n\n\n<p>Next, identify the realistic ways in which taxpayer data could be exposed or made unavailable.<\/p>\n\n\n\n<p>For most small tax and accounting firms, the top risks are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/verito.com\/blog\/what-should-you-do-if-you-click-on-a-phishing-link\/\" target=\"_blank\" rel=\"dofollow\" ><strong>Phishing<\/strong><\/a> that leads to compromised email accounts<\/li>\n\n\n\n<li>Ransomware that encrypts servers or hosted desktops<\/li>\n\n\n\n<li>Lost or stolen laptops and phones<\/li>\n\n\n\n<li>Misconfigured remote access or cloud storage<\/li>\n\n\n\n<li>A vendor breach that spills your client files<\/li>\n<\/ul>\n\n\n\n<p>For each risk, write down:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How likely it is for your firm, given your size and technology stack<\/li>\n\n\n\n<li>What the impact would be in terms of downtime, notifications, and client harm<\/li>\n\n\n\n<li>Which safeguards from Publication 4557 you already have in place<\/li>\n\n\n\n<li>Which gaps clearly need attention in the next 3 to 12 months<\/li>\n<\/ul>\n\n\n\n<p>This does not need to be a multi-week consulting project. A focused half-day with the managing partner, operations lead, and your <a href=\"http:\/\/verito.com\/it-support-for-accounting-firms\" target=\"_blank\" rel=\"dofollow noreferrer noopener\">IT or hosting provider<\/a> can produce a useful risk assessment that satisfies both Publication 5708 and FTC expectations, as long as you write it up and keep it updated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-establish-your-security-six-baseline\"><span id=\"3-establish-your-security-six-baseline\"><strong>3. 
Establish Your Security Six Baseline<\/strong><\/span><\/h3>\n\n\n\n<p>With your systems and risks identified, compare your current controls to the IRS Security Six and related technical safeguards:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do all firm devices that touch taxpayer data have centrally managed endpoint protection?<\/li>\n\n\n\n<li>Are firewalls business-grade and properly configured at all firm locations and remote setups?<\/li>\n\n\n\n<li>Is multi-factor authentication enforced on email, tax applications, remote access, and cloud services?<\/li>\n\n\n\n<li>Are all laptops and portable devices encrypted?<\/li>\n\n\n\n<li>Are offsite backups encrypted and regularly tested?<\/li>\n\n\n\n<li>Is remote access secured and logged, without exposed RDP or weak remote tools?<\/li>\n<\/ul>\n\n\n\n<p>Create a simple table inside your WISP:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Column 1: Security Six control<\/li>\n\n\n\n<li>Column 2: Current state at your firm<\/li>\n\n\n\n<li>Column 3: Gaps or exceptions<\/li>\n\n\n\n<li>Column 4: Planned remediation with an owner and timeline<\/li>\n<\/ul>\n\n\n\n<p>That table becomes a core part of your written information security program and shows anyone reviewing your WISP that you have treated the Security Six as non-negotiable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-draft-or-update-your-wisp-using-publication-5708-and-a-template\"><span id=\"4-draft-or-update-your-wisp-using-publication-5708-and-a-template\"><strong>4. Draft or Update Your WISP Using Publication 5708 and a Template<\/strong><\/span><\/h3>\n\n\n\n<p>At this stage you know what you have, where your risks are, and how the Security Six applies. Now you need a WISP that reflects this reality.<\/p>\n\n\n\n<p>Use Publication 5708 as the structure and a practical template as your starting point. 
For each section:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Replace generic language with how your firm actually operates<\/li>\n\n\n\n<li>Insert the results of your risk assessment, not examples<\/li>\n\n\n\n<li>Describe your real safeguards and monitoring, even if they are still a work in progress<\/li>\n\n\n\n<li>Reference concrete evidence such as reports, logs, or vendor attestations where appropriate<\/li>\n<\/ul>\n\n\n\n<p>If you already have a WISP, treat this as an update cycle, not a total rewrite. <strong>Update the scope, <\/strong><a href=\"https:\/\/verito.com\/blog\/risk-management-for-accountants\/\" target=\"_blank\" rel=\"dofollow\" ><strong>risk assessment<\/strong><\/a><strong>, safeguards, and vendor list so that they match your current systems<\/strong>, especially if you have moved to cloud hosting or changed tax software in the last year.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-train-staff-and-enforce-your-policies\"><span id=\"5-train-staff-and-enforce-your-policies\"><strong>5. 
Train Staff and Enforce Your Policies<\/strong><\/span><\/h3>\n\n\n\n<p>A WISP with no training evidence looks weak in any review.<\/p>\n\n\n\n<p>Publication 4557 expects tax professionals to train staff on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recognizing phishing and social engineering<\/li>\n\n\n\n<li>Secure use of email, portals, and file sharing<\/li>\n\n\n\n<li>How to handle taxpayer documents in the office and at home<\/li>\n\n\n\n<li>How to report suspicious activity or suspected incidents<\/li>\n<\/ul>\n\n\n\n<p>For a 1 to 50-person firm, aim for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>At least one focused security training session per year<\/strong> for all staff who touch taxpayer data<\/li>\n\n\n\n<li><strong>Short reminders during tax season<\/strong> when phishing risk peaks<\/li>\n\n\n\n<li><strong>Signed or electronic acknowledgements<\/strong> that staff have read key policies<\/li>\n<\/ul>\n\n\n\n<p>Record dates, topics, attendance, and any follow-up actions. Insert a brief training log into your WISP or keep it as an appendix. When regulators and insurers talk about a <em>\u201csecurity-aware culture,\u201d<\/em> this is the kind of basic evidence they expect to see.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-test-backups-and-incident-response-before-you-need-them\"><span id=\"6-test-backups-and-incident-response-before-you-need-them\"><strong>6. Test Backups and Incident Response Before You Need Them<\/strong><\/span><\/h3>\n\n\n\n<p>Publication 4557 emphasizes <a href=\"http:\/\/verito.com\/managed-backup-services\" target=\"_blank\" rel=\"dofollow noreferrer noopener\">secure backups<\/a> and having a plan for what to do when something goes wrong. 
It is not enough to assume your backups are working or that your team knows how to react.<\/p>\n\n\n\n<p>At least annually, and ideally more often:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Perform a test restore from your backups<\/strong> into a non-production environment<\/li>\n\n\n\n<li><strong>Time how long it takes to restore a representative sample of client data<\/strong> or a key application<\/li>\n\n\n\n<li><strong>Document<\/strong> the test, the result, and any problems uncovered<\/li>\n<\/ul>\n\n\n\n<p>Separately, walk through a simple incident response scenario. For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A staff member reports a suspicious email that they clicked<\/li>\n\n\n\n<li>A hosted desktop session shows signs of ransomware<\/li>\n\n\n\n<li>A laptop containing taxpayer data is lost or stolen<\/li>\n<\/ul>\n\n\n\n<p>For each scenario, practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who is called first inside the firm<\/li>\n\n\n\n<li>Who contacts your IT or hosting provider<\/li>\n\n\n\n<li>How you decide whether to shut systems down temporarily<\/li>\n\n\n\n<li>When you involve legal counsel and insurance<\/li>\n\n\n\n<li>When and how you would notify the IRS and affected clients<\/li>\n<\/ul>\n\n\n\n<p>Write these expectations into your WISP. If you use a <a href=\"https:\/\/verito.com\/industries\/tax\" target=\"_blank\" rel=\"dofollow\" ><strong>secure hosting provider<\/strong><\/a> like Verito for your tax applications, clarify in your plan which parts of incident response and recovery are handled by Verito and which are handled by your firm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-7-review-vendors-and-document-their-safeguards\"><span id=\"7-review-vendors-and-document-their-safeguards\"><strong>7. Review Vendors and Document Their Safeguards<\/strong><\/span><\/h3>\n\n\n\n<p>Publication 4557 and the FTC Safeguards Rule both require you to oversee service providers that handle taxpayer data. 
This does not mean you need to re-engineer their controls, but you do need to show that you asked appropriate questions and made informed choices.<\/p>\n\n\n\n<p>For each key vendor:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keep copies of contracts or service agreements<\/strong> that reference security and confidentiality<\/li>\n\n\n\n<li><strong>Request security documentation, such as <\/strong><a href=\"https:\/\/verito.com\/blog\/soc1-vs-soc2\/\" target=\"_blank\" rel=\"dofollow\" ><strong>SOC 2 reports<\/strong><\/a> or equivalent attestations where available<\/li>\n\n\n\n<li><strong>Confirm use of encryption<\/strong>, access controls, and segregation of client data<\/li>\n\n\n\n<li><strong>Understand what the vendor will do<\/strong>, and what they expect from you, if they suffer a breach<\/li>\n<\/ul>\n\n\n\n<p><strong>Record a brief vendor review summary in your WISP<\/strong> or in a separate vendor management log. Update it when you renew contracts or change providers. This is particularly important for tax software vendors, cloud hosting platforms, and outsourced prep teams.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-8-schedule-regular-reviews-and-prepare-for-potential-audits\"><span id=\"8-schedule-regular-reviews-and-prepare-for-potential-audits\"><strong>8. 
Schedule Regular Reviews and Prepare for Potential Audits<\/strong><\/span><\/h3>\n\n\n\n<p>Finally, <strong>turn your one-time project into a repeatable process<\/strong>.<\/p>\n\n\n\n<p>At minimum, you should:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Review and update your WISP at least annually<\/strong><\/li>\n\n\n\n<li><strong>Update the risk assessment<\/strong> whenever you adopt new software, move to or from cloud hosting, or significantly change how you work<\/li>\n\n\n\n<li><strong>Re-check the Security Six and related safeguards<\/strong> at least once a year<\/li>\n\n\n\n<li><strong>Update vendor reviews<\/strong> when contracts renew or when a provider experiences a known incident<\/li>\n<\/ul>\n\n\n\n<p>Create a simple calendar entry or task list that covers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WISP annual review<\/li>\n\n\n\n<li>Training and phishing awareness schedule<\/li>\n\n\n\n<li>Backup test schedule<\/li>\n\n\n\n<li>Vendor review schedule<\/li>\n<\/ul>\n\n\n\n<p>Keep an <em>\u201caudit file\u201d<\/em> where you collect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The current and prior versions of your WISP<\/li>\n\n\n\n<li>Risk assessment summaries<\/li>\n\n\n\n<li>Training logs<\/li>\n\n\n\n<li>Backup and incident response test records<\/li>\n\n\n\n<li>Vendor documentation<\/li>\n\n\n\n<li>Key screenshots or reports that show MFA, encryption, and monitoring are in place<\/li>\n<\/ul>\n\n\n\n<p>If you ever face questions from the IRS, the FTC, state regulators, cyber insurers, or plaintiff attorneys, <strong>having this file ready is far better than trying to reconstruct proof under pressure<\/strong>.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-proving-compliance-what-to-document-for-irs-4557-and-ftc-safeguards\"><span id=\"proving-compliance-what-to-document-for-irs-4557-and-ftc-safeguards\"><strong>Proving Compliance: 
What to Document for IRS 4557 And FTC Safeguards<\/strong><\/span><\/h2>\n\n\n\n<p>Publication 4557 and the FTC Safeguards Rule both talk about safeguards, plans, and programs. In practice, <strong>what matters when something goes wrong is what you can prove<\/strong>. That means <strong>having dated, organized evidence that you actually did what your Written Information Security Plan says you do<\/strong>.<\/p>\n\n\n\n<p>Think of this as building an <em>\u201caudit file\u201d<\/em> in parallel with your security program.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-minimum-evidence-set-a-small-firm-should-maintain\"><span id=\"the-minimum-evidence-set-a-small-firm-should-maintain\"><strong>The Minimum Evidence Set a Small Firm Should Maintain<\/strong><\/span><\/h3>\n\n\n\n<p>For a 1 to 50-person tax or accounting firm, regulators and insurers are usually looking for the same core categories of proof.<\/p>\n\n\n\n<p>You should be able to put your hands on, without scrambling:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Current and Prior Versions of Your WISP<\/strong>\n<ul class=\"wp-block-list\">\n<li>With version numbers or dates<\/li>\n\n\n\n<li>Showing when it was last reviewed and by whom<\/li>\n\n\n\n<li>Reflecting your real systems and vendors<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Risk Assessment Documentation<\/strong>\n<ul class=\"wp-block-list\">\n<li>A short written summary of key risks, likelihood, and impact<\/li>\n\n\n\n<li>Notes on which controls mitigate each risk<\/li>\n\n\n\n<li>Dates of review and any changes since the prior year<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security Six Baseline and Remediation Log<\/strong>\n<ul class=\"wp-block-list\">\n<li>The table you built earlier that shows where you stood on each of the Security Six<\/li>\n\n\n\n<li>Entries showing when you closed gaps or changed <a href=\"https:\/\/verito.com\/industries\/bookkeepers\" target=\"_blank\" rel=\"dofollow\" 
><strong>vendors<\/strong><br><\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Access Control and User Management Records<\/strong>\n<ul class=\"wp-block-list\">\n<li>Onboarding and offboarding checklists for staff<\/li>\n\n\n\n<li>Logs or exports showing active accounts in key systems<\/li>\n\n\n\n<li>Evidence that former employees and contractors have been deprovisioned<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Backup and Disaster Recovery Evidence<\/strong>\n<ul class=\"wp-block-list\">\n<li>Backup configuration summaries or reports<\/li>\n\n\n\n<li>Records of at least one restore test per year<\/li>\n\n\n\n<li>Any issues found during tests and how they were fixed<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security Awareness Training Logs<\/strong>\n<ul class=\"wp-block-list\">\n<li>Dates and topics of <a href=\"https:\/\/verito.com\/security-awareness-training\" target=\"_blank\" rel=\"dofollow\" ><strong>training sessions<\/strong><\/a><\/li>\n\n\n\n<li>Attendance or completion records<\/li>\n\n\n\n<li>Copies of phishing simulations or awareness materials, if used<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Vendor Due Diligence Files<\/strong>\n<ul class=\"wp-block-list\">\n<li>Copies of contracts that address confidentiality and security<\/li>\n\n\n\n<li>Security documentation from key vendors (for example, SOC 2 reports or security whitepapers)<\/li>\n\n\n\n<li>Notes from your last review and any red flags you addressed<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Incident and Near Miss Records<\/strong>\n<ul class=\"wp-block-list\">\n<li>A simple log of suspected incidents, investigations, and outcomes<\/li>\n\n\n\n<li>Any notifications made to the IRS, state agencies, clients, or insurers<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>A firm that can produce this material on request looks very different from a firm that says <em>\u201cwe take security seriously\u201d<\/em> but cannot show how.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"h-how-to-organize-your-audit-file\"><span id=\"how-to-organize-your-audit-file\"><strong>How to Organize Your \u201cAudit File\u201d<\/strong><\/span><\/h3>\n\n\n\n<p>You do not need a complex GRC platform to be ready for questions. For most small firms, a simple folder structure works:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>WISP<\/strong><\/li>\n\n\n\n<li><strong>Risk Assessment<\/strong><\/li>\n\n\n\n<li><strong>Security Six Baseline<\/strong><\/li>\n\n\n\n<li><strong>Access and User Management<\/strong><\/li>\n\n\n\n<li><strong>Backups and DR<\/strong><\/li>\n\n\n\n<li><strong>Training<\/strong><\/li>\n\n\n\n<li><strong>Vendors<\/strong><\/li>\n\n\n\n<li><strong>Incidents<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Keep this in a secure <a href=\"https:\/\/verito.com\/smart-vault\" target=\"_blank\" rel=\"dofollow\" ><strong>document management system<\/strong><\/a>, not on a random desktop. Within each folder, include a short <em>\u201creadme\u201d<\/em> document that explains what is in the folder and how often it is updated. 
That alone can make external reviews much smoother.<\/p>\n\n\n\n<p>It is also useful to add a one or two-page <strong>compliance mapping<\/strong> in the WISP appendix that shows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which WISP sections and evidence align with key points in IRS Publication 4557<\/li>\n\n\n\n<li>How your controls map to the major elements of the FTC Safeguards Rule (qualified individual, risk assessment, safeguards, training, vendor oversight, incident response)<\/li>\n<\/ul>\n\n\n\n<p>This does not need to be exhaustive, but it should be clear enough that a reviewer can see you have thought about alignment, not just collected documents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-screenshots-reports-and-other-small-pieces-of-evidence\"><span id=\"screenshots-reports-and-other-small-pieces-of-evidence\"><strong>Screenshots, Reports, and Other \u201cSmall\u201d Pieces of Evidence<\/strong><\/span><\/h3>\n\n\n\n<p><strong>Many firms underestimate the value of simple screenshots and exports<\/strong>. Used properly, they are a fast way to show that controls exist and are monitored. Examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MFA configuration screens for email, tax software, and remote access<\/li>\n\n\n\n<li>Device encryption status summaries for firm laptops<\/li>\n\n\n\n<li>Firewall configuration overviews that show remote access rules and logging enabled<\/li>\n\n\n\n<li><a href=\"https:\/\/verito.com\/it-support-for-growing-firms\" target=\"_blank\" rel=\"dofollow\" ><strong>Endpoint protection<\/strong><\/a> dashboards showing coverage and recent detections<\/li>\n\n\n\n<li>Backup job summaries showing schedules and last successful run<\/li>\n<\/ul>\n\n\n\n<p>Capture these on a reasonable cadence, such as quarterly or after major changes, and file them in the relevant folders. 
They complement, but do not replace, your WISP and higher level policies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-irs-publication-4557-vs-publication-5708-vs-ftc-safeguards-rule\"><span id=\"irs-publication-4557-vs-publication-5708-vs-ftc-safeguards-rule\"><strong>IRS Publication 4557 vs. Publication 5708 vs. FTC Safeguards Rule<\/strong><\/span><\/h2>\n\n\n\n<p>Many firms get stuck because they see multiple acronyms and are not sure which one to follow. In reality, these documents and rules are different pieces of the same picture. You do not need three separate security programs. <strong>You need one security program and one WISP that aligns with all of them<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-each-document-or-rule-does\"><span id=\"what-each-document-or-rule-does\"><strong>What Each Document or Rule Does<\/strong><\/span><\/h3>\n\n\n\n<p>At a high level:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Item<\/strong><\/th><th><strong>Who issues it<\/strong><\/th><th><strong>What it does for your firm<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>IRS Publication 4557<\/strong><\/td><td>IRS<\/td><td>Explains how tax professionals should safeguard taxpayer data, including the Security Six, policies, training, vendor oversight, and incident response.<\/td><\/tr><tr><td><strong>IRS Publication 5708<\/strong><\/td><td>IRS<\/td><td>Provides a structured Written Information Security Plan (WISP) template tailored to tax and accounting practices.<\/td><\/tr><tr><td><a href=\"https:\/\/verito.com\/blog\/how-to-comply-with-ftc-safeguards-rule\/\" target=\"_blank\" rel=\"dofollow\" ><strong>FTC Safeguards Rule (GLBA)<\/strong><\/a><\/td><td>Federal Trade Commission<\/td><td>Legally requires covered financial institutions, including many tax preparers, to maintain a written information security program with specific elements.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>If 
you handle taxpayer information in connection with return preparation, you sit at the intersection of all three. Publication 4557 describes the safeguards, Publication 5708 helps you write them down in a WISP, and the FTC Safeguards Rule is the regulation that makes having an effective written security program a legal obligation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-key-requirements-lined-up-side-by-side\"><span id=\"key-requirements-lined-up-side-by-side\"><strong>Key Requirements Lined up Side-by-side<\/strong><\/span><\/h3>\n\n\n\n<p>The overlap becomes clearer if you line up the major expectations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Risk Assessment<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Expects you to understand your risks and choose safeguards accordingly.<\/li>\n\n\n\n<li><strong>Publication 5708<\/strong>: Includes a section to document threats, likelihood, and impact.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Explicitly requires written risk assessments as the foundation of your program.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Written Security Program (WISP)<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Repeatedly references the need for a written data security plan.<\/li>\n\n\n\n<li><strong>Publication 5708:<\/strong> Provides a fillable WISP structure tailored to tax firms.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Requires a written information security program that is appropriate to your size and complexity.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Qualified Individual and Governance<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Implies that someone must be responsible for security decisions and oversight.<\/li>\n\n\n\n<li><strong>Publication 5708:<\/strong> Includes sections for roles and responsibilities.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Requires you to 
designate a qualified individual to oversee the information security program and report to leadership.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Administrative, Technical, and Physical Safeguards<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Details the Security Six plus policy, access control, training, vendor oversight, and physical protections.<\/li>\n\n\n\n<li><strong>Publication 5708:<\/strong> Gives you the places in the WISP to describe these controls.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Requires controls that cover access, encryption, secure development and change management, monitoring, and more, appropriate to your risk profile.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Vendor and Service Provider Oversight<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Clearly states that tax pros must vet and oversee service providers that handle taxpayer data.<\/li>\n\n\n\n<li><strong>Publication 5708:<\/strong> Includes a vendor management section.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Requires you to take reasonable steps to select and oversee service providers and to require them by contract to protect customer information.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Incident Response and Testing<\/strong><br>\n<ul class=\"wp-block-list\">\n<li><strong>Publication 4557:<\/strong> Explains what to do if you suspect data theft and how to report to the IRS and law enforcement.<\/li>\n\n\n\n<li><strong>Publication 5708:<\/strong> Provides a place to describe your incident response and business continuity plans.<\/li>\n\n\n\n<li><strong>FTC Safeguards:<\/strong> Requires a written incident response plan and ongoing monitoring and testing of safeguards.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>When you design your WISP with these overlaps in mind, you avoid duplicate work and you make it much easier to answer questions from any regulator or 
insurer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-turning-irs-publication-4557-into-a-practical-data-security-plan\"><span id=\"turning-irs-publication-4557-into-a-practical-data-security-plan\"><strong>Turning IRS Publication 4557 Into a Practical Data Security Plan<\/strong><\/span><\/h2>\n\n\n\n<p>IRS Publication 4557, Publication 5708, and the FTC Safeguards Rule are not three separate projects. For a 1 to 50-person tax or accounting firm, they all point to one outcome: <strong>a realistic security program, written down in a WISP, backed by safeguards you can prove are in place<\/strong>.<\/p>\n\n\n\n<p>If you strip the jargon out, the essentials are straightforward:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Know what taxpayer data you hold<\/strong>, where it lives, and which vendors touch it.<\/li>\n\n\n\n<li><strong>Identify your main risks<\/strong> and document them in a simple risk assessment.<\/li>\n\n\n\n<li><strong>Implement the Security Six plus basic administrative and physical safeguards<\/strong> that match how your firm actually works.<\/li>\n\n\n\n<li><strong>Build or update a WISP using Publication 5708<\/strong> and keep it current as your technology and staffing change.<\/li>\n\n\n\n<li><strong>Train people, test backups, rehearse incident response, and keep evidence organized<\/strong> so you can show what you did if anyone asks.<\/li>\n<\/ul>\n\n\n\n<p>You do not have to handle everything alone. 
The heavy lifting around secure infrastructure, backups, encryption, and monitoring is often better handled by a specialist platform like Verito that already aligns with IRS 4557 expectations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-tl-dr\"><span id=\"tldr\"><strong>TL;DR:<\/strong><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IRS Publication 4557 is the IRS playbook for how tax professionals must safeguard taxpayer data and aligns closely with FTC Safeguards and GLBA expectations.<\/li>\n\n\n\n<li>It applies to solo practitioners, small CPA and EA firms, EROs, and any business that handles taxpayer information for tax preparation.<\/li>\n\n\n\n<li>The IRS Security Six plus administrative and physical safeguards form the practical baseline for small and mid-sized firms.<\/li>\n\n\n\n<li>A Written Information Security Plan (WISP), structured with IRS Publication 5708, is now effectively mandatory in 2026 for firms that want to withstand regulatory and insurance scrutiny.<\/li>\n\n\n\n<li>A defensible program includes a risk assessment, WISP, training, vendor oversight, backups, incident response, and organized audit evidence.<\/li>\n\n\n\n<li>Cloud hosting and managed security can cover most technical controls, but firms still own policies, training, vendor oversight, and incident decisions.<\/li>\n\n\n\n<li>Verito\u2019s secure hosting, WISP template, and VeritShield WISP help firms move from loose controls to an audit-ready security program that aligns with IRS 4557 and FTC Safeguards.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-faq\"><span id=\"faq\"><strong>FAQ:<\/strong><\/span><\/h2>\n\n\n<div class=\"saswp-faq-block-section\"><ol style=\"list-style-type:none\"><li style=\"list-style-type: none\"><h5 id=\"1-does-irs-publication-4557-legally-require-a-written-information-security-plan\" class=\"saswp-faq-question-title \"><strong>1. 
Does IRS Publication 4557 legally require a Written Information Security Plan?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">Publication 4557 itself is guidance, but in 2026 a WISP is effectively required. The IRS explicitly points firms to a written security plan, Publication 5708 provides a WISP template, and the FTC Safeguards Rule legally requires a written information security program for covered financial institutions, which includes many tax preparers. If you handle taxpayer data, operating without a WISP is very difficult to defend.<\/p><li style=\"list-style-type: none\"><h5 id=\"2-who-does-irs-publication-4557-apply-to\" class=\"saswp-faq-question-title \"><strong>2. Who does IRS Publication 4557 apply to?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">It applies to any business that handles taxpayer information for return preparation. That includes solo practitioners, small and mid-sized CPA firms, enrolled agents, EROs, Authorized IRS e-file Providers, virtual firms, and bookkeeping practices that collect tax data. Size does not exempt you. The expectations scale with your complexity, not your headcount.<\/p><li style=\"list-style-type: none\"><h5 id=\"3-what-are-the-irs-security-six-controls\" class=\"saswp-faq-question-title \"><strong>3. What are the IRS \u201cSecurity Six\u201d controls?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">The Security Six are the core technical safeguards Publication 4557 expects every tax professional to have:<br><br>&#8211; Antivirus and anti-malware on all firm devices<br>&#8211; Properly configured firewalls<br>&#8211; Multi-factor authentication (MFA)<br>&#8211; Drive encryption on laptops and other mobile devices<br>&#8211; Secure, tested backups<br>&#8211; Secure remote access (for example VPNs or hosted desktops with MFA)<br><br>These are a baseline, not a complete program. 
You still need policies, training, vendor oversight, and physical safeguards.<\/p><li style=\"list-style-type: none\"><h5 id=\"4-how-is-publication-5708-different-from-publication-4557\" class=\"saswp-faq-question-title \"><strong>4. How is Publication 5708 different from Publication 4557?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">Publication 4557 describes what safeguards the IRS expects. Publication 5708 shows you how to write those safeguards into a WISP. It is essentially a structured template for tax and accounting firms that helps you document scope, risks, controls, vendor oversight, and incident response in one place.<\/p><li style=\"list-style-type: none\"><h5 id=\"5-is-moving-to-cloud-or-hosted-solutions-enough-to-satisfy-irs-publication-4557\" class=\"saswp-faq-question-title \"><strong>5. Is moving to cloud or hosted solutions enough to satisfy IRS Publication 4557?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">No. Cloud or hosted solutions can make it much easier to meet technical expectations, but they do not replace your responsibilities. A provider can handle backups, encryption, MFA, and monitoring, but you still own your WISP, risk assessment, staff training, vendor oversight, and how you handle paper records and client communications.<\/p><li style=\"list-style-type: none\"><h5 id=\"6-how-often-should-a-tax-or-cpa-firm-update-its-wisp\" class=\"saswp-faq-question-title \"><strong>6. 
How often should a tax or CPA firm update its WISP?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">A practical standard is:<br><br>&#8211; A formal review at least once per year<br>&#8211; An update whenever you make a significant change, such as switching tax software, moving to or from cloud hosting, adding new offices or offshore staff, or responding to an incident<br><br>Each review should update your risk assessment, Security Six status, vendor list, and any changes in procedures, and should be dated and approved by leadership.<\/p><li style=\"list-style-type: none\"><h5 id=\"7-what-evidence-should-i-keep-to-prove-irs-4557-and-ftc-safeguards-compliance\" class=\"saswp-faq-question-title \"><strong>7. What evidence should I keep to prove IRS 4557 and FTC Safeguards compliance?<\/strong><\/h5><p class=\"saswp-faq-answer-text\">At minimum, maintain:<br><br>&#8211; Current and past versions of your WISP<br>&#8211; A written risk assessment<br>&#8211; A Security Six baseline and remediation log<br>&#8211; Training records<br>&#8211; Backup and restore test logs<br>&#8211; Vendor contracts and security documentation<br>&#8211; Incident and near-miss records<br><br>Organize these in a simple \u201caudit file\u201d so you can produce them quickly if regulators, insurers, or attorneys ask how you safeguard taxpayer data.<\/p><\/ol><\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"If you prepare U.S. 
tax returns in 2026, the IRS, the FTC, and your clients all assume one&hellip;\n","protected":false},"author":12,"featured_media":5116,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[523,280,241,525,524,522,383,387,457],"class_list":{"0":"post-5115","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-knowledge-base","8":"tag-cpa-firm-cybersecurity","9":"tag-ftc-safeguards-rule","10":"tag-irs-publication-4557","11":"tag-secure-cloud-hosting","12":"tag-tax-firm-data-protection","13":"tag-taxpayer-data-security","14":"tag-veritshield-wisp","15":"tag-wisp-template","16":"tag-written-information-security-plan"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.1 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>IRS Publication 4557 Explained: What Tax Firms Must Do to Protect Client Data<\/title>\n<meta name=\"description\" content=\"IRS Publication 4557 explained in plain terms. Understand what the IRS expects from tax firms, where most firms fall short, and how these safeguards are actually evaluated after an incident.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 2026\" \/>\n<meta property=\"og:description\" content=\"If you prepare U.S. 
tax returns in 2026, the IRS, the FTC, and your clients all assume one thing about your firm: you already have a real cybersecurity\" \/>\n<meta property=\"og:url\" content=\"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/\" \/>\n<meta property=\"og:site_name\" content=\"Verito Technologies | Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-14T12:58:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-23T12:43:23+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1500\" \/>\n\t<meta property=\"og:image:height\" content=\"837\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Camren Majors\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Camren Majors\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"29 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"IRS Publication 4557 Explained: What Tax Firms Must Do to Protect Client Data","description":"IRS Publication 4557 explained in plain terms. 
Understand what the IRS expects from tax firms, where most firms fall short, and how these safeguards are actually evaluated after an incident.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/","og_locale":"en_US","og_type":"article","og_title":"IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 2026","og_description":"If you prepare U.S. tax returns in 2026, the IRS, the FTC, and your clients all assume one thing about your firm: you already have a real cybersecurity","og_url":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/","og_site_name":"Verito Technologies | Blog","article_published_time":"2026-01-14T12:58:17+00:00","article_modified_time":"2026-01-23T12:43:23+00:00","og_image":[{"width":1500,"height":837,"url":"http:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg","type":"image\/jpeg"}],"author":"Camren Majors","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Camren Majors","Est. 
reading time":"29 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#article","isPartOf":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/"},"author":{"name":"Camren Majors","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/865ad0905f2ef35c7587605a88ab6c1e"},"headline":"IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 2026","datePublished":"2026-01-14T12:58:17+00:00","dateModified":"2026-01-23T12:43:23+00:00","mainEntityOfPage":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/"},"wordCount":6285,"publisher":{"@id":"https:\/\/verito.com\/blog\/#organization"},"image":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg","keywords":["CPA firm cybersecurity","FTC safeguards rule","IRS publication 4557","secure cloud hosting","tax firm data protection","taxpayer data security","VeritShield WISP","WISP template","Written Information Security Plan"],"articleSection":["Knowledge Base"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/","url":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/","name":"IRS Publication 4557 Explained: What Tax Firms Must Do to Protect Client 
Data","isPartOf":{"@id":"https:\/\/verito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#primaryimage"},"image":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg","datePublished":"2026-01-14T12:58:17+00:00","dateModified":"2026-01-23T12:43:23+00:00","description":"IRS Publication 4557 explained in plain terms. Understand what the IRS expects from tax firms, where most firms fall short, and how these safeguards are actually evaluated after an incident.","breadcrumb":{"@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/verito.com\/blog\/irs-publication-4557-explained\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#primaryimage","url":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg","contentUrl":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/01\/IRS-Publication-4557-Explained_-The-Ultimate-Guide-to-Safeguarding-Taxpayer-Data-in-2026.jpg","width":1500,"height":837,"caption":"IRS Publication 4557 Explained_ The Ultimate Guide to Safeguarding Taxpayer Data in 2026"},{"@type":"BreadcrumbList","@id":"https:\/\/verito.com\/blog\/irs-publication-4557-explained\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/verito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Knowledge Base","item":"https:\/\/verito.com\/blog\/category\/knowledge-base\/"},{"@type":"ListItem","position":3,"name":"IRS Publication 4557 Explained: The Ultimate Guide to Safeguarding Taxpayer Data in 
2026"}]},{"@type":"WebSite","@id":"https:\/\/verito.com\/blog\/#website","url":"https:\/\/verito.com\/blog\/","name":"Verito Technologies | Blog","description":"Verito Technologies Blog","publisher":{"@id":"https:\/\/verito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/verito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/verito.com\/blog\/#organization","name":"Verito Technologies","url":"https:\/\/verito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/verito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2020\/01\/logo_blue.png","contentUrl":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2020\/01\/logo_blue.png","width":625,"height":208,"caption":"Verito Technologies"},"image":{"@id":"https:\/\/verito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/865ad0905f2ef35c7587605a88ab6c1e","name":"Camren Majors","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/77bfceda618286bd3464259eedc244dda94e71f2d7782a878cb75fd25c966426?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/77bfceda618286bd3464259eedc244dda94e71f2d7782a878cb75fd25c966426?s=96&d=mm&r=g","caption":"Camren Majors"},"description":"Camren Majors is co-founder and Chief Revenue Officer of Verito Technologies, a cloud hosting and managed IT company built exclusively for tax and accounting firms. He is the co-author of Beyond Best Practices: Modernizing the Successful Accounting Firm (2026). 
His work has been featured in NATP TAXPRO Magazine and he has presented for NATP, NAEA, and NSA."}]}},"_links":{"self":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/5115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/comments?post=5115"}],"version-history":[{"count":10,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/5115\/revisions"}],"predecessor-version":[{"id":5338,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/5115\/revisions\/5338"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/media\/5116"}],"wp:attachment":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/media?parent=5115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/categories?post=5115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/tags?post=5115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}