WISP Builder: What a Cloud Host Covers vs. What Your CPA Firm Still Owns

Quick answer: Your cloud hosting provider handles the technical infrastructure: encryption at rest and in transit, server-side backups, MFA enforcement on the hosted environment, and infrastructure covered by a SOC 2 Type II report. The Written Information Security Plan (WISP) itself, your firm’s risk assessment, employee training, vendor contracts, and incident response procedures belong to you.

There’s a conversation that comes up almost every time we onboard a new CPA firm at OneUp Networks. It usually goes something like this: A firm principal — often someone who’s been preparing tax returns for twenty years and has never had a data incident — asks us, “So once we move to your cloud, we’re covered for the IRS security stuff, right?”

It’s a fair question. And the honest answer is: partly, yes — but not completely.

Most CPA practices are exposed in the gap between what their cloud host covers and what the firm itself still owns. Not because they’re careless, but because nobody has spelled it out clearly.

This article does exactly that. By the end, you’ll know precisely which parts of your WISP your hosting provider is responsible for, which parts fall on your firm, and what you need to document to be genuinely audit-ready in 2026 — not just technically compliant on paper.

Why This Matters More Than It Did Three Years Ago

The WISP requirement isn’t new. IRS Publication 4557 has required tax preparers to maintain a Written Information Security Plan for years. What changed is enforcement — and the teeth behind it.

Since May 2024, the FTC Safeguards Rule has required your firm to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unencrypted information of 500 or more consumers. That notice becomes public record. Civil penalties for violating the rule run up to $51,744 per violation per day, with no cap on the total. And the IRS, through Publication 4557, layers additional reporting expectations on top, including notification through the SPOS portal and coordination with your local IRS Stakeholder Liaison.

The average cost of a data breach at a small business, counting forensic investigation, legal fees, client notification, credit monitoring, and regulatory fines, now exceeds $2.98 million according to IBM’s 2025 Cost of a Data Breach Report. Most CPA firms hold Social Security numbers, bank account details, full income histories, and EINs for hundreds or thousands of clients. To a cybercriminal, that’s a treasure chest.

What does all of this have to do with your cloud host?

Because when regulators and insurance underwriters come looking after an incident, the first thing they’ll ask isn’t “do you have a cloud host?” It’s “show me your WISP.” Then they’ll check whether the controls documented in that WISP actually existed and functioned. Your hosting provider’s SOC 2 report matters. But it doesn’t substitute for a written plan your firm owns and maintains.

First: What Exactly Is a WISP?

A WISP — Written Information Security Plan — is a formal, living document that describes how your firm protects client data. Not how you intend to protect it. How you actually do.

Under IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314), a compliant WISP must cover all three of the following layers:

  • Administrative safeguards — your firm’s policies, training records, and designated security officer
  • Technical safeguards — encryption, access controls, MFA, backups, and monitoring
  • Physical safeguards — who can physically access your office, devices, and paper records

Think of it as your firm’s security constitution. It has to be written (not verbal). It has to be current (reviewed at least annually). And it has to reflect what your firm actually does — not a template you downloaded and filed away.

The FTC Safeguards Rule, mirrored by the IRS template in Publication 5708, requires you to designate a “Qualified Individual”: a specific named person responsible for overseeing your information security program. For a solo practitioner, that’s you. For a ten-person firm, it might be a managing partner or an IT coordinator. This person must report in writing to firm leadership at least once a year on the state of the program and its compliance.

The Big Misconception: “The Cloud Handles It”

Here’s the mistake many firms make. They move to a reputable, SOC 2-audited cloud hosting provider. Their data is encrypted in transit and at rest, backups run nightly, MFA is enforced, and uptime is reliable. They feel secure. And technically, the infrastructure is secure.

But infrastructure security and program compliance are two different things.

The IRS and FTC aren’t auditing your server. They’re auditing your program — the documentation, the policies, the training records, the vendor contracts, and the incident response procedures. A cloud host provides the technical foundation. The compliance program is your firm’s to own.

Here’s the clearest way to understand it:

Your cloud host is like a secure bank vault. They built it, they maintain it, they certify it. But they can’t write the policies for who has a key, train your staff on how to handle what’s inside, or decide what happens if a key goes missing. That’s your job.

The Definitive Split: What OneUp Networks Covers vs. What Your Firm Owns

The split below isn’t a rough guide. It’s the operational reality for any CPA firm using a dedicated accounting cloud host. Use it as the starting point for your WISP documentation.

What OneUp Networks Handles on Your Behalf

1. Encrypting data storage and transmission

We encrypt all client data on our infrastructure, using AES-256 at rest and TLS 1.2 or later in transit, consistent with the encryption safeguards IRS Publication 4557 calls for. You don’t need to configure these protections manually because they are built into the environment. One boundary worth writing into your WISP: this covers data inside the hosted environment. A return downloaded to a laptop or attached to an email has left it.

2. Enforcing multi-factor authentication (MFA)

We require MFA for every user and every remote session accessing your hosted environment. Instead of asking your firm to create and enforce this policy internally, we apply it directly at the infrastructure level.

3. Maintaining SOC 2 Type II certified data centers

Independent auditors examine our controls on a recurring basis and issue a SOC 2 Type II report. That report attests that encryption, access controls, availability safeguards, and processing integrity were actually operating over the audit period, not just claimed. Your firm can reference the report in its WISP as a documented technical safeguard for the hosted environment. Ask for the report itself and note its scope and coverage period; a badge on a website is not the document an auditor will want to see.

4. Automated daily backups with versioned recovery

Nightly encrypted backups run automatically. Versioned snapshots mean you can restore to a specific point in time, not just the last backup. We test backup integrity on our end. You can document this in your WISP as your backup control; record the schedule, the retention period, and your recovery time and recovery point objectives alongside it.

5. Infrastructure patching and vulnerability management

Operating system patches, security updates, and server-level vulnerability management happen on our side, so the platform your applications run on stays current without your staff having to manage it.

6. Role-based access controls at the server level

We provision users with access limited to what they need, and the architecture supports least-privilege access at the environment level, which the FTC Safeguards Rule specifically requires. Deciding who needs access to what is still your firm’s call; we implement the access decisions you give us.

7. Uptime and business continuity infrastructure

Redundant systems, failover, and disaster recovery at the data center level mean the infrastructure keeps running even during hardware failures. Our SLA covers this. It belongs in your WISP as your business continuity control for hosted systems.

8. Activity logging and audit trails

Every login, file access, and session on our infrastructure is logged, and those logs are available to you. They are the evidence behind the monitoring statements in your WISP.

What Your CPA Firm Still Owns

This is the part that surprises most people. Your cloud host can’t do any of the following for you — legally or practically.

1. Writing and maintaining the WISP itself

The document doesn’t write itself. You have to document your policies, assign your Qualified Individual, describe your safeguards, and review the WISP at least annually. A template is a starting point — not a finished WISP.

2. Naming your hosting provider in the WISP

This sounds obvious, but it’s one of the most common compliance gaps we see. If your SOC 2-certified cloud host isn’t named in your WISP — with their data protection obligations specifically documented — you have a gap, regardless of how strong their infrastructure is. The FTC Safeguards Rule requires vendor oversight documentation. That means naming the vendor, describing their controls, and keeping their SOC 2 report on file.

3. Conducting and documenting your annual risk assessment

The Safeguards Rule requires a documented risk assessment that identifies threats to client information and evaluates your safeguards against those threats. Your hosting environment is one piece of the picture. The assessment also has to cover your endpoints, your staff behaviors, your physical office, and how your client data flows in and out of your firm.

4. Employee security training — documented and repeated

Your staff are your biggest vulnerability. Phishing attacks, weak passwords on personal devices, and sharing client files through personal email are the most common causes of accounting firm data incidents — not infrastructure failures. IRS Publication 4557 requires documented, recurring security awareness training. Your cloud host can’t train your employees. You own that.

5. Written vendor agreements with security provisions

Every third-party vendor that touches your client data, including your cloud host, document management system, client portal, and tax software provider, needs a written agreement with specific data security provisions. A generic terms-of-service agreement does not satisfy the Safeguards Rule. Your contracts should address breach notification timelines, encryption standards, and your firm’s right to audit.

6. Governing personal device and remote work policies

Your hosting environment enforces MFA for sessions within it. But what happens when a staff member’s personal laptop — the one they use to connect to the cloud from home — has malware on it? Your firm needs a written policy on approved devices, VPN use, and remote work security. That’s not something a hosting provider controls.

7. Your incident response plan

Your firm also needs a documented incident response plan. Who determines whether an incident is reportable? Which team member contacts the IRS Stakeholder Liaison or files the FTC breach notification within the 30-day deadline? Client communication, legal coordination, and law enforcement involvement should also be assigned by name. These decisions cannot be improvised during a crisis; they must be documented in advance.

8. Physical security at your office

Even if everything lives in the cloud, your office still has risks — client documents printed and left on desks, former employees who know where the spare key is, visitors who can see a client’s information on a monitor. Physical safeguards are required by IRS Pub. 4557. Your hosting provider can’t enforce them.

9. Offboarding and access revocation

When a staff member leaves your firm, especially on bad terms, you need a documented process for revoking their access immediately. Your cloud host can deprovision a user quickly when you request it, but the policy and the process for triggering that request are yours to own. So is confirming it happened: keep the request and the confirmation as evidence, and check the host’s access logs afterward for any session under that account.

10. Annual review and updates

The threat landscape changes. Regulations evolve. The FTC breach notification requirement did not exist before May 2024. Your WISP has to be updated when significant changes occur in your business, your technology, or the regulatory environment. This is an ongoing obligation, not a one-time project.
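Items 8 and 9 above describe work the firm has to do itself: take the login evidence the host hands over and reconcile it against the firm’s own record of who should still have access. The script below is an added example of that reconciliation. It is not OneUp Networks’ tooling and does not come from the original article; the log line format, the field names (user, mfa, src), the roster layout, and every sample entry are constructed assumptions, so adapt the regular expression to whatever export your host actually provides.

```python
"""
Reconcile a cloud host's login export against the firm's own staff roster.

Added example: illustrative code, not OneUp Networks' tooling. The log format,
field names and roster layout are assumptions; adjust LOG_RE to the export
your host actually provides.
"""
from __future__ import annotations

import re
from datetime import date, datetime, timezone

# Assumed log line format (constructed for this example):
#   <ISO-8601 UTC timestamp> login user=<name> mfa=<yes|no> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+login"
    r"\s+user=(?P<user>\S+)\s+mfa=(?P<mfa>yes|no)\s+src=(?P<src>\S+)$"
)

# Constructed sample export. Line 5 is a login by a user offboarded on
# 2026-01-31; line 6 is a session recorded without MFA; line 7 is an
# account the firm never put on its roster. The last line is not a login
# event and is skipped by the parser.
SAMPLE_LOG = """\
2026-02-02T13:04:11Z login user=mgarcia mfa=yes src=203.0.113.10
2026-02-02T13:09:45Z login user=tlee mfa=yes src=203.0.113.11
2026-02-02T18:22:03Z login user=mgarcia mfa=yes src=198.51.100.7
2026-02-03T08:15:30Z login user=tlee mfa=yes src=203.0.113.11
2026-02-03T21:40:02Z login user=rpatel mfa=yes src=198.51.100.22
2026-02-04T09:01:17Z login user=tlee mfa=no src=203.0.113.11
2026-02-04T09:30:00Z login user=svc-backup mfa=yes src=203.0.113.50
this line is not a login event and is skipped
"""

# Constructed roster: the firm's own record of who should have access and
# when it ended. None means the person is still employed.
SAMPLE_ROSTER: dict[str, date | None] = {
    "mgarcia": None,
    "tlee": None,
    "rpatel": date(2026, 1, 31),  # left the firm; access should be revoked
}


def parse_log_line(line: str) -> dict | None:
    """Return a parsed login event, or None for lines that are not logins."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "mfa": m["mfa"] == "yes", "src": m["src"]}


def audit_access(log_text: str, roster: dict[str, date | None]) -> dict:
    """Flag logins that contradict the firm's offboarding and MFA statements."""
    findings = {
        "post_termination": [],   # logins after the roster says access ended
        "no_mfa": [],             # sessions the host recorded without MFA
        "unknown_users": set(),   # accounts in the log but not on the roster
        "sessions_per_user": {},  # evidence summary for the annual review log
    }
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        user = ev["user"]
        findings["sessions_per_user"][user] = findings["sessions_per_user"].get(user, 0) + 1
        if user not in roster:
            findings["unknown_users"].add(user)
        else:
            ended = roster[user]
            if ended is not None and ev["ts"].date() > ended:
                findings["post_termination"].append((user, ev["ts"].isoformat()))
        if not ev["mfa"]:
            findings["no_mfa"].append((user, ev["ts"].isoformat()))
    findings["unknown_users"] = sorted(findings["unknown_users"])
    return findings


if __name__ == "__main__":
    result = audit_access(SAMPLE_LOG, SAMPLE_ROSTER)
    for key in ("post_termination", "no_mfa", "unknown_users"):
        print(f"{key}: {result[key]}")
    print("sessions per user:", result["sessions_per_user"])
```

Run against the constructed sample, the script flags one login under the offboarded account, one session without MFA, and one account the roster does not know about. Each finding maps to a WISP statement the firm has to be able to defend: the offboarding process, the MFA claim for the hosted environment, and the access provisioning record. In practice the roster comes from HR records, and the check is worth running at every departure and again as part of the annual review so the session counts can go into the review log as evidence.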

The Compliance Gap Most Firms Don’t Catch

After working with CPA firms of all sizes, the most common gap we see isn’t a technology failure. It’s this:

A firm has a cloud host with strong infrastructure. They have a WISP they created two years ago — maybe from a template. But the WISP doesn’t name their current cloud provider. It doesn’t reference the vendor’s SOC 2 certification. It doesn’t include the new FTC breach notification procedure (which has been required since May 2024). And nobody has reviewed it since it was filed.

That firm isn’t protected by their cloud host’s security. And they’re not protected by the WISP either — because the WISP doesn’t reflect reality.

The IRS and FTC aren’t looking for a perfect document. They’re looking for evidence that your firm takes data security seriously, that someone owns it, and that the plan actually matches what you do. A dated, generic WISP that doesn’t mention your current infrastructure is worse than no WISP in some audit scenarios, because it signals that compliance is purely performative.

What a Defensible WISP Actually Contains in 2026

Here’s what a WISP that holds up to scrutiny — under an IRS examination, an insurance underwriting review, or an FTC investigation — needs to include:

  • Cover section: Firm name, effective date, named Qualified Individual, and review schedule
  • Risk assessment summary: Documented threats, current controls, and identified gaps
  • Data inventory: What sensitive data your firm holds, where it lives, and how it flows
  • Technical safeguards section: MFA, encryption, backups — with your hosting provider named specifically and their SOC 2 certification referenced
  • Administrative safeguards section: Training records, access provisioning process, password policy, device policy
  • Physical safeguards section: Office access controls, clean desk policy, secure disposal procedures
  • Vendor management section: List of third parties touching client data, with contract references and oversight documentation
  • Incident response plan: Step-by-step procedures including FTC notification within 30 days, IRS Stakeholder Liaison contact, client notification process, and forensic documentation requirements
  • Breach notification log: A place to record any incidents and the actions taken
  • Annual review log: Signature and date of each annual review, with a summary of changes made

If your current WISP is missing any of these sections, you have gaps that need to be addressed before the next filing season.

The Honest Reality: Most Firms Can’t Build This Alone

Writing a WISP isn’t legally complicated. The IRS even provides a template through Publication 5708. But filling it in accurately — in a way that reflects your actual infrastructure, your actual vendors, and your actual procedures — takes expertise most firm principals don’t have the time to develop while also running a practice.

The firms that have genuinely compliant WISPs almost always have one of two things: dedicated internal IT staff, or an outside partner who understands both accounting workflows and the regulatory requirements.

The firms that have a WISP on file but couldn’t defend it in an audit? They typically have a template with placeholder language, a filing date from two or three years ago, and no vendor names or specific controls documented.

How OneUp Networks Helps with Your WISP Compliance

Our job is to handle the technical infrastructure that goes into your WISP — and to help you document it accurately. Here’s what that means in practice:

We provide a hosting infrastructure summary, a document you can reference directly in your WISP that describes our encryption standards, MFA enforcement, backup schedule, SOC 2 Type II report status and coverage period, and incident notification procedures. This is the vendor documentation the FTC Safeguards Rule requires you to keep on file.

We can walk you through a free WISP readiness audit — a structured conversation where we review your current security posture, identify what’s documented, what’s missing, and what needs to change. This isn’t a sales call. It’s a practical compliance review.

We help you understand exactly what we log and what evidence is available to you — so when your WISP says “activity monitoring is in place,” you know exactly what you can produce if asked to prove it.

What we can’t do — and what no ethical cloud host should claim to do — is write the portions of your WISP that belong to your firm. Your risk assessment, your training program, your incident response contacts, your physical security policies — those are yours. We can help you understand what needs to go in them. We can point you to the right resources. But we can’t sign your name to them.

If you need help with those elements, we can connect you with qualified compliance consultants who specialize in CPA firm WISPs. That’s a service we think every firm working with us should have access to.

Frequently Asked Questions

Does my hosting provider’s SOC 2 certification count as my WISP?

No. A SOC 2 Type II report is an independent auditor’s attestation about your hosting provider’s controls over a stated period; it is not a certification, and it says nothing about your firm’s own program. It’s an important document to keep on file and reference in your WISP as evidence of vendor oversight. But it’s not a WISP. Your firm must have its own written information security plan, separate from any vendor report.

If my hosting provider manages backups, do I still have to document it?

Yes. The FTC Safeguards Rule requires you to document that the control exists, who performs it, how often it’s tested, and what your recovery objectives are. The fact that your hosting provider performs the backups needs to be written into your WISP’s technical safeguards section — including naming the provider and referencing your contract with them.

What happens if I have a breach and I don’t have a compliant WISP?

The absence of a WISP, or a WISP that doesn’t reflect your actual controls, works against you in both IRS and FTC investigations. Civil penalties of up to $51,744 per violation per day apply to FTC Safeguards Rule violations, with no cap on the total. Beyond regulatory penalties, your cyber insurance carrier may deny a claim if your documentation doesn’t demonstrate that the required controls were in place.

How often does my WISP need to be updated?

The IRS and FTC require a review at least annually, or whenever significant changes occur — in your technology, your staff, your services, or the regulatory environment. The FTC breach notification requirement that took effect in May 2024 is one example of a regulatory change that should have triggered a WISP update for every accounting firm. If your WISP predates that change, it needs to be updated.

Does the WISP requirement apply to my firm even if we’re small?

Yes. IRS Publication 4557 and the FTC Safeguards Rule apply to all tax preparers, regardless of firm size. There is no minimum client threshold or revenue exemption. A solo CPA preparing 50 returns per year is subject to the same WISP requirement as a 40-person firm.

What’s the difference between IRS Publication 4557 and the FTC Safeguards Rule?

They overlap significantly but come from different authorities. IRS Publication 4557 is IRS guidance specific to tax professionals and adds IRS-specific requirements like use of IRS e-Services and breach reporting via the SPOS portal. The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act that applies broadly to financial institutions — including tax preparers. Compliance with both is required for authorized e-file providers. In practice, a well-written WISP addresses both frameworks simultaneously.

Can my cloud host write my WISP for me?

No cloud host should write your WISP for you — that’s your firm’s legal obligation and requires knowledge of your specific operations, staff, physical environment, and risk profile. However, a good cloud host can provide the technical documentation you need to populate the infrastructure sections accurately while also helping you understand which controls the hosted environment already covers. For everything else, a qualified compliance consultant is typically the most appropriate resource.

The Bottom Line

If you take one thing from this article, let it be this: Moving to a secure, compliant cloud hosting environment is one of the most important things your CPA firm can do for data security. It handles your technical safeguards — the encryption, the backups, the MFA, the certified infrastructure. That’s substantial.

But your WISP is your firm’s written commitment to client data security. The IRS requires it. The FTC requires it. And if something ever goes wrong, it’s the document that either protects you or exposes you. No cloud host can own that for you.

The good news is that for firms already operating on a proper accounting cloud infrastructure — with real encrypted backups, MFA, and SOC 2 certification — the technical sections of a WISP become much easier to complete. In other words, the infrastructure already exists. You simply need to document it accurately, add the firm-specific components, and keep the plan current over time. That’s something we help our clients navigate every day.

Ready to Understand Exactly What Your Cloud Covers?

If you’re not sure whether your current WISP reflects your actual hosting environment — or if you don’t have a WISP yet — let’s start with a free WISP readiness audit.

In a 30-minute call, we’ll review your current setup, tell you exactly what infrastructure documentation OneUp Networks can provide, and identify what your firm still needs to address. No pressure, no sales pitch — just clarity on where you stand.

Schedule Your Free WISP Readiness Audit →

Or if you’d prefer to start with a live environment test, our 15-day free trial lets you run your QuickBooks, UltraTax, or CCH environment on our infrastructure before committing — so you can see the security controls in action, not just on paper.

Start Your Free 15-Day Trial →

OneUp Networks provides dedicated cloud hosting for CPA firms, tax preparers, and accounting practices. Our infrastructure is SOC 2 Type II certified, supports IRS Publication 4557 technical safeguards, and is staffed 24/7 by engineers who understand accounting software workflows. Questions about your firm’s compliance posture? Contact our team.


Tags: WISP for CPA firms, IRS Publication 4557, FTC Safeguards Rule, cloud hosting compliance, accounting firm data security, Written Information Security Plan, QuickBooks cloud hosting, UltraTax hosting, SOC 2 Type II, CPA cybersecurity, FTC breach notification, tax preparer data security, GLBA compliance, CPA firm WISP checklist

Arun Singh

Arun is a B2B technology and marketing professional with 2 years of experience creating content around cloud hosting, cybersecurity, virtual desktop infrastructure, and digital solutions for accounting and tax-focused businesses. At OneUp Networks, he focuses on simplifying complex hosting and IT topics for CPAs, accountants, tax professionals, and business owners who need secure, reliable, and performance-driven cloud environments.

His writing is shaped by real client challenges such as remote team access, QuickBooks hosting performance, data security, compliance concerns, server speed, backup reliability, and tax-season workload pressure. Arun works closely with industry insights, client requirements, and technical solution knowledge to create practical, easy-to-understand content that helps businesses make informed decisions about cloud hosting and managed IT services.

