In today’s digital-first world, accounting and finance professionals face unprecedented risks from cyber threats and regulatory scrutiny. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, every CPA and tax practitioner in the United States who handles client financial data must maintain a Written Information Security Plan (WISP), and the IRS requires PTIN holders to confirm they are meeting that obligation. FTC enforcement can bring penalties of up to $50,000 per violation, and the average cost of a data breach in the financial sector reached $5.85 million in 2024, which underlines the need for robust, documented information security policies. This comprehensive guide breaks down the essentials of a WISP, offers a pre-filled questionnaire tailored for CPAs and accounting firms, and provides practical examples and real-world facts to help your firm build trust with auditors and clients alike.
What Is a WISP? (Written Information Security Plan) – Explained
A Written Information Security Plan (WISP) is a formal document that outlines how your firm protects client data, manages security risks, and complies with legal requirements such as the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. For accountants and accounting firms, a WISP is not just a best practice—it’s a legal mandate.
Key Purposes of a WISP:
- Regulatory Compliance: Satisfies IRS, FTC, and GLBA requirements.
- Client Trust: Demonstrates your commitment to safeguarding confidential information.
- Risk Management: Reduces the likelihood and impact of data breaches.
- Audit Readiness: Provides clear evidence of security protocols for auditors.
Why CPAs and Accounting Firms Must Prioritize WISP
- Mandatory for All Tax Preparers: The FTC Safeguards Rule has required tax preparers to keep a written information security program since 2003, and since the 2019 renewal cycle every PTIN holder must confirm awareness of that obligation when renewing.
- Rising Cyber Threats: Verizon’s Data Breach Investigations Report attributes the majority of breaches to the human element (68% in the 2024 report), making employee training and documented procedures critical.
- Severe Penalties: Non-compliance can lead to FTC penalties of up to $50,000 per violation, plus reputational damage that is hard to recover from.
- Client Expectations: Over 70% of clients now ask about data security practices before engaging a CPA, according to a 2024 Gartner survey.
Core Components of a WISP for CPA Firms
WISP Section | Description | Example/Best Practice |
---|---|---|
Objectives, Purpose, Scope | Defines what the WISP covers and why it exists | “Protect all client PII and comply with GLBA” |
Designated Security Officer | Names the Data Security Coordinator (DSC) and Public Information Officer (PIO) | Assign a partner as DSC, office manager as PIO |
Risk Assessment | Identifies and evaluates risks to client data | Annual review of threats, vulnerabilities, and controls |
Hardware Inventory | Lists all devices handling sensitive data | Laptops, servers, cloud apps, printers |
Safety Measures | Details policies for data retention, access, encryption, and employee conduct | Password policies, MFA, shredding documents |
Incident Response | Outlines steps for responding to data breaches | Notification plan, containment steps |
Employee Training | Documents regular security training and awareness programs | Annual staff security workshops |
Third-Party Oversight | Ensures vendors comply with your security standards | Require vendors to sign data protection agreements |
Implementation Clause | Statement of compliance, signed by firm leadership | Dated and signed by owner and DSC |
Example: Pre-Filled WISP/IT Questionnaire for CPAs
Below is a sample, research-based WISP/IT questionnaire designed for CPAs to present to auditors. This WISP template aligns with IRS Publication 5708 and FTC Safeguards Rule requirements.
Section 1: Firm Information
Field | Example Entry |
---|---|
Firm Name | ABC Tax & Accounting, LLC |
Data Security Coordinator | Jane Smith, CPA (Partner) |
Public Information Officer | John Doe (Office Manager) |
Date of Last Review | 2025-06-01 |
Section 2: Objectives, Purpose, and Scope
- Objective: To ensure the security and confidentiality of all client Personally Identifiable Information (PII) in compliance with GLBA and FTC Safeguards Rule.
- Purpose: Protect client data from unauthorized access, loss, or disclosure.
- Scope: Applies to all employees, contractors, devices, and data-handling processes.
Section 3: Risk Assessment
Question | Example Answer |
---|---|
What types of sensitive data does your firm handle? | Tax returns, SSNs, bank info |
How often do you assess data security risks? | Annually, or after major incidents |
What are your top 3 data security threats? | Phishing, unauthorized access, loss of devices |
Section 4: Hardware & Systems Inventory
Device/Asset | Location | Data Stored | Security Measures |
---|---|---|---|
Laptop 1 (Jane) | Office | Tax returns, emails | Full-disk encryption, MFA |
Cloud Storage | AWS Cloud | Client documents | Encrypted at rest, access logs |
Printer | Reception | Print jobs | Secure print release |
Section 5: Safety Measures & Policies
Policy Area | Description/Implementation |
---|---|
Data Retention | Retain tax files for 7 years, then shred/delete |
Access Control | Role-based permissions, unique logins, MFA |
Employee Training | Annual security training, phishing simulations |
Incident Response | Documented plan: notify the DSC immediately, report data theft to the IRS Stakeholder Liaison without delay, notify the FTC within 30 days of discovery when 500 or more clients are affected, and notify affected clients as state breach-notification laws require |
Vendor Management | Contracts require compliance with WISP standards |
Section 6: Incident Response & Reporting
- Incident Response Plan: In case of a breach, immediately contain the threat, notify the DSC, preserve logs and other evidence, inform affected clients, report the incident to the IRS Stakeholder Liaison without delay, and file the FTC Safeguards Rule notification within 30 days of discovery when 500 or more consumers are affected. State breach-notification laws may impose their own deadlines for client and attorney-general notices.
- Insurance: Maintain cyber liability insurance.
Section 7: Employee Acknowledgement
- All employees have received, read, and signed the WISP.
- Training records are maintained and updated annually.
Section 8: Implementation Clause
“This Written Information Security Plan is implemented as of [date], in compliance with the Gramm-Leach-Bliley Act and FTC Safeguards Rule. Signed by: [Principal/Owner] and [DSC].”
Sample Table: WISP vs. No WISP – Impact on CPA Firms
Factor | With WISP in Place | Without WISP |
---|---|---|
Regulatory Compliance | Full compliance, no fines | Risk of $50,000+ fines per incident |
Client Trust | High, proven security protocols | Low, clients may leave |
Data Breach Response | Rapid, documented, effective | Chaotic, slow, higher losses |
Audit Readiness | Ready with documentation | Unprepared, risk of audit failure |
Insurance Premiums | Lower, due to risk mitigation | Higher, due to increased risk |
Frequently Asked Questions (FAQ)
Is a WISP required for every accounting firm?
Yes. The FTC Safeguards Rule requires every accounting and tax firm, including sole practitioners, to maintain a WISP, and the IRS requires PTIN holders to confirm they comply.
What happens if my firm does not have a WISP?
Non-compliance can result in fines of up to $50,000 per violation, loss of client trust, and potential legal action.
How often should a WISP be reviewed?
At least annually, and after any major incident or business change.
What is the leading cause of data breaches?
Human error, especially falling for phishing and using weak passwords, is a factor in the majority of breaches, so training and documented procedures matter as much as technology.
Can I use a WISP template?
Templates are a good starting point, but your WISP must be tailored to your accounting firm’s unique risks, systems, and processes.
Conclusion: Secure Your Practice, Build Trust, and Stay Compliant
Implementing a robust, pre-filled WISP for your accounting firm is not just about checking a compliance box—it’s about protecting your clients, your reputation, and your business’s future. By proactively addressing information security, your firm demonstrates leadership, builds trust, and stands out in a competitive marketplace. Use the pre-filled questionnaire above as a foundation, and customize it to your firm’s needs for maximum impact.
Ready to take the next step?
Download a customizable WISP template and start protecting your firm today.