Data Backup and Recovery Checklist
Backup Strategy and WISP Alignment
List every system that holds client data — tax prep (UltraTax, Lacerte, ProSystem fx, Drake), GL (QuickBooks Online, Xero, Sage Intacct), document management (SmartVault, TaxDome, ShareFile, Liscio), and payroll (Gusto, ADP, Paychex). Note where each stores SSNs, EINs, and bank account numbers; this classification drives the WISP and the encryption requirements downstream.
IRS Publication 4557 and the FTC Safeguards Rule require paid preparers to retain and protect client records. Most firms hold 7 years for federal returns and longer for fixed-asset basis schedules and shareholder basis (Form 7203). Cross-check state-board retention rules and any engagement-letter commitments before setting expiration policies.
RPO (recovery point objective) caps tolerable data loss; RTO (recovery time objective) caps tolerable downtime. During tax season, tax-software RPO/RTO should be tighter (1 hour / 4 hours) than off-season. Document targets per system so the backup schedule is driven by a number, not a guess.
Pick the mix per system: full weekly plus incremental nightly is common for GL data; image-level backups protect tax workstations against ransomware. Cloud-only is cheaper but check egress costs and confirm the provider's SOC 2 Type II coverage period before committing client data.
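The per-system RPO targets from this section can be checked automatically against the timestamp of each system's latest backup. The Python below is an added example, not part of the original checklist; only the tax-season 1 hour / 4 hours figure for tax software comes from the text, while the season dates, the other targets, and the sample catalog are assumptions.

```python
from datetime import datetime, timedelta

# (RPO, RTO) per system. Only the tax-season tax-software pair is from the
# checklist; every other value is an assumed placeholder to replace.
TARGETS = {
    "tax": {"season": (timedelta(hours=1), timedelta(hours=4)),
            "off": (timedelta(hours=24), timedelta(hours=48))},
    "gl": {"season": (timedelta(hours=24), timedelta(hours=24)),
           "off": (timedelta(hours=24), timedelta(hours=48))},
}

def in_tax_season(now):
    # Assumption: tax season runs January 1 through April 15.
    return (now.month, now.day) <= (4, 15)

def rpo_report(latest_backups, now):
    """Return {system: (status, age, rpo)}.

    status is OK, BREACH (latest backup older than the RPO), MISSING (no
    backup on record) or BAD_TIMESTAMP (backup dated in the future).
    """
    key = "season" if in_tax_season(now) else "off"
    report = {}
    for system, targets in TARGETS.items():
        rpo = targets[key][0]
        last = latest_backups.get(system)
        if last is None:
            report[system] = ("MISSING", None, rpo)
        elif last > now:
            report[system] = ("BAD_TIMESTAMP", None, rpo)
        else:
            age = now - last
            report[system] = ("OK" if age <= rpo else "BREACH", age, rpo)
    return report

# Constructed sample: time of the most recent successful backup per system.
SAMPLE = {"tax": datetime(2025, 3, 1, 9, 0), "gl": datetime(2025, 2, 28, 23, 0)}

if __name__ == "__main__":
    now = datetime(2025, 3, 1, 11, 30)
    for system, (status, age, rpo) in rpo_report(SAMPLE, now).items():
        print(f"{system:4} {status:14} age={age} rpo={rpo}")
```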
Backup Execution and Verification
Configure tax and GL platforms for off-hours backup. UltraTax and Lacerte have built-in backup utilities; QBO Advanced has native backup, but lower tiers do not. For QuickBooks Desktop, schedule QBB backups outside business hours and confirm they aren't blocked by company-file locks left open by overnight users.
Pull a random recent backup and restore it to a sandbox. A backup that runs nightly without errors but can't restore is the most common DR failure mode — corrupt files, missing media, expired credentials. Log the test result before moving on.
Tag backups by client engagement (or firm-wide system), period (monthly close, quarterly, year-end), and retention class. During an IRS examination or a client audit response, you need to pull a specific period's backup quickly — not scroll through 400 unlabeled archive files.
Off-Site Storage and Encryption
Use AES-256 at rest and TLS 1.2+ in transit. The FTC Safeguards Rule requires encryption of customer information, and state laws (MA 201 CMR 17.00, NY SHIELD Act, TX BC §521) layer additional standards on top. Store keys in a separate vault from the backup itself — encryption is meaningless if the key sits next to the ciphertext.
Off-site means a different metro area or cloud region — a NAS in the same building as the office is not off-site. Common patterns are AWS S3 cross-region replication, Backblaze B2 with geographic redundancy, or a paid Datto/Axcient image-replication service.
Request the provider's most recent SOC 2 Type II. Check the coverage period (must not be expired), the trust services criteria included (Security at minimum; Confidentiality if you store returns), and any qualified opinions or carve-outs of subservice organizations. File the report with the WISP supporting documentation.
Disaster Recovery Planning
Write a per-system runbook: how to restore UltraTax client files from backup, how to recover a QBO company from a backup, how to rehydrate a SmartVault portal. Reference exact menu paths; keep credentials in the password vault and reference the vault entry, never the password itself.
Name a recovery coordinator (usually the managing partner or IT director), a tax software lead, a GL/bookkeeping lead, and a client communications lead. During tax season the coordinator role should rotate to a backup if the managing partner is mid-return on April 14.
Walk the team through a realistic incident — ransomware on a tax workstation March 1, or a flooded server closet April 10. Time how long each role takes to execute their part of the runbook. Capture gaps so they can be fixed before the live test or the next tax season.
A tabletop is cheaper but doesn't catch corrupted backups, expired service-account credentials, or broken integrations. Plan a live restore at least annually, or after any major system upgrade or vendor change. Mark Yes to trigger the live-restore steps; otherwise the tabletop is this quarter's test of record.
Recovery Execution
Spin up an isolated VM or cloud sandbox. Restore the most recent backup of the largest tax-software dataset and confirm clients open without error. Never test against production — a botched restore can overwrite live engagement data mid-season.
Reconcile a sample of restored returns or trial balances against production. For tax data, compare e-file confirmations and refund amounts on three sampled returns; for GL data, compare trial balance totals at a known prior month-end. Attach the validation workpaper.
Record wall-clock time from restore start to validated data — that's your real RTO, not the planned one. Note gaps: missing backups, expired service-account passwords, broken third-party integrations (bank feeds, Avalara connector). Feed the gap list into the WISP update step.
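The sandbox restore test, the validation step, and the wall-clock RTO measurement can be backed by a file-level integrity check. The Python below is an added example, not part of the original checklist: it compares a restored tree against a SHA-256 manifest recorded at backup time and reports missing files, corrupt files, and whether the measured restore time met the RTO. The directory layout, file names, and timings are constructed for the demonstration.

```python
import hashlib, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; record at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(manifest, restored_root, started_at, rto_seconds, finished_at=None):
    """Check a sandbox restore against the manifest and the RTO target."""
    restored = build_manifest(restored_root)
    missing = sorted(manifest.keys() - restored.keys())
    corrupt = sorted(p for p in manifest.keys() & restored.keys()
                     if manifest[p] != restored[p])
    elapsed = (finished_at if finished_at is not None else time.time()) - started_at
    return {"missing": missing, "corrupt": corrupt,
            "elapsed_seconds": elapsed, "rto_met": elapsed <= rto_seconds,
            "passed": not missing and not corrupt and elapsed <= rto_seconds}

def demo():
    """Constructed data: three client files, one lost and one truncated on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "production"), Path(tmp, "sandbox")
        for d in (src, dst):
            (d / "clients").mkdir(parents=True)
        files = {"clients/a.dat": b"return A", "clients/b.dat": b"return B",
                 "tb.csv": b"cash,100\n"}
        for name, data in files.items():
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "clients/a.dat").write_bytes(b"return A")   # restored intact
        (dst / "clients/b.dat").write_bytes(b"retu")       # truncated in the backup
        # tb.csv never came back from the backup media.
        # Restore started at t=0 and was validated at t=5h, against a 4h RTO.
        return verify_restore(manifest, dst, 0, 4 * 3600, finished_at=5 * 3600)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup set it describes, so that damage to the backup cannot also alter the record it is checked against.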
Post-Recovery Review
For a tabletop or test, identify what would have failed in a real incident. For an actual incident, run a 5-Whys against the failure mode. Keep the review no-blame so staff surface the real causes — it's the only way the WISP improves.
State breach-notification laws (MA 93H, NY SHIELD, CA CCPA, TX BC §521 — roughly all 50 states) trigger when client PII is accessed without authorization. Even if the backup itself wasn't breached, a recovered system that was compromised pre-backup may have already exposed SSNs. Consult counsel before deciding.
Send notice within the state-specific window — typically 30 to 60 days from discovery. Include what data was affected, when, and remediation offered (credit monitoring is standard for SSN exposure). Many states also require notice to the state Attorney General and the three consumer reporting agencies above defined thresholds.
Revise the WISP to reflect any changes in systems, vendors, or controls discovered during the test. IRS Pub 5708 expects the WISP to be a living document, reviewed at least annually. File the updated version with firm compliance records and re-train staff on any changed procedures.
