IT Compliance Checklist
General IT Controls
The Written Information Security Plan is required for every paid preparer under IRS Publication 4557 and the FTC Safeguards Rule. Confirm the qualified individual is named, the data inventory is current, and the most recent risk assessment is attached. Document any partner or staff turnover that affects access ownership.
Pull user lists from UltraTax, Lacerte, ProConnect, QuickBooks Online, Xero, and the document portal (TaxDome, SmartVault, Liscio). Cross-check against the active employee roster — seasonal preparers and departed staff are the common gotchas. Revoke any account that no longer maps to a current role.
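An added example (not part of the checklist or any of the named products) of the roster cross-check: each system's exported logins are normalised and compared with a constructed HR roster in which seasonal and departed staff carry an end date, so a seasonal preparer whose contract has ended is flagged just like a terminated employee. The roster, the exports and the cut-off date are all constructed here.

```python
from datetime import date

# Constructed HR roster: login -> (role, end date or None while still employed).
ROSTER = {
    "jsmith@firm.example": ("partner", None),
    "mlee@firm.example": ("senior preparer", None),
    "tnguyen@firm.example": ("seasonal preparer", date(2025, 4, 20)),  # season over
    "rpatel@firm.example": ("staff accountant", date(2025, 1, 31)),    # departed
}

# Constructed per-system exports; real exports differ in casing and whitespace,
# which is why is_active() normalises the login before the lookup.
EXPORTS = {
    "UltraTax": ["JSmith@firm.example", "mlee@firm.example", "tnguyen@firm.example"],
    "QuickBooks Online": ["mlee@firm.example", " rpatel@firm.example"],
    "TaxDome": ["jsmith@firm.example", "mlee@firm.example", "admin@msp-vendor.example"],
}

def is_active(roster, login, today):
    """True only if the login belongs to someone still employed on `today`."""
    entry = roster.get(login.strip().lower())
    if entry is None:
        return False  # not on the roster at all: vendor, test, or forgotten account
    _, end = entry
    return end is None or end >= today

def orphaned_accounts(exports, roster, today):
    """Return {system: [login, ...]} for accounts that map to no current employee."""
    orphans = {}
    for system, logins in exports.items():
        stale = sorted(l.strip() for l in logins if not is_active(roster, l, today))
        if stale:
            orphans[system] = stale
    return orphans

if __name__ == "__main__":
    for system, logins in orphaned_accounts(EXPORTS, ROSTER, date(2025, 6, 1)).items():
        print(f"{system}: revoke {', '.join(logins)}")
```

Running it on 1 June 2025 flags the seasonal preparer in UltraTax, the departed accountant in QuickBooks Online and the MSP account in TaxDome; on 1 April the seasonal account is still legitimate and is not listed.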
For each control area — backups, encryption, MFA, patching, training — name a single owner. Firms with shared MSP/internal-IT arrangements often have controls assumed by both sides and executed by neither.
Data Protection and Privacy
Restore a sample workpaper, return file, and engagement folder from backup to a sandbox location and confirm the files open cleanly. Untested backups are a frequent finding in peer review and in IRS Pub 4557 self-assessments.
BitLocker on Windows, FileVault on Mac. Pull the report from your MDM (Intune, Jamf, Kandji, NinjaOne) and reconcile against the asset inventory. An unencrypted laptop holding client SSNs is a reportable breach in MA, NY, CA, and most other states the moment it leaves the office.
List the states where clients reside and where SSNs, financial-account numbers, or driver's-license numbers are stored. MA 201 CMR 17, NY SHIELD Act, CA CCPA, and TX BC §521 each have their own notification windows. Update the response matrix in the WISP appendix.
Network Security
Pull the active rule set from the firewall (Meraki, Fortinet, SonicWall) and confirm every allow rule still maps to a documented business need. Remove rules left over from old VPN tunnels, terminated cloud apps, or one-off vendor access.
Reconcile the EDR console (CrowdStrike, SentinelOne, Defender for Endpoint, Huntress) against the asset inventory. Any endpoint missing EDR is a Safeguards Rule deficiency and a likely audit finding.
Filter Microsoft 365 / Google Workspace sign-in logs for impossible travel, legacy-auth attempts, and MFA fatigue patterns. Cross-reference against the tax-software audit log for the same users — credential theft typically shows up in the email tenant first.
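An added example (not part of the checklist) of the three sign-in patterns this item names, run over constructed sample events in a simplified tuple shape rather than the real Microsoft 365 / Entra export schema; the legacy-client names are the labels those logs use, while the speed threshold, the fatigue window and the prompt count are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Client-app labels in Entra sign-in logs that mean a protocol unable to carry an MFA challenge.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MAX_SPEED_KMH = 900      # faster than an airliner between two sign-ins => impossible travel
FATIGUE_WINDOW_S = 600   # 10-minute window for counting refused MFA prompts
FATIGUE_THRESHOLD = 5    # this many refused prompts in the window => MFA fatigue pattern

# Constructed sample events (simplified, not the real export schema):
# (user, ISO-8601 UTC time, client app, latitude, longitude, mfa result: ok | denied | none)
EVENTS = [
    ("jsmith@firm.example", "2025-02-10T08:02:00", "Browser", 42.36, -71.06, "ok"),
    ("jsmith@firm.example", "2025-02-10T08:40:00", "Browser", 52.52, 13.41, "ok"),  # Boston -> Berlin, 38 min
    ("jsmith@firm.example", "2025-02-10T09:10:00", "IMAP4", 52.52, 13.41, "none"),   # legacy protocol
    ("mlee@firm.example", "2025-02-10T22:00:00", "Mobile Apps and Desktop clients", 40.71, -74.01, "denied"),
    ("mlee@firm.example", "2025-02-10T22:01:30", "Mobile Apps and Desktop clients", 40.71, -74.01, "denied"),
    ("mlee@firm.example", "2025-02-10T22:03:00", "Mobile Apps and Desktop clients", 40.71, -74.01, "denied"),
    ("mlee@firm.example", "2025-02-10T22:04:10", "Mobile Apps and Desktop clients", 40.71, -74.01, "denied"),
    ("mlee@firm.example", "2025-02-10T22:06:00", "Mobile Apps and Desktop clients", 40.71, -74.01, "denied"),
    ("pgarcia@firm.example", "2025-02-10T09:00:00", "Browser", 41.88, -87.63, "ok"),  # normal sign-in
]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def analyze(events):  # returns (user, finding, time) tuples for the three patterns
    by_user = defaultdict(list)
    for user, ts, app, lat, lon, mfa in events:
        by_user[user].append((datetime.fromisoformat(ts), app, lat, lon, mfa))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        # Impossible travel: consecutive sign-ins whose implied speed exceeds MAX_SPEED_KMH.
        for (t0, _, la0, lo0, _), (t1, _, la1, lo1, _) in zip(evs, evs[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            if haversine_km(la0, lo0, la1, lo1) > MAX_SPEED_KMH * hours:
                findings.append((user, "impossible_travel", t1.isoformat()))
        # Legacy authentication: any sign-in over a protocol in LEGACY_CLIENTS.
        findings += [(user, "legacy_auth", t.isoformat()) for t, app, _, _, _ in evs if app in LEGACY_CLIENTS]
        # MFA fatigue: a burst of refused prompts inside a sliding window, reported once per user.
        denied = [t for t, _, _, _, mfa in evs if mfa == "denied"]
        for i, start in enumerate(denied):
            if sum((t - start).total_seconds() <= FATIGUE_WINDOW_S for t in denied[i:]) >= FATIGUE_THRESHOLD:
                findings.append((user, "mfa_fatigue", start.isoformat()))
                break
    return findings
```

Each finding names the user to look up next in the tax-software audit log, which is the cross-reference the checklist item calls for.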
Incident Response and Management
Confirm the IRS Stakeholder Liaison contact, the state CPA-board notification path, the cyber-insurance carrier hotline, and outside counsel are current. Pub 4557 requires a defined data-theft reporting procedure.
Walk a realistic scenario — a preparer's M365 account is compromised mid-tax-season and 200 client returns are downloaded. Time the response: who calls the carrier, who notifies clients, who files the FTC Safeguards Rule notification when 500+ consumers are affected.
A reportable incident under the FTC Safeguards Rule is unauthorized acquisition of unencrypted customer information affecting 500 or more consumers — notification to the FTC is due within 30 days. State thresholds may be lower. If unsure, treat the incident as reportable and consult counsel.
Notification windows: FTC (30 days, 500+ consumers), MA (as soon as practicable), NY SHIELD (most expedient time possible), CA (most expedient, no unreasonable delay). Coordinate with cyber counsel before sending — premature notice can create liability. File Form 14039-B with the IRS for tax-related identity theft.
Physical Security
Pull badge or keypad logs and reconcile against the active staff list. After-hours entries and weekend access by non-partners deserve a second look — especially during tax season when seasonal staff hold credentials.
Walk the office after hours. Tax organizers, K-1s, W-2s, and prior-year returns left on desks are the most common Safeguards Rule finding in small-firm walkthroughs. Confirm shred bins are locked and pickup logs are current.
Confirm temperature and humidity readings, UPS battery health, and that the smoke/water sensors are reporting. Even cloud-first firms still have an on-prem NAS or scanner that holds client data.
Vendor Management
Request the latest SOC 2 Type II from Thomson Reuters, Intuit, Karbon, TaxDome, SmartVault, Bill.com, Gusto, and any cloud GL provider. Read the complementary user entity controls (CUECs) — those are the controls the firm must implement on its end for the vendor's certification to apply.
Confirm the Data Processing Addendum names the firm as controller, requires breach notification within 72 hours, and prohibits use of client data to train AI models. The last clause is new in 2024-2025 and not present in older contracts.
Rate each vendor on data sensitivity (PII / PHI / financial), volume, and replaceability. Anything tier-1 (tax software, document portal, payroll) gets annual review; tier-3 vendors (single-user SaaS) every two years.
Compliance with Industry Standards
Walk the Pub 4557 'Safeguarding Taxpayer Data' checklist line by line — PTIN-holder responsibilities, vendor due diligence, access controls, monitoring, employee training. Document gaps with remediation owners and dates.
The amended Safeguards Rule (effective June 2023) requires nine specific elements: qualified individual, risk assessment, access controls, asset inventory, encryption, secure development, MFA, disposal procedures, and an incident response plan. Map each to a current artifact.
If the firm accepts card payment for fees through Stripe, QuickBooks Payments, or CPACharge in a way that keeps the card data outside the firm's environment, scope is usually SAQ A. Direct card entry on a firm device pushes scope to SAQ B or higher.
Identify the correct SAQ (A, A-EP, B, B-IP, C, or D) based on how cards are accepted. Sign and retain the SAQ; merchant banks request it on demand and during annual attestation cycles.
Employee Training and Awareness
KnowBe4, Hoxhunt, or Curricula are common platforms. Required topics under Pub 4557 and Safeguards: phishing, BEC against partners requesting wire transfers, secure handling of W-2s and SSNs, and incident reporting. Seasonal preparers must complete training before they touch a return.
Use a current-season lure — fake DocuSign of an engagement letter, a spoofed client portal login, an urgent K-1 request from the partner. Click rates above 10% trigger a remedial training round before tax season.
Export the completion roster from the training platform and store it in the WISP evidence folder. Auditors and cyber-insurance underwriters both ask for this; partial completion creates an exclusion in some carrier policies.
Change Management
UltraTax, Lacerte, and ProConnect each push mid-season updates that affect calculations and e-file. Record version numbers, date applied, and who validated a known-good return after the update — silent regressions are the operational risk.
QuickBooks Desktop major-version upgrades, NetSuite quarterly releases, and Sage Intacct upgrades can change permission models and API tokens. Re-validate role-based access after every release.
Even a small firm benefits from a 15-minute weekly CAB during off-season and a freeze during active filing windows (Mar 1–Mar 15, Apr 1–Apr 15). Document the approver and the rollback plan for every change.
Audit and Sign-Off
Tax software audit logs, M365 unified audit log, document-portal access logs, and GL change logs should all be enabled and retained for at least 12 months. Default retention in M365 is 180 days unless an upgraded SKU is in place.
Sample-test one control in each domain — pick a recent terminated employee and trace de-provisioning across all systems, pick a recent change and trace the approval, pick a recent client onboarding and trace the document-portal invitation. Document evidence in the workpaper.
Managing partner and qualified individual sign jointly. Outstanding findings carry to the next quarter's risk register with named owners and dates. This sign-off is required as evidence for the annual report the Safeguards Rule mandates.
Use this template in Manifestly