IT Compliance Checklist

The Written Information Security Plan is required for every paid preparer under IRS Publication 4557 and the FTC Safeguards Rule. Confirm the qualified individual is named, the data inventory is current, and the most recent risk assessment is attached. Document any partner or staff turnover that affects access ownership.

Pull user lists from UltraTax, Lacerte, ProConnect, QuickBooks Online, Xero, and the document portal (TaxDome, SmartVault, Liscio). Cross-check against the active employee roster — seasonal preparers and departed staff are the common gotchas. Revoke any account that no longer maps to a current role.

Restore a sample workpaper, return file, and engagement folder from backup to a sandbox location and confirm the files open cleanly. Untested backups are a frequent finding in peer review and in IRS Pub 4557 self-assessments.

BitLocker on Windows, FileVault on Mac. Pull the report from your MDM (Intune, Jamf, Kandji, NinjaOne) and reconcile against the asset inventory. An unencrypted laptop holding client SSNs is a reportable breach in MA, NY, CA, and most other states the moment it leaves the office.

Pull the active rule set from the firewall (Meraki, Fortinet, SonicWall) and confirm every allow rule still maps to a documented business need. Remove rules left over from old VPN tunnels, terminated cloud apps, or one-off vendor access.

Reconcile the EDR console (CrowdStrike, SentinelOne, Defender for Endpoint, Huntress) against the asset inventory. Any endpoint missing EDR is a Safeguards Rule deficiency and a likely audit finding.

Confirm the IRS Stakeholder Liaison contact, the state CPA-board notification path, the cyber-insurance carrier hotline, and outside counsel are current. Pub 4557 requires a defined data-theft reporting procedure.

Walk a realistic scenario — a preparer's M365 account is compromised mid-tax-season and 200 client returns are downloaded. Time the response: who calls the carrier, who notifies clients, who files the FTC Safeguards Rule notification when 500+ consumers are affected.

A reportable incident under the FTC Safeguards Rule is unauthorized acquisition of unencrypted customer information affecting 500 or more consumers — notification to the FTC is due within 30 days. State thresholds may be lower. If unsure, default to Yes and consult counsel.

Pull badge or keypad logs and reconcile against the active staff list. After-hours entries and weekend access by non-partners deserve a second look — especially during tax season when seasonal staff hold credentials.

Walk the office after hours. Tax organizers, K-1s, W-2s, and prior-year returns left on desks are the most common Safeguards Rule finding in small-firm walkthroughs. Confirm shred bins are locked and pickup logs are current.

Request the latest SOC 2 Type II from Thomson Reuters, Intuit, Karbon, TaxDome, SmartVault, Bill.com, Gusto, and any cloud GL provider. Read the complementary user entity controls (CUECs) — those are the controls the firm must implement on its end for the vendor's certification to apply.

Confirm the Data Processing Addendum names the firm as controller, requires breach notification within 72 hours, and prohibits use of client data to train AI models. The last clause is new in 2024-2025 and not present in older contracts.

Walk the Pub 4557 'Safeguarding Taxpayer Data' checklist line by line — PTIN-holder responsibilities, vendor due diligence, access controls, monitoring, employee training. Document gaps with remediation owners and dates.

The amended Safeguards Rule (effective June 2023) requires nine specific elements: qualified individual, risk assessment, access controls, asset inventory, encryption, secure development, MFA, disposal procedures, and an incident response plan. Map each to a current artifact.

If the firm accepts card payment for fees through Stripe, QuickBooks Payments, or CPACharge in a way that keeps the card data outside the firm's environment, scope is usually SAQ A. Direct card entry on a firm device pushes scope to SAQ B or higher.

KnowBe4, Hoxhunt, or Curricula are common platforms. Required topics under Pub 4557 and Safeguards: phishing, BEC against partners requesting wire transfers, secure handling of W-2s and SSNs, and incident reporting. Seasonal preparers must complete training before they touch a return.

Use a current-season lure — fake DocuSign of an engagement letter, a spoofed client portal login, an urgent K-1 request from the partner. Click rates above 10% trigger a remedial training round before tax season.

UltraTax, Lacerte, and ProConnect each push mid-season updates that affect calculations and e-file. Record version numbers, date applied, and who validated a known-good return after the update — silent regressions are the operational risk.

QuickBooks Desktop major-version upgrades, NetSuite quarterly releases, and Sage Intacct upgrades can change permission models and API tokens. Re-validate role-based access after every release.

Tax software audit logs, M365 unified audit log, document-portal access logs, and GL change logs should all be enabled and retained for at least 12 months. Default retention in M365 is 180 days unless an upgraded SKU is in place.

Sample-test one control in each domain — pick a recent terminated employee and trace de-provisioning across all systems, pick a recent change and trace the approval, pick a recent client onboarding and trace the document-portal invitation. Document evidence in the workpaper.