IT Security Audit Checklist
Network Security
Pull the current firewall ruleset and confirm only required ports are open to the internet — typically 443 outbound for client-portal sync and the VPN concentrator. Flag any legacy 'any/any' rules from prior tax seasons; they are the most common finding in a peer review.
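One way to do that ruleset review mechanically, as an added example that is not part of the checklist: the CSV shape, the sample rules and the VPN concentrator listening on udp/1194 are all constructed assumptions, so a real vendor export needs its own parser and its own allow-list.

```python
# Added example (not from the checklist): review a firewall ruleset export for
# internet-exposed rules. The CSV shape and the rules below are constructed;
# a real vendor export will need its own parser.
import csv
from io import StringIO

# Constructed sample ruleset: name,direction,src,dst,proto,port,action
RULESET = """\
name,direction,src,dst,proto,port,action
allow-portal-sync,outbound,lan,any,tcp,443,allow
allow-vpn,inbound,any,vpn-concentrator,udp,1194,allow
legacy-2021-season,inbound,any,any,any,any,allow
rdp-temp,inbound,any,10.0.0.15,tcp,3389,allow
deny-all,inbound,any,any,any,any,deny
"""

# Internet-facing exposure the checklist expects: 443 outbound for portal sync and
# the VPN concentrator. The VPN listening on udp/1194 is an assumption for this sample.
ALLOWED_INTERNET = {("outbound", "tcp", "443"), ("inbound", "udp", "1194")}

def parse_rules(text):
    """Parse the CSV export into a list of dicts, one per rule."""
    return list(csv.DictReader(StringIO(text)))

def touches_internet(rule):
    """A rule is internet-facing if either endpoint is unrestricted."""
    return rule["src"] == "any" or rule["dst"] == "any"

def review_rules(rules):
    """Return (rule name, finding) for every allow rule that needs an exception or removal."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules are not exposure
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["name"], "any/any allow rule"))
        elif touches_internet(r) and (r["direction"], r["proto"], r["port"]) not in ALLOWED_INTERNET:
            findings.append((r["name"], f"unexpected internet-exposed {r['proto']}/{r['port']} {r['direction']}"))
    return findings

if __name__ == "__main__":
    for name, finding in review_rules(parse_rules(RULESET)):
        print(f"{name}: {finding}")
```

Each finding either gets remediated before the rescan or goes into the written-exception log with an owner and a date.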
Confirm every network device runs current firmware. Vendor-issued CVEs from the last 12 months are the priority; document any device left at an older version with a written exception and a planned replacement date.
Use Nessus, Qualys, or Rapid7 against your published static IPs and any cloud assets in scope. Save the full report to the audit folder; the WISP requires retained scan evidence for the IRS Pub 4557 self-assessment.
Patch, reconfigure, or compensate for every critical and high finding from the scan. Re-scan after remediation and attach the clean report; partial remediation needs a written exception with the responsible owner and a target date.
Access Control
Pull the active user list from UltraTax, Lacerte, ProConnect, or Drake; from QuickBooks Online and any client GL access; and from the client portal (TaxDome, SmartVault, Liscio). Match against the current staff roster — orphaned PTIN-bearing accounts are a common finding.
The FTC Safeguards Rule requires MFA on any system holding customer information, which for an accounting firm includes M365 / Google Workspace, the tax engine, the GL, the portal, and remote access. App-based authenticators or hardware keys only — SMS does not satisfy the requirement.
Set conditional access to require MFA at next sign-on for every gap identified. Coordinate with partners before flipping the switch on shared service accounts so a tax-season filing flow is not interrupted.
Cross-check HR's termination list against every system from the prior step. Seasonal preparers from last filing season are the usual stragglers — their tax-software logins, portal accounts, and shared-mailbox delegations all need to be removed.
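The roster match, the MFA gap list and the termination cross-check above can be driven from the same exports. The script below is an added example, not the checklist's or Manifestly's own tooling; the roster, the per-system exports and their CSV columns are constructed, so the real exports from M365, UltraTax and TaxDome will need their column names mapped.

```python
# Added example (not from the checklist): reconcile per-system account exports
# against the HR roster to find orphaned accounts, accounts of terminated staff,
# and MFA gaps. The roster, the exports and their CSV shape are constructed.
import csv
from io import StringIO

# Constructed HR roster: status is active or terminated
ROSTER = """\
email,status,term_date
jsmith@firm.example,active,
mlee@firm.example,terminated,2024-04-20
rpatel@firm.example,active,
"""

# Constructed per-system exports; mfa_methods is ';'-separated, empty means none registered
ACCOUNTS = """\
system,email,mfa_methods
M365,jsmith@firm.example,authenticator
M365,mlee@firm.example,sms
M365,rpatel@firm.example,sms
UltraTax,jsmith@firm.example,
UltraTax,tjones@firm.example,
TaxDome,mlee@firm.example,authenticator
TaxDome,rpatel@firm.example,fido2
"""

# Methods the checklist accepts: app-based authenticator or hardware key; SMS does not count.
STRONG_MFA = {"authenticator", "fido2"}

def load_csv(text):
    return list(csv.DictReader(StringIO(text)))

def reconcile(roster_rows, account_rows):
    """Return (system, email, finding) for every account that needs action."""
    roster = {r["email"].lower(): r["status"] for r in roster_rows}
    findings = []
    for a in account_rows:
        email = a["email"].lower()
        methods = {m for m in a["mfa_methods"].split(";") if m}
        status = roster.get(email)
        if status is None:
            findings.append((a["system"], email, "orphaned: not on HR roster"))
        elif status == "terminated":
            findings.append((a["system"], email, "terminated: account still active"))
        elif not methods & STRONG_MFA:
            findings.append((a["system"], email, "MFA gap: no authenticator app or hardware key"))
    return findings

def by_kind(findings):
    """Group findings by kind (text before the colon) for the audit write-up."""
    out = {}
    for system, email, finding in findings:
        out.setdefault(finding.split(":")[0], []).append((system, email))
    return out
```

Orphaned and terminated accounts are removed first; the MFA-gap list is what feeds the conditional-access change from the previous step.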
Client Data Protection
Verify BitLocker (Windows) or FileVault (Mac) is enabled and keys are escrowed in your MDM. An unencrypted laptop with a single client's SSN triggers state breach-notification obligations in MA, NY, CA, TX, and most others.
Test the upload flow end to end on TaxDome, SmartVault, ShareFile, or Liscio. Confirm TLS 1.2 or higher and that any legacy email-attachment workflow for source documents has been retired in favor of the portal.
Restore a sample of last week's UltraTax / Lacerte data files and a QBO company file to a sandbox. A backup that has never been restored is not a backup; this is the single most common finding during a ransomware tabletop.
If the restore failed, open a P1 with the vendor and pause any planned data-rotation that would overwrite recoverable backups. Notify the managing partner; do not close this audit until restore is verified clean.
Confirm the firm's retention policy — typically 7 years for income-tax workpapers and copies of returns — and that purge automation actually fires on the right schedule. Indefinite retention is its own breach risk.
Incident Response and Reporting
Walk the partner-in-charge through the response playbook — detection, containment, eradication, recovery, notification. Confirm the IRS Stakeholder Liaison phone number for the firm's region is current; reporting a data theft to the IRS is a Pub 4557 obligation.
Use KnowBe4, Hoxhunt, or your M365 Attack Simulation tooling. Lures should mirror real tax-season pressure: fake e-file rejections, fake client K-1 attachments, fake e-Services password resets. Track click rate and route repeat clickers to remediation training.
List every state where the firm has clients with PII and the corresponding notification clock — MA is 'as soon as practicable', CA is no later than 60 days, NY SHIELD requires 'in the most expedient time'. The clock starts on discovery, not confirmation.
Compliance and Risk Management
Refresh the Written Information Security Plan against the current Pub 4557 and Pub 5708 templates. Every paid preparer with a PTIN is required to have a WISP, and the IRS now asks for confirmation on the PTIN renewal — a missing or stale WISP is a real finding.
Request current SOC 2 Type II reports from the tax-software vendor, the document portal, the payroll provider, and the cloud-hosting partner. Note any qualifications or carve-outs that touch client data; the FTC Safeguards Rule requires documented vendor oversight.
Map where client SSNs, EINs, and bank info live: portal, tax engine, GL, email, archives, paper. Score each flow for likelihood and impact. The Safeguards Rule requires this in writing and a refresh on material change.
Physical Security
Walk every space holding paper returns, prior-year archives, or network equipment. Cipher-lock codes should be unique per role and rotated when staff depart; a shared code from three tax seasons ago is the typical finding.
Confirm certificates of destruction from the shred vendor for every pickup in the last 12 months. Loose 1040 source docs in a recycling bin during the April rush is the single highest-likelihood physical-security incident at most firms.
Confirm the UPS battery passes its self-test, the AC unit holds the room under spec, and any water sensor under the rack still alarms. A flooded closet during a long-weekend filing deadline can take the firm offline through Tax Day.
Use this template in Manifestly