IT Security Audit Checklist

An annual IT security audit for an accounting or tax practice — covering network controls, access management, client-data protection, incident response, regulatory compliance with IRS Pub 4557 and the FTC Safeguards Rule, and physical safeguards. Run by the firm's IT lead with...

1. Network Security

  1. Verify firewall blocks unauthorized inbound traffic
    • Pull the current firewall ruleset and confirm only required ports are open to the internet — typically 443 outbound for client-portal sync and the VPN concentrator. Flag any legacy 'any/any' rules left over from prior tax seasons; they are the most common finding in a peer review.
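    As an added illustration of this review (example code, not part of the checklist or any vendor tooling), the script below walks a constructed ruleset export and flags the two conditions the step calls out: any/any allow rules and internet-facing inbound openings that are not on the firm's required list. The rule fields, the required-port set and the sample rules are assumptions.

```python
# Added example: review a firewall ruleset for legacy any/any allows and
# internet-facing inbound ports beyond the ones the firm needs.
# The Rule format, REQUIRED_INBOUND and SAMPLE_RULES are constructed.
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "inbound" or "outbound"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp" or "any"
    port: str        # port number as a string, or "any"
    action: str      # "allow" or "deny"


# Assumption: only the VPN concentrator needs an inbound allow from the internet.
REQUIRED_INBOUND = {("udp", "1194")}


def is_any_any(rule: Rule) -> bool:
    """A permit rule with any source, any destination and any service."""
    return (rule.action == "allow" and rule.src == ANY and rule.dst == ANY
            and rule.proto == ANY and rule.port == ANY)


def review_ruleset(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that needs a written exception."""
    findings = []
    for r in rules:
        if is_any_any(r):
            findings.append(f"{r.name}: legacy any/any allow rule")
        elif (r.action == "allow" and r.direction == "inbound" and r.src == ANY
              and (r.proto, r.port) not in REQUIRED_INBOUND):
            findings.append(f"{r.name}: internet-facing {r.proto}/{r.port} not on the required list")
    return findings


# Constructed sample export resembling a prior-season ruleset.
SAMPLE_RULES = [
    Rule("portal-sync", "outbound", "192.0.2.0/24", ANY, "tcp", "443", "allow"),
    Rule("vpn", "inbound", ANY, "203.0.113.11/32", "udp", "1194", "allow"),
    Rule("rdp-temp-2022", "inbound", ANY, "203.0.113.12/32", "tcp", "3389", "allow"),
    Rule("tax-season-open", "inbound", ANY, ANY, ANY, ANY, "allow"),
    Rule("default-deny", "inbound", ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for finding in review_ruleset(SAMPLE_RULES):
        print(finding)
```

Each finding line is what goes into the audit folder alongside the exception or the removal ticket.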

  2. Patch routers, switches, and access points
    • Confirm every network device runs current firmware. Vendor-issued CVEs from the last 12 months are the priority; document any device left at an older version with a written exception and a planned replacement date.

  3. Run external vulnerability scan on firm IPs
    • Use Nessus, Qualys, or Rapid7 against your published static IPs and any cloud assets in scope. Save the full report to the audit folder; the WISP requires retained scan evidence for the IRS Pub 4557 self-assessment.

  4. Remediate critical and high vulnerabilities
    • Patch, reconfigure, or compensate for every critical and high finding from the scan. Re-scan after remediation and attach the clean report; partial remediation needs a written exception with the responsible owner and a target date.

2. Access Control

  1. Audit user accounts in tax and accounting software
    • Pull the active user list from UltraTax, Lacerte, ProConnect, or Drake; from QuickBooks Online and any client GL access; and from the client portal (TaxDome, SmartVault, Liscio). Match against the current staff roster — orphaned PTIN-bearing accounts are a common finding.

  2. Confirm MFA enrollment across staff
    • The FTC Safeguards Rule requires MFA on any system holding customer information, which for an accounting firm includes M365 / Google Workspace, the tax engine, the GL, the portal, and remote access. App-based authenticators or hardware keys only; SMS does not satisfy the requirement.

  3. Enforce MFA on remaining accounts
    • Set conditional access to require MFA at next sign-on for every gap identified. Coordinate with partners before flipping the switch on shared service accounts so a tax-season filing flow is not interrupted.

  4. Revoke access for departed and seasonal staff
    • Cross-check HR's termination list against every system from the prior step. Seasonal preparers from last filing season are the usual stragglers — their tax-software logins, portal accounts, and shared-mailbox delegations all need to be removed.
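    Steps 1, 2 and 4 of this section are one reconciliation: per-system user exports matched against the HR roster and termination list, with MFA method recorded. The script below is an added example (not part of the checklist and not any vendor's API) that produces the three findings those steps look for; the account fields, roster, termination list and sample accounts are constructed.

```python
# Added example: reconcile user exports from the tax engine, portal and GL
# against HR data, flagging orphaned accounts, departed staff still active,
# and active accounts without app- or key-based MFA. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    active: bool
    mfa: str   # "app", "key", "sms" or "none"


# Constructed HR data: current roster and this year's termination list.
ROSTER = {"alice@firm.example", "bob@firm.example", "cara@firm.example"}
TERMINATED = {"dave@firm.example"}   # seasonal preparer who left after filing season
STRONG_MFA = {"app", "key"}          # SMS is not treated as satisfying the Safeguards Rule


def reconcile(accounts, roster=ROSTER, terminated=TERMINATED):
    """Return sorted (system, email, finding) tuples for active accounts."""
    findings = []
    for a in accounts:
        if not a.active:
            continue   # disabled accounts are not a finding here
        if a.email in terminated:
            findings.append((a.system, a.email, "departed-still-active"))
        elif a.email not in roster:
            findings.append((a.system, a.email, "orphaned"))
        if a.mfa not in STRONG_MFA:
            findings.append((a.system, a.email, "mfa-gap"))
    return sorted(findings)


# Constructed exports from three systems named in the checklist.
SAMPLE_ACCOUNTS = [
    Account("UltraTax", "alice@firm.example", True, "app"),
    Account("UltraTax", "dave@firm.example", True, "sms"),
    Account("TaxDome", "bob@firm.example", True, "sms"),
    Account("TaxDome", "cara@firm.example", False, "none"),
    Account("QBO", "temp2021@firm.example", True, "none"),
]

if __name__ == "__main__":
    for system, email, finding in reconcile(SAMPLE_ACCOUNTS):
        print(f"{system:10} {email:28} {finding}")
```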

3. Client Data Protection

  1. Confirm full-disk encryption on firm laptops
    • Verify BitLocker (Windows) or FileVault (Mac) is enabled and keys are escrowed in your MDM. An unencrypted laptop with a single client's SSN triggers state breach-notification obligations in MA, NY, CA, TX, and most others.

  2. Verify TLS on client portal uploads
    • Test the upload flow end to end on TaxDome, SmartVault, ShareFile, or Liscio. Confirm TLS 1.2 or higher and that any legacy email-attachment workflow for source documents has been retired in favor of the portal.

  3. Test backup restore of tax and GL data
    • Restore a sample of last week's UltraTax / Lacerte data files and a QBO company file to a sandbox. A backup that has never been restored is not a backup; this is the single most common finding during a ransomware tabletop.

  4. Open priority ticket with backup vendor
    • If the restore failed, open a P1 with the vendor and pause any planned data-rotation that would overwrite recoverable backups. Notify the managing partner; do not close this audit until restore is verified clean.

  5. Document the client data retention schedule
    • Confirm the firm's retention policy — typically 7 years for income-tax workpapers and copies of returns — and that purge automation actually fires on the right schedule. Indefinite retention is its own breach risk.

4. Incident Response and Reporting

  1. Review the WISP incident response procedures
    • Walk the partner-in-charge through the response playbook — detection, containment, eradication, recovery, notification. Confirm the IRS Stakeholder Liaison phone number for the firm's region is current; reporting a data theft to the IRS is a Pub 4557 obligation.

  2. Run a phishing simulation across staff
    • Use KnowBe4, Hoxhunt, or your M365 Attack Simulation tooling. Lures should mirror real tax-season pressure: fake e-file rejections, fake client K-1 attachments, fake e-Services password resets. Track click rate and route repeat clickers to remediation training.

  3. Document the breach notification timeline by state
    • List every state where the firm has clients with PII and the corresponding notification clock — MA is 'as soon as practicable', CA is no later than 60 days, NY SHIELD requires 'in the most expedient time'. The clock starts on discovery, not confirmation.

5. Compliance and Risk Management

  1. Update the WISP per IRS Pub 4557
    • Refresh the Written Information Security Plan against the current Pub 4557 and Pub 5708 templates. Every paid preparer with a PTIN is required to have a WISP, and the IRS now asks for confirmation on the PTIN renewal — a missing or stale WISP is a real finding.

  2. Collect SOC 2 reports from key vendors
    • Request current SOC 2 Type II reports from the tax-software vendor, the document portal, the payroll provider, and the cloud-hosting partner. Note any qualifications or carve-outs that touch client data; the FTC Safeguards Rule requires documented vendor oversight.

  3. Conduct an annual risk assessment of client data flows
    • Map where client SSNs, EINs, and bank info live: portal, tax engine, GL, email, archives, paper. Score each flow for likelihood and impact. The Safeguards Rule requires this in writing and a refresh on material change.

6. Physical Security

  1. Inspect locks on file rooms and the server closet
    • Walk every space holding paper returns, prior-year archives, or network equipment. Cipher-lock codes should be unique per role and rotated when staff depart; a shared code from three tax seasons ago is the typical finding.

  2. Verify shredder logs for paper returns and source documents
    • Confirm certificates of destruction from the shred vendor for every pickup in the last 12 months. Loose 1040 source documents left in a recycling bin during the April rush are the single most likely physical-security incident at most firms.

  3. Check environmental controls in the server closet
    • Confirm the UPS battery passes its self-test, the AC unit holds the room under spec, and any water sensor under the rack still alarms. A flooded closet during a long-weekend filing deadline can take the firm offline through Tax Day.
