Risk Management Checklist

Risk Identification

    Open the prior-quarter risk register from the firm shared drive or Karbon. Carry forward any open items, note which mitigations were closed, and flag any risks where the residual score changed materially since last review.

    Walk the active client list against the AICPA Code independence rules. Flag any attest client where the firm is also performing bookkeeping, payroll, or management-decision work — that's the most common SSARS / state-board breach in cross-selling firms.

    Review tax-prep workflow against Circular 230 §10.34 (positions on returns), §10.21 (knowledge of error), and §10.36 (firm procedures). Note any preparer without a current PTIN, any return positions taken without documented substantial authority, and any client who hasn't responded to a §10.21 follow-up.

    Cross-check current practice against IRS Pub 4557 / Pub 5708 and the FTC Safeguards Rule. Confirm the WISP exists, is dated within the last 12 months, and that MFA is enforced on TaxDome, SmartVault, UltraTax, QBO Accountant, and email. Note any laptop without disk encryption.

    Capture capacity risks heading into the next deadline cycle: PTO conflicts during March 15 / April 15, single points of failure on K-1 prep or sales-tax filings, and CPE shortfalls that would block license renewal.

    Each row: risk description, category (engagement / regulatory / data security / operational / financial), affected client or process, current control, and owner. Attach the populated register below.

Risk Analysis and Scoring

    Use the firm's 1–5 scale on both axes. For impact, anchor to dollar consequence where possible: penalty exposure, fee write-off, license action, breach-notification cost. Don't anchor to vague language like 'significant' — that's how risks score the same year over year.

    For each control listed in the register, walk one current example: was the engagement letter signed before fieldwork started, was the partner review note cleared before delivery, was the deposit schedule met for the last 941 cycle. A control that exists on paper but isn't operating is a finding.

    Residual = inherent score adjusted for control effectiveness. Anything residual ≥ 15 (on a 25-point scale) goes to the high-risk list and requires a named mitigation owner. Document the rationale next to each score.

    Pick the tier of the most severe residual risk on the register this quarter. This drives whether the workflow continues into mitigation planning and partner escalation, or stops at routine monitoring.

Risk Mitigation Planning

    Each high or critical residual risk needs a specific action, owner, and target date. Vague entries like 'improve documentation' aren't mitigations. Concrete mitigation looks like: 'Resign as bookkeeper on Client X before Q3 review engagement begins; reassign to Firm Y by Aug 1.'

    Owner is a named person, not a role. Tax Partner owns Circular 230 items; Practice Coordinator owns engagement-letter and PBC items; IT lead or MSP owns WISP / Safeguards items. Target dates land before the next quarterly review, not 'ongoing.'

    Pub 5708 expects the WISP to be reviewed at least annually and after any material change. If this quarter surfaced a new tool, a new staff role with client-data access, or a near-miss, revise the WISP and re-circulate for staff acknowledgment.

    Critical-tier items don't wait for the quarterly review meeting. Walk the managing partner through the risk, the proposed mitigation, and any client-resignation or insurance-notification implications within two business days. Document the conversation.

Communication and Training

    Cover what changed since last quarter, who owns the new mitigations, and any process changes staff need to follow — new MFA requirement, new engagement-letter template, revised PBC tracker.

    Each staff member with client-data access signs the current WISP and the data-handling policy. Capture the signed acknowledgment file — auditors and insurers ask for this on every cyber renewal.

    Most malpractice policies require notification of circumstances that could give rise to a claim, not just claims themselves. If the quarter surfaced a missed filing, an independence breach, or a data incident, notify the carrier in writing this week — late notice voids coverage.

Partner Review and Sign-Off

    Working session with managing partner, tax partner, and audit partner if applicable. Walk the register, the residual scores, and the open mitigations. Decide which risks roll forward, which close, and which require client-level action.

    Mark closed items with closure date and evidence. Add new items the partners surfaced. Reset target dates that slipped, and note the rationale — repeated slippage is itself a finding for next quarter.
