System Access Control Checklist
User Access Management
Export the active-user list from Microsoft 365, Google Workspace, or Okta — whichever runs as the firm's identity provider. Cross-check against the partner-approved staff list; flag any service accounts or contractor accounts that don't appear in HR.
For each user, confirm the assigned role (Partner, Manager, Senior, Staff, Bookkeeper, Admin) matches the entitlements in the WISP role matrix. Common drift: staff promoted into reviewer roles never lose their preparer permissions, accumulating standing access.
Review the HR change log for the quarter. Any termination, transfer, or role change requires access removal or adjustment within 24 hours of the event — verify each one closed on time.
For every termination or role change, attach the deactivation timestamps from the IdP, tax software, GL, and client portals. The WISP audit folder is what an IRS examiner asks to see if a data incident is later reported.
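The reconciliation in the four steps above, as an added example that is not part of the original checklist: it compares an IdP export against the HR roster, reports role drift against a role matrix, and checks that terminations closed within the 24-hour SLA. The CSV export, the roster, the change log and the one-role-per-person role matrix are constructed assumptions, not a real firm's data or any vendor's export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample IdP active-user export (not a real Okta/M365/Google format).
IDP_EXPORT = """email,status,roles,deactivated_at
amy@firm.example,active,Partner,
ben@firm.example,active,Senior;Staff,
svc-backup@firm.example,active,Admin,
cara@firm.example,deactivated,Staff,2024-04-03T15:00:00
"""

# Constructed partner-approved roster (email -> approved role) and HR change log.
HR_ROSTER = {"amy@firm.example": "Partner", "ben@firm.example": "Senior"}
HR_CHANGES = [  # (email, event, time HR recorded the event)
    ("cara@firm.example", "termination", datetime(2024, 4, 1, 9, 0)),
]

# Assumed WISP role matrix: each approved role maps to exactly the entitlements
# it should carry, so a reviewer still holding "Staff" (preparer) access is drift.
ROLE_MATRIX = {"Partner": {"Partner"}, "Manager": {"Manager"}, "Senior": {"Senior"},
               "Staff": {"Staff"}, "Bookkeeper": {"Bookkeeper"}, "Admin": {"Admin"}}
SLA = timedelta(hours=24)  # access removal deadline after an HR event

def review_access(idp_csv, hr_roster, hr_changes):
    """Return (email, finding) tuples for the quarterly access review."""
    findings = []
    users = {r["email"]: r for r in csv.DictReader(io.StringIO(idp_csv))}
    for email, row in users.items():
        if row["status"] != "active":
            continue
        if email not in hr_roster:  # service/contractor accounts with no HR record
            findings.append((email, "active account not on HR roster"))
            continue
        granted = set(row["roles"].split(";"))
        extra = granted - ROLE_MATRIX.get(hr_roster[email], set())
        if extra:
            findings.append((email, f"role drift: extra {sorted(extra)}"))
    for email, event, when in hr_changes:  # every HR event must show as closed in the IdP
        row = users.get(email)
        if row is None or row["status"] == "active" or not row["deactivated_at"]:
            findings.append((email, f"{event} not closed in IdP"))
            continue
        closed = datetime.fromisoformat(row["deactivated_at"])
        if closed - when > SLA:
            findings.append((email, f"{event} closed late: {closed - when}"))
    return findings

def quarterly_findings():
    return review_access(IDP_EXPORT, HR_ROSTER, HR_CHANGES)
```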
User Responsibilities
IRS Pub 4557 and Pub 5708 require paid preparers to provide ongoing security awareness training. Cover phishing recognition, client-data handling on laptops vs. portals, and the procedure for reporting a suspected breach. Capture attendance — the WISP requires it.
Every staff member — including seasonal preparers and contract bookkeepers — signs the AUP before access is provisioned and re-acknowledges annually. The AUP must reference the WISP, the prohibition on personal cloud or personal email for client data, and the rule against working on unsecured Wi-Fi.
1Password, Bitwarden, or Keeper — pick one and confirm every active user has logged in within the period. Shared client logins (still common for small bookkeeping clients) belong in shared vaults with named accountability, not in a spreadsheet.
System and Application Access Control
Open the security configuration in UltraTax CS, Lacerte, ProConnect, or Drake. Confirm preparers cannot e-file without reviewer sign-off, and reviewers cannot release returns without partner approval. Watch for legacy admin accounts left from prior tax seasons.
For each client file in QuickBooks Online Accountant, review the user list and permission level. Common gotcha: a former staff accountant still holds Company Admin on three client files because the offboarding only revoked the firm-side login. Repeat for Xero and Sage Intacct clients.
Confirm that client-portal access is scoped to the engagement team only and that prior-engagement contacts have been removed. Pay attention to spouses on prior 1040 engagements — divorces are a recurring source of inappropriate document access.
Operating System Controls
BitLocker on Windows, FileVault on macOS — confirm encryption is on for every device that touches client SSNs or tax returns. State breach-notification laws (MA, NY, CA, TX) treat an unencrypted lost laptop as a reportable incident; encryption is the safe harbor.
FTC Safeguards Rule requires MFA on any system holding customer information. Confirm MFA is enforced (not just available) on the IdP, tax software, GL platforms, email, and the client portal. Hardware keys or authenticator apps preferred over SMS.
Pull the patch report from the MDM (Intune, Jamf, Kandji). The WISP standard is 30 days for critical patches, 90 days for everything else. Flag any device more than two minor releases behind — preparers running unpatched Windows during tax season is a recurring finding.
Network and Remote Access
Pull the rule set from the firewall (Meraki, SonicWall, Fortinet, etc.) and walk through inbound and outbound exceptions. Any rule without a documented business justification gets removed or recertified. Common find: an old port-forward to a retired on-prem tax server.
Hosted tax software and cloud GL should already enforce IP allow-lists or device certificates. Confirm staff working from home or coffee shops are routed through the firm VPN before they hit client data, and that split-tunnel is configured per the WISP.
Walk into the lobby with a laptop on guest Wi-Fi and try to ping the file server, the network printer, and any on-prem device. If anything responds, the VLAN segmentation is broken. Clients waiting for a meeting share that network — it must not reach production.
Monitoring and Quarterly Sign-Off
Export sign-in logs from the IdP, tax software, and client portal for the quarter. Look for impossible-travel events, after-hours access by staff who don't normally work late, and repeated failed-login bursts. Document each anomaly with disposition.
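The three anomaly checks named above, as an added example that is not part of the original checklist: impossible travel (great-circle speed between consecutive successful sign-ins), after-hours sign-ins by staff not known to work late, and bursts of failed logins. The sign-in events, the set of staff who routinely work late, and the thresholds (900 km/h, 5 failures in 10 minutes, 06:00 to 22:00 as normal hours) are constructed assumptions; a real IdP export would supply the geo-IP coordinates.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (not from a real IdP): times are UTC, lat/lon stand in
# for the IdP's geo-IP enrichment of the source address.
EVENTS = [
    {"t": "2024-04-02T09:00:00", "user": "amy@firm.example", "ok": True, "lat": 42.36, "lon": -71.06},
    {"t": "2024-04-02T10:30:00", "user": "amy@firm.example", "ok": True, "lat": 51.51, "lon": -0.13},
    {"t": "2024-04-02T02:10:00", "user": "ben@firm.example", "ok": True, "lat": 42.36, "lon": -71.06},
    {"t": "2024-04-02T23:30:00", "user": "dee@firm.example", "ok": True, "lat": 42.36, "lon": -71.06},
] + [
    {"t": f"2024-04-03T08:0{i}:00", "user": "cara@firm.example", "ok": False, "lat": 42.36, "lon": -71.06}
    for i in range(6)
]
# Assumed: staff who normally work late, and the detection thresholds.
NORMALLY_LATE = {"dee@firm.example"}
MAX_KMH, BURST_N, BURST_WINDOW = 900, 5, timedelta(minutes=10)

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (user, finding) tuples for impossible travel, after-hours, failed bursts."""
    findings, by_user = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):  # ISO timestamps sort as text
        by_user[e["user"]].append({**e, "t": datetime.fromisoformat(e["t"])})
    for user, evs in by_user.items():
        prev, fails = None, []
        for e in evs:
            if not e["ok"]:  # keep a sliding window of recent failures per user
                fails.append(e["t"])
                fails = [f for f in fails if e["t"] - f <= BURST_WINDOW]
                if len(fails) == BURST_N:  # report once when the threshold is reached
                    findings.append((user, f"{BURST_N} failed logins within {BURST_WINDOW}"))
                continue
            if not 6 <= e["t"].hour < 22 and user not in NORMALLY_LATE:
                findings.append((user, f"after-hours sign-in at {e['t']:%H:%M} UTC"))
            if prev is not None:  # speed implied by two consecutive successful sign-ins
                hours = (e["t"] - prev["t"]).total_seconds() / 3600
                dist = km((prev["lat"], prev["lon"]), (e["lat"], e["lon"]))
                if hours > 0 and dist / hours > MAX_KMH:
                    findings.append((user, f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
            prev = e
    return findings
```

Each finding still needs a documented disposition; the script only surfaces candidates for the reviewer.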
Append this quarter's review to the WISP audit log: date, reviewer, scope, findings, and remediation status. The IRS expects this log to be produced on request and updated at least annually; quarterly is the firm standard.
The managing partner and the WISP-designated security coordinator both sign off. If issues are found, document them and trigger remediation rather than signing a clean review. A Pass-with-issues record is more defensible than a Pass that papers over a finding.
For each finding in the review, open a ticket with named owner, due date, and severity. Critical findings (orphaned admin accounts, missing MFA, unencrypted device) close within 7 days. Track to resolution before next quarter's review opens.
