System Access Control Checklist

Export the active-user list from Microsoft 365, Google Workspace, or Okta — whichever runs as the firm's identity provider. Cross-check against the partner-approved staff list; flag any service accounts or contractor accounts that don't appear in HR.

For each user, confirm the assigned role (Partner, Manager, Senior, Staff, Bookkeeper, Admin) matches the entitlements in the WISP role matrix. Common drift: staff promoted into reviewer roles never lose their preparer permissions, accumulating standing access.

Review the HR change log for the quarter. Any termination, transfer, or role change requires access removal or adjustment within 24 hours of the event — verify each one closed on time.

IRS Pub 4557 and Pub 5708 require paid preparers to provide ongoing security awareness training. Cover phishing recognition, client-data handling on laptops vs. portals, and the procedure for reporting a suspected breach. Capture attendance — the WISP requires it.

Every staff member — including seasonal preparers and contract bookkeepers — signs the AUP before access is provisioned and re-acknowledges annually. The AUP must reference the WISP, the prohibition on personal cloud or personal email for client data, and the rule against working on unsecured Wi-Fi.

Open the security configuration in UltraTax CS, Lacerte, ProConnect, or Drake. Confirm preparers cannot e-file without reviewer sign-off, and reviewers cannot release returns without partner approval. Watch for legacy admin accounts left from prior tax seasons.

For each client file in QuickBooks Online Accountant, review the user list and permission level. Common gotcha: a former staff accountant still holds Company Admin on three client files because the offboarding only revoked the firm-side login. Repeat for Xero and Sage Intacct clients.

BitLocker on Windows, FileVault on macOS — confirm encryption is on for every device that touches client SSNs or tax returns. State breach-notification laws (MA, NY, CA, TX) treat an unencrypted lost laptop as a reportable incident; encryption is the safe-harbor.

FTC Safeguards Rule requires MFA on any system holding customer information. Confirm MFA is enforced (not just available) on the IdP, tax software, GL platforms, email, and the client portal. Hardware keys or authenticator apps preferred over SMS.

Pull the rule set from the firewall (Meraki, SonicWall, Fortinet, etc.) and walk through inbound and outbound exceptions. Any rule without a documented business justification gets removed or recertified. Common find: an old port-forward to a retired on-prem tax server.

Hosted tax software and cloud GL should already enforce IP allow-lists or device certificates. Confirm staff working from home or coffee shops are routed through the firm VPN before they hit client data, and that split-tunnel is configured per the WISP.

Export sign-in logs from the IdP, tax software, and client portal for the quarter. Look for impossible-travel events, after-hours access by staff who don't normally work late, and repeated failed-login bursts. Document each anomaly with disposition.

Append this quarter's review to the WISP audit log: date, reviewer, scope, findings, and remediation status. The IRS expects this log to be produced on request and updated at least annually; quarterly is the firm standard.

The managing partner and the WISP-designated security coordinator both sign off. If issues are found, document them and trigger remediation rather than signing a clean review. A Pass-with-issues record is more defensible than a Pass that papers over a finding.