
Building a Compliant WISP: IRS Expectations for Tax & CPA Firms

February 16, 2026 · 3 min read

What the IRS looks for in a WISP, which elements must be included, and why CPA firms need a custom, human-built security plan

A WISP (Written Information Security Plan) is a documented roadmap explaining how your organization protects sensitive client data, and what actions are taken to prevent, detect, and respond to security incidents.

Under the FTC Safeguards Rule and IRS Publication 4557, every CPA and tax firm that handles taxpayer information must maintain an accurate, up-to-date WISP:

  • It proves your firm follows required data-security procedures.

  • It outlines the safeguards protecting SSNs, tax returns, banking data, and PII.

  • It protects your e-file privileges.

  • It ensures you’re prepared for a potential breach.

In 2025, the IRS increased enforcement, and firms without a valid WISP are at high risk of compliance findings, penalties, or forced corrective action.


What the IRS Looks for When Requesting a WISP

The IRS can ask CPA and tax firms to submit their Written Information Security Plan for compliance review. These inquiries are authentic and part of standard IRS oversight.

When the IRS asks for your WISP, they expect:

A complete Written Information Security Plan that includes:

  • How your firm protects sensitive client information (secure file storage, encryption of tax documents, restricted access to client folders, etc.)

  • Who is responsible for data-security oversight

  • What technical safeguards are in place (MFA, encryption, backups, firewalls)

  • How you restrict and monitor access to data

  • What steps you take to prevent breaches (vulnerability scanning, patch management, password policies, and endpoint protection)

  • How you respond if an incident occurs

  • Vendor and third-party security controls

  • How staff are trained on cybersecurity

A plan that reflects your real operations

The IRS looks for accuracy, so your WISP must match:

  • Your actual software tools

  • Your actual data-storage locations

  • Your actual access-control policies

  • Your actual incident-response process

  • Your actual vendors and responsibilities

If your WISP is outdated or generic, the IRS will see it immediately.

Why CPAs Should NOT Use AI Tools to Write Their WISPs

An emerging pattern across the accounting profession is the use of AI-generated or template-based WISPs. Although convenient, these approaches often fail to meet regulatory expectations and can expose firms to material compliance risk.


AI-generated WISPs are not tailored to your firm. AI cannot accurately describe:

  • Your architecture

  • Your staff roles

  • Your data flows

  • Your applications

  • Your vendor agreements

  • Your incident-response steps

A generic WISP = non-compliance.

They often contain incorrect or missing controls. IRS Publication 4557 and the FTC Safeguards Rule require specific sections. AI tools frequently miss:

  • Proper risk assessment documentation

  • Designated “Security Program Coordinator”

  • Written vendor oversight procedures

  • Multi-layered technical safeguards

  • Incident notification requirements

They may contain contradictory or inaccurate language. This can be seen as a red flag during an IRS review or audit.

What Your WISP MUST Include

(According to IRS / FTC)

Security Program Coordinator

A named individual responsible for maintaining and updating the plan.

Risk Assessment

Identifying risks to the confidentiality of client data based on your systems, people, vendors, and environments.

Administrative Safeguards

  • Access controls

  • Strong passwords

  • MFA

  • Staff training

  • Acceptable-use policies

Technical Safeguards

  • Encryption

  • Patch management

  • Secure backups

  • Firewalls / EDR

  • Email security

  • Network segmentation

Physical Safeguards

  • Locked offices

  • Secure workstations

  • Clean desk policy

  • Device tracking

Vendor & Third-Party Management

Documented security requirements and oversight for all external providers.

Incident Response & Breach Plan

Clear steps for:

  • Detection

  • Containment

  • Recovery

  • Client notification

  • Regulatory reporting

Annual Review and Updates

The WISP must be reviewed at least every 12 months, and again after major business or technology changes.

How CyDo Tech Helps CPA Firms Build an Audit-Ready WISP

CyDo Tech develops fully customized, IRS-aligned WISPs based on your real workflows, systems, vendors, and security controls — not generic templates.

Our process includes:

  • Full cyber risk assessment

  • Data-flow mapping

  • Technical and administrative safeguard documentation

  • Vendor-security review

  • Incident response plan creation

  • Annual update cycle

  • Optional implementation support

We create WISPs that actually protect your firm and satisfy IRS examiners!

If you’d like a review of your current WISP or help building a compliant one, we’re always here to support your team.
