Compliance · 10 min read

IRS WISP Compliance for CPA Firms: Your 2026 Written Information Security Plan Guide

Federal law requires all tax preparers to maintain a Written Information Security Plan. Learn what's required, how to build your WISP, and avoid penalties up to $46,517 per day.

Smith Network Solutions

IT Services Expert

If you prepare tax returns professionally, federal law requires you to have a Written Information Security Plan (WISP). This isn't optional guidance—it's a legal mandate under the Gramm-Leach-Bliley Act, enforced through the FTC Safeguards Rule. Non-compliance can result in FTC penalties up to $46,517 per violation per day, IRS revocation of your PTIN, and voided professional liability insurance.

What Is a WISP and Why Is It Required?

A WISP is a documented cybersecurity framework that describes how your firm protects client data. Under federal law, tax preparers and CPA firms are classified as "financial institutions"—the same category as banks and investment firms—subjecting you to identical data protection standards.

The requirement applies to every professional tax preparer regardless of practice size. Solo practitioners, small firms, and large practices all face identical WISP requirements with no exemptions based on size or client volume.

PTIN Renewal Compliance

Beginning with the 2023 tax year, the IRS integrated security compliance into PTIN renewal requirements through Form W-12, Question 11. When you renew your PTIN, you must certify under penalty of perjury that you maintain a compliant security plan. If you don't have a WISP, you're making a false statement on a federal form.

The Three Core Areas of Your WISP

According to IRS guidance, a comprehensive WISP must address three fundamental areas:

1. Physical Safeguards

Physical safeguards protect client data from physical threats:

  • Secure office access with locks, alarms, or access control systems
  • Workstation positioning to prevent unauthorized viewing
  • Secure storage for physical documents containing client data
  • Visitor policies and escort procedures
  • Clean desk policies for sensitive information
  • Secure disposal of paper documents (shredding)
  • Protection of portable devices (laptops, USB drives)

2. Technical Safeguards

Technical safeguards ensure your digital systems and network are secure:

  • Encryption for data at rest and in transit
  • Multi-factor authentication for all systems accessing client data
  • Firewall protection and network security
  • Antivirus and anti-malware software
  • Secure password policies (complexity, expiration, unique passwords)
  • Access controls limiting data access to authorized personnel
  • Audit logging to track who accesses what data
  • Secure backup systems with tested recovery procedures
  • Patch management for software updates

3. Administrative Safeguards

Administrative safeguards ensure your team is trained and informed:

  • Designated security coordinator responsible for the WISP
  • Written policies and procedures for data handling
  • Employee security awareness training
  • Background checks for employees with data access
  • Incident response procedures
  • Vendor management and due diligence
  • Annual risk assessments
  • Regular review and updates to the WISP

FTC Safeguards Rule Requirements

The FTC Safeguards Rule adds specific requirements for your information security program:

Qualified Individual

You must designate a "Qualified Individual" responsible for overseeing your information security program. This person must have appropriate training and authority to implement security measures. For small firms, this may be the owner; larger firms may designate an IT manager or hire external expertise.

Risk Assessment

You must conduct a thorough risk assessment to identify potential threats to customer information. This assessment must be documented and updated regularly.

Annual Reporting

The Qualified Individual must report in writing, at least annually, to the firm's leadership with an overall assessment of compliance with the information security program.

MFA Requirement

The FTC specifically requires multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.

Breach Notification Requirements

If your firm experiences a security event affecting 500 or more people, you must:

  • Report to the FTC within 30 days of discovery (electronically via FTC's website)
  • Report to your IRS Stakeholder Liaison
  • Notify state tax authorities as required
  • Notify affected individuals according to state breach notification laws

Building Your WISP: Step-by-Step

Step 1: Inventory Your Data

Document what client data you collect, where it's stored, how it's transmitted, and who has access. You can't protect what you don't know you have.

Step 2: Assess Current Risks

Evaluate your current security posture against potential threats. Where are the gaps? What would happen if an employee clicked a phishing link? What if a laptop were stolen?

Step 3: Implement Safeguards

Address identified risks with appropriate physical, technical, and administrative controls. Prioritize based on risk severity and likelihood.

Step 4: Document Everything

Your WISP must be written. Document your policies, procedures, and the rationale behind security decisions. Include evidence of implementation.

Step 5: Train Your Team

Security awareness training isn't optional. All employees must understand their role in protecting client data and the consequences of security failures.

Step 6: Test and Update

Regularly test your security measures. Conduct phishing simulations. Review and update your WISP at least annually or when significant changes occur.

IRS Resources for WISP Development

The IRS provides several publications to help tax professionals develop their WISPs:

  • Publication 5708: Creating a Written Information Security Plan for your Tax & Accounting Practice
  • Publication 5709: How to Create a Written Information Security Plan for Data Safety
  • Publication 4557: Safeguarding Taxpayer Data: A Guide for Your Business
  • Publication 5293: Data Security Resource Guide for Tax Professionals

Penalties for Non-Compliance

The consequences of operating without a compliant WISP are severe:

  • FTC penalties: Up to $46,517 per violation per day
  • PTIN revocation: Inability to prepare tax returns professionally
  • Insurance issues: Many E&O policies exclude coverage for firms without documented security programs
  • Client liability: Breach victims may have legal claims against firms that failed to implement reasonable security
  • Reputation damage: Client trust is essential to accounting practices

Get Expert Help with Your WISP

Building a compliant WISP requires both security expertise and understanding of tax practice operations. Smith Network Solutions helps CPA firms throughout Atlanta develop and implement Written Information Security Plans that meet federal requirements while remaining practical for day-to-day operations.

Contact us today for a free WISP compliance assessment and ensure your firm meets its federal security obligations.

Topics: WISP, IRS compliance, CPA, tax preparers, data security, financial services
