IRS Publication 4557 Compliance: Complete Security Checklist for CPA Firms

1. Designation of Security Coordinator

You must designate a qualified individual to coordinate your information security program. This person (often called the Chief Information Security Officer or Security Coordinator) must have:

• Authority to implement and enforce security policies
• Adequate knowledge of information security principles
• Regular reporting relationship to senior management or ownership
• Documented responsibilities and authority in the WISP

In smaller firms, this is typically a partner or owner. Larger firms may hire dedicated security personnel or engage a virtual CISO (vCISO) to fill this role.

2. Comprehensive Risk Assessment

Your WISP must document a thorough risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. This assessment should evaluate:

• Information Assets: Where taxpayer data is stored, transmitted, and processed
• Access Points: Who can access data and through what systems
• Third-Party Risks: Cloud providers, software vendors, subcontractors
• Technical Vulnerabilities: Unpatched software, weak configurations, outdated systems
• Human Factors: Phishing susceptibility, password practices, remote work risks
• Physical Security: Office access, device theft, document disposal
• Business Continuity: Backup failures, ransomware, natural disasters

The IRS recommends conducting this assessment annually and whenever significant changes occur (new software, office relocation, staff changes, new service offerings). Many firms complete this assessment in October as part of tax season preparation.

3. Safeguards to Control Identified Risks

Based on your risk assessment, you must design and implement appropriate safeguards organized into three categories:

4. Service Provider Oversight

Your WISP must address how you select, contract with, and oversee service providers that have access to customer information. Required elements include:

• Due diligence process before engaging vendors
• Written contracts requiring vendors to maintain appropriate safeguards
• Periodic assessments of vendor security measures
• Documentation of vendor security capabilities

This applies to tax software vendors (Drake, Intuit Lacerte, CCH, Thomson Reuters), cloud storage providers, email services, document management systems, IT support contractors, and any other third party touching taxpayer data.

5. Continuous Evaluation and Adjustment

Your WISP must include provisions for regular monitoring and testing of safeguards, including:

• Annual review and update of the security plan
• Regular vulnerability assessments and security testing
• Monitoring of safeguard effectiveness
• Updates based on changes to business operations or emerging threats
• Documentation of reviews, tests, and resulting changes

The FTC explicitly requires that your WISP be a living document, not a one-time compliance exercise. October reviews are standard practice, allowing time to address gaps before tax season.

Required Training Elements:

• Initial Security Training: Within first week of employment for all staff with data access
• Annual Refresher Training: Complete before tax season begins (October-November recommended)
• Phishing Recognition: How to identify and report suspicious emails, especially fake IRS communications
• Password Security: Creating strong passwords, using password managers, never sharing credentials
• Physical Security: Locking workstations, securing documents, visitor protocols
• Data Handling: Proper transmission of client data, approved tools, encryption requirements
• Incident Reporting: How to report suspected breaches, security incidents, or policy violations
• Work-from-Home Security: Securing home offices, using VPNs, protecting devices

Access Control Requirements:

• Role-Based Access: Define access levels by job function (tax preparer, admin, partner)
• Unique User IDs: No shared accounts or generic logins
• Strong Authentication: Complex passwords plus multi-factor authentication
• Regular Access Reviews: Quarterly audits of who has access to what systems
• Immediate Termination Procedures: Remove access within one hour of employee departure
• Temporary Access Controls: Time-limited access for contractors or seasonal staff
• Privileged Access Management: Enhanced controls for administrative accounts

Vendor Security Due Diligence Checklist:

• Request SOC 2 Type II audit reports or equivalent security certifications
• Review vendor's encryption practices (data at rest and in transit)
• Verify vendor's incident response and breach notification procedures
• Confirm vendor's backup and disaster recovery capabilities
• Ensure written contract requires vendor to maintain appropriate safeguards
• Include contractual right to audit vendor security practices
• Require vendor notification of security incidents within 24 hours
• Document vendor review annually or when significant changes occur

Incident Response Plan Components:

• Incident Classification: Define severity levels and corresponding response procedures
• Response Team: Designate specific individuals and their roles (security coordinator, legal, IT, management)
• Containment Procedures: Steps to isolate affected systems and prevent spread
• Investigation Process: How to determine scope, affected data, and root cause
• Notification Requirements: Decision tree for when and how to notify IRS, FTC, clients, and law enforcement
• Recovery Steps: System restoration, security improvements, lessons learned
• Documentation Requirements: What to record during incident response for legal and regulatory purposes

Required Physical Access Controls:

• Controlled Entry: Locked doors requiring keys, cards, or codes
• Visitor Management: Sign-in procedures, escort requirements, visible badges
• After-Hours Security: Alarm systems, locked file rooms, secured workstations
• Workspace Visibility: Position monitors away from public view, privacy screens on client-facing workstations
• Secure Storage: Locked file cabinets or rooms for physical tax documents
• Clean Desk Policy: No client documents left visible when workspace unattended
• Printer and Copier Security: Secure release printing, immediate retrieval of sensitive documents

Device Security Requirements:

• Asset Inventory: Maintain complete list of all devices with access to taxpayer data
• Full Disk Encryption: Encrypt all devices that store or access client information (BitLocker, FileVault, etc.)
• Screen Lock Requirements: Automatic lock after 10 minutes of inactivity, password/PIN to unlock
• Anti-Theft Measures: Cable locks for desktops, laptop locks, GPS tracking for mobile devices
• Lost/Stolen Procedures: Immediate reporting, remote wipe capabilities, password reset protocols
• Disposal Procedures: Secure data wiping before device disposal, certificate of destruction for hard drives
• Removable Media Controls: Limit USB drive use, encrypt external drives, prohibit personal devices

Paper Document Security Requirements:

• Secure Receipt: Lock client documents immediately upon receipt, never leave in open areas
• Access Controls: Restrict access to file rooms and cabinets to authorized personnel only
• Workspace Management: No client documents on desks overnight or when staff away from workstation
• Fax Security: Immediate retrieval of faxed documents, secure disposal of cover sheets
• Shredding Requirements: Cross-cut shredders (minimum), locked shred bins, scheduled destruction services
• Never Standard Trash: All documents containing PII must be shredded, never thrown in regular garbage
• Client Document Return: Secure methods for returning original documents (encrypted email, certified mail, in-person pickup)

Home Office Security Requirements:

• Dedicated Workspace: Separate area with door that locks when not occupied
• Family Member Restrictions: No access to work devices or documents by household members
• Secure Storage: Locked drawer or cabinet for physical client documents
• Device Security: Never leave work laptop, tablet, or phone accessible to others
• Screen Privacy: Position monitors away from windows and common areas
• Visitor Protocols: No work discussions or visible documents during service visits or guests
• Secure Disposal: Personal shredders for home offices or secure transport of documents to office for destruction

Encryption Implementation Requirements:

• Full Disk Encryption: All laptops, desktops, and mobile devices (BitLocker for Windows, FileVault for Mac, device encryption for mobile)
• File-Level Encryption: Individual client files when stored on network drives or cloud storage
• Email Encryption: Encrypted email for transmitting tax documents and PII (TLS 1.2 minimum, consider S/MIME or PGP for sensitive attachments)
• Secure File Transfer: SFTP, HTTPS, or encrypted client portals—never unencrypted FTP or email attachments without encryption
• Database Encryption: If you maintain client databases, encrypt at the database level
• Backup Encryption: All backup media must be encrypted (especially offsite backups)
• VPN Requirements: Encrypted VPN for remote access to office systems and when using public Wi-Fi

MFA Implementation Checklist:

• Enable MFA on tax preparation software (Drake, Lacerte, ProSeries, UltraTax, CCH all support MFA)
• Require MFA for email accounts (Microsoft 365, Google Workspace have built-in MFA)
• Implement MFA for remote access and VPN connections
• Enable MFA on cloud storage (Dropbox, OneDrive, SharePoint, etc.)
• Use MFA for administrative access to servers, firewalls, and network equipment
• Consider hardware security keys (YubiKey, Titan) for highest-privilege accounts
• Document MFA requirements in your WISP and security policies

Required Network Security Controls:

• Firewall Protection: Hardware firewall at network perimeter, software firewalls on all endpoints
• Network Segmentation: Separate guest Wi-Fi from business network, isolate sensitive systems
• Wireless Security: WPA3 encryption, strong Wi-Fi passwords changed quarterly, hidden SSIDs for business networks
• Intrusion Detection: Systems to detect and alert on suspicious network activity
• VPN Requirements: Mandatory VPN for remote access, never direct RDP or VNC exposure to internet
• Port Security: Close unnecessary ports, restrict access to required services only
• Regular Reviews: Quarterly review of firewall rules and network access controls

Endpoint Security Requirements:

• Antivirus/Anti-Malware: Enterprise-grade protection on all devices, automatic updates, regular scans
• Endpoint Detection and Response (EDR): Advanced threat detection beyond signature-based antivirus
• Patch Management: Security updates installed within 30 days of release, critical patches within 7 days
• Operating System Updates: Keep Windows, macOS, iOS, Android current with security patches
• Application Updates: Update tax software, browsers, PDF readers, and all other applications regularly
• Vulnerability Scanning: Monthly scans to identify missing patches and security weaknesses
• End-of-Life Management: Replace or isolate systems that no longer receive security updates

Monitoring and Logging Requirements:

• Authentication Logging: Record all login attempts (successful and failed), track privileged account use
• Access Logging: Log who accessed what client files and when
• Change Logging: Track system configuration changes, software installations, security setting modifications
• Network Monitoring: Monitor network traffic for unusual patterns, data exfiltration attempts
• Log Retention: Maintain logs for minimum one year (longer for regulated data)
• Alert Configuration: Automated alerts for failed logins, after-hours access, large data transfers
• Regular Review: Weekly review of security logs during tax season, monthly during off-season

Backup Requirements for Tax Data:

• 3-2-1 Rule: Three copies of data, on two different media types, with one copy offsite
• Backup Frequency: Daily during tax season, at minimum weekly year-round
• Encryption: All backup media must be encrypted (especially cloud and offsite backups)
• Immutable Backups: Protection against ransomware deleting or encrypting backups
• Regular Testing: Monthly backup restoration tests to verify recoverability
• Documented Procedures: Step-by-step recovery procedures for different scenarios
• Retention Policies: Maintain backups for seven years to match tax record retention requirements

Drake Security Best Practices:

• Enable Two-Factor Authentication: Drake supports 2FA for e-file accounts—enable it for all users
• Data File Encryption: Drake encrypts data files automatically, but verify encryption is enabled
• User Access Controls: Create individual user accounts, never share login credentials
• Audit Trail: Enable Drake's audit log to track who accesses which returns
• Secure Document Storage: Use Drake's document management with encryption rather than separate file storage
• Regular Updates: Install Drake updates promptly—they include security patches
• Network Security: If using Drake on a network, ensure network-level security and access controls
• Backup Procedures: Follow Drake's backup recommendations, encrypt backup files

Resource: Drake publishes a WISP compliance guide in their knowledge base. Reference article KB17826 for Drake-specific security configuration.

Intuit Platform Security Best Practices:

• Intuit Account Protection: Enable 2-step verification on Intuit accounts (required for e-file)
• User Permissions: Use role-based access controls to limit user privileges
• Mobile Device Management: If using mobile apps, configure MDM policies
• Client Data Protection: Leverage Intuit's built-in encryption for data at rest and in transit
• Integration Security: Review security of third-party app integrations (QuickBooks, etc.)
• Cloud vs. Desktop: ProConnect Tax (cloud) has different security controls than desktop Lacerte/ProSeries
• Safeguard Hub: Use Intuit's Security & Compliance Center for compliance resources
• Activity Monitoring: Review user activity logs available in account settings

Resource: Intuit provides comprehensive security documentation at accountants.intuit.com/taxprocenter under Security & Compliance section.

CCH Platform Security Best Practices:

• Single Sign-On (SSO): Implement SSO with MFA for Axcess platform access
• Role-Based Security: Configure granular permissions based on job functions
• Audit and Compliance Reports: Use CCH's built-in compliance reporting tools
• Data Center Security: Review CCH's SOC 2 reports for cloud infrastructure security
• Client Portal Security: Configure secure client portal settings for document exchange
• Integration Controls: Manage security for integrations with other CCH products
• Session Management: Configure automatic session timeout for inactive users
• IP Restrictions: Consider IP whitelisting for access from known locations only

Resource: CCH provides security best practices documentation through the CCH Support Portal and annual security webinars for clients.

Thomson Reuters Security Best Practices:

• Multi-Factor Authentication: Enable MFA for all UltraTax CS user accounts
• Virtual Office CS Security: If using cloud hosting, leverage Virtual Office CS security features
• Database Security: Implement SQL Server security best practices for CS Professional Suite database
• Document Management: Use FileCabinet CS with encryption for secure document storage
• Network Architecture: Follow Thomson Reuters network security recommendations for on-premise deployments
• User Activity Tracking: Enable and review audit logs in database
• Backup Encryption: Ensure database backups are encrypted
• Annual Security Review: Participate in Thomson Reuters security training and updates

Resource: Thomson Reuters publishes security configuration guides and maintains a Security Resource Center for CS Professional Suite customers.