
Cloud Infrastructure Audit Checklist for CPAs & Firms
Your firm just received a peer review notice. The reviewer wants documentation of how client data is segregated in your cloud environment, who had access during the engagement period, and whether your hosting arrangement covers IRS Publication 1075 requirements. If you can’t answer those questions in under ten minutes, your cloud audit posture needs work.
This checklist is built for US CPA firms and accounting practice owners who host tax software, workpapers, or client financial data in the cloud—and need to demonstrate that the environment holds up under professional standards scrutiny.
Why Generic IT Security Audits Fall Short for CPAs
A standard IT security audit checks whether your firewall rules are current and your antivirus is licensed. That’s necessary but nowhere near sufficient for an accounting firm. You also need to prove:
- Client data is isolated so other tenants sharing infrastructure cannot access it
- Every access, modification, deletion, and movement of Federal Tax Information (FTI) is logged per unique user
- Your hosting arrangement is governed by a legally binding SLA that references IRS Publication 1075
- You notified the IRS Office of Safeguards at least 45 days before transmitting FTI into any cloud environment
- A designated qualified individual oversees information security and reports annually to your board, as required by the FTC Safeguards Rule
None of those appear on a generic SOC 2 checklist. They’re specific to firms handling taxpayer data, and the IRS Office of Safeguards can and does review them.
The Core Checklist: Eight Control Domains
1. Identity and Access Management
- MFA enforced on every account that can reach client data or FTI—no exceptions for partners or senior staff
- Role-based access so staff see only the clients and engagements relevant to their work
- Access reviews conducted at least quarterly; terminated-employee accounts disabled same day
- Privileged access (admin rights) assigned to named individuals, not shared service accounts
- Session timeouts configured; idle remote desktop sessions lock after a defined interval
The minimum bar here is MFA plus documented access controls. Anything less fails the IRS Safeguards standard and the FTC Safeguards Rule simultaneously.
2. Data Segregation and Tenant Isolation
Cloud infrastructure must isolate taxpayer data and services so other cloud customers sharing physical or virtual space cannot access them. In practice, verify:
- Each client’s data sits in a logically separated environment (separate databases, folders, or virtual machines)
- Your hosting provider can produce documentation showing how tenant isolation is enforced at the hypervisor or storage layer
- Data classification policies identify which data is FTI versus general business data, with different handling rules for each
For multi-entity practices running group audits, this also means per-entity evidence segregation—component auditors should only reach data relevant to their component.
3. Encryption—At Rest and In Transit
- All FTI and client financial records encrypted at rest using current standards (AES-256 is the practical baseline)
- All data in transit encrypted via TLS 1.2 or higher; verify this covers the remote desktop connection your staff use daily
- Encryption keys managed and rotated; document who holds key management responsibility
- Your SLA with the hosting provider explicitly addresses encryption standards
4. Audit Logging and Monitoring
Cloud auditing must be enabled to capture access, modification, deletion, and movement of FTI by each unique user within the application. That sentence from the IRS Office of Safeguards Technical Assistance Memorandum is your audit log requirement in plain language.
Your checklist items:
- Logs capture user-level actions, not just system-level events
- Log retention period is defined and meets your professional standards obligations
- Logs are stored in a location separate from the systems they monitor (so an attacker can’t erase the trail)
- Someone reviews logs on a scheduled basis—weekly at minimum for high-privilege accounts
- Anomalous access (after-hours login from new geography, bulk data exports) triggers an alert
5. Backup Integrity and Recovery Testing
Backups must be encrypted, isolated (offsite), versioned to allow rollback after ransomware, and tested regularly for recovery. “Tested” means you’ve actually restored a backup to verify it works—not just confirmed the backup job completed.
- Backup schedule documented; RPO and RTO defined for each system category
- Backups stored offsite or in a geographically separate cloud region
- Versioning enabled so you can roll back to a point before a ransomware event
- Recovery test conducted at least annually; results documented
- Backup access restricted to authorized personnel only
6. Vendor Oversight and SLA Compliance
Firms must establish a legally binding SLA with cloud providers based on IRS Publication 1075 for how FTI is stored, handled, and accessed. Review your current provider agreement against this standard.
If your SLA doesn’t mention FTI handling, Publication 1075, or data breach notification timelines, that’s a gap. IRS covers the Publication 1075 requirements in detail and is worth bookmarking before your next vendor renewal.
Additional vendor checklist items:
- Provider’s subcontractor chain documented (who else touches your data?)
- Provider’s own security certifications on file and current
- Breach notification clause specifies how quickly you’ll be notified and in what form
- Exit clause allows you to retrieve all data in a usable format
7. Written Information Security Plan (WISP)
A WISP is not optional. Firms must maintain one that covers governance, risk assessment, access control, employee training, vendor oversight, incident response, backup, and annual review. The IRS and FTC both reference it.
Your WISP audit items:
- Document exists and is dated within the last 12 months
- Covers all eight domains above—not just a generic template you downloaded and never edited
- A designated qualified individual is named as responsible for information security oversight
- That individual reports annually to your board or equivalent governing body (FTC Safeguards Rule requirement)
- All staff have completed the training the WISP describes; training completion is logged
8. Annual Risk Assessment
Agencies must conduct an annual risk assessment of security controls for all information systems used for FTI, explicitly including the cloud environment. This assessment should:
- Identify new risks introduced since last year (new software, new staff, new hosting arrangements)
- Rate existing controls against current threat landscape
- Produce a written remediation plan for gaps
- Be completed before the assessment period ends—not after a breach
IRS Office of Safeguards: The 45-Day Rule
One item deserves its own section because firms regularly miss it: you must notify the IRS Office of Safeguards at least 45 days before transmitting FTI into any cloud environment. This applies when you first move to cloud hosting and when you change providers or materially change your configuration.
If your firm migrated to cloud hosting without that notification, document the gap, consult your professional liability carrier, and submit the notification retroactively with an explanation. Ignoring it doesn’t make the obligation disappear.
How Sagenext Helps
For firms that don’t want to own the infrastructure complexity described above, managed hosting removes the heaviest operational burden. Sagenext provides fully managed cloud hosting for the applications most CPA firms already use—QuickBooks Desktop, QuickBooks Enterprise, Sage 50, Sage 100, Drake, Lacerte, ProSeries, UltraTax, ATX, and others.
Provisioning, security updates, data backups, and software maintenance are handled for your firm. Staff connect via remote desktop from any location, with multi-user access configured per your structure. Because the environment is managed, the controls your WISP needs to document—encryption, access management, backup isolation, vendor SLA—are built into the service rather than assembled piecemeal by your IT generalist.
For firms that need a concrete starting point before their next peer review or risk assessment, a free trial is available with no credit card required.
Connecting Cloud Audits to Engagement-Level Standards
For firms conducting group audits under ISA 600 (Revised), cloud infrastructure controls feed directly into how you document direction, supervision, and review across components. Component auditors accessing shared cloud platforms need evidence that their access was scoped to their component and logged at the user level—both checklist items above.
AU-C 402 (service organizations) also applies when you rely on a cloud provider’s controls as part of your own control environment. Understanding which controls belong to the provider versus your firm—the shared responsibility model—determines what you need to test versus what you can rely on through the provider’s SOC report. Soc 2 Compliance For Accounting Firms A How To
Key Takeaways
- Notify the IRS Office of Safeguards at least 45 days before transmitting FTI to any cloud environment; this is a hard deadline, not a suggestion.
- Your WISP must be current, staff-trained, and signed off by a designated security officer who reports to your board annually.
- Audit logs must capture user-level access, modification, deletion, and movement of FTI—system-level logs alone don’t satisfy IRS Safeguards requirements.
- Backups need encryption, offsite isolation, versioning for ransomware rollback, and documented recovery testing.
- Vendor SLAs must be legally binding and reference IRS Publication 1075 if the provider handles FTI.
- Conduct and document an annual risk assessment that explicitly includes your cloud environment—don’t rely on last year’s assessment if you’ve changed providers or configurations.
Frequently Asked Questions
What triggers a cloud infrastructure audit for a CPA firm?
Three common triggers: a peer review that flags IT controls as a finding, an IRS Office of Safeguards inquiry into FTI handling, or a cybersecurity incident like a ransomware attack. Proactive firms also self-trigger annually as part of their WISP review cycle. If you’ve changed cloud providers, added a new hosted application, or onboarded a remote workforce in the past year, those changes alone justify a fresh audit of your current environment.
Does the IRS actually check whether firms notified the Office of Safeguards before moving FTI to the cloud?
Yes. The IRS Office of Safeguards conducts reviews of agencies and firms that handle FTI, and the 45-day pre-notification requirement appears in their Technical Assistance Memoranda. Failure to notify can jeopardize your authorization to receive and process FTI. The notification itself is straightforward—the risk of skipping it is not.
What’s the difference between a SOC 2 report and what the IRS requires for cloud environments?
SOC 2 evaluates a provider’s controls against the AICPA Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). The IRS Safeguards standard requires additional specifics: user-level audit logging of FTI access, tenant isolation documentation, a compliant SLA referencing Publication 1075, and your firm’s own WISP covering the cloud environment. A clean SOC 2 report helps but doesn’t substitute for the IRS-specific requirements.
Who is responsible for information security under the FTC Safeguards Rule?
The FTC Safeguards Rule requires firms to designate a qualified individual responsible for overseeing the information security program. That person must report to the board of directors—or equivalent governing body—at least annually on the state of the program. For small firms, this is often a senior partner or an outsourced CISO. The key is that the designation is documented and the annual reporting actually happens.
How often should a CPA firm test its cloud backups?
At minimum, annually—and that means an actual restoration test, not just confirming the backup job ran successfully. For firms with high transaction volumes or multiple client engagements running simultaneously, quarterly restoration tests of a representative sample are more defensible. Document each test: what was restored, from which backup, the date, and whether the restored data was verified as complete and usable.






