
Cybersecurity Checklist for CPA Firms
Your client hands you a signed Form 8879 and a folder of bank statements. Somewhere on your network, that data sits alongside dozens of other clients’ SSNs, EINs, and balance sheets. If your firm has never formally mapped where all of that lives — or tested what happens if ransomware encrypts it at 2 a.m. — you have a material risk problem, not just an IT problem.
This checklist is built around AICPA guidance and practical advice from several firm-focused security resources. Work through it section by section. Where you find gaps, fix them before the next busy season.
Step 1: Know What You’re Protecting
You cannot secure data you haven’t inventoried. AICPA guidance is explicit: identify the nature and type of data stored on firm IT systems, inventory sensitive data, and establish procedures to protect and dispose of it properly.
In practice that means building a plain spreadsheet that lists:
- Every device (workstations, laptops, mobile phones, servers)
- Every application that touches client data (QuickBooks, Lacerte, Drake, your practice management tool)
- Where data is stored — local drive, mapped network share, cloud sync folder, or hosted environment
- Who has access to each location
CPACharge’s accounting cybersecurity guidance adds hardware, software, data storage locations, and users with network access to this asset inventory. That full picture is what you hand a security assessor — or use yourself to close obvious gaps.
Step 2: Harden Authentication Across Every Entry Point
Stolen or weak credentials are among the most common ways attackers get in. Two controls matter most.
Strong passwords, enforced by policy. AICPA guidance calls for requiring strong passwords and training staff in proper password selection. In 2025 that means a minimum of 12–16 characters, no dictionary words, and a password manager so nobody reuses credentials across sites. Set this in Active Directory group policy or your identity provider — don’t rely on a memo.
Multi-factor authentication everywhere. Per Tech Advisors’ 2026 cybersecurity checklist for accounting firms, MFA should be required on email, VPN, remote applications, and accounting software. If a staff member’s password leaks in an unrelated breach, MFA is the control that stops it from becoming your firm’s breach. Enable it on Microsoft 365 or Google Workspace first, then on your remote desktop environment, then on every accounting application that supports it.
The AICPA & CIMA checklist also flags visitor management — only trusted, validated users and equipment should access your systems. That applies to temp staff, contractors, and any device plugged into your office network.
Step 3: Limit Privileged Access
Admin rights are a force multiplier for attackers. AICPA guidance says to limit the number of people with IT administration privileges to as few as possible.
For most five- to fifteen-person CPA firms, that means one named admin account and one emergency (break-glass) account, not every senior accountant. Whoever holds the admin account should also have a separate standard account for email and day-to-day work, so a phishing click never lands on a privileged session. Standard user accounts should not be able to install software or change network settings. If someone needs elevated access for a specific task, grant it temporarily and revoke it when the task is done. Log every privileged action, and review those logs.
Step 4: Patch and Update on a Schedule
The AICPA cybersecurity checklist recommends setting computers to automatically update the operating system and key applications. Unpatched software is one of the most reliable entry points attackers use, and it’s entirely preventable.
For Windows workstations, enable Windows Update with automatic installation. For third-party applications — Adobe Reader, browser plugins, Java — use a patch management tool or check manually on a documented weekly schedule. If you host QuickBooks Desktop or Sage 50 yourself, you own the update cycle; if it’s managed-hosted, your provider handles OS and platform patches for you.
Step 5: Monitor Your Environment
AICPA guidance recommends implementing security monitoring that includes intrusion detection and log review for servers, databases, key applications, and firewalls. For small firms without a dedicated IT team, this sounds intimidating, but the floor is low.
At minimum:
- Turn on audit logging for logon and account-management events in Group Policy, and alert on failed logon attempts (Windows Security Event ID 4625) and privilege escalation (4672 for logons granted admin privileges, 4728/4732 for additions to security groups). Forward the logs off the endpoint so an attacker who gets admin rights cannot simply clear them.
- Review firewall logs monthly — most business-grade routers surface this in a dashboard
- If you are on Microsoft 365 Business Premium, turn on Defender for Business (included in that plan); it provides endpoint detection and response without requiring a security operations center
- For firms with higher risk profiles or regulatory exposure, engage a managed security service provider for continuous monitoring
Monitoring is also how you catch insider threats — a departing employee exfiltrating client files shows up as anomalous large downloads if you’re watching.
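Applied to an exported Windows Security log, the "floor" above (and the privileged-action logging Step 3 calls for) fits in a short script. The following is an added example, not code from the original checklist or from any of the vendors it cites. The account names, the approved-admin list, and the event records are constructed for illustration; the Event IDs (4625 failed logon, 4672 special privileges assigned at logon, 4728/4732 member added to a security-enabled global/local group) are the standard Windows ones.

```python
"""Minimal log review for a small-firm Windows environment (added example).

Reads Security event records (for instance exported with Get-WinEvent on
a domain controller or file server) and flags the two things Steps 3 and
5 say to watch: bursts of failed logons and privilege escalation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: the firm's one named admin and its
# emergency break-glass account from Step 3. Anyone else receiving admin
# privileges at logon is a finding.
APPROVED_ADMINS = {"jsmith-adm", "breakglass"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Constructed sample events in the shape of exported Security log fields.
SAMPLE_EVENTS = [
    # password-spray style burst from one external address at 2 a.m.
    {"time": "2025-03-03T02:01:10", "id": 4625, "user": "mlopez", "ip": "203.0.113.7"},
    {"time": "2025-03-03T02:01:12", "id": 4625, "user": "mlopez", "ip": "203.0.113.7"},
    {"time": "2025-03-03T02:01:15", "id": 4625, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2025-03-03T02:01:18", "id": 4625, "user": "jsmith", "ip": "203.0.113.7"},
    {"time": "2025-03-03T02:01:21", "id": 4625, "user": "backup", "ip": "203.0.113.7"},
    # one mistyped password from the office LAN, followed by success (4624)
    {"time": "2025-03-03T09:15:00", "id": 4625, "user": "kchen", "ip": "10.0.0.24"},
    {"time": "2025-03-03T09:15:30", "id": 4624, "user": "kchen", "ip": "10.0.0.24"},
    # approved admin doing admin work
    {"time": "2025-03-03T10:02:00", "id": 4672, "user": "jsmith-adm", "ip": "10.0.0.5"},
    # a regular staff account suddenly holding admin privileges, and how it got them
    {"time": "2025-03-03T14:40:00", "id": 4672, "user": "mlopez", "ip": "10.0.0.31"},
    {"time": "2025-03-03T14:41:00", "id": 4728, "user": "mlopez",
     "group": "Domain Admins", "actor": "jsmith-adm"},
    # routine, non-privileged group change: not a finding
    {"time": "2025-03-03T16:00:00", "id": 4728, "user": "tempstaff",
     "group": "Tax Prep Users", "actor": "jsmith-adm"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source IP that produces >= threshold 4625 events
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append(_ts(e))
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"failed-logon burst from {ip}: "
                              f"{end - start + 1} failures within {window}")
                break
    return alerts


def unexpected_privileged_logons(events, approved=APPROVED_ADMINS):
    """4672 fires when a logon is granted admin-class privileges; any
    account outside the approved admin list doing so is a finding."""
    return [f"privileged logon by unapproved account {e['user']} from {e['ip']}"
            for e in events if e["id"] == 4672 and e["user"] not in approved]


def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Every addition to an admin group is reported, even when an approved
    admin did it: the point is that someone other than the actor reviews it."""
    return [f"{e['user']} added to {e['group']} by {e['actor']}"
            for e in events if e["id"] in (4728, 4732) and e.get("group") in groups]


def review(events):
    """Run all three checks and return the combined list of alert strings."""
    return (failed_logon_bursts(events)
            + unexpected_privileged_logons(events)
            + privileged_group_changes(events))


if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample data this produces three alerts: the 2 a.m. burst from 203.0.113.7, the unapproved privileged logon by mlopez, and the Domain Admins addition that explains it. The single failed logon from kchen is ignored because it never reaches the threshold, and the addition to "Tax Prep Users" is ignored because that group is not privileged. Tune the threshold and window to your own baseline before relying on it.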
Step 6: Build and Test an Incident Response Plan
The Invisus cybersecurity compliance checklist for CPA firms recommends a formal data breach incident response plan that is tested periodically. Most firms have no plan at all, which means when something happens, they improvise — and improvisation under pressure is expensive.
Your plan needs at minimum:
- Who declares an incident and has authority to act
- Immediate containment steps (isolate affected machine, revoke compromised credentials)
- Who notifies clients, state regulators, and the IRS, and on what timeline
- How you restore from backup
- A post-incident review to close the gap that was exploited
Test it with a tabletop exercise once a year. Walk your team through a ransomware scenario. Find out where the plan breaks before an attacker does.
Step 7: Run Regular Compliance Assessments
The Invisus checklist recommends regular cyber risk and compliance assessments reviewed against AICPA, FTC/GLBA, IRS, and state cybersecurity standards. CPA firms holding client financial data are covered by the FTC Safeguards Rule under GLBA, which means you have legal obligations, not just professional ones.
Schedule an annual assessment. Compare your controls against the current IRS Publication 4557 (Safeguarding Taxpayer Data) and your state's data security rules, and confirm that the written information security program the FTC Safeguards Rule requires is current. Document the results. Remediate findings on a tracked timeline. This documentation also matters if you ever face a regulatory inquiry or client dispute.
How Sagenext Helps
A meaningful share of the attack surface for accounting firms lives in the infrastructure around their software: the server it runs on, the backup process, and the remote access layer.
Sagenext provides fully managed cloud hosting for the applications most CPA firms already use: QuickBooks Desktop, Enterprise, Premier, and Pro; Sage 50 and Sage 100; Drake, Lacerte, ProSeries, UltraTax, ATX, and others. Because the hosting is managed, provisioning, data backups, security controls, and software updates are handled on the infrastructure side — your team connects via a remote desktop session and works, without owning the patching and server hardening burden.
For a five- to fifteen-person firm without dedicated IT staff, that shift is material. It doesn’t eliminate the checklist items above — you still own passwords, MFA, access policy, and your incident response plan — but it removes the infrastructure layer where many small firms are most exposed. A free trial is available with no credit card required.
Key Takeaways
- Inventory every device, application, and data location before you try to secure anything — you can’t protect what you haven’t mapped.
- MFA on email, VPN, remote applications, and accounting software is non-negotiable; a single compromised password should never be enough to reach client data.
- Limit admin privileges to the minimum number of people; most staff accounts should never have elevated rights.
- Automated patching plus a documented manual check for third-party applications closes the most common technical entry point.
- A written, tested incident response plan is the difference between a contained breach and a regulatory and reputational crisis.
- Annual compliance assessments against AICPA, FTC/GLBA, IRS, and state standards keep your obligations visible and defensible.
Frequently Asked Questions
What cybersecurity standards apply specifically to CPA firms?
CPA firms that hold client financial data are subject to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, IRS Publication 4557 requirements for safeguarding taxpayer data, AICPA cybersecurity guidance, and applicable state data security laws. The Invisus checklist recommends reviewing controls against all four frameworks annually. Some states have additional breach notification and data security rules that layer on top of the federal baseline.
How often should a CPA firm update its cybersecurity checklist?
At minimum, review your checklist annually and after any material change — new software, a staff departure, a new remote work arrangement, or a security incident. The threat environment changes faster than most firms update their policies, so a once-a-year formal assessment with a documented remediation log is the practical floor. Tie it to a fixed calendar date so it doesn’t slip.
Is multi-factor authentication required for accounting software?
Regulatory requirements vary, but the practical answer is yes. Tech Advisors’ 2026 cybersecurity checklist for accounting firms recommends MFA on email, VPN, remote applications, and accounting software. Most major accounting applications and hosting environments now support MFA. If yours doesn’t, that’s a significant risk and a migration conversation worth having.
What should a CPA firm’s incident response plan include?
At minimum: who has authority to declare an incident and act, immediate containment steps, a notification protocol for clients and regulators, a tested backup restoration process, and a post-incident review. The Invisus checklist recommends testing the plan periodically — annually at minimum. A plan that exists only as a document no one has practiced will break under pressure.
How does managed cloud hosting affect a firm’s security posture?
Managed hosting shifts responsibility for server patching, backup management, and infrastructure-level security to the hosting provider. That removes a large category of tasks that small firms often handle inconsistently. The firm still owns access control, MFA policy, staff training, and its incident response plan — but the infrastructure attack surface shrinks considerably compared to running software on a local server or unmanaged cloud instance.