
WISP Template for Accounting Firms: Build Yours Right
Your firm had a laptop stolen last quarter. Or a staff member clicked a phishing link. Or you’re staring down an IRS e-file application renewal and the agent asks whether you have a Written Information Security Plan. If any of those hit close to home, you need a WISP — and you need one that actually holds up, not a two-page PDF you downloaded and forgot.
This guide walks through how to build a WISP that satisfies the FTC Safeguards Rule (which applies to tax preparers and accounting firms as financial institutions under Gramm-Leach-Bliley), passes IRS scrutiny, and actually changes how your team handles client data.
Why the IRS Cares About Your WISP
The IRS began requiring tax professionals to maintain a WISP as part of its broader push on data security for preparers. The requirement isn’t buried in obscure guidance — Publication 5293 and the broader Security Summit materials spell it out. The FTC Safeguards Rule reinforces it: firms that prepare returns or handle taxpayer financial data are covered financial institutions and must maintain a written security plan.
Skipping this isn’t a minor oversight. A data breach without a documented plan on file puts your PTIN, your e-file authorization, and your client relationships at risk. For a solo or small firm, one breach can end the practice.
What a WISP Must Cover
A compliant WISP isn’t free-form. It needs to address specific areas. Here’s what to include:
1. Firm and Scope Information
Name the firm, the person responsible for the plan (your designated information security coordinator), and the scope — which systems, locations, and data types fall under the plan. If you host QuickBooks Desktop, Lacerte, or Drake on a third-party server, name those environments.
2. Risk Assessment
Identify where client data lives: local drives, cloud storage, hosted environments, email, portable media. Then identify threats — unauthorized access, ransomware, insider misuse, physical theft. You don’t need a 40-page risk matrix. An honest one-to-two page inventory that your staff will actually read beats a comprehensive document no one opens.
3. Safeguards in Place
Document your actual controls:
- Multi-factor authentication on all systems holding client data
- Password policy (minimum length, rotation, no shared credentials)
- Encryption on laptops and portable drives
- Firewall and endpoint protection software (name the product)
- Access controls — who can access which client files and why
- Physical security for any on-site servers or workstations
4. Employee Training
Name who gets trained, how often, and on what. Phishing awareness, password hygiene, and what to do if a device is lost are the three non-negotiables. Document that training occurred — a sign-off sheet or LMS record is enough.
5. Vendor Management
List any third-party service providers that touch client data. For each vendor, confirm they have their own security program. This matters especially for cloud-hosted software environments, payroll processors, and document management services. The IRS Security Summit resource page has sample vendor assessment language you can adapt.
6. Incident Response Procedures
This is the section most firms skip and most regret. Document:
- Who to call internally when a breach is suspected
- How to isolate the affected system
- How to notify clients (and state attorneys general — most states have breach notification laws)
- How to notify the IRS (use the IRS identity theft hotline for practitioners)
- How to document the incident
7. Plan Review Schedule
The Safeguards Rule requires annual review, or review when material changes occur — new software, new staff, new office location, new services offered.
Building From a Template vs. Writing From Scratch
The IRS provides a sample WISP template through the Security Summit. It’s a reasonable starting point, but treat it as a skeleton. The firms that get into trouble use generic templates verbatim — a document that says “we use [SOFTWARE NAME]” with the brackets still in is not a compliant plan.
Customize every section to reflect your actual tools, your actual staff count, and your actual workflows. If you run five users on hosted QuickBooks Enterprise and two staff use Drake remotely, say that. If your receptionist doesn’t have access to tax files, document that access restriction. Specificity is what makes the plan defensible.
For a 10-person firm, a WISP that runs eight to twelve pages is realistic and sufficient. Solo practitioners can often cover everything in five to six pages if they’re concrete.
Common Mistakes That Sink WISP Audits
Naming controls you don’t actually use. If your plan says all laptops are encrypted but three aren’t, you’ve created a liability, not a safeguard. Audit your actual environment before writing the plan.
No version history. Every time you update the WISP, save the old version with a date. Regulators and insurers want to see that you maintained the plan over time, not that you created it last week.
Forgetting remote access. If staff log into tax software from home or use a hosted desktop environment, that access path needs to be in the plan — what authentication is required, who provisions access, and how terminated employees are removed.
Treating the plan as a one-time project. A WISP written in January that’s never touched again is a liability by December. Set a calendar reminder for the annual review and assign someone to own it.
How Sagenext Helps
One of the harder sections to write in your WISP is the part about third-party hosted environments — because most small firms don’t know exactly what controls their hosting provider applies to their data.
Sagenext’s managed cloud hosting removes that uncertainty for the applications you’re already using. When your firm runs QuickBooks Desktop, Lacerte, Drake, ProSeries, UltraTax, or Sage 50 through Sagenext, the managed environment handles provisioning, automated data backups, software updates, and security infrastructure — so your WISP vendor section can accurately document a managed, secured environment rather than a self-administered server closet.
For a solo or small firm that doesn’t have a dedicated IT person, this matters directly: you can name a credible third-party managed host in your WISP instead of trying to document a patchwork of local controls. Multi-user access through a remote desktop session means your staff-access controls are consistent and auditable. Sagenext offers a free trial with no credit card required if you want to evaluate the environment before committing.
Building a WISP Into Daily Operations
A WISP lives or dies by whether your staff know it exists. After you finalize the document:
- Hold a 30-minute team meeting to walk through the incident response section specifically.
- Post the incident response contact list somewhere visible — not buried in a shared drive.
- Add WISP review to your annual firm planning calendar, not just tax season prep.
- When you onboard a new employee, include the WISP in their orientation materials and get a signed acknowledgment.
The firms that treat the WISP as a living document — not a compliance checkbox — are the ones that actually catch problems early. Review your cloud security practices annually alongside the WISP to make sure your documented controls match your actual hosted environment.
Key Takeaways
- A WISP is required for tax preparers under both IRS guidance and the FTC Safeguards Rule — it’s not optional.
- Use the IRS Security Summit sample as a starting skeleton, but customize every section to your actual tools, staff, and workflows.
- The incident response section is the one most firms skip and most need — document exactly who does what when a breach occurs.
- Name your third-party vendors, including hosted software providers, and document their security practices.
- A WISP needs an annual review and a version history; a plan written once and never updated creates liability.
- Moving to a managed hosting environment for your tax and accounting software simplifies the vendor section of your WISP and reduces the self-administered security burden on small firms.
Frequently Asked Questions
Does every accounting firm need a WISP, or only large practices?
Every firm that prepares federal tax returns or handles taxpayer financial data is covered — size doesn’t matter. The IRS and FTC Safeguards Rule apply to solo practitioners and large CPA firms alike. A solo preparer working from home still needs a written plan, though it can be shorter and more direct than a multi-office firm’s document. There’s no revenue or headcount threshold that exempts you.
Can I use the IRS sample WISP template as-is?
You can use it as a starting point, but submitting it verbatim is a mistake. The sample template contains placeholders and generic language that must be replaced with your firm’s actual software, staff roles, access policies, and vendor relationships. A document with unfilled brackets or controls that don’t match your real environment is worse than no plan, because it demonstrates you didn’t complete the process.
How often does a WISP need to be updated?
At minimum, annually. The FTC Safeguards Rule also requires review whenever a material change occurs — adding a new service line, onboarding a new cloud application, hiring or terminating staff with system access, or moving offices. Treat those events as automatic triggers for a WISP review, not just a once-a-year exercise.
What happens if my firm has a data breach and no WISP?
The absence of a WISP compounds every other problem. State breach notification laws still apply, IRS notification is still required, and clients still need to be informed — but without a documented incident response plan, you’re improvising under pressure. Regulators and courts view the absence of a written plan as evidence of negligence, which affects both liability exposure and any professional insurance claim you file.
Does hosting tax software in the cloud satisfy WISP requirements automatically?
No — but it simplifies them. A managed cloud host handles infrastructure-level security that you’d otherwise need to document and maintain yourself. You still need to document the vendor relationship, your own access controls, staff training, and incident response procedures. The managed environment reduces what you’re responsible for, but it doesn’t eliminate the need for a firm-level written plan.