
WISP Compliance Guide for CPA Firms: Ensuring Security


    Introduction
    For CPA firms, protecting client data isn’t just good practice; it’s a legal requirement under the FTC Safeguards Rule (16 CFR Part 314). A Written Information Security Program (WISP) is the foundation of that compliance. It’s the first document a regulator will ask for if your firm is ever examined, and it’s the playbook your firm relies on during a security incident.

    In this guide, we’ll walk CPA firms step-by-step through how to create a WISP that meets FTC expectations, aligns with GLBA requirements, and scales to firms of any size. Whether you’re a solo practitioner or a 30-person team, this guide gives you the structure, templates, and examples to stay compliant and secure.


    What is a WISP (Written Information Security Program) for CPA Firms?

    A Written Information Security Program (WISP) is a formal document that outlines:

    • What customer information your firm collects
    • How it is protected (administrative, technical, physical safeguards)
    • Who is responsible for each area of security
    • Your policies for vendor management, incident response, and ongoing review

    Under the FTC Safeguards Rule, a WISP is mandatory for every “financial institution” under FTC jurisdiction that handles customer information, that is, “nonpublic personal information” (NPI) about the people it serves. The Rule requires the program to be written, to be appropriate to the firm’s size and complexity, and to include administrative, technical, and physical safeguards.


    Why CPA Firms Must Have a WISP

    The FTC Safeguards Rule treats CPA firms, tax preparers, and financial consultants as “financial institutions.” As such, they must:

    • Develop, implement, and maintain a WISP
    • Designate a Qualified Individual (QI) to oversee the program
    • Conduct a written risk assessment and reassess periodically as the business and threat landscape change
    • Oversee service providers (vendors) and train staff

    One caveat for small practices: a firm that maintains customer information on fewer than 5,000 consumers is exempt from a few of the Rule’s documentation requirements (the written risk assessment, the written incident response plan, and the QI’s annual written report), but not from the core duty to have and follow a WISP. Most firms document these items anyway, since they are the easiest way to show the program exists.

    Failure to produce a WISP when a regulator asks for one can result in:

    • Enforcement actions
    • Long-term oversight requirements
    • Major reputation damage
    • Potential civil penalties

    WISP Components: What Your Document Must Include

    1. Information Security Objectives

    Start by outlining your security goals, such as:

    • Ensuring client confidentiality
    • Preventing unauthorized access
    • Detecting and responding to incidents

    2. Data Inventory and Classification

    List the types of client data you handle, where it lives, and how it is classified:

    • SSNs, income records, banking info, QuickBooks files
    • Where data is stored (cloud, servers, laptops, backup drives)
    • Classification levels (sensitive, confidential, public)

    3. Roles & Responsibilities

    Identify:

    • Your Qualified Individual (QI)
    • Internal staff roles (admin, IT, partners)
    • External vendors or service providers with data access

    4. Risk Assessment Summary

    Include a written summary of your most recent risk assessment, such as:

    • Identified threats (phishing, weak passwords, ransomware)
    • Security gaps discovered
    • Actions taken to mitigate those risks

    5. Administrative Safeguards

    Document policies such as:

    • Password standards
    • Employee security training
    • Acceptable use policies
    • Remote work security guidelines

    6. Technical Safeguards

    Detail the technologies and controls used to protect data:

    • Encryption of customer information in transit over external networks and at rest
    • Multi-factor authentication (MFA) for anyone accessing systems that hold customer information
    • Firewalls, endpoint protection, and secure hosting platforms (e.g. Azure Virtual Desktop (AVD))
    • Logging and monitoring of user activity on systems that store client data
    • Secure disposal of customer information once it is no longer needed

    7. Physical Safeguards

    Include:

    • Locked file cabinets
    • Secure building access
    • Workstation security protocols

    8. Vendor Management Policies

    Specify:

    • Due diligence when choosing vendors
    • Contractual requirements (e.g. breach notification)
    • Review frequency of vendor security practices

    9. Incident Response Plan (IRP)

    Your IRP should outline:

    • How your firm responds to a breach (containment, investigation, recovery)
    • FTC notification rules: a breach of unencrypted customer information affecting 500 or more consumers must be reported to the FTC no later than 30 days after discovery
    • Any additional notification duties under state breach-notification laws
    • Internal escalation steps and who has authority to make decisions
    • Communication strategy with affected clients

    10. Program Review & Update Protocol

    Define how and when your WISP is updated:

    • Annual reviews
    • Post-incident revisions
    • Updates after significant business or technology changes

    Pro Tips for CPA Firms Writing a WISP

    • Use templates, but customize for your firm’s size and systems
    • Keep the tone professional, clear, and readable — not overly legal
    • Make it a working document, not a one-time report
    • Align your WISP with your training program, vendor oversight, and internal audits

    WISP Template Table of Contents (Example)

    1. Information Security Policy Statement
    2. Roles and Responsibilities
    3. Data Inventory & Classification
    4. Risk Assessment Overview
    5. Safeguards: Administrative / Technical / Physical
    6. Vendor Management Procedures
    7. Incident Response Plan
    8. Employee Training Policy
    9. Monitoring & Logging Procedures
    10. Annual Review and QI Reporting

    Final Thoughts

    Your WISP is your firm’s blueprint for securing client data and proving FTC compliance. With regulations tightening and breach risks increasing, a strong, tailored WISP is not optional — it’s essential.

    Office Heroes offers:

    • 📄 WISP starter kits tailored for CPA firms
    • 🧑‍💼 Outsourced QI services
    • 🔐 Secure QuickBooks hosting + compliance tools

    ✅ [Download the CPA WISP Template]
    ✅ [Book a Free FTC Compliance Readiness Assessment]
    ✅ [Explore Titan Tier for Managed Compliance & Hosting]

    Your clients trust you with their most sensitive data. A strong WISP helps you earn — and keep — that trust.
