CO Compliance

April 15, 2026
BY PHILIP ROBB
7 MIN READ


What is a WISP, and Does Your Tax Practice Actually Need One?

A plain-English explainer for paid tax preparers: what a Written Information Security Plan is, who has to have one, and what happens if you don't.

If you renew a PTIN, the IRS now asks you a yes/no question: do you have a written security plan? Most paid preparers click yes without thinking about it. The IRS knows that, and the FTC has been telling them it’s a problem for several years now.

This post is for the solo CPA, the EA, or the small tax shop in Lubbock or anywhere else who suspects the honest answer might be no. Here’s what a Written Information Security Plan (WISP) is, who has to have one, and what’s at stake if you don’t.

What a WISP actually is

A WISP is a document. It describes how your practice protects taxpayer information. That’s it. It’s not a piece of software you buy. It’s not a service you outsource. It’s a written record of:

  • Who owns information security in your firm (a designated coordinator).
  • What information you have and where it lives.
  • The administrative, technical, and physical safeguards you use.
  • How you train your team.
  • How you handle vendors who touch taxpayer data.
  • What you do when something goes wrong.

The WISP exists so that on any given Tuesday morning, you can hand a copy to an auditor, an examiner, or a client, and say: this is how we run. Most practices that don’t have one couldn’t do that.

Who has to have one

Two pieces of federal regulation make this required, not optional:

The FTC Safeguards Rule (16 CFR Part 314). This rule applies to “financial institutions” — and in 2003 the FTC explicitly defined paid tax preparers as financial institutions for the purposes of the rule. If you take money to prepare a tax return, you fall under it.

IRS Publication 4557 (“Safeguarding Taxpayer Data”). This is the IRS’s plain-language companion to the Safeguards Rule. It’s not law; it’s the IRS telling you exactly what they expect a compliant security program to look like. Pub 4557 explicitly says you need a written plan and lists what should be in it.

Both apply to solo practitioners. Both apply to firms with two staff. There is no small-firm exemption.

What’s actually at risk

Three layers:

Direct penalties. The FTC can pursue civil penalties for Safeguards Rule violations. Numbers like $43,000 per violation get cited. In practice, the FTC mostly investigates after a breach, but the authority is real.

PTIN risk. Misrepresenting compliance on a PTIN renewal is a misrepresentation to the IRS. The IRS has been clear that this matters and that the question is not a formality.

The breach scenario. This is the one that actually shuts firms down. A staff member clicks a phishing email, the attacker pivots to your file server, and 800 client tax returns get exfiltrated. You have to notify every client, the IRS, possibly the state attorney general, and your E&O carrier. If you have a WISP and followed it, the conversation is “we were doing the right things and got hit anyway.” If you don’t, the conversation is “we were never doing what the regulations required.”

That second conversation tends to end careers.

What a real WISP contains

The IRS gives a template in Pub 4557. The structure most firms end up with is:

  1. Designated security coordinator — a real person, by name. Even if it’s the firm owner.
  2. Information inventory — what taxpayer data you collect, where it’s stored, who can access it.
  3. Risk assessment — documented, refreshed annually.
  4. Administrative safeguards — hiring, training, onboarding, offboarding, vendor oversight.
  5. Technical safeguards — MFA on all systems with taxpayer data, full-disk encryption, endpoint protection, secure backups, current patches.
  6. Physical safeguards — locked cabinets, badge access, surveillance where appropriate, secure disposal.
  7. Incident response plan — what you do in the first 24 hours of a breach, who you call, what you tell whom.
  8. Training program — annual at minimum, more often is better.
  9. Review cadence — when the document gets reviewed and re-signed.

A WISP is not a marketing document. It does not need to be polished. It needs to be true, and it needs to be followed.

The fastest way to get one

There are three reasonable paths:

  1. Use the IRS template. Pub 4557 contains one. It’s serviceable. It works best if you already understand the underlying technology and just need a structure.
  2. Hire it out. A CPA-firm-focused MSP or a security consultant can produce one for a few thousand dollars.
  3. Bundle it with managed IT. If you’re already paying for a Managed IT plan, the documentation should be part of the engagement. Ours is included for Carbon clients by default and available as an add-on at the Steel and Titanium tiers.

The wrong path is the fourth one: writing “yes” on the PTIN renewal and hoping no one ever asks to see the document.

Two-minute compliance check

If you want to know roughly where you stand right now, take our free WISP Compliance Check. It walks the same nine control areas the IRS covers in Pub 4557 and emails you a written gap report. No charge, no obligation, no marketing list.

If you want to talk to a human, our number is at the bottom of every page on this site.

