IT compliance for accounting firms in 2026 is not one rule but two overlapping ones, and the firms that treat it as a single checkbox are the ones getting caught. A firm that prepares tax returns is a financial institution under the FTC Safeguards Rule, which means a written security program, and the IRS expects a Written Information Security Plan under Publication 4557 on top of that. Both duties strain hardest during tax season, when sensitive client data and staff access spike at the exact moment a firm has the least time to manage either. We work with accounting firms on this overlap year-round, and the same five gaps surface again and again. Each one is closeable well before an examiner, a client questionnaire, or a breach forces the issue.
The 5 IT Compliance Gaps That Expose Accounting Firms
IT compliance for accounting firms breaks down when a firm assumes antivirus and a locked office cover it, because the actual rules ask for a documented program with named controls. These five gaps are the ones we see turn into FTC exposure, IRS scrutiny, or a tax-season scramble, and every one is predictable if the firm looks before filing season.
- No Qualified Individual. The FTC Safeguards Rule requires a named person accountable for the security program, and many small firms have never assigned the role.
- A WISP that does not exist or does not match reality. The IRS expects a Written Information Security Plan, and a template downloaded once and never updated fails on contact with an audit.
- Missing MFA and encryption. Multi-factor authentication on email and remote access, plus encrypted devices, are baseline controls the rules name directly, yet they are still the most common gap.
- No breach-reporting plan for the 30-day clock. The FTC now requires reporting an event affecting 500 or more people within 30 days, and a firm without a plan misses a deadline it did not know applied.
- Tax-season access sprawl. Seasonal staff, shared logins, and rushed onboarding open access paths in filing season that no one closes in April.
Why IT Compliance for Accounting Firms Means Two Rules, Not One
IT compliance for accounting firms means satisfying the FTC Safeguards Rule and the IRS Publication 4557 expectation together, because a return preparer sits under both. The FTC treats tax preparation firms as financial institutions, which pulls them into the Safeguards Rule alongside banks and lenders. Separately, the IRS Publication 4557 sets the expectation that any firm handling taxpayer data maintains a Written Information Security Plan. The two rules overlap heavily, so a well-built program can serve both, but they are not identical, and a firm that meets one while ignoring the other is still exposed. This is the point most generic advice misses, and it is where our accounting-sector work starts: mapping which duty reaches your firm and how the two fit into one program.
How the FTC Safeguards Rule Reaches Accounting Firms
The FTC Safeguards Rule reaches accounting firms because the FTC classifies tax preparers as financial institutions, and the rule’s core provisions are already in force. Since June 2023, a covered firm must name a Qualified Individual, encrypt customer data, enforce multi-factor authentication, train staff, and maintain an incident-response plan. Some small-firm owners argue the rule was written for large institutions and cannot mean a three-person practice. The FTC’s own guidance is direct that the rule scales to the size and complexity of the firm, not that it exempts small ones. A small practice implements lighter controls than a national firm, but it implements them, and our FTC compliance work sizes the written program to the practice rather than bolting on enterprise overhead.
How the IRS WISP Requirement Adds a Second Duty
The IRS Written Information Security Plan requirement adds a second duty because the IRS ties a firm’s ability to handle taxpayer data to having a documented plan. Publication 4557 lays out the safeguards the IRS expects, and a WISP is the artifact that proves the firm thought them through. One view holds that a firm already meeting the FTC rule has effectively met the IRS expectation, since the controls overlap. That is largely true in substance, yet the IRS wants the plan documented in its own terms, so a firm that has controls but no written plan still falls short on paper. The honest position is that the two are close but not interchangeable, and the efficient move is one program written to satisfy both, rather than two disconnected efforts a firm cannot keep in sync.
What a Compliant Accounting Firm Actually Puts in Place
A compliant accounting firm puts a documented, named-owner security program in place, not a folder of unrelated tools, because both the FTC rule and the IRS expectation ask for a structured plan tied to real risk. The program starts with a Qualified Individual who owns it, then a risk assessment that inventories where taxpayer data lives, who can reach it, and how it moves between the firm, clients, and software. From there the plan defines the administrative, technical, and physical safeguards the rules name. Anchoring that plan to the NIST Cybersecurity Framework gives it a defensible structure an examiner recognizes, and our cybersecurity compliance team builds it so one document answers both the FTC and IRS asks.
How MFA, Encryption, and Backups Anchor the Program
MFA, encryption, and tested backups anchor the program because they are the controls both rules name and the ones examiners check first. Multi-factor authentication on email and remote access blocks the credential theft that drives most firm breaches, encryption protects data on lost or stolen devices, and a tested backup is the difference between a ransomware event and a ransomware disaster. A firm might argue these controls slow busy staff during filing season. The counterpoint is that a breach during filing season is far slower, since it can freeze client work at the worst possible time and trigger the reporting clock on top. The controls cost minutes; the incident costs the season.
How to Handle the 500-Person Breach-Reporting Clock
Handling the FTC breach-reporting clock means having a plan ready before an event, because the rule now requires reporting a security event affecting 500 or more people to the FTC no later than 30 days from discovery. A firm with a tested incident-response plan already knows who investigates, who counts affected individuals, and who files with the FTC. Some owners assume they will never cross the 500 threshold, and for the smallest practices that may hold. The risk is that a single compromised email account at a firm holding years of returns can reach that number fast, and a firm discovering the duty mid-incident burns days it does not have. Our emergency cybersecurity compliance support keeps that path documented so the 30-day clock does not start on a plan that does not exist.
How Accounting Firms Stay Compliant Through Tax Season
Accounting firms stay compliant through tax season by closing the access paths that filing season opens, because the sensitive-data spike and the staffing surge collide exactly when attention is thinnest. Seasonal preparers, shared portals, and rushed onboarding create access that no one revokes when the season ends, and that lingering access is a standing gap the rules hold the firm accountable for. A firm that provisions seasonal staff with individual logins, removes access on a schedule, and keeps its WISP current through the spike carries far less risk than one that improvises in March. Our tax-season IT guidance for accounting firms walks the operational side of this, and the compliance side runs on the same principle: the program has to hold when the firm is busiest, not just when it is quiet.
Frequently Asked Questions
Does the FTC Safeguards Rule apply to small accounting firms?
Yes, the FTC Safeguards Rule applies to accounting and tax preparation firms of any size, because the FTC classifies them as financial institutions. The rule scales to the firm’s size and complexity rather than exempting small practices, so a small firm implements lighter controls but still names a Qualified Individual, encrypts data, and enforces multi-factor authentication. Size changes the depth of the controls, not whether the rule applies.
What is a WISP and does my accounting firm need one?
A WISP is a Written Information Security Plan, the documented safeguards the IRS expects any firm handling taxpayer data to maintain under Publication 4557. Your accounting firm needs one if it prepares returns or holds taxpayer information, which covers nearly every practice. A template downloaded once is not enough, since the plan has to match how your firm actually handles data and stay current as that changes.
How do the FTC rule and the IRS WISP requirement differ?
The FTC Safeguards Rule and the IRS WISP requirement overlap heavily but are not interchangeable. The FTC rule names specific controls like a Qualified Individual, encryption, and MFA, while the IRS expects a documented plan in its own terms under Publication 4557. A firm with strong controls but no written plan can still fall short of the IRS expectation, which is why one program written to satisfy both is the efficient approach.
What is the FTC breach-reporting deadline for accounting firms?
The FTC requires a covered firm to report a security event affecting 500 or more people no later than 30 days from the date of discovery. An accounting firm holding years of client returns can reach that threshold from a single compromised account, so the deadline is not only a large-firm concern. A tested incident-response plan is what lets a firm meet the clock rather than discover the duty during the event.
How does tax season affect an accounting firm’s IT compliance?
Tax season raises an accounting firm’s compliance risk because sensitive data volume and staff access both spike when the firm has the least time to manage them. Seasonal preparers, shared portals, and rushed onboarding open access paths that often stay open after filing ends. A firm that provisions individual logins, revokes access on a schedule, and keeps its WISP current through the surge carries far less risk than one improvising during the busiest weeks.
Close the Gaps Before an Examiner or a Breach Finds Them
IT compliance for accounting firms rewards the practices that treat the FTC rule and the IRS WISP as one connected duty, built to hold through the season that strains it most. The five gaps here, no Qualified Individual, a missing or stale WISP, absent MFA and encryption, no plan for the 30-day breach clock, and tax-season access sprawl, are all predictable and all closeable before they turn into a fine or a frozen filing season. A firm that names an owner, writes one program to a recognized framework, and keeps a partner on the moving parts spends far less than one that discovers its obligations mid-incident. If you want a clear read on which duties reach your firm and where the gaps sit today, our team will walk your systems, flag the exposures generic advice misses, and build a program sized for a practice that lives and dies by tax season. Book a free strategy call and we will start with the assessment that keeps the surprises out.

