
IRS WISP: Your Required Written Information Security Plan, Explained

Every paid tax preparer is legally required to have a Written Information Security Plan. Here’s what it must include, who’s enforcing it, and the templates we use with our CPA firm clients to satisfy IRS Publication 4557.

ITva Editorial Team April 8, 2026 7 min read

If you're a paid tax preparer with a PTIN, you are legally required to have a Written Information Security Plan (WISP). This isn't optional, and it isn't aspirational: the requirement comes from the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, the amended rule in force since June 2023 spells out specific controls that tax preparers and accountants must have, and the IRS reinforces it through Publication 4557 and the PTIN renewal attestation.

Yet in nearly every CPA firm we onboard, the answer to "Where's your WISP?" is one of three things: blank stares, a generic template downloaded from somewhere that has the previous firm's name still in it, or a 100-page document that was clearly written by a lawyer and never read by anyone.

What a WISP Is (and Isn't)

A WISP is a written plan describing how your firm protects taxpayer data. It's required under the Gramm-Leach-Bliley Act, it's enforced by the FTC under the Safeguards Rule, and the IRS expects you to have one to maintain your PTIN.

PTIN renewal attestation

When you renew your PTIN, you check a box affirming that you are aware of your legal obligation to have a data security plan and to protect taxpayer information. That affirmation sits on a form signed under penalties of perjury. If you check the box without actually having a plan, you've already created a problem.

What Your WISP Must Include

IRS Publication 4557 and the FTC Safeguards Rule together cover nine elements your WISP needs to address. Skipping any of them creates audit risk:

  1. Designated security coordinator. A real person, named in the document, with the authority to enforce the plan.
  2. Risk assessment. Documented analysis of where taxpayer data is stored and how it could be exposed.
  3. Safeguards. Administrative, technical, and physical controls — what you're actually doing to protect data.
  4. Service provider oversight. If you use a cloud tax prep platform, hosted document portal, or virtual receptionist, you need to vet them before signing, require safeguards in the contract, and reassess them periodically.
  5. Multi-factor authentication. Required, not optional, on any system touching taxpayer data.
  6. Encryption. Data at rest and in transit.
  7. Workforce training. Documented, with completion records.
  8. Incident response plan. What you do when something goes wrong.
  9. Annual review and update. The plan is alive, not a museum exhibit.

The Tax Season Reality

Most CPA firms we work with don't have time to draft a WISP between January and April. We do the heavy lifting for them in the off-season — typically May through August — and then maintain it through quarterly reviews. By the time tax season hits, the firm is in compliance and the WISP is being followed without anyone having to think about it.

The plan is operational, not theoretical. When MFA is in your WISP, MFA is on your client portal. When endpoint encryption is in your WISP, every laptop is encrypted. When your incident response plan says "call your IT partner immediately," that contact info is current.
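As an added illustration (not from the original article), here is how the "every laptop is encrypted" line becomes evidence rather than assertion: a PowerShell script, run as Administrator on each Windows laptop, that records BitLocker status into the WISP evidence folder and fails when the operating system volume is not fully encrypted with protection turned on. The evidence path is an assumption; point it at wherever your firm keeps WISP records.

```powershell
# Added example, not part of the original article: endpoint encryption
# evidence check for a WISP review. Run as Administrator on each Windows
# laptop; uses the BitLocker module built into Windows 10/11 Pro/Enterprise.
# $EvidencePath is an assumption; change it to your firm's WISP evidence store.

$EvidencePath = "C:\WISP\Evidence"
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

# One row per volume, with the facts an auditor actually asks for:
# is it encrypted, is protection currently on, and what unlocks it.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        Checked           = (Get-Date).ToString('s')
        MountPoint        = $_.MountPoint
        VolumeType        = $_.VolumeType
        VolumeStatus      = $_.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        ProtectionStatus  = $_.ProtectionStatus   # On, or Off (Off = suspended even if the disk is encrypted)
        EncryptionPercent = $_.EncryptionPercentage
        KeyProtectors     = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    }
}

# Write the evidence file regardless of outcome, so a failing laptop is documented too.
$volumes | Export-Csv -Path (Join-Path $EvidencePath "bitlocker-$env:COMPUTERNAME.csv") -NoTypeInformation

# The control is satisfied only when the OS volume is fully encrypted AND protection is on.
# "Encrypted but suspended" is a common state after firmware updates and is not compliant.
$osVolume  = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
$compliant = ($null -ne $osVolume) -and
             ($osVolume.VolumeStatus -eq 'FullyEncrypted') -and
             ($osVolume.ProtectionStatus -eq 'On')

if (-not $compliant) {
    Write-Warning "$env:COMPUTERNAME: OS volume is not fully encrypted with protection on. Fix before tax season."
    exit 1
}
Write-Output "$env:COMPUTERNAME: endpoint encryption control verified."
```

Two things to read in the output: a ProtectionStatus of Off on an encrypted volume means BitLocker was suspended and never resumed, which happens routinely after firmware updates; and the KeyProtectors column should include RecoveryPassword, with that recovery password escrowed (Active Directory, Entra ID, or your RMM), or a locked-out laptop turns into a data-loss incident of its own.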

What Happens If You Get Audited?

FTC enforcement under the Safeguards Rule is real, but more commonly what hurts firms isn't the regulator. It's the notification obligation after a breach. Without a WISP, you can't demonstrate the reasonable security measures Florida's data breach notification law requires, and you have no documented incident response or encryption evidence to support the exceptions it allows. The notification cost alone often exceeds $50,000.

A real WISP, applied operationally, is the cheapest insurance you'll buy this year.

Written by ITva Editorial Team, ITva Technologies · Miami Dade & Broward

Don't have a WISP? We'll build one with you.

ITva's CPA firm clients all have a WISP that follows IRS Pub 4557 and satisfies the FTC Safeguards Rule. We'll do the same for your firm.
