IRS WISP Builder Tool | IRS WISP Compliance: How to Effectively Record and Store for Proof

Proving IRS WISP Compliance

Realizing that the security of your client’s personal information has been compromised is something every tax and accounting pro wants to avoid at all costs. Whether your client’s data is stolen because a negligent employee wrongly transfers information, because someone gains unauthorized access to your firm’s encrypted documents, or because a phishing attack gets into your company’s system, the Federal Trade Commission (FTC) will come knocking, ready to evaluate your business for IRS WISP compliance. To prove your firm’s compliance, you will be asked to show that preventative measures had been put into place through a Written Information Security Plan, or WISP.

Creating a Written Information Security Plan, or WISP, as a tax and accounting professional is required by the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission Financial Privacy and Safeguards Rule. There are specific requirements you should include in your security plan, from physical and technical safeguards meant to help keep your client’s sensitive personal information safe to administrative safeguards that train your employees to do the same. As a tax accountant, or any business that handles confidential client information, you need a WISP to be compliant with the FTC, but you are also required to record acknowledgement of the plan and store the document properly in order to stay compliant with the Safeguards Rule.

What is an IRS WISP?

A Written Information Security Plan, or IRS WISP, is an evergreen document mapping out your firm’s policies and procedures around how you plan to safely handle client data and other sensitive information. The goal of this required document is to help protect your client’s personal information from being stolen by identity thieves and cyber threats. The IRS WISP does not ensure protection, but it does create a plan to be aware of risks and prepared to handle them efficiently. Your IRS WISP should also include details on how your firm would respond in the case of a data breach, so that every employee knows their role in quickly stopping the leak and communicating the incident to authorities and clients.

Changes in employees, like new hires in the busy tax season, or changes in the service providers who monitor the company’s systems should be reflected in the WISP promptly in order to stay compliant. The IRS requires each tax and accounting firm to update its WISP at least annually, and as needed when changes happen within the company, in order to stay compliant with the FTC.

When a tax and accounting firm would need to prove compliance

Proof of WISP compliance is key to starting a practice in the tax and accounting industry, and it must be maintained and kept evergreen for the firm to stay in good standing. Proving that you have taken all steps required for compliance may also help you reduce charges and fines that lawsuits and investigations could bring in the case of a data breach.

To legally operate in the United States, every business that handles financial data, such as tax and accounting professionals, is required by the IRS and the FTC to create, maintain, and safely store a Written Information Security Plan.

Every year, or any time there are changes in personnel, tax and accounting firms are required to update their security plan in order to stay compliant.

In the case of a data breach resulting in a lawsuit, your IRS WISP helps you to prove compliance by demonstrating that your firm has taken steps such as encryption, multi-factor authentication, monitoring systems, and ongoing employee training on security best practices. Lawsuits can be detrimental to client relationships and the health of the business, which is why being able to prove that you had a protection plan in place is important to help you stay in business.

If an employee causes a data leak by negligently failing to follow protocol, your firm will be able to prove compliance by sharing detailed acknowledgement of ongoing employee training and awareness about how to best handle data security.

How to record and store to prove IRS WISP compliance

  • Create a paper trail that documents that every employee and contractor has acknowledged an understanding of the policies created in your IRS WISP;
  • Have employees and contractors sign and date each ongoing training and each update made to your WISP, so you can keep their acknowledgement on file;
  • Keep your IRS WISP easily accessible in a format such as a Word or PDF document, so employees can read and review it often;
  • Digitally store a copy of your WISP using the cloud in the case of physical disasters;
  • Keep your WISP evergreen and editable for regular reviews and updates when changes to your business are made.

Resources to help train employees and easily store your IRS WISP

WISP Builder provides resources to help you train employees on your company’s protocols created in your Written Information Security Plan. Updates and ongoing employee training are easy to implement with the evergreen format inside WISP Builder. The electronic auditable sign-offs make recording your employees’ acknowledgement simple while safely storing your IRS WISP offsite as required for compliance. Compliance can be complicated, but creating, recording, and storing your WISP doesn’t have to be.
