IRS WISP Builder Tool | FAQ

FAQs

General FAQs

What is WISP Builder?

WISP Builder is a web-based tool designed to help tax and accounting professionals create, manage, and maintain an IRS-compliant Written Information Security Plan (WISP). It simplifies the process of meeting IRS and FTC cybersecurity requirements using guided templates and secure digital tools.



Who needs a WISP?

Any business that handles sensitive client information—especially tax preparers, accountants, and financial professionals—is required by the IRS and FTC to have a Written Information Security Plan in place.


What does WISP Builder include?
  • An editable IRS WISP template based on IRS Publication 5708
  • Secure storage for your plan
  • Electronic sign-off and user acknowledgment features
  • User permissions and access control
  • Annual reminders for updates
  • Required training resources

Is WISP Builder compliant with IRS and FTC regulations?

Yes. WISP Builder is specifically designed to meet the requirements outlined in IRS Publication 5708 and the FTC Safeguards Rule, helping you stay compliant and avoid penalties.


How does WISP Builder help protect my business?

By guiding you through the creation of a comprehensive security plan, WISP Builder helps identify and mitigate risks to client data, reducing the likelihood of data breaches and ensuring regulatory compliance.


Can I customize my WISP?

Absolutely. WISP Builder provides a flexible template that you can tailor to the size, structure, and specific needs of your business.


What happens if I don’t have a WISP?

Failure to implement a WISP can result in fines, penalties, and increased risk of data breaches. It may also jeopardize your ability to legally operate under IRS and FTC guidelines.


Is training included?

Yes. WISP Builder includes training resources to ensure your team understands and adheres to your security plan.


How do I get started?

Sign up to begin building your IRS-compliant WISP today.


Can I add users?

Yes. Once you sign up, an account administrator can add or remove users. If you exceed the number of users in your contract plan, you will automatically be moved to the next plan level.


Do I control what each user can see?

Yes. The administrator is the only one who can add or delete users and establish which parts of WISP Builder they have access to.


Does each sign off create a new user?

No. Acknowledgment and review of the plan is a required function of an IRS WISP. If you need employees to review and acknowledge your published plan, this is done electronically, and these users are not given permanent logins unless you set them up.


Can I cancel my service?

Of course. But given the nature of the service, the annual fee is not refundable. So, use the tool until you move your service elsewhere.

I. Core WISP Requirements & Definitions

What is a Written Information Security Plan (WISP) for tax preparers?

A Written Information Security Plan (WISP) is a documented framework that outlines how your accounting or tax preparation business protects sensitive client data from unauthorized access, use, or disclosure. It includes policies, procedures, and safeguards to meet IRS Publication 4557 and FTC Safeguards Rule requirements. For tax preparers, a WISP is a compliance and cybersecurity necessity—not just a best practice.


Is a WISP mandatory for all accountants and tax preparers, regardless of size?

Yes. The FTC Safeguards Rule and IRS Publication 4557 require all tax preparers, accountants, and firms—whether you’re a solo practitioner or a large multi-office operation—to have a current and compliant WISP in place.


When was the WISP mandate for accountants and tax preparers effective?

While the IRS has long recommended data protection, the FTC Safeguards Rule updates, effective June 9, 2023, made a written security plan a mandatory compliance requirement for all tax preparers.


What is the primary goal of having a WISP?

The main goal is to protect sensitive taxpayer data, maintain regulatory compliance, and reduce the risk of data breaches. A WISP ensures your business can detect, respond to, and recover from cybersecurity incidents.


What specific regulations does a WISP help me comply with?

A WISP helps tax professionals comply with:

  • IRS Publication 4557 – Safeguarding Taxpayer Data
  • FTC Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA)
  • Certain state-level data protection laws (varies by state)

II. WISP Content & Components

What are the essential components that must be included in my WISP?

A compliant WISP should include:

  • A designated Qualified Individual or Security Coordinator
  • A risk assessment identifying potential threats
  • Administrative, technical, and physical safeguards
  • An incident response plan
  • Vendor and third-party security policies
  • Regular employee training requirements
  • Documentation and review procedures

How do I conduct a proper risk assessment for my accounting practice’s WISP?

A risk assessment involves:

  • Identifying the data you store and process
  • Mapping where and how that data is stored
  • Evaluating potential threats (cyberattacks, insider threats, physical theft)
  • Reviewing existing security measures
  • Documenting vulnerabilities and corrective actions

What are “safeguards” in the context of a WISP, and what are examples?

Safeguards are the measures you put in place to protect client information. Examples include encryption, firewalls, multi-factor authentication, locked file cabinets, restricted user access, and secure shredding of physical documents.


Do I need a separate Incident Response Plan (IRP), or is it part of the WISP?

The Incident Response Plan is typically included within your WISP. It outlines steps to take if a data breach occurs—who to contact, how to contain the breach, and required notifications.


What kind of employee training is required for WISP compliance?

Employees must be trained on identifying phishing attempts, handling sensitive information securely, following internal policies, and reporting suspicious activity. Training should be documented and conducted at least annually.

III. Implementation & Maintenance

Can I use a WISP template, or does it need to be custom-built?

Templates can help you start, but the FTC requires your WISP to be customized to your firm’s size, services, and risks. WISPBuilder.com creates customized, IRS-compliant plans tailored to your operations.


How often should I review and update my WISP?

At least annually—or sooner if there are major changes to your technology, staff, or regulatory requirements. Many firms review quarterly to stay ahead of threats.


Who should be designated as the “Qualified Individual” or “Security Coordinator” for my WISP?

This should be a knowledgeable person within your firm (or an outsourced professional) who oversees data security, vendor management, and compliance with your WISP. If you are a sole owner, you will fill all roles.


How do I ensure my third-party vendors (e.g., cloud software providers) are WISP compliant?

Include vendor compliance verification in your WISP. Request proof of security measures, review contracts for data protection clauses, and ensure they meet IRS and FTC standards.


What are the best practices for documenting WISP implementation and ongoing compliance?

Keep records of:

  • Risk assessments
  • Employee training logs
  • Incident reports
  • Vendor security reviews
  • Annual WISP updates and approvals

IV. Compliance & Consequences

How does the IRS verify WISP compliance? What should I expect in an audit?

The IRS may request to review your WISP during an audit or security-related inquiry. They will check for required components, recent updates, and proof of training and incident response planning.


What are the penalties for not having an up-to-date WISP?

Penalties can include fines, loss of e-file privileges, reputational damage, and in severe cases, legal action. For accountants, the risk of losing client trust is equally significant.


Does having a WISP protect me from data breaches entirely?

No plan can guarantee zero breaches, but a WISP greatly reduces your risk and limits damage. It also demonstrates compliance, which is critical in mitigating penalties if an incident occurs.


If I use tax software (e.g., Lacerte, UltraTax, QuickBooks Online), do I still need a WISP?

Yes. Software providers secure their platforms, but your firm is still responsible for how client data is accessed, stored, and transmitted within your environment.


Is there a specific form I need to file my WISP with the IRS or FTC?

No filing is required. However, you must have a documented plan readily available for inspection during audits or investigations.

V. Advanced / Specific Scenarios

How does a WISP apply to remote or hybrid accounting firms?

Your WISP should include policies for secure remote access, encrypted devices, VPN usage, and data handling procedures outside the office.


What are key WISP considerations for firms using cloud-based accounting solutions?

Include vendor security vetting, strong authentication methods, encrypted data transfers, and regular backups.


How does WISP compliance relate to cybersecurity insurance?

Most cybersecurity insurance providers require proof of data protection measures, including a WISP, to approve coverage or process claims.


What are common pitfalls or mistakes to avoid when creating or maintaining a WISP?
  • Using a generic template without customization
  • Failing to review and update regularly
  • Overlooking vendor compliance
  • Not training employees consistently


Where can I find additional resources or help to create and maintain my WISP?

You can access WISP templates, compliance checklists, and expert guidance at WISPBuilder.com — the easiest way for tax professionals to build and maintain an IRS-compliant Written Information Security Plan.

WISP Builder offers pricing plans to meet the needs of your firm.
