Stay Compliant with the IRS WISP Requirements
Creating an IRS-mandated WISP, or Written Information Security Plan, is the first step to FTC compliance. But in order to stay compliant you must update your plan consistently and be able to prove that you have done so. All tax and accounting firms, and any other business that deals with sensitive client information, are required by the FTC Safeguards Rule to create, implement, and maintain a Written Information Security Plan (WISP).
An IRS WISP is a cyber security plan created by your firm that includes putting systems in place and creating company policies on how best to handle client data in order to help protect your clients’ personal information. Without a regularly updated IRS WISP your firm is considered non-compliant and could face fines and penalties up to $100,000 and 5 years in prison. More importantly, new cyber security threats continue to emerge. This constantly evolving threat means it is vital to your clients’ data security and to the well-being of your practice to update your security plan at least annually, or any time there is a change in your practice, technology, or IRS requirements.
What is required to stay compliant?
According to IRS Publication 4557, in order to stay compliant with the FTC Safeguards Rule every company must include in its Written Information Security Plan:
- A designated qualified individual who is responsible for implementing and enforcing the firm’s security plan;
- Multi-factor authentication for anyone who is able to access clients’ sensitive information within your system;
- Identification and assessment of the risks to your clients’ personal information in every area of your business, with a plan for minimizing these risks;
- A safeguards program that is regularly monitored and tested;
- Service providers who maintain appropriate safeguards and who are also required to maintain safeguards within their own services;
- Plans to regularly evaluate and update the security program;
- Ongoing training for employees to stay up to date on the firm’s security plan as well as keeping your firm’s WISP accessible to all employees at all times.
Notice that each of these areas of compliance is likely to change and shift throughout the course of business. The plan is meant to be flexible, recognizing that the size of the business, the scope of practice, and the level of sensitivity of client data determine the complexity of your security plan. This flexibility means there must be continued evaluation of, and adjustments to, the IRS WISP in order to stay in compliance.
In the case of a data breach, the IRS will ask to see not only whether your firm has a Written Information Security Plan, but also whether you have been sufficiently implementing and updating the plan as needed.
When do you need to update your IRS WISP?
IRS WISP requirements state that you must update your security plan at least annually. It is also important to schedule refreshers for your employees each year, or whenever changes are made to the firm’s WISP.
You are also required to make updates anytime there are changes within the company such as:
- New employees, seasonal workers, or contractors: all new personnel are required to be trained on the company’s Written Information Security Plan and to acknowledge the WISP so that you can prove compliance to the FTC;
- Changes in personnel; for instance, if the designated qualified individual implementing the security plan changes, that change must be recorded in the WISP itself;
- Changes in service providers, systems, or operations;
- Updates made to the policies and protocols after evaluating risks or learning of new threats to security.
If your firm changes in size or shifts its scope of practice, these changes will also impact your security plan. Any and all changes within the company need to be reflected in your Written Information Security Plan and acknowledged by your employees in order to stay compliant.
Create a strategy for maintaining compliance.
Getting compliant starts with creating your IRS WISP, but staying compliant requires you to keep your plan updated. It’s considered best practice for the designated qualified person who is implementing the security plan to schedule regular audits and reviews of the IRS WISP requirements, periodic training and awareness for employees, and to stay up to date on the latest cyber threats.
This means that you should create a cyber security review plan for your practice, one that acknowledges the need for legal compliance but is also sensitive to the needs of your practice. Here is a sample schedule to consider.
Prior to the beginning of tax season (October – December), but after extension filing is completed, work through the following cycle:
- Take out your WISP and review it. Make any updates as required and then approve it. Do this AT LEAST once a year. Ideally, add a time and date stamp to the plan to prove your evergreen compliance.
- Review and update any and all supporting elements of the plan. This includes reviewing policies and procedures, disaster recovery plans, security audit functions, and any PII-related sources.
- Update and schedule your training and staff reviews.
- Get signed acknowledgement of your newly updated WISP from all staff, and document any training attendance. Remember, this acknowledgment and training is not just for employees; it includes contractors as well.
Try to have this done before the end of the year. This will provide a great launch into the next filing season.
Special note for solo practices.
If it is just you or a couple of staff, DO NOT take shortcuts. You still need to prove that you reviewed, updated, and approved your WISP. You also need to acknowledge the WISP and provide evidence of training on security. Do not set it and forget it!
But the WISP cycle is more than simple proof of legal compliance. Many data breaches could be avoided simply by increasing awareness and training on protocols for security and protecting client data. So create a WISP that actually works for you and your firm.
Tools to keep on top of IRS WISP requirements to stay compliant.
When using WISP Builder, you will have reminders and notifications to help you stay on top of the required WISP review cycle. The editable template allows you to easily make updates as changes in employees, services, or operations come up throughout the year. The approval function shows that your plan is approved and when it was approved by key members of your firm. Training resources are included to help you keep all staff and contractors up to date. And the acknowledgement function proves to authorities that your Written Information Security Plan has been viewed and acknowledged by all key staff. The WISP Builder electronic signoff process proves this timely acknowledgement. Compliance can be complicated, but creating and maintaining your WISP doesn’t have to be.
Being proactive with a solid plan to help protect your clients’ confidential data is non-negotiable for your tax and accounting firm. WISP Builder’s purpose is to provide you with a tool that makes compliance easy and helps make your clients’ personal information more secure.