Essential Documents You’ll Need to Prepare for Your WISP Audit
How do you know if everything is actually documented in your IRS WISP? How do you know if you’ve covered all the bases, leaving no holes in your plan?
If the IRS asks to see your Written Information Security Plan, are you ready?
Here are steps you can take to confirm that your security plan is complete and accurately shows how your firm protects client data.
Your IRS Mandated Written Information Security Plan (WISP)
Your Written Information Security Plan should clearly outline how your firm safeguards your clients’ sensitive information.
The IRS will look to confirm that your WISP is a “living document” customized to your firm and not a generic template. It should clearly identify risks specific to your line of business, describe the safeguards you have in place, assign responsibility within your firm, and explain how the plan is maintained.
A big red flag is a WISP that hasn’t been updated or reviewed in over a year. So be sure to schedule a review and update every year, or use WISP Builder, which includes reminders and makes updates easy.
Risk assessment to support your plan
A documented risk assessment should be included to support your Written Information Security Plan. The strength of your plan is shown by how thoroughly you have evaluated your procedures and identified where vulnerabilities might exist, including risks in:
- Software used at your firm
- Remote access authorization
- Employee conduct
- Use of physical devices
The IRS will want to see that your WISP is created based on real risks that could happen in your specific business – and not built on assumptions.
Cybersecurity policies and best practices
Include written policies supporting your security plan regarding:
- Passwords
- Data access
- Access to devices and systems
- Remote work
- Mobile devices
- Data storage
- Data transfer and removal
These policies show that you have carefully considered every moving part of your business and created a solid plan to help prevent theft of your clients’ sensitive information.
Employee training records
Employee training is one of the most overlooked aspects of the WISP, but truly the most important. A cybersecurity plan is only as strong as the people who put it into place. In case of an audit, you will want to prove to the IRS that you have been keeping your staff trained on your security plan consistently.
Keep a record that shows when each training occurred, what was taught, and have employees sign acknowledgement of the training. This proof of ongoing training is a great way for you to help ensure that your employees are ready, and it keeps you audit ready too.
Incident response plan and a log of any action taken
Include a detailed incident response plan outlining what happens if there is a data breach. Include action steps for employees to be able to successfully stop the breach quickly and report the breach to the authorities and clients effectively.
If you do experience a data breach, or any other security event occurs at your firm, it’s important to log it even if the issue was minor. Record what happened, who was impacted, and how your firm handled it. Transparency backed by accurate documentation is key to a strong security plan.
Third party vendor and service provider agreements
Your firm most likely relies on third-party software and service providers. Your WISP should include clear documentation proving that these vendors understand your security policies.
Include as much documentation as you can, such as contracts, security summaries, and written acknowledgement of your WISP, to prove to the IRS that you have reviewed every piece of your firm and the people and systems that have access to it.
System and Access Controls
Have documentation of the access controls on your systems, including lists of who has access and at what level:
- Specific roles
- Access levels
- Permissions
- Authentication policies
Specifics in this area of documentation show that you have been thoughtful and intentional about who has access – and that you are reviewing it regularly.
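The access documentation above is most convincing when it is paired with evidence that it is actually checked. The following is an added example (not code from the original page or from WISP Builder) of a periodic access review: it takes a constructed user inventory and a hypothetical role baseline, and flags permissions beyond a user's role, accounts without multi-factor authentication, unknown roles, and accounts whose access has not been reviewed within a year. The inventory values, role names, and permission names are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory for illustration only; not real firm data.
# "last_reviewed" is the date someone last confirmed this user's access is still needed.
ACCESS_INVENTORY = [
    {"user": "alice", "role": "preparer", "permissions": {"read_client_files"},
     "mfa": True, "last_reviewed": "2025-01-15"},
    {"user": "bob", "role": "preparer",
     "permissions": {"read_client_files", "manage_users"},   # more than a preparer needs
     "mfa": True, "last_reviewed": "2025-01-15"},
    {"user": "carol", "role": "admin",
     "permissions": {"read_client_files", "modify_client_files", "manage_users"},
     "mfa": False, "last_reviewed": "2024-03-01"},            # no MFA, review is stale
    {"user": "dave", "role": "contractor", "permissions": {"read_client_files"},
     "mfa": True, "last_reviewed": "2025-05-01"},             # role not defined in baseline
]

# Hypothetical role baseline: the maximum permissions each documented role should hold.
ROLE_BASELINE = {
    "preparer": {"read_client_files"},
    "bookkeeper": {"read_client_files", "modify_client_files"},
    "admin": {"read_client_files", "modify_client_files", "manage_users"},
}


def review_access(inventory, baseline, as_of, max_age_days=365):
    """Return a list of (user, finding) pairs for anything that needs attention.

    Finding codes:
      UNKNOWN_ROLE            - role is not in the documented baseline
      EXCESS_PERMISSION:<p>   - user holds permission <p> beyond their role
      NO_MFA                  - multi-factor authentication is not enabled
      STALE_REVIEW            - access not re-confirmed within max_age_days
    """
    findings = []
    for entry in inventory:
        user = entry["user"]
        allowed = baseline.get(entry["role"])
        if allowed is None:
            findings.append((user, "UNKNOWN_ROLE"))
        else:
            # Least privilege: anything beyond the role's baseline is a finding.
            for perm in sorted(entry["permissions"] - allowed):
                findings.append((user, f"EXCESS_PERMISSION:{perm}"))
        if not entry["mfa"]:
            findings.append((user, "NO_MFA"))
        age_days = (as_of - date.fromisoformat(entry["last_reviewed"])).days
        if age_days > max_age_days:
            findings.append((user, "STALE_REVIEW"))
    return findings


def review_log_entry(findings, as_of):
    """Build a dated summary suitable for the firm's review log."""
    counts = {}
    for _, code in findings:
        key = code.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return {"reviewed_on": as_of.isoformat(), "total_findings": len(findings), "by_type": counts}


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the example is reproducible
    found = review_access(ACCESS_INVENTORY, ROLE_BASELINE, today)
    for user, code in found:
        print(f"{user}: {code}")
    print(review_log_entry(found, today))
```

Running the review on a schedule and keeping each dated summary gives you exactly the kind of review log the IRS looks for, and the findings list doubles as the to-do list for removing unneeded access.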
Proof of ongoing review and updates
The final piece to prepare when sharing your WISP with the IRS is proof that you have been actively maintaining it. Include review logs showing what was tested and updated, and proof that employees were trained on the updates.
Remember that a WISP isn’t a one-and-done task. Regular reviews and updates are mandatory for continued compliance.
Preparation brings peace of mind
When the IRS asks for your WISP, you don’t have to panic. While this list may seem overwhelming, WISP Builder helps you create and maintain your WISP and ensure proper training. WISP Builder makes it easy to keep your WISP up to date, keeps all of your documentation in one place, and logs every employee who has been trained on your plan.