(LIET14/27) Smart, Secure, and Productive – Rebroadcast
January 12, 2027 @ 8:30 am - 11:50 am
Non Member Rate: $150

Event Description
Taxpayer data is one of the most valuable—and most targeted—assets in any CPA firm. This session focuses on how risk actually occurs in day-to-day CPA workflows and how firms can apply practical safeguards to reduce the likelihood of preventable incidents.
Participants will learn how IRS Publication 4557 guidance, the FTC Safeguards Rule requirements, and a Written Information Security Plan (WISP) work together in practice. The session emphasizes operational controls, staff decision points, and documentation that reflects actual firm activity—not theoretical or template-based approaches.
Rather than focusing solely on tools or awareness, this program explains how common incidents occur through ordinary business actions such as email requests, data handling, and approval workflows—and how verification procedures, defined responsibilities, and repeatable processes help mitigate those risks.
Attendees will leave with a clear, actionable approach to developing or strengthening a security program that is appropriate to their firm’s size and complexity and can be supported with consistent documentation and review practices.
Objectives
1. Explain how key regulatory guidance and requirements relate in practice
   Describe how IRS Publication 4557, the FTC Safeguards Rule, and a WISP collectively support safeguarding taxpayer and customer information.
2. Identify common risk scenarios in CPA firm workflows
   Recognize how incidents can occur through routine activities such as email communication, credential use, data transmission, and vendor interaction.
3. Describe appropriate safeguards across administrative, physical, and technical areas
   Explain the role of policies, training, physical protections, and technical controls in reducing risk within a CPA firm environment.
4. Evaluate the structure and purpose of a Written Information Security Plan (WISP)
   Identify core WISP components and assess whether documentation aligns with actual firm operations and responsibilities.
5. Apply verification and workflow controls to higher-risk activities
   Describe procedures such as out-of-band verification, defined escalation paths, and controlled approval processes for sensitive requests.
6. Describe key elements of an incident response process
   Outline common trigger events and the sequence of actions used to contain risk, preserve information, and coordinate internal response.
7. Identify documentation practices that support program oversight and review
   Recognize types of records (e.g., training, access review, incident notes, vendor oversight) that demonstrate ongoing use and maintenance of controls.

