The Federal Trade Commission Safeguards Rule, in accordance with the Gramm-Leach-Bliley Act, requires that every tax professional implement a Written Information Security Plan (WISP). The rule has been in place for many years, but in 2023 it became mandatory and actively enforced. Since then, the IRS has added compliance with this rule to its checklist of requirements for tax preparers and accounting firms.
In other words, every tax and accounting firm must have a WISP document describing how client and taxpayer data is protected, including administrative, technical, and physical safeguards.
If an outsourcing partner is preparing taxes, keeping books, or performing other accounting functions for your firm, then that partner also has to adhere to the same WISP standard. If not, your firm may face risks such as non-compliance issues, data exposure, and regulatory fines. So it is time to look for some likely red flags. For CPA firms evaluating new outsourcing vendors or auditing their current partners, it is critical to confirm whether those partners meet WISP requirements.
This blog presents 5 warning signs that indicate an outsourcing partner does not have a WISP document in place, and explains why your firm should take immediate action if any of them apply.
5 signs your outsourcing partner does not have WISP documentation
1. They cannot provide a copy or summary of their WISP
Any legitimate, compliant outsourcing partner will always be able to present a formal WISP or, at the very least, a summarized version outlining their information security framework.
If an outsourcing partner cannot provide documentation, or simply claims to “follow industry best practices,” that is a huge warning sign. No amount of verbal assurance can replace written, enforceable standards. Without a documented WISP, it is impossible to reliably confirm whether proper protocols are being followed for storing, accessing, and transmitting data.
In today’s regulatory environment, where the FTC Safeguards Rule and IRS standards require written documentation, a partner that cannot produce such evidence leaves your firm vulnerable to compliance failures and an increased risk of data breaches.
2. No record of risk assessments or security audits
A properly maintained WISP needs regular review and support in the form of ongoing risk assessments and security audits. A lack of diligence means threats may remain hidden for extended periods, giving cybercriminals ample opportunity to exploit unpatched systems or misconfigured networks.
Regular audits not only meet regulatory expectations but also build confidence that your partner’s controls remain effective as technology and risks evolve. Without such oversight, you are left simply trusting that everything is secure, an assumption that can quickly lead to costly and damaging consequences.
3. Employees receive no data security or privacy training
The weakest link in even the strongest security system is often an employee who has not received proper training. Under the FTC Safeguards Rule, ongoing employee training is a key element of WISP compliance. Every employee with access to customer or taxpayer data should be taught how to handle sensitive information, detect phishing emails, create and manage strong passwords, and report suspicious activity.
If the partner’s team has no structured training or appears to be unaware of the security policy, that represents a significant gap in their compliance and risk management. Most breaches do not result from sophisticated hacking; instead, they stem from simple mistakes, such as clicking on a malicious link or misplacing a highly confidential file.
Firms that do not train their teams put not only their own systems at risk but also those of their clients. A partner who takes training seriously will have documented programs, periodic refresher courses, and clear accountability measures in place. If yours doesn’t, it’s a signal that data security is not baked into their organizational culture.
4. No documented incident response plan
No organization is immune to cyber incidents, even with the best preventive measures in place. That is why every WISP should include a documented incident response plan: a process with the steps necessary for identifying, containing, and recovering from a data breach or other security event. Without a plan in place, valuable time is lost during an incident, which extends both the impact and the duration of the disruption. Furthermore, failing to report and remediate breaches in a timely manner can result in regulatory penalties, as well as damage to your firm’s reputation.
A good partner will have an incident response plan in place, with complete transparency into how they protect your data, manage the crisis, and restore operations quickly while keeping you informed every step of the way.
5. Weak access controls and poor vendor oversight
Strong access control policies are crucial to maintaining the integrity of client data. An appropriate WISP document should ensure that access to sensitive information is granted only to authorized persons, with such access limited to what each employee’s job function requires.
Suppose an outsourcing partner gives unrestricted access to customer data to all of their team members, or worse, uses third-party subcontractors without disclosing them to you. In that case, this is a severe lack of governance. Uncontrolled access poses a significant risk of insider threats, data theft, and accidental exposure.
The FTC Safeguards Rule also covers vendor management, meaning that your partner is likewise obligated to verify the security practices of any third-party entities they use. Weak oversight or informal vendor relationships can create hidden vulnerabilities in your data chain.
A responsible outsourcing firm will have documented access controls, employee permissions, and vendor agreements in place that are consistent with your firm’s own WISP and compliance obligations. Anything less puts your clients and your firm at risk.
Conclusion
For CPA firms dependent on outsourcing partners, the stakes for data security and regulatory compliance have never been higher. Every file shared, every system accessed, and every process handled externally carries potential risk. The reality is that a single weak link in your outsourcing partner’s information security practices can jeopardize not only your clients’ confidential financial data but also your firm’s reputation and compliance standing.
Because AcoBloom recognizes this, the company has teamed up with Verito to ensure enterprise-grade data protection for clients that meets and exceeds the FTC Safeguards Rule and IRS WISP requirements. Verito also offers free WISP templates that accounting firms can use to establish their own baseline WISP documentation, helping firms quickly align with compliance standards while building a foundation for stronger information security practices.