Compliance expectations for CPA firms are rising, with both the Internal Revenue Service (IRS) and the Federal Trade Commission (FTC) outlining clear standards for how firms should manage and safeguard sensitive client data. These frameworks go beyond IT best practices — they represent the evolving benchmarks for professional responsibility in today’s regulatory environment. While IRS and FTC requirements don’t always match point for point, there’s significant common ground that firms can use to build a stronger, more unified compliance posture.
Two Regulators, One Shared Goal: Data Protection
The IRS has long required tax professionals to safeguard taxpayer data under Publication 4557, which outlines essential security controls to prevent unauthorized access and data theft. Separately, the FTC now enforces an updated Safeguards Rule under the Gramm-Leach-Bliley Act that specifically calls out CPA firms and other financial institutions, requiring a formal Written Information Security Plan (WISP), with designated oversight, and ongoing risk management.
The requirements aren’t identical, but they share a common principle: protect sensitive data at all costs. But this isn’t just about satisfying regulators – it’s to protect your firm’s reputation, your clients and your business continuity.
Beyond IRS and FTC: The Expanding Compliance Landscape for CPA Firms
While IRS and FTC requirements are top of mind, they’re just part of a broader set of obligations that firms should be aware of. Depending on your client base, geographic footprint and service offerings, your firm may also fall under other federal, state and industry regulations.
For example:
- The Gramm-Leach-Bliley Act (GLBA) underpins the FTC’s Safeguards Rule, but its requirements extend beyond cybersecurity into how firms share client financial data.
- The Sarbanes-Oxley Act (SOX) may apply if you provide services to publicly traded clients or support audit functions tied to financial reporting.
- State privacy laws like the California Consumer Privacy Act (CCPA) and others in states like Colorado, Virginia and Utah may apply depending on your data practices — even if your firm isn’t headquartered there.
Understanding these frameworks is key to building a holistic compliance program. To make sense of how these various laws and frameworks apply, here’s a quick reference guide CPA firms can use as a starting point:
Compliance Simplified: Key Regulations CPA Firms Should Keep Top of Mind
| Regulation / Law | Applies To | Top 3 Things to Know |
| --- | --- | --- |
| IRS Publication 4557 | Any firm handling taxpayer data | 1. Requires safeguarding taxpayer information through administrative, technical and physical controls. 2. Recommends implementing the “Security Six”. 3. Noncompliance may lead to civil or criminal penalties under IRC §6713 and §7216. |
| FTC Safeguards Rule (GLBA) | CPA firms defined as financial institutions | 1. Requires a Written Information Security Plan (WISP). 2. Mandates appointment of a “Qualified Individual”. 3. Enforces regular risk assessments and monitoring. |
| Sarbanes-Oxley (SOX) | Firms serving publicly traded companies | 1. Emphasizes integrity of financial reporting and internal controls. 2. May require IT controls reviews if supporting audit work. 3. Violations can carry serious legal and financial consequences. |
| State Privacy Laws (CCPA, CPA, VCDPA, etc.) | Firms collecting personal data from residents in covered states | 1. Require clear disclosure of data use and consumer rights. 2. May require opt-out mechanisms and data access requests. 3. Enforcement varies, but noncompliance can result in fines. |
| HIPAA | Firms serving healthcare organizations or handling ePHI | 1. Requires safeguards to protect electronic protected health information (ePHI). 2. Includes breach notification obligations. 3. Often relevant if your firm supports medical practices or healthcare providers. |
Turning Requirements into a Real-World Plan
It’s tempting to think of compliance as a year-end task, but delaying action leaves firms exposed. According to Accounting Today, cyberattacks targeting CPA firms often spike before and after tax season — when threat actors know data is moving and firms may be stretched thin.
This is where your WISP becomes more than just a document — it’s your foundation. A strong WISP addresses both the IRS and FTC requirements and provides a real-world roadmap for how your firm manages security risk, defines roles and responsibilities, outlines safeguards and ensures business continuity in the face of threats.
A few critical components of the WISP that are worth revisiting after tax season:
- Who’s currently responsible for cybersecurity oversight — and do they have the time and expertise outlined by the FTC’s “qualified individual” requirement?
- Did any shortcuts or new workflows emerge during tax season that need to be documented or remediated?
- Are your encryption, backup and authentication policies consistently applied across your systems and users?
- Have you captured any near-misses or incidents that surfaced during tax season to inform future training?
Where Requirements Overlap — and Where They Don’t
You don’t need two separate programs to meet IRS and FTC standards, but you do need to understand where their priorities align and where they differ.
For example:
- Both regulators expect encryption of sensitive data, both at rest and in transit.
- The IRS highlights the “Security Six” as baseline protections: antivirus software, firewalls, two-factor authentication, secure backups, encryption and VPN usage.
- The FTC goes further, requiring formalized vendor oversight, written risk assessments and regular testing of your security program.
If you approach your security planning with the FTC’s broader lens, you’ll likely exceed IRS requirements in the process — which can make audits and reviews far more manageable down the road.
Documentation Isn’t Optional
If your firm ever faces a breach or audit, regulators will expect more than verbal assurances. They’ll want evidence: written plans, risk assessments, training logs, security configurations and incident response playbooks. This is where many firms stumble — especially smaller ones without in-house IT leadership.
Investing in well-organized, audit-ready documentation now is not just about passing a future exam. It’s about building a practice that treats security and compliance as an ongoing process, not a one-time task.
From Obligation to Opportunity
Let’s be honest — compliance isn’t why most CPAs got into this profession. But in today’s environment, it’s becoming part of the job. Fortunately, it’s also a chance to differentiate your firm.
Clients are becoming savvier about how their data is handled. They want to work with firms that take security seriously. A clear, well-executed security program doesn’t just reduce your risk — it increases your credibility. And if you’re pursuing SSAE SOC 2 or ISO certifications down the line, becoming compliant now sets you up for success later.
Firms that treat compliance as an annual box-checking exercise often find themselves scrambling when issues arise. In contrast, firms that embed security and compliance into their day-to-day operations are better equipped to handle disruptions, respond to incidents and build long-term client trust. It’s a shift from reactive to proactive — and it pays off in both client confidence and operational resilience.
Need a Partner in the Process?
You don’t have to build this alone. At Netgain, we specialize in working with CPA firms to implement secure, compliant IT environments that support IRS and FTC obligations without disrupting day-to-day operations. From WISP development to risk assessments and managed security services, we help make security a business enabler — not a barrier.
Need help evaluating your compliance posture or building a WISP that checks every box? Contact us to start the conversation. Our team can help you assess where you stand and create a plan tailored to your firm’s needs.
Kate Krupey oversees Netgain’s CPA practice vertical, helping firms drive results through smart IT investments and bold change. Her experience as a CPA firm CIO gives her a unique perspective she now uses to guide firms and advance the profession.