,

The Outdated WISP Problem Hiding in Many CPA Firms

By

A Written Information Security Plan may satisfy the question “do we have one?” But if it no longer reflects your people, systems, vendors and workflows, it may not help when your firm actually needs it.

Most CPA firms know they need a Written Information Security Plan, or WISP. Many have one saved somewhere, reviewed during a compliance exercise or pulled out when a client, insurer or regulator asks about security documentation. The better question is whether the plan still matches how the firm actually operates.

A WISP written a few years ago may not reflect how client data moves through the firm now. Since then, the firm may have added remote employees, seasonal staff, offshore support, new cloud applications, Microsoft 365 tools, AI platforms, vendors or acquired offices. Each change can affect how taxpayer information is accessed, stored, shared and protected. The firm changed, and the WISP should change with it.

A WISP is required, but that is only the starting point

Tax and accounting professionals are considered financial institutions under the Gramm-Leach-Bliley Act and FTC Safeguards Rule, which means they are required to implement and maintain a written information security plan. IRS Publication 5708 describes the WISP as a written and accessible plan that should be tailored to the firm’s size, scope, complexity and the sensitivity of the data it handles. It also describes the WISP as an “evergreen document” that should be reviewed, tested and updated as the business changes.

That last point matters. A WISP is not just proof that the firm checked a compliance box. It should help define who is responsible for protecting client information, where risk exists, what safeguards are in place and how the firm will respond if something goes wrong. If the plan no longer reflects current systems, staffing models, vendors or workflows, it may create a false sense of readiness.

Your firm may have changed more than the WISP has

CPA firms rarely change all at once. The shifts happen gradually. A new cloud application gets added. Seasonal staff are onboarded faster during tax season. A vendor gets access to client data. A team experiments with AI to summarize documents or draft client communications.

Individually, those changes may seem manageable. Together, they can make an older WISP outdated. Common changes that should prompt a WISP review include:

  • Remote or hybrid work that expands where and how firm systems are accessed
  • Seasonal, offshore or contractor staffing that changes who can access taxpayer information
  • New cloud applications, portals or collaboration tools that affect where client data lives
  • AI tools that raise new questions about data use, retention and review
  • M&A or office expansion that introduces inherited systems, vendors and access practices
  • Cyber insurance renewals or client security questionnaires that require evidence of controls

The issue is not whether these changes are bad. Most are necessary for growth, efficiency and better client service. The issue is whether the firm’s security documentation and controls have kept pace.

Where outdated WISPs create gaps

An effective WISP must bridge the gap between documented policy and the daily habits of employees to truly protect sensitive financial data. Firms that fail to align their security documentation with their evolving business models risk creating a dangerous false sense of organizational readiness.

An outdated WISP usually does not fail in one dramatic way. Instead, it gradually creates gaps between what the plan says and what actually happens.

Common examples include:

  • The WISP says access is limited by business need, but permissions across Microsoft 365, tax applications or client portals have not been reviewed in the past year.
  • The plan references vendor oversight, but new tools are added without a consistent approval process.
  • Employee training is documented, but seasonal staff, contractors or offshore team members are not clearly included.
  • Incident response roles are listed, but the firm has not tested who makes decisions, communicates with clients or manages reporting obligations.
  • Backup procedures are documented, but recovery has not been tested recently enough to prove the plan works under pressure.

AI is another pressure point. A WISP written before AI tools became widely available likely does not address which tools are approved, what client data can be used, how outputs should be reviewed or whether vendors can use firm data to train models. Those are not just AI policy questions. They are client data protection questions.

The FTC Safeguards Rule expects covered firms to develop, implement and maintain an information security program that includes risk assessments, access controls, encryption, app assessment, MFA, secure disposal, change management, activity logging, monitoring and testing, staff training, service-provider oversight and incident response. It also calls for periodic reassessment as operations change or new threats emerge.

That is why WISP reviews should not be treated as simply a paperwork exercise. They are an opportunity to ask whether the firm’s documented controls still line up with the way people work.

A current WISP supports better insurance and client conversations

WISP updates also matter because firms are being asked to prove more about their security posture. Cyber insurance renewals, client questionnaires and due diligence requests increasingly focus on how controls are enforced, not just whether they exist.

It is one thing to say the firm has MFA. It is another to show where MFA is enforced, how exceptions are handled and whether privileged accounts receive additional review. It is one thing to say backups exist. It is another to show when recovery was last tested and who is responsible if systems go down. It is one thing to say there is an incident response plan. It is another to know who makes decisions, who communicates with clients and how reporting obligations will be handled.

A current WISP gives firm leaders a clearer foundation for those conversations. It helps connect policy, technology and accountability in a way that is easier to explain to clients, insurers and internal stakeholders.

When should your firm review its WISP?

CPA firms should review their WISP regularly, but certain events deserve a closer look because they change how client data is accessed or protected. These include:

  • Adding offices or acquired firms
  • Expanding remote or seasonal staffing
  • Rolling out AI tools
  • Changing vendors
  • Updating identity and access practices
  • Preparing for cyber insurance renewal
  • Responding to client security questionnaires
  • Completing a risk assessment, tabletop exercise or security test

The goal is not to rewrite the entire plan every time something changes. The goal is to make sure the plan remains accurate enough to guide real decisions.

Treat the WISP as an operating document

A WISP should not sit untouched in a folder until someone asks for it. It should reflect the firm’s actual environment, including the people, systems, vendors and workflows involved in protecting client data.

For CPA firms, that alignment is becoming more important. Client expectations are higher. Insurance reviews are more detailed. AI and cloud tools are changing how work gets done. Staffing models are more flexible. M&A and growth can add complexity quickly.

An outdated WISP may still satisfy the question, “Do we have one?” But it may not answer the more important question: “Does this plan reflect how we protect client data today?”

That is the question firm leaders should be asking before busy season, before a renewal deadline and before an incident forces the issue.

If your firm is not sure whether its WISP still reflects how work actually gets done, Netgain can help you take a closer look. Our team works with CPA firms to align cloud, security, compliance and day-to-day operations so your documentation, controls and technology environment support the way your firm operates now.