Bookkeepers and Enrolled Agents:
Your WISP Guide
Yes, the WISP requirement applies to your practice — even if you work solo, part-time, or primarily in QuickBooks. Here's what it means and what to do about it.
Yes — unambiguously. Under GLBA, any firm "significantly engaged" in financial activities is a financial institution subject to the FTC Safeguards Rule (16 CFR Part 314). Bookkeepers handle bank data, payroll records, income statements, and account credentials — all nonpublic personal financial information. Enrolled agents prepare tax returns, hold IRS power of attorney, and handle tax transcripts — fully covered.
The 5,000-consumer threshold does not exempt small firms from having a WISP; it only reduces documentation depth for some subsections. Whether you have five clients or five hundred, you still need a written program that identifies risks, designates a responsible person, and documents safeguards. IRS Publication 4557 requires tax professionals to safeguard taxpayer data, and IRS Publication 5708 provides the template structure the IRS expects. If you touch client financial data, the WISP requirement applies to you, regardless of firm size.
What WISPWolf does for bookkeepers and EAs
A compliance program sized for small practices, mapped to the actual rules that apply to you.
Built for small practices
WISPWolf works for solo bookkeepers and single-person enrolled agents, not just large CPA firms. The intake adapts to one-person workflows and still produces a defensible WISP.
Starts in 5 minutes
The guided intake covers your actual software, clients, and data handling. You answer plain-English questions; WISPWolf does the compliance writing.
Scored against real requirements
Your compliance score maps directly to IRS Publication 4557 and FTC 16 CFR Part 314, not a generic checklist. You see exactly where you stand.
Renewal on autopilot
Annual review reminders and one-click attestation keep your WISP current. Compliance becomes a habit, not a last-minute scramble.
From quiz to compliant WISP in under an hour
A simple process designed for bookkeepers and enrolled agents without an in-house IT team.
1. Take the guided quiz
Answer plain-English questions about your practice, tools, and clients.
2. Review your tailored WISP
Receive a bookkeeper-specific WISP mapped to GLBA and FTC requirements.
3. Connect Microsoft 365
Optional read-only integration verifies MFA and admin posture for live evidence.
4. Maintain with annual reviews
Track acknowledgements and schedule reviews so your WISP stays current.
Simple, transparent pricing
Pick the tier that matches your firm. Pilot pricing — cancel anytime.
Starter
For solo preparers and small practices getting compliant.
- Guided WISP assessment
- AI-assisted WISP draft
- FTC and IRS control mapping
- PDF export
- Annual review reminders
Professional
For growing firms that want an ongoing compliance program.
- Everything in Starter
- Compliance readiness score
- Gap remediation workflow
- Evidence organization
- Policy acknowledgement tracking
- Priority support
Agency
For multi-location firms and partners managing several programs.
- Everything in Professional
- Multi-client or multi-location support
- Team workflow
- Advanced reporting
- Partner-ready dashboard
- Dedicated onboarding support
Pilot program now open. 14-day free trial. No credit card required to start. Some advanced features are labeled “Coming Soon” and are actively in development.
Bookkeeper and EA WISP questions
Straight answers to the questions small practices ask most often.
I only have a few clients — do I still need a WISP?
Yes. The FTC Safeguards Rule and IRS Publication 4557 apply regardless of client count. A solo bookkeeper or enrolled agent has the same WISP obligation as a large firm. The difference is only the size and complexity of your documentation.
What's the difference between what a bookkeeper needs and what a CPA firm needs?
The framework is the same, but the risks differ. A CPA firm may emphasize audit workflows and multi-staff access. A bookkeeper's WISP focuses on QuickBooks access, payroll vendor oversight, client portal use, and bank-account verification.
I use QuickBooks and a client portal — what does my WISP need to say about those?
Your WISP should document who has access to each system, what MFA is enabled, how data is transmitted, and what happens if credentials are compromised. WISPWolf generates these sections automatically.
How do I prove my WISP to a cyber insurer or a client asking for it?
You need the WISP document, a signed annual review, evidence of safeguards like MFA, and proof of training. WISPWolf exports these as a single packet you can share directly.
Build your bookkeeper WISP today
Generate a tailored, GLBA-mapped Written Information Security Plan in under an hour. No templates, no consultants, no compliance theatre.
Sources: FTC 16 CFR Part 314, IRS Publication 4557, IRS Publication 5708.