Skip to main content
All resources
Training

Security Awareness Training for Tax Preparers: What Your WISP Must Include

IRS Publication 5708 and the FTC Safeguards Rule require documented security awareness training for all tax preparer staff. Here's what's required, what to cover, and how to prove it.

June 202610 min read
By the WISPWolf Compliance Team· June 2026Reviewed by WISPWolf Compliance TeamLast Updated: June 2026 · Verified July 16, 2026

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

Human error is the leading cause of data breaches in tax firms — 68% of breaches involve a human element according to the 2024 Verizon DBIR. The IRS and FTC know it. That's why IRS Publication 5708 and the FTC Safeguards Rule both require documented, ongoing security awareness training as a core WISP control. Not recommended — required. And not just once: training must be conducted at onboarding and annually for all staff. If your WISP doesn't document this control — or your documentation can't prove training actually happened — it's an open gap.

What the law requires

IRS Publication 5708 requires your Written Information Security Plan to include a plan for annual security awareness training that covers specific topics and is documented. The IRS expects current, system-specific training backed by proof of completion.

IRS Publication 4557, Safeguarding Taxpayer Data reinforces the same expectation: every tax preparer must establish and maintain safeguards for taxpayer data, and staff training is a required part of that program. A security training attestation is effectively signed at PTIN renewal.

FTC Safeguards Rule 16 CFR Part 314 requires covered financial institutions — including tax preparers — to implement security awareness and training for personnel as part of their information security program. The rule also requires oversight of service providers and anyone with customer information access.

This applies to solo practitioners too. If you have no staff, you are the staff, and your own training must still be documented. The IRS and FTC do not exempt one-person firms from the WISP security training requirements.

What training must cover

A compliant program should address the firm's actual technology and risks, but must cover these ten topics:

  1. Phishing and email-based social engineering. Tax season brings targeted phishing, fake IRS emails, and W-2 theft attempts. Staff must recognize suspicious senders, unexpected attachments, and urgent requests that bypass normal approval.
  2. Credential hygiene and password management. Use strong, unique passphrases for every system that stores taxpayer data. Avoid password reuse between personal and firm accounts.
  3. Multi-factor authentication use and importance. MFA must be enabled on email, tax software, client portals, and any cloud service. Staff should understand why it matters and how to use it properly.
  4. Proper handling of taxpayer PII (paper and digital). Social Security numbers, tax transcripts, and financial documents must be stored, transmitted, and disposed of securely — both on paper and electronically.
  5. Secure use of tax software and client portals. Staff should know how to log out securely, verify recipient identity, and avoid sending sensitive documents through unencrypted email.
  6. Clean desk and physical security practices. Lock computers, secure paper files, and control visitor access to areas where taxpayer data is visible or stored.
  7. Remote work and VPN requirements. Anyone working outside the office must follow the firm's remote-access policy, including VPN use and prohibitions on storing client data on personal devices.
  8. Device security. Cover screen locking, full-disk encryption, patching, and the exact lost- or stolen-device procedure staff must follow.
  9. Incident reporting. Everyone must know what to do the moment something looks wrong — who to call, how to preserve evidence, and when to escalate.
  10. AI-powered phishing and deepfake social engineering. This is the emerging 2026 threat. Staff should know that voice clones, video calls, and highly personalized emails can be generated by AI and require extra verification before acting on sensitive requests.

How to document training

Documentation turns a training session into a defensible WISP control. Here is a five-step process:

  1. Choose a training format. This can be formal security awareness software, an in-person walkthrough, or a recorded session. The law does not prescribe a vendor or delivery method; it only requires that the right topics are covered and the session is provable.
  2. Keep an attendance log. Record the date, the staff member's name, and the specific topics covered. An attendance log is the minimum evidence an auditor will expect to see.
  3. Have staff sign an acknowledgement form. A signed form confirms the employee completed the training and understands the firm's security policies. This is the difference between "we said it" and "they agreed they heard it."
  4. Store records for at least three years. The FTC recommends retaining information security program records for at least three years. Keep training logs, materials, and acknowledgements with your WISP.
  5. Note training in your annual WISP review. Document the training completion date, the next scheduled refresh, and any follow-up needed. This closes the loop on the annual WISP training requirement.

Common mistakes that create audit exposure

Most training failures are about incomplete coverage or missing proof, not bad content:

  • Training only for some staff. The IRS requires training for every person who accesses taxpayer data, including seasonal preparers, contractors, bookkeepers, and administrative staff.
  • No documentation of what was covered. A verbal walkthrough without a dated log or acknowledgement will not satisfy a WISP security training audit.
  • Covering phishing but not physical security or AI threats. A narrow program misses required controls and leaves gaps an auditor will flag.
  • No record that the solo practitioner trained themselves. One-person firms must document their own annual training just like a multi-staff firm.
  • Annual training done but acknowledgement form never signed. Training without an acknowledgement is a story without proof.

How WISPWolf tracks this

Dashboard Control

Training is a tracked control in WISPWolf

In the WISPWolf dashboard, security awareness training appears as a tracked compliance control. If training hasn't been documented or is more than 12 months old, it surfaces as an open gap with a "critical" or "review" flag. Policy acknowledgement tracking is built in — staff (or the solo practitioner) can sign off directly in the platform, creating a timestamped audit record.

  • Central training log with due dates and completion status
  • Per-staff coverage tracking including seasonal and remote employees
  • Annual review reminders tied to your WISP refresh cycle
  • Evidence storage linked to the control for fast audit response

Sources and next steps

This guide is based on the following authoritative sources:

  • IRS Publication 5708, Section on Employee Training
  • IRS Publication 4557, Safeguarding Taxpayer Data
  • FTC Safeguards Rule, 16 CFR Part 314
  • Verizon Data Breach Investigations Report 2024
  • NIST Cybersecurity Framework (training guidance)

If you are not sure whether your current training program meets IRS and FTC expectations, start with the free WISPWolf Compliance Score. It asks the same questions an auditor will and maps your answers to the controls your WISP must contain — including security awareness training.

Ready to prove your training program? Take the free quiz and get a personalized compliance scorecard.

Take the Free Quiz Open Checklist
References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required