A WISP risk assessment is a written analysis of the threats to your firm's customer information, the likelihood and impact of each, and the safeguards that address them. It is required by 16 CFR § 314.4(b) of the FTC Safeguards Rule and is the foundation of every defensible Written Information Security Plan.
Every Written Information Security Plan that holds up under FTC examination, IRS Stakeholder Liaison review, or a cyber insurance claim audit shares one underlying artifact: a current, written risk assessment. The risk assessment is the document that justifies every other choice in the WISP: why you require MFA on these systems, why you encrypt those drives, why you train staff on this schedule, why you keep the vendor list you keep. Without it, the WISP is opinion. With it, the WISP is a defensible response to specific, named threats.
This template walks through the structure tax preparers, CPAs, bookkeepers, and enrolled agents can use to produce a risk assessment that satisfies 16 CFR § 314.4(b), aligns with IRS Publication 5708, and gives the firm a working tool — not just an audit artifact.
What the FTC Safeguards Rule actually requires
16 CFR § 314.4(b) requires every covered financial institution to base its information security program on a risk assessment that is:
- Written (the writing requirement of § 314.4(b)(1) applies to firms maintaining customer information on 5,000 or more consumers; smaller firms are exempt from that one provision but must still perform the assessment)
- Sufficient to identify reasonably foreseeable internal and external risks
- Specific about the criteria for evaluating and categorizing those risks
- Specific about the criteria for assessing the adequacy of existing safeguards
- Refreshed periodically to address material changes
Pub 5708 expects the same structure from every PTIN holder, regardless of size. The 2026 WISP requirements guide covers how regulators have tightened expectations.
The six-step risk assessment template
Step 1 — Scope and information inventory
Begin by listing the customer information your firm collects, stores, transmits, and disposes of. For most tax practices that includes:
- Names, addresses, Social Security numbers, ITINs
- Bank account and routing numbers (direct deposit, ACH)
- Driver's license and state ID numbers
- Wage and 1099 income data
- Dependents' SSNs
- Health insurance information (1095 forms)
- Investment, retirement, and brokerage statements
- Mortgage and HELOC information
- Prior-year returns and supporting documents
Next list the systems and locations where that data lives: tax software, document management system, email tenant, file server, cloud backup, physical filing cabinet, off-site storage. The inventory becomes the universe of assets the assessment scores.
Step 2 — Identify threats
For each asset, list reasonably foreseeable threats. The starter list every tax firm should consider:
- External — phishing, credential stuffing, ransomware, business email compromise, supply-chain compromise (e.g., tax-software vendor breach), nation-state actor targeting EFINs, ACH and wire fraud, social engineering of staff over phone.
- Internal — untrained staff clicking phishing links, departing employee exfiltrating client list, shared passwords, unauthorized side work on home computers, contractor over-privileged on production data.
- Environmental and availability — fire, water damage, hardware failure, ransomware-induced outage, ISP outage during deadline week, vendor outage (Microsoft 365, e-file software).
Step 3 — Score likelihood and impact
For each threat × asset pair, score:
- Likelihood — 1 (rare) to 5 (almost certain), based on industry incident data and your own history.
- Impact — 1 (negligible) to 5 (existential), considering financial cost, regulatory exposure, client harm, and reputational damage.
Multiply for an inherent risk score (1–25). Document the rationale in one sentence per row; auditors and underwriters read the rationale more carefully than the number. Phishing leading to credential compromise typically scores 5×4=20 for a tax firm today. Office fire destroying paper records typically scores 1×5=5: rare, but existential if the paper were the only copy. The backups that reduce that impact are a safeguard, so their credit belongs in the residual score in Step 5, not in the inherent score here.
Step 4 — Map existing safeguards
For each high-scoring risk, list the safeguards already in place. This is where the FTC Safeguards Rule checklist becomes useful: walk the nine elements and check off which ones address which risks. Typical mappings:
- Phishing → MFA on M365, security awareness training, EDR on endpoints, mail filtering.
- Ransomware → immutable cloud backup, EDR with rollback, application allow-listing.
- Insider data theft → least-privilege access, M365 audit logs, departure checklist with credential revocation.
- Wire fraud → callback verification policy, separation of duties on payment changes.
Step 5 — Calculate residual risk and decide
Re-score each row with the safeguard credit applied. The remaining number is residual risk. For every row still above a threshold the firm defines (commonly 9 of 25, or anything red on a heat map), document one of four decisions:
- Mitigate — add or strengthen a safeguard (e.g., move from SMS MFA to authenticator app).
- Transfer — buy or expand cyber insurance coverage.
- Avoid — stop performing the activity (e.g., stop accepting client documents over personal email).
- Accept — document the rationale and the partner who accepted it.
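Steps 3 to 5 are a small amount of arithmetic wrapped in rules that examiners actually check: every row has a rationale, every row with safeguards is re-scored, residual never exceeds inherent, and anything still above the threshold carries a decision (with a named partner if that decision is "accept"). The following is an added example, not part of WISPWolf's materials or template, showing those rules as a register that validates itself. The two sample rows are constructed to match the figures used in this guide; the threshold of 9, the safeguard lists, and the owner names are assumptions.

```python
"""Risk register scorer for Steps 3-5 of the template.

Added example, not part of WISPWolf's materials: inherent = likelihood x impact,
residual re-scored after safeguards, and any row still above the firm's
threshold must carry one of the four decisions. Sample rows are constructed;
the threshold of 9 and the safeguard lists are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

DECISIONS = ("mitigate", "transfer", "avoid", "accept")
DEFAULT_THRESHOLD = 9  # assumption: residual score above this needs a decision


@dataclass
class RiskRow:
    threat: str
    asset: str
    likelihood: int                       # inherent, 1 (rare) .. 5 (almost certain)
    impact: int                           # inherent, 1 (negligible) .. 5 (existential)
    rationale: str                        # one sentence; auditors read this first
    safeguards: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    decision: Optional[str] = None        # mitigate | transfer | avoid | accept
    decision_owner: Optional[str] = None  # partner who owns the action or acceptance

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Without a re-score the row keeps its inherent score (the "no re-scoring" mistake).
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent()
        return self.residual_likelihood * self.residual_impact


def validate(row: RiskRow, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Return the defects an examiner would flag on one register row ([] if clean)."""
    problems = []
    scores = [row.likelihood, row.impact]
    if row.residual_likelihood is not None:
        scores.append(row.residual_likelihood)
    if row.residual_impact is not None:
        scores.append(row.residual_impact)
    if any(not 1 <= s <= 5 for s in scores):
        problems.append("score outside the 1-5 scale")
    if not row.rationale.strip():
        problems.append("no rationale sentence")
    if row.safeguards and (row.residual_likelihood is None or row.residual_impact is None):
        problems.append("safeguards listed but residual risk never re-scored")
    if row.residual() > row.inherent():
        problems.append("residual score exceeds inherent score")
    if row.residual() > threshold:
        if row.decision not in DECISIONS:
            problems.append(f"residual {row.residual()} > {threshold} with no decision")
        elif row.decision == "accept" and not row.decision_owner:
            problems.append("risk accepted without a named partner")
    return problems


def heat_map(register: list, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Rows sorted by residual score, highest first, with a red/green flag."""
    def colour(score):
        return "red" if score > threshold else "green"
    return sorted(
        ((r.threat, r.inherent(), r.residual(), colour(r.residual())) for r in register),
        key=lambda t: t[2], reverse=True,
    )


# Constructed sample rows using the figures from the guide; not firm data.
PHISHING = RiskRow(
    threat="Phishing captures M365 credentials of a preparer",
    asset="M365 mailbox, SharePoint client documents",
    likelihood=5, impact=4,
    rationale="Phishing of tax firms in filing season is near-constant; ~200 returns exposed.",
    safeguards=["authenticator-app MFA via conditional access", "mail filtering",
                "quarterly awareness training", "impossible-travel alerts", "EDR"],
    residual_likelihood=2, residual_impact=3,
    decision="mitigate", decision_owner="Managing partner",
)
OFFICE_FIRE = RiskRow(
    threat="Office fire destroys paper records",
    asset="Filing cabinets, on-site server",
    likelihood=1, impact=5,
    rationale="Sprinklered office, no prior incidents; loss of every local record would be severe.",
    safeguards=["nightly encrypted cloud backup", "off-site copy of signed returns"],
    residual_likelihood=1, residual_impact=3,
)
REGISTER = [PHISHING, OFFICE_FIRE]

if __name__ == "__main__":
    for row in REGISTER:
        print(row.threat, row.inherent(), row.residual(), validate(row))
    print(heat_map(REGISTER))
```

Run it as-is to see both sample rows pass validation; then add a row with safeguards but no residual scores, or an "accept" with no owner, and watch `validate` report exactly the defects listed under Common mistakes below.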
Step 6 — Approve, file, and schedule
The Qualified Individual signs the assessment. The governing body (partner group, owner, or board) receives it as part of the written report that 16 CFR § 314.4(i) requires at least annually. The assessment is filed as an appendix to the WISP and the next review is scheduled on the calendar; most firms anchor it to the off-season, between April 16 and PTIN renewal.
Sample risk register row
Here is what a single row looks like when written for a small tax practice:
Threat: Phishing email captures M365 credentials of preparer who has access to the client document portal.
Asset affected: Microsoft 365 mailbox, SharePoint client documents.
Inherent likelihood: 5 — phishing of tax firms during filing season is near-constant.
Inherent impact: 4 — exposure of 200 client returns, mandatory breach notification, FTC and state AG reporting.
Inherent score: 20.
Existing safeguards: Conditional access requiring authenticator-app MFA from all locations; mail-filtering on the M365 tenant; quarterly security awareness training; M365 alerts on impossible-travel sign-ins; EDR on every endpoint.
Residual likelihood: 2. Residual impact: 3. Residual score: 6.
Decision: Mitigate further by adding hardware security keys (FIDO2) for the two partners with global admin rights. Re-assess at the next annual review.
Risk assessment for solo practitioners
A solo PTIN holder does not need a 60-page document. The Safeguards Rule's written-assessment requirement formally applies only to firms maintaining customer information on 5,000 or more consumers. But IRS Pub 4557 and Pub 5708 both expect a written assessment, and a five-page version is enough: one page per asset class, one page for the risk register, one page for safeguards, one page for the decision log, one page for the sign-off. The bookkeeper and EA guide shows how the lighter version still satisfies expectations.
Tying the assessment to incident response
The risk assessment and the incident response plan are designed to talk to each other. Every high-residual-risk scenario in the assessment should have a corresponding section in the IRP. If the assessment identifies ransomware as a top risk, the IRP must have a tested ransomware playbook. An examiner who sees a risk on the register but no IRP scenario will mark the program incomplete.
Common mistakes
Copy-paste risk lists. An assessment that uses the same threats as a 10-attorney law firm or a 200-employee credit union does not reflect your environment. Strip out anything that does not match how your firm actually operates.
Scoring without rationale. A number with no sentence behind it is indefensible. Every score should have a one-line justification.
No re-scoring. Firms often score inherent risk, list safeguards, and never recalculate residual risk. The whole point of the assessment is to show that controls reduce exposure; skipping the residual score defeats it.
No follow-through. An assessment that does not produce at least one or two action items per year is either an honest "no material change" report (rare) or a sign the assessment was performative. Auditors notice.
Bottom line
A risk assessment turns your WISP from a generic template into a defensible, firm-specific program. The six-step structure above takes a solo preparer about half a day and a small firm about a day. Run it once, schedule the next one, and you have closed the single largest gap most tax-and-accounting WISPs share. Pair it with the WISP template and the incident response plan template for a complete program.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation