
What IRS Auditors Commonly Look for During a WISP Review

A field-tested guide to IRS WISP audit expectations — what triggers a review, the documents and evidence auditors request, the mistakes that convert a routine inquiry into a formal finding, and how to prepare your Written Information Security Plan so it holds up under scrutiny.

Every paid tax preparer with a PTIN is required to maintain a Written Information Security Plan — a WISP. The requirement is not new, but the way the IRS verifies it has changed. In 2024 the PTIN renewal form added a data-security attestation. By 2026 the IRS Stakeholder Liaison program is actively sampling those attestations and requesting documentation. This article explains what an IRS auditor or field agent actually looks for during a WISP review, the evidence that satisfies them, and the gaps that typically produce findings.


Why the IRS requires a WISP

The IRS WISP requirement rests on three pillars: IRS guidance, federal regulation, and the PTIN holder's professional obligation to protect taxpayer data.

IRS Publication 5708

IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the IRS's official template and walkthrough. It names the seven sections every WISP should contain, from the designated Data Security Coordinator to the annual review attestation. Publication 5708 is not a statute, but it is the document IRS field agents reference when they ask to see your plan.

The FTC Safeguards Rule

The FTC classifies tax preparers as financial institutions under the Gramm-Leach-Bliley Act. That makes the FTC Safeguards Rule (16 CFR Part 314) directly applicable. The Safeguards Rule mandates nine elements, including a written risk assessment, enforced multi-factor authentication, encryption at rest and in transit, employee training, vendor oversight, and a tested incident response plan. The IRS WISP requirement and the FTC Safeguards Rule overlap almost completely; satisfying one generally satisfies the other.

Protection of taxpayer information

Section 7216 of the Internal Revenue Code restricts the use and disclosure of taxpayer information. The WISP is the practical framework that demonstrates how your firm honors those restrictions. Without it, a breach or misuse incident has no documented containment or response protocol.

PTIN holder responsibilities

Since the 2024 renewal cycle, the PTIN form has required every preparer to attest that they maintain a written data security plan. In 2026 the IRS is treating that attestation seriously. A false statement on a federal form can carry exposure under 18 U.S.C. § 1001, and the IRS Stakeholder Liaison program is the most common channel through which preparers are asked to produce their WISP and supporting evidence.

What an IRS auditor may request

An IRS WISP review is not a standardized checklist in the same way a financial audit is. The scope depends on how the review was initiated — routine sampling, a client complaint, a breach notification, or a referral from another agency. That said, the following categories of documents are requested in the majority of reviews.

Written Information Security Plan

The auditor will ask for the current WISP document itself. It must be dated within the last twelve months and must reflect your firm's actual environment — not a generic template with placeholder text. The document should name the Data Security Coordinator, describe your data inventory, and map administrative, technical, and physical safeguards to the risks you have identified.

Risk assessment

A risk assessment is required by both the FTC Safeguards Rule and IRS Publication 5708. Auditors expect to see a written evaluation of where client data lives, how it moves, who can access it, and what threats could compromise it. The assessment should be dated, signed, and reviewed at least annually. A risk assessment that is older than twelve months or that references systems you no longer use is a common finding.

Employee security procedures

Auditors want evidence that employees know the security policies and have been trained on them. This includes onboarding security briefings, annual refresher training, phishing simulations, and signed acknowledgment forms. Solo preparers are not exempt — if you have access to client data, you are the employee, and your training and procedures still need to be documented.

Incident response procedures

The WISP must contain a tested incident response plan that describes how your firm detects, contains, eradicates, and recovers from a security event. Since May 2024, the FTC Safeguards Rule also requires notifying the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving unencrypted customer information of 500 or more consumers. The IRS expects tax-data incidents to be reported to the Stakeholder Liaison, generally within 24 to 72 hours. An incident response plan that does not include contact information, escalation steps, and regulatory notification workflows will raise a flag.

Vendor management documentation

Every vendor that touches client information — tax software providers, e-file transmitters, cloud storage platforms, document portals, payroll processors, and IT support firms — must be documented. Auditors look for written agreements that address data security, evidence of due diligence before onboarding, and periodic re-evaluation. A vendor matrix with names, services, data types accessed, and review dates is strong evidence.

Security awareness training records

Training is not a one-time event. Auditors expect dated training completion records for every person with access to client data. Phishing simulation results, policy acknowledgment signatures, and annual refresher certificates all count. Gaps in training records — especially for new hires or contractors — are frequent audit findings.

Evidence of implemented controls

This is where many reviews turn formal. Auditors do not simply accept a statement like "we use multi-factor authentication." They want evidence: screenshots of MFA enforcement settings, encryption configuration reports, endpoint protection dashboards, access control review logs, and security monitoring alerts with documented responses. The more concrete and dated the evidence, the stronger your position.

The difference between having a WISP and following a WISP

One of the most important distinctions an auditor makes is between possession and practice. A WISP that sits in a folder and was last updated two years ago is a liability, not an asset.

Templates alone are not compliance

Downloading a WISP template and filling in your firm name is the starting point, not the finish line. The FTC Safeguards Rule explicitly requires you to keep the program current and to monitor or test safeguards on a continuing basis. A template cannot do that. A static PDF cannot enforce MFA, run a phishing simulation, or verify that a vendor still meets your security standards.

Stale documentation is a finding

An auditor who sees a WISP dated eighteen months ago, referencing software you no longer use, and naming a Data Security Coordinator who left the firm will document a deficiency. The annual review requirement exists specifically to prevent staleness. The review must be written, signed, and dated — and it must describe what changed and why.

Lack of evidence defeats the plan

A beautifully written WISP with no supporting evidence is like a financial statement with no underlying transactions. Auditors are trained to trace controls from policy to proof. If your WISP says you encrypt laptops but you cannot produce a configuration report or BitLocker recovery key inventory, the control is unsubstantiated.

Annual reviews close the loop

The annual review is not a calendar reminder — it is a governance event. The Qualified Individual (or Data Security Coordinator) must evaluate the program's adequacy, report to the firm's governing body, and produce a signed attestation. That attestation is what the IRS references when it samples PTIN renewals.

Evidence auditors like to see

Concrete, dated, and attributable evidence is the currency of a successful WISP review. The following categories carry the most weight.

Multi-factor authentication enabled

Screenshots of MFA enforcement policies from your identity provider, email admin console, tax software, and cloud accounting platform. Conditional access policies that block legacy authentication are particularly strong evidence. Phishing-resistant factors, meaning FIDO2/WebAuthn security keys and platform authenticators (passkeys), are the strongest position in 2026. Authenticator apps (TOTP codes or push prompts) satisfy the MFA requirement but are not phishing-resistant, because a user can be lured into typing the code or approving the prompt on an attacker's page; SMS codes are weaker still and should be documented as an exception with a retirement date.

Email security controls

Configuration reports showing SPF with a hard-fail policy (-all), DKIM signing enabled for every domain and service that sends on your behalf, and DMARC at p=quarantine or p=reject; a DMARC record at p=none only collects reports and does not count as enforcement. Anti-phishing and anti-malware rule sets. Email encryption for sensitive client communications. DLP policy screenshots that prevent unauthorized forwarding of tax documents.
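The enforce-mode check above can be verified rather than eyeballed. The following is an added example (not code from this page or from WISPWolf) that parses SPF and DMARC TXT records and reports anything short of enforcement: a soft-fail or neutral SPF qualifier, a DMARC policy of none, a pct below 100, or a missing rua address. The domains and records are constructed for the example; on a real domain you would feed it the output of `dig TXT yourfirm.example` and `dig TXT _dmarc.yourfirm.example`.

```python
"""Check SPF and DMARC records for enforcement mode.

Added example, not WISPWolf code. SAMPLE_RECORDS is constructed sample data.
"""
import re

# Constructed sample records for four hypothetical firm domains.
SAMPLE_RECORDS = {
    "good-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good-firm.example; pct=100",
    },
    "weak-firm.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:postmaster@weak-firm.example",
    },
    "partial-firm.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50",
    },
    "missing-firm.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+') or None."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' is equivalent to '+all'


def assess_domain(spf, dmarc):
    """Return a list of findings; an empty list means both policies enforce."""
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF missing or lacks an 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF ends in '{qualifier}all'; enforcement requires '-all'")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("DMARC record missing or invalid")
        return findings
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'missing'} is monitor-only, not enforcement")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports are never received")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings."""
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(f"{domain}: {'ENFORCED' if not findings else 'FINDING'}")
        for finding in findings:
            print(f"  - {finding}")
```

Save the printed output with the date it was run; that, together with the raw TXT records, is the kind of dated evidence the section describes.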

Encryption

Evidence of encryption at rest — BitLocker or FileVault configuration for endpoints, encrypted backups, encrypted cloud storage. Evidence of encryption in transit — TLS 1.2 or higher on all web services, VPN usage for remote access, secure file transfer protocols. Encryption that is claimed but not documented is treated as absent.

Endpoint protection

EDR or antivirus deployment dashboards showing all managed devices. Patch management logs with compliance percentages. Device inventory showing encrypted storage and screen-lock policies. Remote wipe capability for lost or stolen devices.

Security monitoring

SIEM or security-tool alert logs with documented response actions. Failed login attempt reports. Unusual access pattern investigations. Monthly or quarterly security review meeting minutes. Monitoring without response is only half a control — auditors want to see that alerts are triaged and closed.

Access control reviews

Quarterly access reviews showing who has access to client data and whether that access is still justified. Offboarding checklists that revoke access within 24 hours of termination. Role-based access policies that enforce least privilege. Shared-account elimination — auditors routinely flag generic or shared logins as a deficiency.
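The three checks in that paragraph (offboarding within 24 hours, no shared or generic logins, a documented review every quarter) can be run mechanically against an account export. The following is an added example, not WISPWolf code, and the account export, HR termination list and review date are constructed; a real run would take a user export from your identity provider and the termination list from HR. A dormant-account check is included as well, since an enabled account nobody has used in a quarter is a least-privilege finding in its own right.

```python
"""Access review helper: offboarding SLA, shared accounts, stale reviews, dormancy.

Added example, not WISPWolf code. ACCOUNTS_CSV and TERMINATIONS_CSV are
constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed identity-provider export: one row per account with client-data access.
ACCOUNTS_CSV = """\
username,owner,enabled,last_login,last_reviewed,role
jdoe,Jane Doe,true,2026-03-10,2026-01-15,preparer
mlee,Mark Lee,true,2026-02-28,2026-01-15,preparer
frontdesk,,true,2026-03-11,2025-09-01,reception
scanner,,true,2025-12-02,2025-09-01,service
rsmith,Rita Smith,true,2026-03-01,2026-01-15,admin
tnguyen,Tom Nguyen,false,2026-02-14,2026-01-15,preparer
"""

# Constructed HR termination list.
TERMINATIONS_CSV = """\
username,terminated_at
rsmith,2026-03-02T17:00:00
tnguyen,2026-02-14T12:00:00
"""

REVIEW_DATE = datetime(2026, 3, 12)
OFFBOARD_SLA = timedelta(hours=24)   # access revoked within 24 hours of termination
REVIEW_INTERVAL = timedelta(days=90)  # every account reviewed at least quarterly
DORMANT_AFTER = timedelta(days=90)    # enabled but unused for a quarter


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(accounts_csv=ACCOUNTS_CSV, terminations_csv=TERMINATIONS_CSV,
                  now=REVIEW_DATE):
    """Return {username: [issue, ...]}; an empty dict means the review is clean."""
    terminations = {
        r["username"]: datetime.fromisoformat(r["terminated_at"])
        for r in load_rows(terminations_csv)
    }
    findings = {}
    for row in load_rows(accounts_csv):
        user = row["username"]
        enabled = row["enabled"].strip().lower() == "true"
        if not enabled:
            continue  # disabled accounts are already offboarded
        issues = []

        # Offboarding SLA: a terminated user whose account is still enabled.
        if user in terminations:
            overdue = now - terminations[user]
            if overdue > OFFBOARD_SLA:
                issues.append(f"still enabled {overdue.days} days after termination")

        # Shared or generic login: no named owner means no accountability.
        if not row["owner"].strip():
            issues.append("no named owner (shared or generic account)")

        # Review cadence: every enabled account needs a documented quarterly review.
        since_review = now - datetime.fromisoformat(row["last_reviewed"])
        if since_review > REVIEW_INTERVAL:
            issues.append(f"last reviewed {since_review.days} days ago")

        # Dormancy: an enabled account nobody uses is unneeded privilege.
        since_login = now - datetime.fromisoformat(row["last_login"])
        if since_login > DORMANT_AFTER:
            issues.append(f"no login for {since_login.days} days")

        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access().items():
        print(user)
        for issue in issues:
            print(f"  - {issue}")
```

The output, signed and dated by the reviewer alongside the raw export, is a quarterly access review record an auditor can trace back to source data.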

Common WISP mistakes

The same mistakes appear across reviews regardless of firm size. Knowing them in advance is the fastest way to avoid a finding.

Downloading a template and never updating it

This is the single most common mistake. A template provides structure, but a WISP is a living program. Controls change, vendors change, employees change, and threats change. If the document does not reflect reality, it is worse than no document — it is evidence of a false attestation.

No annual review

The annual review is not optional. It is the mechanism by which the firm confirms that the WISP is still adequate. A missing annual review is an automatic finding in most structured audits.

No risk assessment

The risk assessment is the foundation of the entire program. Without it, there is no documented basis for the controls you have chosen. Auditors will ask how you decided which safeguards to implement; the risk assessment is your answer.

No documented procedures

Procedures do not have to be lengthy, but they must exist. How do you onboard a new employee? How do you offboard a departing one? How do you evaluate a new vendor? How do you respond to a phishing email? How do you report a breach? Each of these should have a written procedure, even if it is only a few paragraphs.

No verification of controls

A control that is claimed but never verified is a policy fiction. If your WISP says you patch endpoints within 72 hours, produce the patch compliance report. If it says you encrypt laptops, produce the encryption recovery key inventory. Verification closes the gap between intent and reality.
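The trace from policy to proof described under "Lack of evidence defeats the plan" and the two checks named in this paragraph (the patch compliance report and the encryption key inventory) come down to two questions: does each stated control have evidence dated inside the review period, and does the evidence actually show the control meeting its stated target? The following is an added example, not WISPWolf code, that answers both for a small constructed control list, evidence register and set of patch events; the control names, dates and hostnames are all made up for the example.

```python
"""Trace WISP controls to dated evidence and compute patch-SLA compliance.

Added example, not WISPWolf code. CONTROLS, EVIDENCE and PATCH_EVENTS are
constructed sample data.
"""
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2026, 3, 12)
EVIDENCE_MAX_AGE = timedelta(days=365)  # evidence must fall inside the annual review period
PATCH_SLA = timedelta(hours=72)         # the WISP's stated patch window

# Controls exactly as the WISP states them (constructed).
CONTROLS = [
    "MFA enforced on email and tax software",
    "Laptops encrypted with BitLocker",
    "Endpoints patched within 72 hours",
    "Quarterly access review",
]

# Evidence register: control -> [(description, date collected)] (constructed).
EVIDENCE = {
    "MFA enforced on email and tax software": [
        ("Conditional access policy screenshot", datetime(2026, 1, 20)),
    ],
    "Laptops encrypted with BitLocker": [
        ("BitLocker recovery key inventory export", datetime(2024, 11, 3)),  # older than a year
    ],
    "Endpoints patched within 72 hours": [
        ("Patch compliance report, Q1", datetime(2026, 3, 5)),
    ],
    # "Quarterly access review" deliberately has no evidence on file.
}

# Patch events: (hostname, patch released, patch installed or None) (constructed).
PATCH_EVENTS = [
    ("LAPTOP-01", datetime(2026, 3, 3, 18), datetime(2026, 3, 4, 9)),    # 15 h, in SLA
    ("LAPTOP-02", datetime(2026, 3, 3, 18), datetime(2026, 3, 8, 10)),   # ~112 h, late
    ("LAPTOP-03", datetime(2026, 3, 3, 18), None),                       # never installed
    ("DESKTOP-01", datetime(2026, 3, 3, 18), datetime(2026, 3, 6, 12)),  # 66 h, in SLA
]


def trace_controls(controls=CONTROLS, evidence=EVIDENCE, now=REVIEW_DATE):
    """Return {control: 'evidenced' | 'stale' | 'unsubstantiated'}."""
    status = {}
    for control in controls:
        items = evidence.get(control, [])
        if not items:
            status[control] = "unsubstantiated"
            continue
        newest = max(collected for _, collected in items)
        status[control] = "evidenced" if now - newest <= EVIDENCE_MAX_AGE else "stale"
    return status


def patch_compliance(events=PATCH_EVENTS, now=REVIEW_DATE, sla=PATCH_SLA):
    """Return counts, a compliance percentage and the hosts that missed the SLA.

    A host with no install yet whose deadline has not passed is 'pending' and
    excluded from the percentage rather than counted either way.
    """
    out_of_sla, pending = [], []
    for host, released, installed in events:
        deadline = released + sla
        if installed is None:
            (out_of_sla if now > deadline else pending).append(host)
        elif installed > deadline:
            out_of_sla.append(host)
    total = len(events) - len(pending)
    compliant = total - len(out_of_sla)
    percent = round(100.0 * compliant / total, 1) if total else 100.0
    return {"compliant": compliant, "total": total, "percent": percent,
            "out_of_sla": out_of_sla, "pending": pending}


if __name__ == "__main__":
    for control, state in trace_controls().items():
        print(f"{state:15s} {control}")
    report = patch_compliance()
    print(f"Patch SLA: {report['compliant']}/{report['total']} "
          f"({report['percent']}%) late: {report['out_of_sla']}")
```

In this constructed data the BitLocker control is stale (the key inventory predates the review period), the access review is unsubstantiated, and the patch report shows 50% compliance against the 72-hour window the WISP claims; each of those is exactly the kind of gap an auditor would write up.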

How a living WISP helps

A static WISP document is a snapshot. A living WISP is a system that stays current as your environment evolves. The difference becomes obvious the moment an auditor asks for evidence.

Continuous updates

A living WISP is updated whenever a material change occurs — a new software tool, a new vendor, a new employee, a new threat. The update is dated, the reason is documented, and the affected controls are reassessed. There is no scramble to reconstruct eighteen months of history before an audit.

Verification

Living WISP platforms like WISPWolf automate verification. Controls are linked to evidence sources — MFA policy screenshots, training completion logs, patch compliance reports. When a control lapses, the system flags it. When evidence is missing, the gap is visible before an auditor arrives.

Annual attestation

The annual review is generated from the living system, not reconstructed from memory. The firm's governing body receives a report that summarizes the year's changes, verifies the current control state, and produces a signed attestation that aligns with the IRS PTIN renewal requirement.

Evidence-backed compliance

The strongest position in an audit is one where every control in the WISP has a corresponding evidence file, every evidence file is dated, and every date falls within the review period. A living WISP maintains that connection continuously, so the audit becomes a presentation exercise rather than a remediation emergency.

WISP audit readiness checklist

Use this checklist to prepare your firm before an IRS WISP review or before your annual PTIN renewal attestation.

Documentation

  • Current WISP document dated within the last 12 months
  • Named Data Security Coordinator with authority to enforce policy
  • Written risk assessment dated and signed within the last 12 months
  • Data inventory showing where client information lives and who can access it
  • Employee security procedures and training program documentation
  • Incident response plan with contact information and regulatory notification workflows
  • Vendor management matrix with due-diligence files and review dates
  • Signed annual review attestation from the firm's governing body

Technical controls evidence

  • MFA enforced on every system that touches customer information
  • Email security: SPF, DKIM, DMARC in enforce mode
  • Encryption at rest for endpoints, backups, and cloud storage
  • Encryption in transit for all remote access and file transfers
  • Endpoint protection deployed on all managed devices
  • Patch management with documented compliance percentages
  • Security monitoring with alert triage and closure logs
  • Quarterly access control reviews with least-privilege enforcement
  • No shared or generic accounts with access to client data

Training and awareness

  • Security training completed by every person with data access
  • Phishing simulation results with follow-up for failures
  • Signed policy acknowledgments on file for all employees and contractors
  • Annual refresher training scheduled and documented

Incident preparedness

  • Incident response plan tested at least annually (tabletop or live)
  • FTC 30-day notification workflow documented and accessible
  • IRS Stakeholder Liaison contact information current
  • Cyber insurance carrier notification requirements reviewed

Conclusion: compliance is more than documentation

An IRS WISP review is not a paperwork exercise. It is a test of whether your firm actually protects taxpayer data — or merely claims to. The auditors who conduct these reviews have seen every variation of the generic template. They know the difference between a document that was downloaded and forgotten and a program that is maintained, verified, and evidenced.

The firms that pass reviews are not necessarily the largest or the most technically sophisticated. They are the ones that treat the WISP as an operational program rather than a compliance artifact. They update it when their environment changes. They collect evidence as they go. They review it annually and sign the attestation with confidence.

If you are unsure where your firm stands, the fastest way to find out is to measure your controls against the IRS and FTC requirements before an auditor does.


WISPWolf is evidence-backed compliance software for tax preparers and accounting firms — aligned with IRS Publication 5708 and the FTC Safeguards Rule. Answer 15 questions and get a personalized scorecard that shows exactly where your WISP stands and what an auditor would find.


Frequently asked questions

What is an IRS WISP audit?

An IRS WISP audit is a review of your Written Information Security Plan and the evidence that supports it. The IRS Stakeholder Liaison program or a field agent may request the document, risk assessments, training logs, and proof of controls as part of routine outreach or following a data-security incident.

Does every tax preparer face an IRS WISP audit?

Not every preparer is audited every year, but the IRS is increasingly sampling PTIN renewal attestations and requesting documentation. Firms that experience a breach, receive a client complaint, or are selected for random outreach are the most likely to be reviewed.

What documents does an IRS auditor typically request?

Auditors commonly ask for the current WISP document, the most recent risk assessment, employee security training records, incident response procedures, vendor management documentation, evidence of implemented controls such as MFA and encryption, and the signed annual review attestation.

Is a downloaded WISP template enough to pass an IRS review?

A template alone is rarely sufficient. The FTC Safeguards Rule requires that the program be current, tested, and adjusted to your environment. An auditor will look for evidence that the plan is being followed — not just that it exists on paper.

How often should a WISP be reviewed?

At least annually, and whenever there is a material change to your operations, technology, or risk profile. The annual review must be documented and signed by the firm's governing body or owner.

What evidence do IRS auditors value most?

Auditors value concrete evidence over policy statements. Screenshots of MFA enforcement, encryption configuration reports, endpoint protection dashboards, access control review logs, security monitoring alerts with response notes, and dated training completion certificates all carry more weight than a paragraph claiming the control exists.

Can a solo preparer be audited?

Yes. The WISP requirement applies to every PTIN holder regardless of firm size. Solo preparers are expected to maintain the same core controls — MFA, encryption, training, and incident response — scaled to their environment.

What happens if I fail an IRS WISP review?

A failed review can result in a referral to the IRS Office of Professional Responsibility, a record of the deficiency in your PTIN file, and exposure to FTC enforcement under the Safeguards Rule. Cyber insurers may also non-renew or deny claims if the WISP review reveals misrepresented controls.

What is the difference between having a WISP and following a WISP?

Having a WISP means the document exists. Following a WISP means the controls described in it are actively enforced, monitored, and updated. Auditors are trained to look for the gap between the two.

How can I prepare for a WISP audit before it happens?

Start with a current risk assessment, verify that every control in your WISP has evidence behind it, complete an annual review with a signed attestation, and keep training logs and vendor due-diligence files organized. A compliance scoring tool can help surface gaps before an auditor does.
