Does the IRS actually audit WISPs?

Not in the traditional tax-audit sense. The IRS conducts data-security reviews tied to your PTIN and EFIN. Revenue agents and Stakeholder Liaison staff can request your written plan, your risk assessment, evidence of staff training, and your incident response procedure at any time. If you cannot produce them, the IRS can escalate findings to the FTC and, in serious cases, suspend or revoke your EFIN. The checklist above mirrors the exact documentation categories we see requested most often.

How is this different from the IRS template?

The IRS Publication 5708 template is a skeleton. It tells you what sections to include, but it does not tell you whether your specific controls are adequate, whether your risk assessment is current, or whether your staff acknowledgements are documented. This checklist turns the template into an actionable audit-readiness tool — with yes/no items you can verify against your actual systems, not generic placeholders.

What if I answer no to several items?

Three or more 'no' answers means your firm has audit exposure right now. That is not a guess — it is the threshold at which most firms we onboard are missing documentation the IRS or FTC expects on request. The good news is that most gaps are fast to close with a guided workflow. Start with the free compliance quiz to see exactly which categories need attention first.

Can I use this checklist for cyber insurance too?

Yes. Most cyber insurance carriers now ask for the same five categories: written program, risk assessment, technical safeguards, training, and incident response. Underwriters often request evidence of MFA, encryption, backup testing, and staff acknowledgement. If you can tick every item on this checklist, you are in a strong position to answer 'yes' truthfully on the application — which typically reduces premiums and protects payout in a breach.

How often should I run through this checklist?

At minimum, once per year before PTIN renewal. We recommend twice: once at the start of filing season to catch gaps before client data volume peaks, and once at year-end as part of your annual WISP review. If you add staff, change tax software, switch IT providers, or experience any security event, run it again immediately. The FTC Safeguards Rule requires updates whenever your systems or risks change.

2026 Audit-Ready Checklist

Free WISP Audit Checklist for Tax Preparers

See if your firm's Written Information Security Plan would survive an IRS review or FTC enforcement action — in under 10 minutes.

By the WISPWolf Compliance Team · Updated June 2026 · 10 min read

Download the free checklist View sample WISP

The IRS Security Summit is actively increasing WISP enforcement for tax preparers, CPAs, enrolled agents, and small firms. In 2026, IRS examiners and FTC investigators look for specific documentation — not just that a Written Information Security Plan exists, but that it is current, implemented, and reviewable on demand. This checklist maps directly to IRS Publication 4557, IRS Publication 5708, and FTC 16 CFR Part 314. Use it before your PTIN renewal, before any cyber insurance application, and before your next annual WISP review.

IRS & FTC expectations

What IRS auditors look for in a WISP review

These are the eight documentation categories most commonly requested during IRS data-security reviews and FTC Safeguards Rule enforcement actions. Each item below is a direct quote or paraphrase from IRS Publication 5708, IRS Publication 4557, or 16 CFR Part 314.

Self-assessment

The WISP audit checklist

Work through each category. Mark yes only if you can produce documentation on request. If you mark no, that is a gap — and gaps are what auditors write up.

Written program documentation

Named Qualified Individual documented in writing with title, contact information, and scope of authority
WISP signed and dated within the last 12 months by the QI and firm leadership
Annual review attestation on file with date, reviewer name, and summary of changes
WISP version history maintained so an auditor can trace what changed and when
Staff list with access levels documented — who can access client data, on which systems, and at what permission level
Physical and remote access policy current, including visitor procedures, workstation locking, and off-hours access rules

Risk assessment & controls

Written risk assessment completed within the last 12 months with a clear completion date
Risk assessment covers all systems containing client data — tax software, cloud storage, email, backups, and any mobile devices
Risk ratings assigned and documented for each identified threat, with likelihood and impact scores
Control decisions mapped to risk findings — every risk has a corresponding documented control
Vendor security assessment on file for all data-handling service providers, including tax software, IT support, and cloud backup vendors

Technical safeguards

MFA enabled on all systems accessing client data — not just email, but tax software, cloud storage, remote desktop, and password managers
Data encrypted at rest using AES-256 or equivalent on all devices, drives, and cloud storage containing taxpayer data
Data encrypted in transit using TLS 1.2 or higher for email, file transfers, remote sessions, and API connections
Patch management policy documented and current — who patches, on what schedule, and how exceptions are tracked
Endpoint protection installed and active on all devices that access client data, including personally owned devices if used for work
Remote access requires VPN or equivalent secure connection; no direct RDP or unsecured remote access to firm systems

Staff training & acknowledgement

Annual security awareness training documented with curriculum, date, delivery method, and topics covered
Training attendance records on file for every employee and contractor with access to client data
Staff have signed WISP acknowledgement this year, confirming they have read the plan and understand their responsibilities
Onboarding security training documented for any new staff before they are granted access to client data

Incident response readiness

Written incident response plan exists and is current, with defined severity levels and escalation paths
IRS Stakeholder Liaison contact info documented for your state or territory, with a backup contact
State breach notification timeline documented — know your state's trigger, deadline, and required recipient list
Designated response lead named in writing, with clear authority to engage legal counsel, forensics, and insurance
Post-incident review process defined, requiring the WISP to be updated within 30 days of any security event

Remediation

After the checklist: what to do with your gaps

If you have gaps after running this checklist, you have three paths. First, fix them yourself using the IRS templates at irs.gov — free, but time-intensive and generic, and they do not tell you whether your specific controls are adequate. Second, use WISPWolf to identify, prioritize, and document remediation in a guided workflow that maps to your firm size, tax software, and IT setup. Third, engage an MSP or compliance attorney for complex gaps involving multi-office setups, inherited infrastructure, or prior security incidents. Most solo and small firms fall into the second path: the gaps are real, but the fix is procedural, not architectural. Start with the free compliance quiz to see your exact score and which category to tackle first.

Audit exposure warning

If you answered No to 3 or more items above, your firm has measurable audit exposure today. The FTC's enforcement posture in 2026 is active — "we planned to fix this" is not a defense in an investigation. Start with your highest-impact gaps first.

Score your readiness now

Free tool

Score your firm's readiness in 5 minutes

The WISPWolf compliance quiz turns this checklist into a scored assessment. You will see exactly which categories are green, yellow, or red — and what to fix first. No email required to see your score.

Take the free quiz View sample WISP

Related resources

FAQ

WISP audit questions, answered

Sources

IRS Publication 4557, Safeguarding Taxpayer Data
IRS Publication 5708, Creating a Written Information Security Plan
FTC Safeguards Rule 16 CFR Part 314
IRS Security Summit guidance and model WISP template
Verizon Data Breach Investigations Report 2024

Free WISP Audit Checklist for Tax Preparers

What IRS auditors look for in a WISP review

The WISP audit checklist

Written program documentation

Risk assessment & controls

Technical safeguards

Staff training & acknowledgement

Incident response readiness

After the checklist: what to do with your gaps

Audit exposure warning

Score your firm's readiness in 5 minutes

Dig deeper into WISP compliance

IRS Publication 5708 Guide

Annual WISP Review Checklist

Incident Response Plan Template

WISP audit questions, answered

Free WISP Audit Checklist for Tax Preparers

What IRS auditors look for in a WISP review

1A named, designated individual responsible for the program

2A written risk assessment dated within the last 12 months

3Evidence of multi-factor authentication on all systems holding taxpayer data

4Encryption at rest and in transit, with policy language

5Annual security awareness training with signed employee acknowledgements

6An incident response plan with notification timelines and contact lists

7Vendor oversight documentation and due-diligence records

8A documented annual review with sign-off and change-log

The WISP audit checklist

Written program documentation

Risk assessment & controls

Technical safeguards

Staff training & acknowledgement

Incident response readiness

After the checklist: what to do with your gaps

Audit exposure warning

Score your firm's readiness in 5 minutes

Dig deeper into WISP compliance

IRS Publication 5708 Guide

Annual WISP Review Checklist

Incident Response Plan Template

WISP audit questions, answered

Does the IRS actually audit WISPs?

How is this different from the IRS template?

What if I answer no to several items?

Can I use this checklist for cyber insurance too?

How often should I run through this checklist?