IRS Publication 5708 requires a Written Information Security Plan with documented security awareness training. Tax professionals are also covered by the FTC Safeguards Rule (16 CFR Part 314). One live Team session satisfies both — with individual attendance records for your compliance file.
The WISP Requirement. IRS Publication 5708 requires every tax professional who maintains or accesses client tax return data to develop, implement, and maintain a Written Information Security Plan (WISP). The WISP must include security awareness training as a required control — with documented evidence of annual training for all staff who handle client tax data.
Double Compliance — IRS WISP + FTC Safeguards Rule. Tax preparation firms are listed as financial institutions under the FTC Safeguards Rule (16 CFR Part 314 §314.2(h)). This means a single tax professional firm must comply with both IRS Publication 5708 and FTC §314.4(j) simultaneously. Both require documented security awareness training for all personnel whose responsibilities involve handling client financial and tax data. A single session with documented attendance records satisfies both mandates and can be filed in both compliance documentation packages.
IRS e-File Application Impact. The IRS has integrated WISP completion into the e-file application requirements for tax professionals. A complete, implemented WISP — including documented staff training — is now part of the IRS's review process for e-file application renewals. Incomplete or undocumented training can affect your ability to file electronically for your clients.
Phishing and Social Engineering — The Primary Attack Vector. The most common threat to tax professionals is client impersonation fraud, W-2 phishing, and BEC targeting the firm's partners and administrative staff. Attackers use information from prior data breaches (or the dark web) to send convincing emails that appear to come from the IRS, client CFOs, or firm partners — requesting urgent wire transfers, bulk client W-2 exports, or filing access. Staff training on recognising and escalating these requests is the primary and most cost-effective defence.
Our Team session ($390) covers all staff who access client tax return data in a single 90-minute live session. Attendance records with individual timestamps are provided for every participant — filed in both your IRS WISP documentation and your FTC Safeguards compliance record.
Personal — $150 → Executive — $390 → Business — $900 flat →Every IRS WISP / FTC training engagement includes these artefacts for your compliance file:
Staff name, session date, session ID, and timestamp per participant — primary evidence for IRS WISP and FTC §314.4(j) documentation.
Date, duration, topics covered, instructor name — maps to your WISP security controls documentation and FTC Safeguards Rule programme records.
Threat scenarios covered (W-2 phishing, BEC, client impersonation, ransomware) — satisfies the role-appropriate training requirement.
Versioned curriculum with date, suitable for IRS WISP documentation review and FTC Safeguards Rule evidence package.
Attackers send emails impersonating firm partners, corporate HR departments, or clients — requesting bulk W-2 exports, client tax returns, or filing access. In documented cases, CPA firms have sent 800+ client W-2s in a single response. Staff who can recognise these requests and verify out-of-band are the primary and only effective defence.
BEC emails targeting tax firm partners impersonate the IRS, clients requesting urgent refunds, or vendors with updated payment instructions. The losses in documented cases run into six figures per incident. No technical control prevents an employee from following instructions in a convincing impersonation — only staff training does.
A ransomware attack on a tax firm's practice management software encrypts years of client tax returns. Recovery takes weeks. The breach triggers IRS breach notification obligations and potentially state attorney general notifications for every affected client. Staff training on recognising the phishing emails that precede ransomware deployment addresses the primary entry vector.
IRS Publication 5708 requires every tax professional who maintains or accesses client tax return data to develop and implement a Written Information Security Plan (WISP). The WISP must include written policies, procedures, and controls — including annual security awareness training for all staff with access to client tax data. The IRS has integrated WISP completion into the e-file filing requirements for tax professionals. Without a documented training programme, your WISP is incomplete and your e-file application may be affected.
Yes. Tax preparation firms are specifically listed as financial institutions under the FTC Safeguards Rule (16 CFR Part 314 §314.2(h)), meaning they must comply with both IRS Publication 5708 and FTC §314.4(j) simultaneously. Both require documented security awareness training. A single session with attendance records satisfies both requirements and can be filed in both your IRS WISP documentation and your FTC Safeguards compliance record.
Client impersonation fraud — attackers use information from prior breaches to impersonate tax professionals and request bulk client data. BEC targeting the firm's partners — attackers impersonate the IRS or clients to request wire transfers or sensitive documents. Ransomware on practice management software, which contains years of client tax returns. W-2 fraud where attackers use a tax professional's email to request employee W-2 data from HR departments. Staff training on recognising these scenarios is the most cost-effective control available.
IRS Publication 5708 and the FTC Safeguards Rule both require annual refresher training. New staff must receive training upon joining and before accessing client tax return data. Training must be documented — with individual attendance records that show who completed training, when, and on what topics. In an IRS audit, FTC investigation, or breach notification event, the absence of documented training is one of the first gaps investigators identify.
An IRS/tax breach of client tax return data triggers mandatory breach notification obligations under the WISP and potentially state data breach laws. The absence of documented training creates additional exposure under the FTC Safeguards Rule — civil penalties up to $50,120 per day of ongoing violation. If you cannot demonstrate that your staff received training on phishing and social engineering before the breach occurred, regulators treat this as a failure of the security programme under §314.4(j). Documented training is your primary evidence of a good-faith compliance effort.
One Team session satisfies both your IRS WISP training obligation and your FTC Safeguards Rule §314.4(j) requirement — with individual attendance records your firm can produce on demand. $390 flat, all practice staff covered.