Free Download

CPA FIRM CYBERSECURITY RESOURCE PACK

Four practice-grade templates every CPA firm needs: a WISP template, a Qualified Individual designation memo, a Vendor SOC 2 review tracker, and a Breach-Notification 30-day matrix. Aligned with IRS Publication 4557, the FTC Safeguards Rule, and AICPA SOC 2.

CMMC Registered Practitioner Org | Raleigh, NC | 23+ Years | BBB A+
Version: 2026.05 | Updated: 2026-05-08 | Files: 4 templates
Why This Pack Matters

The IRS, the FTC, and Your Clients Now Audit Your Cybersecurity Posture

CPA firms are the highest-value target in the FTC Safeguards Rule expansion. Tax data, financial statements, payroll, audit workpapers, M&A diligence — every engagement file is a complete identity-theft kit.

The regulatory ground beneath accounting practice has shifted. IRS Publication 4557 (Safeguarding Taxpayer Data), last revised October 2024, requires every tax professional to maintain a Written Information Security Plan and to document the designation of a person responsible for the program. IRS Publication 5708 walks through the WISP elements in plain English. Failure to maintain a documented WISP is a publishable PTIN renewal concern, an enforcement basis for the FTC under the Safeguards Rule, and — increasingly — the first artifact your firm's E&O carrier asks for after a breach.

Layered on top is the FTC Safeguards Rule (16 CFR Part 314), expanded in late 2021 and amended November 2023. The amendments brought CPA firms squarely into "financial institution" jurisdiction and added a hard 30-day breach-notification obligation under 16 CFR 314.5 (effective May 2024) for any incident touching 500 or more consumers. The Rule names eight required program elements — Qualified Individual designation, written risk assessment, written information security program (the WISP), service-provider oversight, training, monitoring, incident response, and annual reporting — every one of which must be documented.

And on the third axis, AICPA SOC 2 Common Criteria have become the de-facto bar your audit clients now expect of you — not just the cloud vendors you assess. CPA firms pursuing managed services, advisory, fractional CFO, or BPO engagements increasingly face client questionnaires that look exactly like the SOC 2 Trust Services Criteria. The vendor SOC 2 review tracker in this pack lets you flip the table: track your vendors against the same bar your clients now hold you to.

This Resource Pack is the documentation chassis that satisfies all three. Fill it in once, review annually, and you have evidence the IRS, the FTC, and your clients all accept.

What's Inside

Four Templates, One ZIP Download

Editable HTML files. Open in any browser, paste into Word or Google Docs, brand with your firm letterhead, sign, file.

01. Written Information Security Plan (WISP) Template

The full WISP document. Sections for firm overview, scope of covered information (taxpayer data, audit workpapers, payroll, advisory), Qualified Individual designation, risk assessment summary, administrative safeguards (policies, training, incident response), technical safeguards (access control, encryption, MFA, logging, patching), physical safeguards (offices, document destruction, device disposal), service-provider oversight (MSP, tax software, e-signature, cloud, payroll), employee training, monitoring and testing, incident response, breach-notification process, annual review and approval, and signature blocks for the Qualified Individual and Managing Partner. Aligned with IRS Pub 4557, IRS Pub 5708, and FTC 16 CFR 314.4. The single most important document your firm has not yet authored.

wisp-template.html — 24 KB

02. Qualified Individual Designation Memo

One-page formal memo recording the firm's named Qualified Individual under 16 CFR 314.4(a). Sections: QI name and title, qualifications and certifications, scope of authority, reporting cadence to senior leadership (annual minimum), security program oversight responsibilities, signature of designating partner, effective date. The first artifact an FTC examiner asks to see. Sign it. File it next to the WISP.

qualified-individual-designation-memo.html — 9 KB

03. Vendor SOC 2 Review Tracker

Tracker for every third-party service provider your firm relies on. Columns: vendor name, service category (tax software, audit tool, e-signature, cloud, payroll, MSP, payment processor, document management, secure file transfer, video conferencing), data classification handled, last SOC 2 report date, report type (Type 1 or Type 2), report scope, exceptions of concern, next renewal date, contractual security terms (BAA, security addendum, audit rights, breach-notification clause), review owner, and review status. Review annually. Satisfies FTC 16 CFR 314.4(f) and SOC 2 CC9.2.

vendor-soc2-review-tracker.html — 8 KB

04. Breach-Notification 30-Day Matrix

Single-page reference matrix mapping the day-by-day notice deadlines that fire after a confirmed or reasonably suspected breach, running from Hour 0 (detection) through Day 30 (FTC notification). Includes the 30-day FTC Safeguards Rule notice (16 CFR 314.5, effective May 2024 for incidents involving 500+ consumers), IRS data theft reporting obligations, multi-state attorney general notice deadlines (NY 30 days, CA "without unreasonable delay," TX 60 days, IL 45 days, MA "as soon as practicable"), GLBA customer notification expectations, and the engagement-letter contractual notice clauses common in CPA-client agreements. Print and tape inside your incident-response binder.

breach-notification-30-day-matrix.html — 10 KB

When to Use It

Five Common CPA Firm Use Cases

PTIN Renewal Season

The IRS PTIN renewal questionnaire now references "data security plan" expectations. Authoring (or refreshing) the WISP before renewal removes the largest renewal-time compliance gap.

FTC Safeguards Rule Readiness

Sign the QI designation memo, file the WISP, complete the vendor tracker, post the breach matrix. Four artifacts cover four of the eight named program elements under 16 CFR 314.4.

Managed-Services Client Onboarding

Firms moving up-market into client-managed-IT or fractional CFO services increasingly face SOC 2-style vendor questionnaires from prospects. Have the WISP ready as your reply.

E&O Insurance Renewal

Cyber and E&O carriers now ask for the WISP, the vendor review process, and the breach-notification runbook as part of policy renewal underwriting. Premium savings of 15-30% are typical for firms with documented programs.

Post-Acquisition Diligence

Acquiring or merging with another firm? The combined entity needs a unified WISP within 90 days of close. Use this template as the consolidation chassis; appendices capture office-specific variances.

How To Deploy

Five Steps from Download to Filed Documentation

Download and unzip

Enter your firm email below. We send the ZIP within 60 seconds. Unzip locally; the four HTML files open in any browser for preview.

Designate the Qualified Individual

Open the QI Designation Memo. Insert your QI's name (typically the managing partner, IT principal, or fractional CISO). Sign. File. This is the legal and regulatory foundation for everything else.

Author the WISP

Walk through the WISP template section by section. Replace placeholders with your firm's actual systems, vendors, controls, and personnel. Schedule 4-6 hours of focused QI time. Most firms complete a first draft in a single afternoon.

Populate the Vendor Tracker

List every third-party service provider — tax software, e-signature, cloud, payroll, document management, MSP, payment, secure file transfer, video conferencing. Request the latest SOC 2 from each. Most reputable vendors return a copy within 5 business days.

Post the breach matrix and review annually

Print the 30-day breach matrix. Tape it inside your incident-response binder, in the QI's office, and on the IT helpdesk wall. Set a calendar reminder for annual WISP review (a 16 CFR 314.4 requirement).

Get The Pack

Free Download — Email Below

Enter your firm email. We send the ZIP within 60 seconds and add you to our monthly cybersecurity newsletter (one-click unsubscribe). No credit card. No upsell ambush.


By submitting, you agree to receive the resource pack and our monthly newsletter. We never sell your email. Unsubscribe in one click.

FAQ

Frequently Asked Questions

Twelve questions we hear most often from CPA firms about the pack, the WISP, the QI designation, and how the templates fit into a complete program.

What is in the free CPA Firm Cybersecurity Resource Pack?
Four practice-grade templates: a Written Information Security Plan (WISP) template aligned with IRS Publication 4557 and the FTC Safeguards Rule, a Qualified Individual (QI) Designation Memo recording the firm's named QI under 16 CFR 314.4(a), a Vendor SOC 2 Review Tracker for the auditors and tax-software vendors your firm relies on, and a 30-Day Breach-Notification Matrix mapping disclosure obligations to GLBA, IRS, state attorney general, and client contractual notice deadlines. Editable HTML, single-firm license, free.
Why does a CPA firm need a WISP?
Because the IRS requires it. Publication 4557 (Safeguarding Taxpayer Data) and Publication 5708 explicitly require any tax professional handling client tax data to maintain a written data security plan. Without one, the firm is out of compliance with PTIN renewal expectations and exposed to FTC Safeguards enforcement under 16 CFR Part 314. The WISP template in this pack is the documentation chassis — fill it in with your firm's actual systems and controls, sign it, review annually, store with your engagement letters.
Is the resource pack really free?
Yes. Free for any CPA firm or accounting practice to download and use internally. There is no per-seat fee, no time-limited trial, and no obligation to purchase the paid CPA Firm Cybersecurity & Compliance course. The only ask is your work email so we can send the ZIP and add you to our monthly cybersecurity newsletter — one-click unsubscribe.
Which compliance frameworks does this pack support?
IRS Publication 4557 and Publication 5708 (Safeguarding Taxpayer Data), FTC Safeguards Rule (16 CFR Part 314), GLBA Privacy Rule (16 CFR Part 313), AICPA SOC 2 Common Criteria CC1 through CC9, IRC Section 7216 disclosure consent rules, and state CPA-specific data security statutes (NY SHIELD Act, MA 201 CMR 17, CA CCPA / CPRA, TX 521 / HB 4, IL Personal Information Protection Act). Use the templates as the documentation chassis; fill them in with your firm's actual controls and evidence.
What is the Qualified Individual Designation Memo for?
16 CFR 314.4(a) requires every covered financial institution — and CPA firms qualify — to designate a single Qualified Individual responsible for overseeing, implementing, and enforcing the information security program. The named QI must report at least annually to the firm's senior leadership. The memo in this pack records the designation, the QI's qualifications, the reporting cadence, and the scope of authority. Sign it. File it. The first thing an FTC examiner asks for is the QI designation.
How does the Vendor SOC 2 Review Tracker work?
A spreadsheet-style tracker for every third-party SaaS, cloud, payroll, tax-software, audit-tool, payment, and IT vendor your firm relies on. Columns: vendor name, service category, data classification handled, last SOC 2 report date, report type (Type 1 or Type 2), report scope, exceptions of concern, next renewal date, contractual security terms, and review owner. Review at least annually. The tracker satisfies the FTC Safeguards Rule's vendor oversight requirement under 16 CFR 314.4(f) and AICPA SOC 2 Common Criteria CC9.2.
What is the Breach-Notification 30-Day Matrix?
A single-page reference matrix mapping the day-by-day notice deadlines that trigger after a confirmed or reasonably suspected breach. The matrix covers the 30-day FTC Safeguards Rule notice obligation under 16 CFR 314.5 (in effect for breaches involving 500+ consumers since May 2024), the IRS data theft reporting obligation, the multi-state attorney general notification deadlines (NY, CA, TX, IL, MA — most aggressive deadlines first), the GLBA customer notification expectations, and the engagement-letter contractual notice clauses common in CPA-client agreements. Print it. Tape it inside your incident-response binder.
Do I need a separate WISP for each office or partner?
No. One firm-wide WISP is the standard. The template includes sections for office locations, designated personnel by office (Office Security Coordinator), and per-office variances. Multi-office firms with materially different systems may attach office-specific appendices, but the master document remains a single firm-level WISP signed by the QI and approved by the managing partner.
How does this pack pair with the CPA Firm Cybersecurity & Compliance course?
The pack is the documentation chassis. The course is the practitioner-grade training that makes your QI, partners, and tax preparers operationally proficient: WISP authoring, FTC Safeguards Rule deep-dive, IRS Publication 4557 walkthrough, IRC 7216 consent management, SOC 2 vendor review workflow, breach-notification rehearsal. The course currently runs $499 per seat per year; the four-course bundle (SAT, CPA, FTC, and CMMC) is available at firm pricing.
What if our firm uses a third-party MSP — do we still need our own WISP?
Yes. The FTC Safeguards Rule places primary responsibility on the firm itself, not on the MSP. The MSP is a service provider under 16 CFR 314.4(f) and your WISP must document how you oversee them. The WISP template in this pack includes a service-provider oversight section that captures MSP scope, SOC 2 attestation status, contractual security terms, and review cadence. Your QI signs the WISP, not the MSP.
Are these templates legal advice?
No. The templates are documentation starting points authored by cybersecurity practitioners with input from CPA-firm counsel. They are calibrated to typical small and mid-sized firm posture. Engage your own legal counsel and your AICPA Peer Review committee on jurisdiction-specific or matter-specific compliance interpretations. PTG can introduce you to CPA-experienced counsel on request.
What other free resource packs do you offer?
The Security Awareness Training Resource Pack for every employee at any business, the FTC Compliance Resource Pack for FTC-regulated businesses generally, and (planned for Q3 2026) a CMMC 2.0 Level 2 documentation pack for defense-supply-chain firms. Each is themed to a regulatory environment.
About The Author

Built for CPA Firms, by Practitioners

Craig Petronella, CMMC-RP

Founder & CEO, Petronella Technology Group

Craig is a CMMC Registered Practitioner, an Amazon best-selling author of 12 cybersecurity books, host of the Cybersecurity and Compliance with Craig Petronella podcast, and a 23-year veteran of incident response, forensic investigation, and compliance program delivery. PTG serves CPA firms across the United States with WISP authoring, fractional Qualified Individual coverage, MDR, vCISO, and IRS Publication 4557 readiness. Blake Rea, Justin Summers, and Jonathan Wood of the PTG team are also CMMC Registered Practitioners.

Get the Pack. Author the WISP. Pass the Audit.

Get the free CPA Firm Cybersecurity Resource Pack now. The paid course is optional, for when you are ready to layer on practitioner-grade training.

Petronella Technology Group, Inc. — 7000 Six Forks Road, Raleigh, NC 27615 — 919-348-4912 — support@petronellatech.com. The free CPA Firm Cybersecurity Resource Pack is provided "as-is" for single-firm internal use. Templates are not legal advice. Consult counsel and your AICPA Peer Review committee for jurisdiction-specific compliance interpretations. The CPA Firm Cybersecurity & Compliance course is sold separately at $499 per seat per year.