In 2024, the IRS received more than 250 reports of data breaches involving tax professionals, impacting over 200,000 clients. These incidents frequently trigger IRS investigations, with a strong focus on Written Information Security Plan (WISP) compliance.
As of 2025, the IRS has tightened enforcement requirements, making WISP attestation a standard component of the Preparer Tax Identification Number (PTIN) renewal process. Falsely attesting to having a WISP when one does not exist may be prosecuted as federal fraud. In addition, a WISP must be reviewed and renewed at least every five years, regardless of the size of your firm. Small practices are not exempt from these requirements.
A WISP is not merely a formality. It is a formal document that accurately reflects the security safeguards currently in place within your organization. Simply downloading a template, printing a generic version from the IRS or a tax software provider, or checking a box without meeting the underlying requirements does not constitute compliance. Your WISP must honestly and thoroughly represent your actual network environment, policies, and controls.
This raises important questions:
- Is your WISP truly compliant?
- Does it reflect your real-world IT environment?
- Is the document attestable, meaning you can confidently and truthfully certify its accuracy during PTIN renewal or an IRS inquiry?
- Is your IT provider qualified to develop and maintain a compliant WISP?
If you need a WISP, are unsure whether your current WISP is valid, or want to ensure your firm is fully prepared for IRS scrutiny, ControlAltProtect can help.
Call: (877) 292-3791
Email: info@controlaltprotect.com
Protect your practice, your clients, and your reputation before an audit or breach forces the issue.