Tax Preparers & Accounting Firms: Free Checklist

The IRS Pub 4557 Security Six + FTC WISP checklist every preparer needs.

A fillable checklist that walks your firm through the six IRS-required controls and the nine FTC Safeguards WISP elements — with PTIN-renewal-ready attestation language and an evidence checklist for every section. Built for solo preparers through fifty-staff firms.

What's inside

Seven sections — built around IRS Pub 4557 and the FTC Safeguards Rule.

Each section is fillable, lists the evidence to keep on file, and ends with the attestation language preparers actually need at PTIN renewal. The checklist combines both regulatory frameworks so you build the programme once, not twice.

  1. Firm profile, PTIN/EFIN & Qualified Individual
  2. IRS Pub 4557 Security Six — control-by-control checklist
  3. FTC Safeguards 9 WISP elements — what we do & evidence
  4. Risk-assessment summary & mitigation tracker
  5. Tax-season incident response & IRS Stakeholder Liaison contacts
  6. Annual review log & PTIN-renewal attestation
  7. Qualified Individual & principal sign-off


The checklist is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters

The IRS asks. The FTC enforces. Your tax software vendor doesn't do this for you.

The IRS asks at PTIN renewal

Since 2023, PTIN renewal includes an affirmative question confirming you have a written information security plan (WISP). Answering "yes" when no WISP actually exists is a problem the IRS Office of Professional Responsibility takes seriously.

FTC Safeguards has no size exemption

Every preparer who handles client financial data is a "financial institution" under the FTC's definition. Penalties under the FTC Act reach $43,792 per violation per day. The Security Six alone don't cover this — you need the full 9 WISP elements too.

Cyber carriers ask for the WISP

Cyber and professional-liability questionnaires now ask whether the firm maintains a written WISP, MFA on tax software and e-Services, and tested backups. Misrepresent any of it and a claim gets denied.

Want the controls behind the checklist?

Kapacyber runs the day-to-day security operations behind every row of this checklist — MFA on tax software and IRS e-Services, EDR on every workstation, encrypted backups tested for restorability, tax-season-aware awareness training, and an incident response plan including IRS Stakeholder Liaison notification.