From single-CPA practices to 200-partner firms. Tax season uptime + IRS-grade safeguards on one contract.
Specialized IT security for accounting professionals handling sensitive financial data and client tax information.
CPA firms across Metro Vancouver (BC + cross-border US clients), Greater Toronto, South Florida, Orlando, and LA β peak-season-tested.
93% of tickets touched within 15 minutes. 100% of after-hours messages acknowledged the same business day. Every engagement staffed by a named senior engineer.
Phishing volume targeting CPAs spikes 4x in February and March every year. The cost of a 30-minute outage during return prep isn't just the missed billables β it's the client who switches firms next April.
Since 2023 the IRS treats Pub 4557's Written Information Security Plan (WISP) as a compliance requirement, not a recommendation. Firms without one are exposed at the next licensure review. Most firms we audit are running on a 2018 template that misses the 2023 multi-factor and incident-response updates.
Returns, K-1s, source docs β all sit behind portal credentials that get reused by clients across every other site they use. If MFA isn't enforced on the portal AND on your file-sharing app AND on your tax software, one client password breach is your data breach.
Realistic phishing tests and employee education
Encrypted instant messaging and file sharing
Comprehensive vulnerability and patch management
Intelligent data lifecycle management and archiving
Advanced authentication security and access control
Written Information Security Plan covering data inventory, risk assessment, employee training, vendor management, MFA, encryption, incident response β reviewed annually.
We draft your WISP the first week of engagement, run the annual review with you, and keep the evidence binder current so the next IRS or state-board inquiry is a 24-hour turnaround.
FTC's June 2023 update added explicit MFA, encryption, access logging, and breach-notification requirements for any firm handling consumer financial data.
MFA enforced tenant-wide, encrypted email + file transfer, audit logs retained 1 year, and a documented 30-day breach-notification runbook tied to your malpractice carrier.
Evidence of operating controls over security + availability for any firm providing financial services to other businesses (CAS, fractional CFO, family-office work).
Evidence collector runs year-round; typical first-time SOC 2 Type II at 9-12 weeks for a 50-200 person CPA firm.
Two short diagnostics built by our senior engineers. Answer a handful of questions, get a scored report with next steps β yours to keep either way.
Ten questions across MFA, backups, patching, access, response. Get a weighted score and a prioritized fix list.
Users, downtime hours, annual spend, loaded cost. We compute projected savings and payback months in real time.
Straight answers so the health-check call can skip the basics.
Yes β all five plus the more niche ones (TaxWise, ATX, MyTAXPrepOffice). We don't resell, but we manage the integration: workstation provisioning, license tracking, vendor coordination during peak season, and patch windows that respect your billing cycle.
Yes. The 90-day pre-season runbook is the most-requested engagement we run β workstation refresh, MFA enforcement, phishing-sim baseline, backup validation, and tax-software readiness on a documented schedule. Most firms are operationally ready by late December if we start in October.
Documented incident-response plan activates: portal isolation within 30 minutes, malpractice carrier notified, regulatory clock started (state + federal), client-by-client notification queue prioritized by risk. We've rehearsed this with every client via tabletop in October β the worst time to rehearse is in March.
Probably not for traditional 1040 work. If you offer outsourced-CFO, advisory, family-office, or audit-support to public-company clients, SOC 2 is increasingly being asked for in the engagement letter. We can scope a fast-path readiness assessment to tell you definitively in 30 minutes.
Yes β we maintain a state-by-state matrix of CPA-board IT requirements (NY, CA, TX, FL all differ) and coordinate so a single control set satisfies the strictest state in your footprint.
Free 90-minute health check. Scored roadmap. A real senior engineer. No sales maze.
