
How to Prepare Your CPA Firm for an FTC Safeguards Audit in 2026

Matt Kinsey — Cyber Risk, Compliance & AI Governance for Law & CPA Firms

Most CPA firms believe they are compliant. However, that confidence often disappears when someone asks for proof.

Under the Gramm-Leach-Bliley Act (GLBA), CPA firms that prepare tax returns or provide other financial services to clients count as financial institutions, which brings them under the FTC Safeguards Rule. The Rule requires documented security controls, ongoing monitoring, and formal oversight of the security program.

In other words, compliance is not about what tools you installed. Instead, it is about what you can clearly demonstrate.

If a regulator, insurance carrier, or major client requests documentation, your firm must produce structured evidence immediately.

Preparation is straightforward. Nevertheless, it requires discipline.


Step 1: Conduct a Formal Risk Assessment

First, complete a documented risk assessment tailored to your firm’s operations.

Specifically, this assessment should evaluate:

  • Internal access controls
  • External threats
  • Data storage practices
  • Vendor exposure
  • Safeguard effectiveness

If your IT provider cannot produce a written assessment from the past 12 months, you have a gap.

Additionally, if you are unsure how compliance impacts investment, review our breakdown of FTC Safeguards compliance cost for CPA firms.


Step 2: Maintain a Current Written Information Security Plan (WISP)

Next, maintain a current Written Information Security Plan.

A WISP should clearly define:

  • Your safeguards
  • Assigned security responsibility
  • Monitoring procedures
  • Incident response planning
  • Policy review schedule

Importantly, auditors request the document itself — not a summary.

If your WISP has not been updated recently, that creates exposure.


Step 3: Align Technical Controls with Documentation

After documentation is in place, confirm that your technical controls match your written policies.

For example, if your WISP states that MFA is enforced, then MFA must actually be enforced, and an auditor will expect to see it on every in-scope system, including:

  • Microsoft 365
  • Tax software
  • Administrative accounts
  • Business computer logins

Likewise, if your policy states that monitoring occurs, you must demonstrate centralized logging and alert review.

To compare your safeguards against modern standards, review our guide on the cybersecurity stack CPA firms need in 2026.

Documentation without enforcement fails quickly.
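
The check an auditor is really asking for is whether the WISP's sentence "MFA is enforced" survives contact with account exports. The script below is an added example, not code from the original article or the author's tooling. It reads a constructed CSV export of accounts from the in-scope systems (the system labels, column names and their meanings are assumptions for illustration) and turns three common gaps into findings: an account that has registered an MFA method but is not actually required to use it, an account that can still sign in over a legacy protocol that skips MFA, and an in-scope system for which no evidence was exported at all.

```python
"""Reconcile a WISP's "MFA is enforced" claim against account exports.

Added example: the export below is constructed, not real firm data.
Column meanings (assumed): mfa_registered = user enrolled a method;
mfa_required = a policy forces MFA at sign-in; legacy_auth = an older
protocol path that skips MFA is still allowed for the account.
"""
import csv
import io

# Systems the hypothetical WISP names as MFA-enforced (labels assumed).
WISP_MFA_SCOPE = {"Microsoft 365", "Tax software", "Workstation login"}

# Constructed sample export. Note "Workstation login" has no rows at all.
ACCOUNT_EXPORT = """\
system,account,role,mfa_registered,mfa_required,legacy_auth
Microsoft 365,partner@example.com,user,yes,yes,no
Microsoft 365,admin@example.com,admin,yes,no,no
Microsoft 365,scanner@example.com,service,no,no,yes
Tax software,jsmith,user,yes,yes,no
Tax software,taxadmin,admin,no,no,no
"""


def parse_export(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_mfa(rows, scope):
    """Return (severity, system, account, detail) findings.

    A finding is anything that contradicts "MFA is enforced": an account
    not required to use MFA (registration alone does not count), an
    account that can still sign in over legacy auth, or an in-scope
    system for which no evidence was produced at all.
    """
    findings = []
    systems_with_evidence = set()
    for r in rows:
        systems_with_evidence.add(r["system"])
        required = r["mfa_required"] == "yes"
        registered = r["mfa_registered"] == "yes"
        if not required:
            sev = "high" if r["role"] == "admin" else "medium"
            detail = ("registered but not required by policy"
                      if registered else "no MFA")
            findings.append((sev, r["system"], r["account"], detail))
        if r["legacy_auth"] == "yes":
            findings.append(("high", r["system"], r["account"],
                             "legacy auth allowed, bypasses MFA"))
    # Silence is not compliance: a system the WISP covers but nobody
    # exported evidence for is a gap in its own right.
    for name in sorted(scope - systems_with_evidence):
        findings.append(("high", name, "*", "in WISP scope but no export produced"))
    return findings


def coverage_by_system(rows):
    """Map system -> (accounts with MFA required, total accounts)."""
    cov = {}
    for r in rows:
        req, total = cov.get(r["system"], (0, 0))
        cov[r["system"]] = (req + (r["mfa_required"] == "yes"), total + 1)
    return cov


if __name__ == "__main__":
    rows = parse_export(ACCOUNT_EXPORT)
    for sys_name, (req, total) in coverage_by_system(rows).items():
        print(f"{sys_name}: MFA required on {req}/{total} accounts")
    for f in reconcile_mfa(rows, WISP_MFA_SCOPE):
        print("FINDING", *f)
```

The per-system coverage line and the findings list together are the kind of evidence that pairs with the WISP: the policy says what should be true, the export shows what is true, and the difference is the remediation list for the next review meeting.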


Step 4: Demonstrate Ongoing Monitoring

Furthermore, the Safeguards Rule requires you to regularly test or monitor the effectiveness of your safeguards. For most small firms, continuous monitoring is the practical way to meet that, and it has to be provable.

To prepare properly, you should be able to show:

  • Log aggregation
  • Alert documentation
  • Quarterly review records
  • Security awareness training completion

If no one actively reviews alerts, then monitoring does not exist — even if software is installed.
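
The point above is testable: an alert export shows whether a person looked at each alert, how quickly, and whether the pipeline went quiet. The script below is an added example, not code from the original article or the author's tooling. It reads constructed JSON-lines alert records (field names, the reviewer labels that denote automation, and the per-severity review targets are all assumptions for illustration) and produces the figures a quarterly review record would carry: alerts never reviewed, alerts auto-closed with no human review, alerts reviewed late, and weeks with zero alerts, which need an explanation because a dead log pipeline looks exactly like a quiet one.

```python
"""Turn an alert export into review-coverage evidence.

Added example: the alert records below are constructed, not real
telemetry. Fields assumed: created/reviewed are ISO-8601 UTC timestamps,
reviewer is a person's login or an automation label, disposition is
free text.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines export from a hypothetical alerting tool.
ALERT_LOG = """\
{"id": "A-1", "severity": "high", "created": "2026-01-05T09:12:00Z", "reviewed": "2026-01-05T10:05:00Z", "reviewer": "m.kinsey", "disposition": "true positive, user contacted"}
{"id": "A-2", "severity": "high", "created": "2026-01-07T22:40:00Z", "reviewed": "2026-01-09T08:00:00Z", "reviewer": "m.kinsey", "disposition": "false positive"}
{"id": "A-3", "severity": "medium", "created": "2026-01-10T14:00:00Z", "reviewed": "2026-01-10T14:00:05Z", "reviewer": "auto-close", "disposition": "closed"}
{"id": "A-4", "severity": "low", "created": "2026-01-12T11:30:00Z", "reviewed": null, "reviewer": null, "disposition": null}
{"id": "A-5", "severity": "high", "created": "2026-02-02T03:15:00Z", "reviewed": null, "reviewer": null, "disposition": null}
"""

# Review-time targets per severity (assumed; the WISP sets the real ones).
SLA = {"high": timedelta(hours=24), "medium": timedelta(days=3), "low": timedelta(days=7)}
# Reviewer labels that mean "nobody looked" (assumed labels).
AUTOMATED_REVIEWERS = {"auto-close", "system"}


def parse_ts(value):
    """ISO-8601 UTC string (with Z suffix) -> aware datetime, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["created"], rec["reviewed"] = parse_ts(rec["created"]), parse_ts(rec["reviewed"])
            alerts.append(rec)
    return alerts


def review_findings(alerts, now):
    """Return (alert id, problem) pairs that undercut "alerts are reviewed"."""
    findings = []
    for a in alerts:
        limit = SLA[a["severity"]]
        if a["reviewed"] is None:
            overdue = now - a["created"] > limit
            findings.append((a["id"], "unreviewed, past SLA" if overdue else "unreviewed"))
        elif a["reviewer"] in AUTOMATED_REVIEWERS:
            # Auto-closure is not review; a person has to make the call.
            findings.append((a["id"], "closed by automation, no human review"))
        elif a["reviewed"] - a["created"] > limit:
            findings.append((a["id"], "reviewed late"))
    return findings


def silent_windows(alerts, start, end, width=timedelta(days=7)):
    """Window start dates in [start, end) with zero alerts at all."""
    silent, t = [], start
    while t < end:
        if not any(t <= a["created"] < t + width for a in alerts):
            silent.append(t.date().isoformat())
        t += width
    return silent


def quarterly_summary(alerts, start, end, now):
    """The figures a quarterly review record would carry."""
    human = sum(1 for a in alerts
                if a["reviewed"] and a["reviewer"] not in AUTOMATED_REVIEWERS)
    return {
        "alerts": len(alerts),
        "human_reviewed": human,
        "findings": review_findings(alerts, now),
        "silent_windows": silent_windows(alerts, start, end),
    }


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LOG)
    start = datetime(2026, 1, 1, tzinfo=timezone.utc)
    end = now = datetime(2026, 2, 3, tzinfo=timezone.utc)
    print(json.dumps(quarterly_summary(alerts, start, end, now), indent=2, default=str))
```

Run against a real export, the summary is the artifact to file with the quarterly review minutes; a summary with zero findings and zero silent windows is the claim "monitoring occurs" with evidence attached, and one with a month of silence is a question for the provider before the auditor asks it.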


Step 5: Designate a Qualified Security Lead

Finally, designate one person to oversee your information security program. The Safeguards Rule calls this role the Qualified Individual; it can be an employee or a contracted provider, but the firm remains responsible for the program either way.

This person should:

  • Understand your cybersecurity stack
  • Oversee risk assessments
  • Coordinate documentation updates
  • Report findings to firm leadership

Clear responsibility creates accountability. Without it, oversight weakens.


Real Example: “We Thought We Were Compliant”

A 5-person CPA firm in Broward County believed they were compliant. However, when documentation was requested, they could not produce:

  • A formal risk assessment
  • A current WISP
  • Monitoring documentation
  • Structured compliance reports

At the same time, they struggled with slow response times and limited proactive planning from their previous provider.

We implemented a compliance-aligned program at $1,650 per month, which included:

  • Formal risk assessments
  • GLBA-aligned WISP development
  • MFA enforcement across all systems
  • Centralized monitoring
  • Quarterly compliance review meetings

As a result, they can now produce the risk assessment, WISP, and monitoring records on request and enter every tax season with structured oversight. We have supported them for seven years.

The difference was not new technology. Instead, it was consistent execution.


The Most Common Audit Failure Points

In our experience, CPA firms most often struggle with:

  • Outdated WISP documentation
  • Inconsistent MFA enforcement
  • Lack of centralized monitoring
  • Missing risk assessments
  • Undefined security leadership

These are not complex technical failures. Rather, they reflect gaps in process and accountability.


The Bottom Line

Ultimately, FTC audit preparation is about building a defensible security posture.

For most CPA firms in South Florida, budgeting $200–$400 per user per month supports operational IT as well as structured compliance oversight.

If you are unsure whether your firm could withstand documentation scrutiny, review our guide on managed IT cost for CPA firms in South Florida.

Because once documentation is requested, assumptions no longer protect you.