Does a small tax practice really need a WISP?
Yes — it's not optional at any size. The FTC Safeguards Rule and the IRS require every paid preparer to maintain a Written Information Security Plan (WISP), and PTIN renewal asks you to attest to your data-security responsibilities. A real WISP is a living program — named responsibilities, access controls, MFA, encryption, incident response — not a downloaded template in a drawer. 88% of CPA firms now carry cyber insurance; the underwriters read these documents.
The ATCOS package for accounting firms
- WISP-as-a-service: we write the plan around your actual practice, implement the controls (MFA, encryption, access reviews, vendor management), train staff, and update it annually. Fixed-fee packages from $5,000, then maintained under retainer.
- Managed IT that respects the calendar: January–April gets priority SLAs and a pre-season readiness check — workstations, tax-suite connectivity, e-file, verified backups — so you enter filing season verified, not hopeful.
- AI policy for tax workflows: staff are pasting client financials into AI tools today. We inventory what's in use, vet it against your confidentiality obligations, and write the policy.
- Microsoft 365 + tax suite environment: identity, email security (the #1 breach vector for preparer firms), document retention, and license right-sizing.
Why now (May–June)
The weeks after filing season are when firms fix what they swore they'd fix in March. Remediation, migrations, and WISP builds done now are invisible by January. Firms that wait until Q4 do this work during extension season instead.
We only need help January–April. Can we pay for just that?
Seasonal-only support means your January emergency is handled by whoever's available, with no knowledge of your environment. The annual agreement prices the off-season light and the season heavy — same budget, but the firm is actually known and ready.
Our IT person handles the computers. Who handles the WISP?
That's the usual gap: the tech keeps machines running but nobody owns the written program, the risk assessment, or the attestation. Co-managed mode adds exactly that layer without replacing anyone.