
Beyond the WISP: Policies every tax practice needs

By: NATP Staff

You've probably heard that every tax preparer needs a Written Information Security Plan (WISP). But many preparers stop there, thinking a WISP alone satisfies all ethical and compliance duties. If you're running a tax practice, even as a solo preparer, having additional clear, written policies (beyond data security) protects you, your clients and your license. This post discusses what documents matter most and how to build a workable set of ethical procedures.

A WISP is required, but best practices go further

IRS Publication 4557, Safeguarding Taxpayer Data, offers guidance on protecting taxpayers’ private and sensitive information appropriately, based on the legal requirements under the Federal Trade Commission’s (FTC’s) Safeguards Rule. This rule requires tax preparers to maintain a WISP, designate a responsible individual, assess risks, implement safeguards and regularly monitor compliance. (The IRS also offers a template here.) A WISP is only one piece of a broader practice foundation. Other written policies aren’t legally mandated, but they’re widely recognized as best practices to protect you and your clients.

At a minimum, your WISP should cover:

  • Physical, electronic and procedural safeguards for taxpayer data
  • How you train staff (or yourself) to detect and prevent breaches
  • A response plan in case of identity theft, lost equipment or cyberattack
  • Annual review and updates to your security policies

However, WISPs are reactive documents. They outline how to protect data, not how to conduct yourself with clients or manage risk when ethical gray areas appear.

Ethics demands more than technical security

Under Circular 230 (31 CFR Part 10), tax preparers must maintain integrity, objectivity, due diligence and competence. These are professional standards of conduct, not documentation requirements. Still, putting them into written procedures helps you run a stronger practice and demonstrate compliance if your work is ever reviewed or questioned.

Many firms document these standards through written procedures such as:

  • Client acceptance and disengagement
  • Due diligence reviews for credits and filing status
  • Record retention and destruction policies
  • Use and disclosure of client information
  • Staff supervision and training (if applicable)

Having policies in your head isn't enough. If your practice is ever questioned, whether in a peer review, IRS audit or client complaint, you'll need to show that you had documented standards in place and followed them. Let’s go through a few example policies.

Written policy #1: Intake and client screening

Before you prepare a return, how do you decide whether to accept a client?

A basic client acceptance policy should include:

  • Whether you prepare returns with earned income tax credit (EITC), child tax credit (CTC), or Schedule C income
  • What you do if a client refuses to provide documentation
  • Whether you accept amended return engagements when you didn't prepare the original
  • When you must decline or disengage (e.g., abusive behavior, fraud indicators)

This protects you from inadvertently accepting high-risk returns or clients with unrealistic expectations.

Written policy #2: Due diligence documentation

Every preparer signing a return with EITC, CTC, additional child tax credit (ACTC), American opportunity tax credit (AOTC), or head of household (HOH) filing status must meet specific due diligence rules under §6695(g). That includes:

  • Completing Form 8867, Paid Preparer’s Due Diligence Checklist, accurately
  • Maintaining documentation for three years
  • Asking follow-up questions and recording responses

However, many preparers don't document their policy on how and when this gets done. Your procedures should state:

  • Who collects the documentation
  • Where it's stored
  • How often the records are reviewed or updated
  • What to do if a client's explanation is inconsistent

This keeps you compliant and makes training seasonal staff or preparing for due diligence audits easier.

Written policy #3: Disengagement and client communication

When a client relationship breaks down due to conflict of interest, repeated noncompliance or abusive behavior, you need a policy for how to exit ethically.

A disengagement policy should:

  • Require written documentation (email or letter) of the decision
  • Clarify what documents will be provided or withheld
  • Include a client-facing summary of services performed to date
  • Reference your original engagement letter terms

This helps you stay on solid ground and avoid potential circular arguments about who said what, when.

Written policy #4: Secure data handling and recordkeeping

Most preparers know they need to encrypt client data and shred old records. However, you should also have a policy that addresses:

  • Where records are stored (physical and digital)
  • How long you retain different document types
  • How you handle data from clients who never end up filing
  • How backups are secured and who can access them

This should align with your WISP but also spell out your day-to-day operational rules, not just the high-level information technology (IT) goals.

Don't overthink it: Start with what you already do

Many tax pros already follow strong procedures. The missing piece isn’t that Circular 230 requires written policies; it doesn’t. Instead, it requires you to exercise due diligence. Turning what you already do into written procedures makes it easier to stay consistent and demonstrate compliance if your work is ever questioned.

Update your policy set annually and be ready to explain how you meet IRS expectations for ethical conduct, due diligence and data security.

About the author(s)


NATP Staff

The NATP team is dedicated to supporting tax professionals with expert insights, industry updates, and resources that help them serve their clients with confidence.

Information included in this article is accurate as of the publication date. This post does not reflect tax law changes or IRS guidance that may have occurred after the publishing date.
