Your clients trust you with their most sensitive financial data. Tax returns, bank statements, Social Security numbers, payroll records, partnership agreements. If that data is compromised, it is not just an IT problem. It is a client trust problem, a regulatory problem, and potentially a firm survival problem.
This guide covers everything a CPA firm managing partner or firm administrator needs to know about IT in 2026: what you need, what the regulators require, where AI fits, and how to evaluate providers who actually understand your business.
Table of Contents
- Why CPA Firms Need Specialized IT
- Managed IT Essentials for Accounting Firms
- Cybersecurity Requirements for CPA Firms
- The Compliance Landscape: IRS 4557, FTC Safeguards, SOC 2
- AI for Accounting: What Works, What Does Not, and What to Watch
- How to Evaluate IT Providers for Your CPA Firm
- What IT Should Cost Your Firm
- FAQ
Why CPA Firms Need Specialized IT {#why-cpa-firms-need-specialized-it}
A general IT provider can set up email and fix printers. But CPA firms operate under a specific combination of regulatory pressure, seasonal workload intensity, and client confidentiality requirements that generic IT simply does not address.
The core problem: According to the 2024 Verizon Data Breach Investigations Report, professional services firms experienced a 49% increase in confirmed data breaches year-over-year. The IBM Cost of a Data Breach Report 2024 puts the average cost of a breach in the professional services sector at $4.47 million. For a 20-person CPA firm, a single breach can mean the end of the practice.
Here is what makes CPA firm IT different from general business IT:
Seasonal demand spikes. Your firm does not operate at a steady pace. During tax season (January through April 15) and extension season (August through October 15), your team works evenings and weekends. Systems have to perform at peak load during the exact periods when downtime is most catastrophic. Your IT provider needs to understand that a server issue on April 10 is not the same as a server issue on June 10.
Multi-regulatory environment. Your firm is subject to IRS Publication 4557 requirements, the FTC Safeguards Rule (which the FTC interprets broadly enough to cover tax preparers and firms that handle consumer financial data; see the compliance section below), state privacy laws (California’s CCPA/CPRA), and potentially SOC 2 if you serve enterprise clients. A generalist IT provider typically does not track any of these.
Client data volume and sensitivity. A single tax return contains enough personally identifiable information (PII) to fully compromise a client’s identity. Multiply that by hundreds or thousands of clients, and your firm is holding an extraordinarily high-value data set.
Software ecosystem complexity. CPA firms run specialized software: CCH Axcess, Lacerte, UltraTax, ProSystem fx, Drake, Thomson Reuters Practice CS, QuickBooks, Sage, and various document management systems. Your IT provider needs to understand how these tools interact, how they authenticate, and how to optimize their performance.
If your current IT provider does not understand these four realities, you are paying for general IT while carrying industry-specific risk.
Related: What Real IT Support Looks Like for Accounting Firms
Managed IT Essentials for Accounting Firms {#managed-it-essentials-for-accounting-firms}
Managed IT services replace the break-fix model (calling someone when things break) with proactive monitoring, maintenance, and strategic planning. For CPA firms, managed IT should include the following baseline components:
Infrastructure Management
- Cloud or hybrid infrastructure designed for tax and accounting workloads, with performance guarantees during peak season
- Server monitoring 24/7 with automated alerts and remediation for disk, memory, and CPU issues before they affect your team
- Backup and disaster recovery with recovery time objectives (RTO) and recovery point objectives (RPO) aligned to your billing cycle and filing deadlines
- Network management including firewall configuration, VPN for remote staff, and bandwidth planning for peak periods
Help Desk and User Support
- Live help desk with response time SLAs (not a voicemail tree) staffed by technicians who understand accounting software
- Onboarding and offboarding that accounts for the access levels unique to CPA firms: client data, tax portals, bank connections, e-filing credentials
- Remote access configured for security and performance, especially during tax season when partners and staff work from home
Strategic IT Planning
- Technology roadmap aligned to your firm’s growth plan, compliance requirements, and partner retirement/succession timeline
- Quarterly business reviews (QBRs) that go beyond ticket metrics and address upcoming regulatory changes, infrastructure lifecycle, and risk
- Vendor management for your accounting software vendors, ISPs, phone systems, and cloud platforms
Related: CPA Firm Server Elimination and Cloud Migration Case Study
What “Fully Managed” Should Mean for a CPA Firm
If your provider calls their service “fully managed,” verify that the following are included, not billed separately:
| Component | Why It Matters for CPA Firms |
|---|---|
| Endpoint detection and response (EDR) | Required by most cyber insurance policies and increasingly by regulators |
| Email security and anti-phishing | CPA firms are high-value phishing targets during tax season |
| Patch management | Unpatched systems are the #1 attack vector per CISA advisories |
| Mobile device management (MDM) | Partners checking client data on phones and tablets need policy enforcement |
| Encrypted backup with offsite copy | IRS and FTC require data recoverability |
| Multi-factor authentication (MFA) | Baseline requirement for every cyber insurance policy issued since 2023 |
Cybersecurity Requirements for CPA Firms {#cybersecurity-requirements-for-cpa-firms}
Cybersecurity for accounting firms is not optional. It is a regulatory mandate, a client expectation, and an insurance requirement.
The Threat Landscape
The AICPA’s 2024 Cybersecurity Advisory identifies three primary threats to CPA firms:
- Business email compromise (BEC). Attackers impersonate partners via email to redirect wire transfers or request client data. The FBI’s Internet Crime Complaint Center (IC3) reported $2.9 billion in BEC losses in 2023 alone.
- Ransomware. Attackers encrypt your files and demand payment for the decryption key. Tax season is the preferred timing because firms cannot afford downtime.
- Phishing and social engineering. Staff click a link, enter credentials, and attackers gain access to client portals, e-filing systems, and financial records.
Cybersecurity Baseline for CPA Firms
Every CPA firm, regardless of size, should have these controls in place:
- Multi-factor authentication (MFA) on every account, every application, no exceptions
- Endpoint detection and response (EDR) on every device, including partners’ home machines if used for firm work
- Email filtering and anti-phishing with link rewriting and attachment sandboxing
- Security awareness training for all staff, with simulated phishing tests at least quarterly
- Encrypted data at rest and in transit for all client files
- Incident response plan documented, tested annually, and accessible offline
- Dark web monitoring to detect compromised firm credentials before attackers use them
Cyber Insurance Requirements
Cyber insurance carriers have dramatically tightened their underwriting requirements since 2023. Most policies for CPA firms now require documented evidence of:
- MFA on all remote access and email
- EDR deployed on all endpoints
- Encrypted backups stored offsite or immutable
- Written incident response plan
- Security awareness training program
- Privileged access management for admin accounts
If you cannot document these controls, your carrier may deny coverage or refuse to renew. If you have a claim and cannot prove the controls were in place at the time of the incident, the carrier may deny the claim.
The Compliance Landscape {#the-compliance-landscape}
CPA firms operate under multiple overlapping compliance frameworks. Understanding which ones apply to your firm, and what they actually require, is essential.
IRS Publication 4557: Safeguarding Taxpayer Data
IRS Publication 4557 is the IRS’s official guidance for tax professionals on protecting taxpayer data. While not technically a law, it represents the IRS’s expectation for minimum security standards, and failure to follow it can result in sanctions, including loss of e-filing privileges.
Key requirements include:
- Written information security plan (WISP) tailored to your firm’s size and data handling practices
- Risk assessment identifying threats to client data
- Employee training on data security practices
- Physical security controls for offices containing client data
- Technical safeguards including firewalls, encryption, access controls, and intrusion detection
- Incident response procedures for suspected data breaches
- Vendor management ensuring third parties (including your IT provider) protect data appropriately
FTC Safeguards Rule
The FTC Safeguards Rule applies to “financial institutions,” which the FTC defines broadly enough to include tax preparers, accounting firms that provide financial advice, and firms that handle consumer financial data. The updated rule (effective June 2023) imposed specific technical requirements that many CPA firms have not yet addressed.
Key requirements:
- Designated Qualified Individual responsible for your information security program
- Written risk assessment with criteria for evaluating identified risks
- Access controls limiting who can access customer information
- Encryption of customer information in transit and at rest
- Multi-factor authentication for anyone accessing customer data
- Monitoring and logging to detect unauthorized access
- Annual penetration testing and semi-annual vulnerability assessments (the rule specifies at least every six months)
- Vendor oversight with contractual security requirements
- Incident response plan with mandatory reporting
SOC 2 Compliance
SOC 2 (Service Organization Control 2) is an auditing standard developed by the AICPA. It is increasingly requested by enterprise clients and financial institutions as a condition of doing business with your firm. If your firm provides outsourced accounting, payroll, or financial reporting to larger organizations, expect to encounter SOC 2 requirements.
SOC 2 evaluates your firm against five trust service criteria:
- Security (required for all SOC 2 reports)
- Availability — system uptime and accessibility
- Processing integrity — data accuracy and completeness
- Confidentiality — protection of confidential information
- Privacy — handling of personal information
Achieving SOC 2 compliance requires documented policies, technical controls, and an audit by an independent CPA firm. The process typically takes 6-12 months from a standing start. Your IT provider should be a key partner in building and maintaining SOC 2 readiness.
How These Frameworks Overlap
The good news: there is significant overlap between IRS 4557, the FTC Safeguards Rule, and SOC 2. A well-designed compliance program addresses the common controls once and maps them to each framework:
| Control | IRS 4557 | FTC Safeguards | SOC 2 |
|---|---|---|---|
| Written security plan | Required | Required | Required |
| Risk assessment | Required | Required | Required |
| MFA | Recommended | Required | Required |
| Encryption (transit + rest) | Recommended | Required | Required |
| Access controls | Required | Required | Required |
| Employee training | Required | Required | Required |
| Incident response plan | Required | Required | Required |
| Penetration testing | Not specified | Annual required | Annual recommended |
| Vendor management | Required | Required | Required |
One82 helps CPA firms build a single compliance program that satisfies all applicable frameworks simultaneously, rather than duplicating effort across separate initiatives. Learn more about our compliance services.
AI for Accounting: What Works, What Does Not, and What to Watch {#ai-for-accounting}
AI is reshaping accounting — but the hype is running ahead of the reality. Here is an honest assessment of where AI delivers value for CPA firms today, and where it is headed.
What Works Now
Document processing and data extraction. AI can read scanned tax documents, bank statements, and receipts and extract structured data. This eliminates hours of manual data entry, especially during tax season. Tools like Botkeeper, Vic.ai, and Dext use machine learning to improve accuracy over time.
Anomaly detection and risk identification. AI excels at spotting patterns that humans miss: unusual transactions, duplicated entries, or clients with profiles that suggest audit risk. This is particularly valuable for firms that provide advisory or forensic accounting services.
Client communication automation. AI-powered tools can draft client emails, generate engagement letters, and produce status updates. The key word is “draft” — a human must review everything before it goes to a client.
Research and reference. AI assistants can search across IRS publications, FASB standards, and state tax codes to surface relevant guidance quickly. This saves research time but does not replace professional judgment.
What Does Not Work (Yet)
Fully autonomous tax preparation. No AI system can reliably prepare a complete tax return without human oversight. The liability risk is too high, and the edge cases in tax law are too numerous.
Audit-ready work product. AI-generated work papers and analyses are useful starting points, but they do not meet the documentation standards required for audit defense without human review and editing.
Client advisory without guardrails. AI can analyze data, but it should not be giving tax advice to clients. The ethical and liability implications are significant.
How to Adopt AI Safely at Your Firm
- Start with internal workflows, not client-facing deliverables. Use AI for data entry, scheduling, and research before putting it near client work product.
- Establish a firm-wide AI policy that specifies which tools are approved, how client data can be used (or not used) with AI, and who reviews AI-generated output.
- Never feed client PII into public AI tools. Consumer versions of ChatGPT, Claude, and Gemini may use your data for training. Use enterprise-grade AI tools with proper data handling agreements.
- Train your team. AI is a skill. The firms that invest in training will outperform the firms that ban AI or ignore it.
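The “never feed client PII into public AI tools” rule above is a policy. As an added example written for this guide (not One82 tooling, and not code from any vendor named on this page), the Python below shows one technical backstop for that policy: a gate that scans an outbound prompt for formatted SSNs, EINs and ABA routing numbers, validates candidate routing numbers with the ABA checksum so that ordinary nine-digit invoice numbers are not flagged, and then either blocks the prompt outright (the right setting for consumer tools) or redacts the identifiers before the text leaves the firm (for approved enterprise tools with a data handling agreement). The regex patterns, function names and the sample prompt are assumptions constructed for this example.

```python
"""Pre-submission PII gate for prompts bound for an external AI service (example code)."""
import re
from dataclasses import dataclass

# Identifier patterns a tax practice's data carries (constructed for this example;
# tune them to your own document set). SSN excludes area/group/serial values the
# SSA never issues; EIN is the IRS 2-7 format; routing numbers are nine digits and
# are validated with the ABA checksum below to cut false positives.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "ROUTING": re.compile(r"\b\d{9}\b"),
}


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing transit number check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is 0 mod 10."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def find_pii(text: str) -> list[Finding]:
    """Return every PII hit in text, ordered by position."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "ROUTING" and not aba_checksum_ok(m.group()):
                continue  # nine digits with a bad checksum: an invoice number, not a bank
            hits.append(Finding(kind, m.group(), m.start(), m.end()))
    return sorted(hits, key=lambda f: f.start)


def redact(text: str) -> tuple[str, list[Finding]]:
    """Replace each finding with a typed placeholder, working right-to-left so offsets stay valid."""
    findings = find_pii(text)
    out = text
    for f in reversed(findings):
        out = out[: f.start] + f"[{f.kind} REDACTED]" + out[f.end :]
    return out, findings


@dataclass(frozen=True)
class GateResult:
    allowed: bool
    text: str        # what may be sent onward (empty when blocked)
    findings: tuple  # what was detected, for the audit log


def gate_prompt(text: str, policy: str = "block") -> GateResult:
    """policy='block': refuse any prompt containing PII (consumer AI tools).
    policy='redact': strip the identifiers and pass the remainder (approved enterprise tools)."""
    if policy not in ("block", "redact"):
        raise ValueError("policy must be 'block' or 'redact'")
    redacted, findings = redact(text)
    if not findings:
        return GateResult(True, text, ())
    if policy == "block":
        return GateResult(False, "", tuple(findings))
    return GateResult(True, redacted, tuple(findings))


# Constructed sample prompt; every identifier in it is made up for the example.
# 123456780 passes the ABA checksum; 123456789 does not and must not be flagged.
SAMPLE_PROMPT = (
    "Summarize this client: SSN 123-45-6789, EIN 12-3456789, "
    "routing 123456780, invoice 123456789, total 45000."
)

if __name__ == "__main__":
    for policy in ("block", "redact"):
        r = gate_prompt(SAMPLE_PROMPT, policy)
        print(policy, "->", "ALLOWED" if r.allowed else "BLOCKED",
              [f.kind for f in r.findings])
        if r.allowed:
            print("   ", r.text)
```

A gate like this belongs in the one path through which staff reach the approved tool (a proxy or the wrapper around its API), not on each desktop, and every finding should be written to a log the Qualified Individual can review. It catches formatted identifiers only: a bare nine-digit SSN is indistinguishable from a routing or invoice number by pattern alone, so the conservative setting for unformatted numeric runs is to block and ask the user to confirm rather than to guess.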
One82’s AI Integration & Strategy practice helps CPA firms evaluate, deploy, and govern AI tools with proper security and compliance controls in place.
How to Evaluate IT Providers for Your CPA Firm {#how-to-evaluate-it-providers}
Not all managed service providers (MSPs) are qualified to serve CPA firms. Here is what to look for — and what should disqualify a provider.
Must-Have Qualifications
- Demonstrated experience with CPA firms. Ask for client references in the accounting industry. A provider who primarily serves retail, manufacturing, or healthcare will not understand your regulatory environment.
- Compliance expertise. Can they explain IRS 4557, the FTC Safeguards Rule, and SOC 2 without looking them up? If compliance is not a core competency, they cannot serve you effectively.
- Accounting software knowledge. They should have experience managing CCH, Lacerte, UltraTax, ProSystem fx, or whichever platform your firm uses. This includes hosting, updates, integration, and troubleshooting.
- Tax season readiness. Ask what their staffing and SLA model looks like during January through April. If they do not have a seasonal escalation plan, they are not CPA-ready.
- Cyber insurance support. They should help you complete your insurance application, provide evidence of controls, and ensure you remain compliant with policy requirements.
Red Flags
- They cannot name the specific compliance frameworks that apply to your firm
- They offer a generic “business” package with no industry customization
- Their SLAs do not differentiate between peak and off-peak periods
- They have never helped a client with a cyber insurance application
- They outsource their help desk to a third party with no accounting industry training
- They do not offer or require MFA for their own administrative access to your systems
Questions to Ask During Evaluation
- How many CPA firms do you currently serve?
- What is your average response time during tax season specifically?
- Can you walk me through your approach to FTC Safeguards Rule compliance?
- What happens to my data if I leave your service?
- Do you hold any industry certifications (SOC 2 for your own operations, CompTIA Security+, etc.)?
- How do you handle onboarding and offboarding of seasonal staff?
- What is included in your base price versus billed separately?
One82 has specialized in IT for professional services firms — including CPA and accounting firms — since 1999. We serve firms across the San Francisco Bay Area including San Jose, Campbell, Los Gatos, Palo Alto, and San Francisco.
Learn more about our services for accounting firms.
What IT Should Cost Your Firm {#what-it-should-cost-your-firm}
IT pricing for CPA firms varies based on firm size, complexity, compliance requirements, and geographic market. Here is a realistic breakdown for Bay Area CPA firms in 2026.
Per-User Pricing Model
Most MSPs price managed IT on a per-user, per-month basis. For a fully managed package that includes the cybersecurity and compliance components CPA firms require, expect:
| Firm Size | Typical Range (per user/month) | What Should Be Included |
|---|---|---|
| 5-15 users | $175 - $275 | Managed IT, EDR, email security, MFA, backup, help desk, basic compliance support |
| 16-40 users | $150 - $250 | All of the above plus dedicated account manager, QBRs, compliance documentation |
| 41-100 users | $125 - $225 | All of the above plus strategic IT planning, custom reporting, advanced compliance |
What Drives Cost Up
- Compliance requirements. FTC Safeguards and SOC 2 readiness involve additional tooling, documentation, and ongoing audit support.
- Legacy infrastructure. On-premise servers, older software versions, and hardware past end-of-life increase management overhead.
- Remote workforce. Securing home offices, managing VPN access, and supporting remote devices adds complexity.
- Rapid growth. Firms that are adding partners, offices, or service lines need infrastructure that scales.
What to Watch For in Pricing
- “Unbundled” pricing where cybersecurity, backup, or compliance are separate line items that double the effective per-user cost
- Hidden project fees for onboarding, migrations, or compliance gap assessments that should be part of the service
- Minimum commitments that lock you into a contract without performance guarantees
- Per-incident charges for security events — your provider should be incentivized to prevent incidents, not profit from them
The Real Cost Comparison
The question is not “how much does managed IT cost?” The question is “how much does inadequate IT cost?”
- Average cost of a data breach for a professional services firm: $4.47 million (IBM, 2024)
- Average cyber insurance claim for a small professional services firm: $345,000 (NetDiligence Cyber Claims Study, 2024)
- Cost of IRS e-filing suspension: 100% of filing revenue during the suspension period
- Cost of client attrition after a breach: Typically 25-40% of affected clients leave within 12 months
FAQ {#faq}
What IT compliance requirements apply to CPA firms in 2026?
CPA firms are subject to IRS Publication 4557 (taxpayer data protection), the FTC Safeguards Rule (if they handle consumer financial data), state privacy laws like California’s CCPA/CPRA, and potentially SOC 2 if they serve enterprise clients. Each framework has specific technical and administrative requirements. A qualified IT provider should help you identify which frameworks apply and build a unified compliance program.
How much should a CPA firm spend on IT per year?
A fully managed IT program for a CPA firm typically costs $150-$275 per user per month in the San Francisco Bay Area market. For a 20-person firm, that translates to approximately $36,000-$66,000 per year. This should include managed IT, cybersecurity, backup, and baseline compliance support. Additional costs may apply for SOC 2 preparation or major infrastructure projects.
What is IRS Publication 4557 and does it apply to my firm?
IRS Publication 4557, “Safeguarding Taxpayer Data,” provides the IRS’s guidance for tax professionals on protecting client information. If your firm prepares tax returns, handles taxpayer identification numbers, or accesses IRS e-filing systems, Publication 4557 applies to you. It requires a written information security plan (WISP), risk assessments, employee training, and specific technical safeguards. Read our detailed guide to IRS Publication 4557.
Does the FTC Safeguards Rule apply to accounting firms?
Yes, in most cases. The FTC defines “financial institutions” broadly enough to include tax preparers, financial advisors, and firms that handle consumer financial data. The updated rule (effective June 2023) requires specific technical controls including MFA, encryption, access controls, penetration testing, and a designated Qualified Individual. Read our complete FTC Safeguards Rule overview.
How do I protect my CPA firm from ransomware?
Ransomware protection requires a layered approach: endpoint detection and response (EDR) on all devices, email filtering with attachment sandboxing, security awareness training for all staff, network segmentation to contain potential breaches, immutable backups stored offsite, and a tested incident response plan. The most important single control is verified, tested backups — because even the best prevention fails eventually, and recovery depends on having clean backups available.
Should my CPA firm adopt AI?
Yes, but deliberately and with proper governance. AI delivers real value in document processing, data extraction, anomaly detection, and research. Start with internal workflows rather than client-facing deliverables. Establish a firm-wide AI policy that specifies approved tools and data handling rules. Never feed client PII into consumer AI tools. One82’s AI Integration & Strategy practice helps firms adopt AI with proper security controls.
What should I look for in an IT provider for my CPA firm?
Look for demonstrated experience serving CPA firms specifically, knowledge of IRS 4557 and FTC Safeguards Rule requirements, familiarity with accounting software (CCH, Lacerte, UltraTax, etc.), seasonal SLA guarantees for tax season, and cyber insurance application support. Ask how many CPA firms they currently serve and request references. Avoid providers who offer generic “business” IT packages without industry customization.
How long does it take to become compliant with the FTC Safeguards Rule?
For a CPA firm starting with basic IT security, achieving full FTC Safeguards Rule compliance typically takes 3-6 months. This includes deploying required technical controls (MFA, encryption, EDR), completing a risk assessment, developing a written security plan, appointing a Qualified Individual, and establishing ongoing monitoring and testing procedures. If SOC 2 compliance is also needed, add an additional 6-12 months. Read our FTC Safeguards compliance guide.
Can my CPA firm pass a cyber insurance audit?
With proper IT controls in place, yes. Cyber insurance carriers evaluate your firm against specific technical requirements: MFA on all remote access, EDR on all endpoints, encrypted backups, documented incident response plans, and security awareness training. Your IT provider should proactively maintain these controls and provide the documentation your carrier requests during underwriting or audits. Read our guide to CPA cyber insurance documentation.
What is the difference between break-fix IT and managed IT for a CPA firm?
Break-fix IT means you call someone when something breaks, pay per incident, and hope they can fix it quickly. Managed IT means your systems are monitored 24/7, problems are detected and resolved before they affect your team, compliance is maintained continuously, and you have a strategic IT plan aligned with your firm’s growth. For CPA firms — where downtime during tax season can mean missed filing deadlines and lost revenue — break-fix is a liability, not a cost savings.
Next Steps
If you are a CPA firm managing partner or firm administrator evaluating your IT strategy, One82 can help. We have served professional services firms exclusively since 1999, and we understand the regulatory, operational, and seasonal realities of running an accounting practice.
Schedule a 15-Minute Discovery Call to discuss your firm’s IT, cybersecurity, and compliance needs. No sales pitch. Just a conversation about where you are, where you need to be, and what it takes to get there.
Or call us directly at 408-335-0353.
One82 is a managed IT services provider serving CPA firms, law firms, and boutique financial services firms across the San Francisco Bay Area, including San Jose, Campbell, Los Gatos, Palo Alto, and San Francisco. Founded in 1999, One82 specializes in managed IT, cybersecurity, compliance, and AI integration for professional services firms with 5 to 100 employees.