It’s March 3rd. Your staff accountant arrives at 7 a.m. to pull a client’s prior-year QuickBooks file and sees a folder full of corrupted data. The backup your firm has been “running” for two years? It was pointing to a local drive that failed six weeks ago—silently, without alerting anyone. The deadline is in nine days.
This isn’t a hypothetical. It’s the most common way CPA firms discover their backup strategy was never actually a strategy.
The Problem: Assumptions Don’t Protect Client Data
Most CPA firms operate on a quiet, unspoken assumption: if something were wrong with the backups, someone would have said something. An alert would have fired. The IT person would have called. The software would have flagged it.
That assumption is wrong. And it’s expensive to find out at the worst possible time.
Backup systems fail quietly. A cloud sync stops authenticating because a password expired. A backup agent on the server becomes misconfigured after a software update. A network-attached storage device fills to capacity and silently stops writing new data. None of these events generate a phone call. None of them appear on a dashboard your team monitors. They just happen, and the backup job shows “completed” because the job itself ran—it just had nothing useful to write.
The three backup failures we see most often in CPA firms are specific and preventable:
Backing up the wrong locations. Drake Tax, QuickBooks Desktop, and Lacerte often store client data in locations that are easy to overlook—local C: drives, mapped network drives that aren’t actually being captured, or application-specific folders outside the standard Documents path. If your backup scope was configured years ago and your file structure has changed, you may be backing up nothing that matters.
Single-destination backup without redundancy. An external hard drive in the server room is not a disaster recovery plan. It’s a single point of failure that also burns in the same fire, floods in the same storm, and gets encrypted by the same ransomware attack as everything else.
Never validating recovery time. You may have backups. But can you restore 200 GB of client files in four hours? Or does it take three days? That gap between assumption and reality only reveals itself when you’re already behind.
Why This Matters for CPA Firms
Accounting firms face a specific combination of risks that makes backup failures far more painful than they are for other small businesses.
First, there’s the regulatory angle. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard customer information, and the Federal Trade Commission’s updated Safeguards Rule, which now reaches many accounting and tax preparation firms, requires a written information security program built on a risk assessment. Keeping client data recoverable is part of protecting its integrity, and a backup that has never been tested is hard to present as a working safeguard. “We had a backup” isn’t a defense if you can’t demonstrate it was tested and actually worked.
Second, there’s the calendar problem. A CPA firm’s exposure to data loss isn’t uniform throughout the year. Losing a week of work in July stings. Losing a week during the two weeks before April 15th is a firm-threatening event. Your backup and disaster recovery strategy needs to account for this asymmetry. Your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) in February should be far more aggressive than your current setup probably reflects.
Third, there’s client trust. Your clients hand you sensitive financial records, Social Security numbers, and business financials because they trust you to protect and preserve them. A data loss event isn’t just an operational problem. It’s a client relationship problem—and potentially a liability one.
How to Run a Backup Audit Without an IT Department
You don’t need a full-time IT team to verify whether your backups are actually working. You need a structured set of questions and a willingness to demand real answers, not reassurances.
Start with RPO and RTO in plain language.
Recovery Point Objective (RPO) is how much work, measured in time, you’re willing to lose. If your backup runs nightly at 11 p.m. and your server crashes at 4 p.m. the next day, you’ve lost 17 hours of work, and that assumes the 11 p.m. job actually captured the right data. Is that acceptable in February? Probably not. A well-designed backup strategy for a CPA firm during peak season should target an RPO of four hours or less, meaning backups run multiple times per day for critical systems.
Recovery Time Objective (RTO) is how long you can afford to be down. If restoring your data takes 48 hours and your deadline is in 24, your RTO and your business reality are incompatible. Know your number.
Check these four things right now:
- Verify what’s actually being backed up. Log into your backup software or ask your IT vendor for a file manifest from the last successful backup. Confirm that your tax software data paths, QuickBooks company files, client document folders, and email archives are explicitly included, not assumed to be included. Search the manifest for the actual paths: a mapped drive letter listed in the backup scope captures nothing if the backup agent runs under a service account that can’t see that mapping.
- Confirm where the backup is going. You should have at least two destinations: one local (for fast restores) and one offsite or cloud-based (for disaster scenarios). If the answer is “a hard drive in the server room,” that’s a single point of failure. At least one copy should also be immutable or offline (versioned cloud storage with a retention lock, or a rotated drive that is physically disconnected) so the ransomware that encrypts the server cannot encrypt the backup along with it.
- Request a test restore, a real one. Ask your IT vendor to restore a specific file or folder from a backup taken 30 days ago. Not to confirm the backup ran. To confirm the data is readable and complete. Check the restored file two ways: compare it byte for byte (a hash) against the original where you still have it, and open it in the application it belongs to. A QuickBooks company file that restores but won’t open in QuickBooks is a failed restore. Time the exercise; that is your first real RTO data point. This is the only meaningful backup test.
- Review backup logs for the last 90 days. Look for jobs that completed with errors, jobs that ran longer than expected, or gaps in the schedule. Also look for jobs that finished far faster than usual or reported zero bytes written; those are the jobs that “completed” with nothing to write. These are early warning signs.
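The four checks above, plus the RPO question from the previous section, expressed as a script a firm or its IT vendor could adapt. This is an added example and not code from the original article or from any backup product: the log format, the manifest, the required folders (placeholders to be replaced with the paths your software actually uses) and the file bytes are all constructed here. It flags error-state jobs, schedule gaps and jobs that “completed” in seconds with nothing written, computes the real data-at-risk window at a chosen failure time, reports required folders absent from the manifest, and verifies a restored file by SHA-256 against the hash recorded at backup time.

```python
"""Backup-audit checks over constructed sample data. Added example, not code from the
original article or any backup vendor: the log format, manifest, paths and file bytes
below are invented stand-ins for what a real backup product exports."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import re
import statistics

# Constructed log, one invented key=value line per job: Jan 5 is missing, Jan 4 ended
# with errors, and Jan 6 "completed" in 31 s having written nothing.
SAMPLE_LOG = """\
2025-01-02 23:00:05 status=completed duration_s=5400 bytes=214748364800
2025-01-03 23:00:04 status=completed duration_s=5520 bytes=215100000000
2025-01-04 23:00:06 status=completed_with_errors duration_s=5600 bytes=210000000000
2025-01-06 23:00:03 status=completed duration_s=31 bytes=0
2025-01-07 23:00:05 status=completed duration_s=5480 bytes=216300000000
"""
AUDIT_NOW = datetime(2025, 1, 7, 16)  # constructed: "the server died at 4 p.m."
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) status=(?P<status>\S+) "
                     r"duration_s=(?P<dur>\d+) bytes=(?P<bytes>\d+)$")


@dataclass
class JobRun:
    started: datetime
    status: str
    duration: timedelta
    size: int


def parse_log(text: str) -> list[JobRun]:
    """Parse the invented log format, skipping lines that aren't job records."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            runs.append(JobRun(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["status"],
                               timedelta(seconds=int(m["dur"])), int(m["bytes"])))
    return sorted(runs, key=lambda r: r.started)


def audit_runs(runs, expected_interval=timedelta(days=1), slack=timedelta(hours=2)):
    """Findings for error states, empty or abnormally short jobs, and schedule gaps."""
    findings = []
    typical = statistics.median(r.duration.total_seconds() for r in runs)
    for prev, cur in zip([None] + runs[:-1], runs):
        day, secs = cur.started.strftime("%Y-%m-%d"), cur.duration.total_seconds()
        if cur.status != "completed":
            findings.append(f"{day}: job ended in state '{cur.status}'")
        if cur.size == 0:
            findings.append(f"{day}: job 'completed' but wrote 0 bytes")
        if secs < 0.25 * typical:  # a full backup that finishes in seconds copied nothing
            findings.append(f"{day}: ran in {secs:.0f}s, far below the typical {typical:.0f}s")
        if prev and cur.started - prev.started > expected_interval + slack:
            findings.append(f"{day}: schedule gap since {prev.started:%Y-%m-%d}")
    return findings


def data_at_risk(runs, now):
    """Real RPO exposure at `now`: time since the last job that completed AND wrote data."""
    good = [r.started for r in runs if r.started <= now and r.status == "completed" and r.size]
    return now - max(good) if good else None


# Placeholder folders; replace with the paths your tax and accounting software really uses.
REQUIRED_PATHS = [
    r"C:\Users\Public\Documents\Intuit\QuickBooks\Company Files",
    r"D:\TaxSoftware\ClientData",
    r"\\fileserver\Clients",
]
SAMPLE_MANIFEST = [  # constructed: what the last job reports it captured
    r"C:\Users\Public\Documents\Intuit\QuickBooks\Company Files\Acme LLC.qbw",
    r"C:\Users\Public\Documents\Intuit\QuickBooks\Company Files\Acme LLC.qbw.tlg",
    r"\\fileserver\Clients\2024\Smith\1040.pdf",
]


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def uncovered_paths(required, manifest):
    """Required folders with no file under them in the manifest (case-insensitive prefix)."""
    seen = [_norm(m) for m in manifest]
    return [req for req in required
            if not any(m == _norm(req) or m.startswith(_norm(req) + "\\") for m in seen)]


# Constructed stand-in for a client file and the hash recorded when it was backed up.
ORIGINAL = b"QBW sample bytes for Acme LLC 2024\n" * 100
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def restore_matches(recorded_sha256: str, restored: bytes) -> bool:
    """Byte-for-byte restore check; a truncated restore fails even if the product said OK."""
    return hashlib.sha256(restored).hexdigest() == recorded_sha256


if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    for finding in audit_runs(runs):
        print("FINDING:", finding)
    print("data at risk at", AUDIT_NOW, "->", data_at_risk(runs, AUDIT_NOW))
    print("required paths missing from manifest:", uncovered_paths(REQUIRED_PATHS, SAMPLE_MANIFEST))
    print("test restore intact:", restore_matches(ORIGINAL_SHA256, ORIGINAL))
```

On the sample data the script reports four findings (the Jan 4 error state and, for Jan 6, the zero-byte job, the 31-second runtime and the two-day gap), and the data-at-risk calculation shows why “the job ran” is not the same as “we have last night’s backup”: with the server failing at 4 p.m. on Jan 7, the last backup that both completed and wrote data is Jan 3’s, so the exposure is over three and a half days, not 17 hours. The manifest check flags the placeholder tax-software folder as uncovered; swap in the real paths each application writes to before relying on it.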
A simple quarterly verification checklist:
- Backup logs reviewed—no failed or error-state jobs
- Data paths confirmed current and matching actual file locations
- Offsite/cloud destination verified as receiving recent data
- Test restore completed on at least one critical file set
- RTO and RPO targets reviewed against current deadline calendar
- Backup documentation updated with any changes to software or file structure
Document this process and keep the records. If you’re subject to GLBA Safeguards Rule requirements, that documentation is part of your compliance posture.
What to Look for in an IT Partner
If you’re working with an IT vendor or managed service provider (MSP), the right partner treats backup as an ongoing operational discipline—not a one-time setup task. Here’s what good looks like:
Ask your current provider: “When was the last time you performed a test restore, and what did you restore?” A provider who can answer that with a specific date and specific data set is doing the job. A provider who says “the backups are running fine” without evidence is giving you an assumption, not assurance.
Ask: “What happens if our server fails at 9 a.m. on April 10th? Walk me through the recovery process, hour by hour.” A good IT partner has thought through this scenario for your firm specifically—not just generically.
Ask about monitoring and alerting. Backup failures should generate immediate notifications. If your provider doesn’t have automated alerts tied to your backup jobs, they’re relying on the same silent assumption your firm is.
Finally, ask whether they understand the specific data locations used by Drake, Lacerte, or whatever tax software your firm runs. A generalist MSP may back up your server without understanding where the application actually writes client data.
The Bottom Line
A backup that has never been tested isn’t a backup. It’s a guess. CPA firms routinely discover this during tax season—the worst possible time. Running a backup audit doesn’t require technical expertise. It requires asking the right questions and demanding real answers. Start with what’s being backed up, where it’s going, and whether you can actually restore it under deadline pressure. Do that before February.
Frequently Asked Questions
How often should a CPA firm test its backups?
At minimum, CPA firms should perform a documented test restore quarterly—and once more before tax season begins in January. A test restore means actually recovering a file or folder from backup storage and confirming it’s readable, not simply checking that a backup job completed. More frequent testing is warranted if your firm handles high volumes of client data or recently changed software platforms.
What’s the difference between a cloud sync like OneDrive and a real backup?
Cloud sync tools like OneDrive, Dropbox, and Google Drive mirror your files in near real time, so a corrupted, ransomware-encrypted, or accidentally deleted file is mirrored to the cloud as well. They keep some version history, but retention is limited, it is managed from the same account an attacker would use, and open application databases such as a QuickBooks company file are not reliably captured while in use. A true backup maintains versioned, point-in-time copies of your data, held in a separate location under separate credentials and isolated from the live systems. For backup and disaster recovery purposes, CPA firms need a dedicated backup solution, not just a sync tool.
Does the FTC Safeguards Rule apply to my CPA firm?
The Federal Trade Commission’s updated Safeguards Rule applies to “financial institutions” as defined under GLBA, a category the FTC reads to include many accounting firms that prepare tax returns, provide financial planning, or handle certain financial records. If your firm falls under this definition, you’re required to maintain a written information security program, and backup and recovery belong among the safeguards it documents. Review your obligations with legal counsel familiar with the Safeguards Rule to confirm your firm’s status.
What should my RTO be for tax season versus the rest of the year?
There’s no universal answer, but a practical framework for most CPA firms is this: during peak season (January through April 15th and September through October 15th for extensions), an RTO of four to eight hours is a reasonable target for critical systems. Outside of deadline periods, 24 to 48 hours may be acceptable depending on your firm’s size and client commitments. The key is making this decision deliberately and building a recovery plan that can actually meet the target—not assuming your current setup can.
If you’re working through backup and disaster recovery challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.