You set up remote access in a hurry in spring 2020. It worked. Your staff could log in, pull client files, and close tax season from their kitchen tables. Four years later, almost nothing about that setup has changed - and that’s exactly the problem.
”It Works” and “It’s Compliant” Are Not the Same Thing
There’s a version of remote work that feels totally normal - your staff logs into QuickBooks, pulls up a client’s tax return, takes a Zoom call, and wraps up their day. From the outside, it looks like a functioning firm. From a compliance standpoint, it may be a liability waiting to surface.
Most CPA firms that stood up remote access between 2020 and 2022 did what they had to do: they got people connected fast. They bought Microsoft 365 licenses, set up VPNs (or skipped that step entirely), and let staff work from whatever devices they had at home. Nobody paused to ask whether those setups met the technical requirements under IRS Publication 4557, the Federal Trade Commission (FTC) Safeguards Rule, or their state CPA board’s data protection standards.
And most firms never went back to check.
The gap between “it works” and “it’s compliant” is where the real risk lives. Client tax data - Social Security numbers, business financials, household income records - is among the most sensitive personally identifiable information that exists. A single breach doesn’t just cost money. It triggers mandatory notification requirements, potential state board complaints, and the kind of client trust damage that’s very hard to recover from.
The firms most exposed aren’t the ones being reckless. They’re the ones that solved the access problem without solving the security problem.
Why This Matters for CPA Firms Specifically
CPA firms aren’t subject to HIPAA, so there’s a temptation to assume your regulatory burden is lighter than it is. It isn’t.
IRS Publication 4557 - Safeguarding Taxpayer Data - is the IRS’s direct guidance to tax professionals. It calls for a written information security plan (WISP), access controls, encryption, and regular risk assessments. The IRS has made clear that preparers who fail to protect taxpayer data can face penalties under Internal Revenue Code Section 7216 and related provisions.
The FTC Safeguards Rule (updated in 2023 under the Gramm-Leach-Bliley Act) now applies to many CPA firms that provide financial services to individuals - including tax preparation. The rule requires firms to designate a qualified individual to oversee their information security program, implement multi-factor authentication (MFA) for any system containing client financial data, encrypt data in transit and at rest, and monitor for unauthorized access. These aren’t suggestions.
State-level requirements add another layer. California’s Consumer Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) give California residents rights over their personal data - and your clients are almost certainly California residents if your firm is Bay Area-based.
If your firm’s remote work setup was built around getting access rather than securing it, you’re likely out of compliance with at least some of these requirements. The question is how exposed you are.
How to Audit Your Firm’s Remote Work Setup Without Hiring a Consultant
You don’t need a six-figure security assessment to get a realistic picture of where your firm stands. A firm principal or office manager can work through this in an afternoon.
Step 1: Map every remote access path. List every way a staff member accesses client data from outside the office. VPN, remote desktop, direct cloud login, email - all of it. If you don’t know every access point, you can’t secure them.
Step 2: Check device status. Are staff using firm-owned, firm-managed devices - or personal laptops and home computers? Personal devices are a major compliance exposure. You can’t enforce encryption, screen lock timeouts, or endpoint security on a machine you don’t manage. If any staff are using personal devices for client work, that needs to change.
Step 3: Confirm encrypted connections. Every remote session should run over an encrypted connection. A VPN is the standard approach for connecting to on-premise systems. Cloud platforms like Microsoft 365 encrypt in transit by default, but that doesn’t mean your configuration is airtight. Check whether users are accessing any systems over plain HTTP or unencrypted remote desktop connections.
Step 4: Verify MFA is actually enforced - not just available. MFA being “turned on” for your Microsoft 365 tenant doesn’t mean every user is using it. Pull your MFA enrollment report. If you have staff without MFA on any system that touches client data, that’s a Safeguards Rule gap right now.
Step 5: Test session timeouts and screen privacy controls. IRS Publication 4557 specifically references automatic session timeouts and screen privacy. Are workstations locking after 10-15 minutes of inactivity? Are remote sessions timing out? This is easy to check and easy to enforce - but most firms haven’t.
Step 6: Review your written information security plan. Do you have a current WISP? Does it actually describe the remote work environment your firm uses today, or does it describe the office-only environment from 2019? A WISP that doesn’t reflect your current setup offers no real protection.
The Three Most Common Remote Work Gaps We Find at CPA Firms
When One82 onboards a new CPA firm client, we almost always find the same three issues.
Personal devices accessing client data with no endpoint management. The fix: implement a mobile device management (MDM) solution and set a clear policy - firm data is only accessed on firm-managed or formally enrolled devices, period.
MFA enrolled but not enforced. Enrollment and enforcement are different things. Microsoft 365 allows conditional access policies that block logins without MFA, full stop. Most firms haven’t configured this. The fix takes under an hour.
No session timeout on remote desktop or VPN connections. Staff connect in the morning and stay connected all day - sometimes forgetting to lock their screen when they step away. A family member, a house cleaner, or a roommate can now see client tax data. The fix is enforcing screen lock policies via group policy or MDM, plus idle session timeouts on remote connections.
None of these fixes require a massive infrastructure overhaul. They require configuration, documentation, and follow-through.
What to Look for in an IT Partner
If you decide to bring in outside help, the right IT partner for a CPA firm isn’t just any managed service provider. Ask these questions before you engage anyone:
- Do you have experience working with CPA firms specifically? Can you reference IRS Publication 4557 and the FTC Safeguards Rule without looking them up?
- Can you show us a sample WISP you’ve helped a firm develop or update?
- How do you handle device management for remote staff - including the transition from personal to managed devices?
- What does your MFA enforcement process look like, and how do you verify that every user is actually enrolled?
- How often do you review remote access configurations against current regulatory requirements?
A generalist IT provider can keep your email running. A partner who understands CPA firm compliance can keep your firm protected - and keep you out of a conversation with your state board that nobody wants to have.
The Bottom Line
Your remote work setup probably works fine day-to-day. But “works” and “compliant” aren’t the same standard. IRS Publication 4557, the FTC Safeguards Rule, and state privacy laws create real obligations for how your firm handles client data - and most of those obligations apply directly to your remote access environment. The self-audit steps above will show you where your gaps are. Close the obvious ones now, document what you’ve done, and make sure your IT setup reflects your actual compliance requirements.
Frequently Asked Questions
Does the FTC Safeguards Rule actually apply to my CPA firm?
It likely does if your firm provides tax preparation, financial planning advice, or similar services to individual clients. The updated Safeguards Rule (effective June 2023) applies to “financial institutions” as defined under the Gramm-Leach-Bliley Act, and the FTC has specifically included tax preparation firms in that definition. If you’re uncertain, a review by a compliance-aware IT provider or your business attorney can confirm your firm’s status.
What is IRS Publication 4557 and what does it require for remote work?
IRS Publication 4557 is the IRS’s guidance document for tax professionals on protecting taxpayer data. It requires a written information security plan, access controls (including MFA), encryption of sensitive data in transit and at rest, automatic session timeouts, and annual risk assessments. The guidance applies directly to remote work environments - it’s not limited to office-based systems.
What’s the difference between having a written security policy and actually being compliant?
A written policy documents your intent. Compliance requires that your actual technical controls match what the policy says. If your policy states that all remote sessions use encrypted VPN connections, but some staff are logging in directly without a VPN, the policy doesn’t protect you - it may actually create additional liability because it demonstrates you knew the requirement and didn’t enforce it.
How do I know if my staff are using personal devices to access client data?
Honestly, you may not know without actively checking. A mobile device management platform gives you visibility into every device accessing your firm’s systems. Short of that, reviewing login logs in Microsoft 365 or your remote access solution can surface unrecognized devices. If you’ve never audited device access, do it before your next busy season.
If you’re working through CPA firm remote work security compliance challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.