A WISP that has not been reviewed in the last 12 months does not count. The FTC Safeguards Rule requires the qualified individual to report on the program at least annually and to reassess the firm's risks as things change, and IRS Publication 4557 points tax preparers to that same requirement. Most firms know this and most firms still skip it because the review feels vague.
Here is the 9-item checklist that turns the annual review into a 90-minute exercise instead of an open-ended project. Each item has a specific artifact attached so the review is provable, not theoretical.
1. Refresh the qualified individual designation
Confirm the named individual is still in the role, still at the firm, and still has the time to perform the duties. If anything changed, update the designation in writing with a new effective date.
Artifact: Updated WISP page with the qualified individual section, dated, signed.
2. Refresh the risk assessment
Walk through the threats your firm faces. New software added in the past year? New vendors? New staff? New offices or remote workers? Each change is a new risk to document.
Artifact: A dated risk assessment document listing each major threat, the affected systems, and the controls in place.
3. Verify the technical safeguards
Confirm each of the technical safeguards listed in the WISP is still in place and working.
- Multi-factor authentication on every account that can reach customer information, including email and remote access
- Endpoint protection on every device
- Full-disk encryption on laptops and removable drives
- Patch management current within 30 days
- Email filtering for spam, phishing and malicious attachments
Artifact: A screenshot or vendor report dated within the last 30 days for each control.
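As an added example (not part of the original checklist), the script below gathers dated evidence for three of these controls on a Windows 10/11 workstation that uses BitLocker and Microsoft Defender, and writes it to the review folder so the file itself is the artifact. The evidence folder path, the 30-day patch window and the 7-day signature-age threshold are assumptions; MFA and email filtering are verified in the identity and mail vendor consoles, which this script cannot reach. Run it in an elevated PowerShell session on each workstation.

```powershell
# Added example, not the page's own tooling. Assumes Windows 10/11 with BitLocker
# and Microsoft Defender, run as administrator. Thresholds are assumptions.
param(
    [string]$EvidenceDir = "C:\WISP\Annual Review $(Get-Date -Format yyyy)",
    [int]$MaxPatchAgeDays = 30,      # the WISP's 30-day patch window
    [int]$MaxSignatureAgeDays = 7    # assumed threshold for AV signature freshness
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$today = Get-Date
$findings = @()

# Control: full-disk encryption on the OS volume (BitLocker protection must be On)
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings += [pscustomobject]@{
    Control  = "Disk encryption"
    Evidence = "BitLocker $($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
    Pass     = ($bl.ProtectionStatus -eq 'On')
}

# Control: endpoint protection enabled with recently updated signatures
$mp = Get-MpComputerStatus
$sigAge = ($today - $mp.AntivirusSignatureLastUpdated).Days
$findings += [pscustomobject]@{
    Control  = "Endpoint protection"
    Evidence = "Real-time protection $($mp.RealTimeProtectionEnabled), signatures $sigAge day(s) old"
    Pass     = ($mp.RealTimeProtectionEnabled -and $sigAge -le $MaxSignatureAgeDays)
}

# Control: patching current within the WISP's window (most recent hotfix date)
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($latest) { ($today - $latest.InstalledOn).Days } else { [int]::MaxValue }
$findings += [pscustomobject]@{
    Control  = "Patch management"
    Evidence = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())" } else { "No hotfix history found" }
    Pass     = ($patchAge -le $MaxPatchAgeDays)
}

# Write a dated, host-specific CSV: this file is the artifact for the review folder.
$report = Join-Path $EvidenceDir ("safeguards-{0}-{1}.csv" -f $env:COMPUTERNAME, $today.ToString('yyyy-MM-dd'))
$findings |
    Select-Object @{n='Host';e={$env:COMPUTERNAME}}, @{n='Checked';e={$today.ToString('s')}}, Control, Evidence, Pass |
    Export-Csv -Path $report -NoTypeInformation

$findings | Format-Table -AutoSize
Write-Host "Evidence written to $report"
# Non-zero exit makes a failing control visible if the script runs from a scheduled task
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

Two caveats: Get-HotFix reads the Win32_QuickFixEngineering record and can miss updates installed through some channels, so treat a surprising "no hotfix history" result as a prompt to check Windows Update history rather than as proof of a gap; and a Pass column is only evidence for the day it was written, which is why the file name carries the date.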
4. Verify the administrative safeguards
Confirm:
- Every employee completed security awareness training in the last 12 months
- Every employee has acknowledged the firm's information security policy in writing
- New hires went through onboarding security setup
- Departing employees had access revoked the same day
Artifact: Training completion records, signed acknowledgments, onboarding and offboarding checklists.
5. Verify the physical safeguards
For most tax firms this is short:
- Office locks and alarm system
- Locked file cabinets for paper records
- Locked workstations when unattended
- Secure disposal of paper and electronic records
Artifact: A walkthrough memo describing the physical safeguards, dated.
6. Refresh the vendor inventory
List every vendor that touches client data. For each one, confirm:
- There is a signed data processing agreement on file
- The vendor's most recent SOC 2 report or security questionnaire is on file
- The contract has been reviewed in the last 12 months
Artifact: A vendor list with status flags for each.
7. Refresh the incident response plan
Confirm:
- The breach coach contact is current
- The cyber insurance contact is current
- The notification timeline matches current state laws (state laws change)
- The internal escalation list is current
Artifact: Updated incident response plan with current names and numbers.
8. Test something
Pick one of the following and run it:
- Phishing simulation against the team
- Backup restore test
- Tabletop exercise (a 30-minute "what would we do if X happens" walkthrough)
- Penetration test or vulnerability scan
Artifact: The test report or a written summary, dated.
9. Document the annual report to leadership
The qualified individual must report annually to firm leadership on the state of the program. For a sole owner this is a documented self-review meeting. For a partnership it is a partner meeting with minutes.
The report covers: program status, incidents in the last year, gaps identified, plan for the next year.
Artifact: Meeting minutes, signed by the qualified individual and at least one partner or owner.
When to do this
Most firms run the annual review in May or June, after tax season ends. Block 90 minutes on a Tuesday. Walk through the 9 items in order. Save each artifact in a folder named "WISP Annual Review [Year]." Done.
If the FTC or IRS asks for your WISP, you produce that folder. An examination that would otherwise mean weeks of reconstructing evidence is answered in an afternoon.