IRS WISP audits are not common, but they are not rare either. The Return Preparer Office and Security Summit partners audit tax firms each year, often triggered by a reported breach, an EFIN compliance issue, or a referral. When the letter arrives, what the firm produces in the next 30 days determines the outcome.
This is a composite case based on actual audits at small to mid-size firms. Names changed, numbers anonymized, but the questions, sequence, and outcomes are taken from real engagements.
The trigger
A 5-person tax firm with 600 active clients. The audit was triggered by a client complaint that the firm's emailed tax return had been intercepted and altered. The client filed a fraud report. The IRS Return Preparer Office opened a compliance review.
The firm received a letter requesting documentation of their information security program within 30 days. The letter was specific: WISP, training records, vendor agreements, incident response plan.
Day 1: the response strategy
First decision in the first hour: do not respond alone. The owner contacted her CPA's E&O carrier and the firm's cyber insurance carrier. Both retained counsel. The firm's response went through legal review.
Second decision: respond fully and quickly. The IRS gives 30 days. Firms that take 28 days look like they are scrambling. Firms that respond in 5 days look organized. The optics matter.
Day 2 to 5: the artifact gather
The firm pulled every artifact the letter requested. What they had ready:
- WISP, dated 8 months prior, named qualified individual, signed by the owner
- Risk assessment, dated 8 months prior, listing 14 specific threats and the controls in place
- Employee training records for all 5 staff, completed within the last 11 months
- Vendor list with 12 vendors and signed DPAs for 10 of them
- Incident response plan with named breach coach and insurance contact
What they did not have ready:
- Signed DPAs for 2 vendors (a banking platform and a productivity tool)
- Documentation of the most recent backup test (the test had been done, but no written record)
- A current vulnerability scan
Day 6 to 12: closing the gaps
The firm's response strategy was to provide everything they had, plus a written remediation plan for the 3 missing items, with specific dates for completion within the next 60 days.
For the missing DPAs: contacted both vendors, requested signed agreements, received them in 4 and 7 days respectively.
For the backup test: ran a fresh test, documented it with screenshots and timestamps.
For the vulnerability scan: engaged a security firm to run a scan, received results in 5 days.
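Of the three gaps, the backup test is the one a firm can close on a schedule rather than by engaging a vendor. What follows is an added example, not from the firm or its audit response, of a restore test that produces the written record the firm lacked: it restores an archive into a scratch directory, compares every restored file's SHA-256 against the live copy, and writes a timestamped JSON record that can be filed with the WISP. The directory layout, sample files and archive are constructed for the example; a real run would point `restore_test` at the firm's actual backup set and keep the record alongside the screenshots.

```python
"""Backup restore test that leaves a written record.

Added example, not from the firm or the audit letter. The file layout,
sample contents and archive are constructed so the script runs offline;
point `restore_test` at a real backup set to produce real evidence.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_tree(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the firm's backup job: a tar.gz of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into target; the 'data' filter refuses entries that escape target."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # Python builds without the filter argument
            tar.extractall(target)


def restore_test(source: Path, archive: Path, restore_dir: Path, record_path: Path) -> dict:
    """Restore, compare against the live copy, write a timestamped JSON record."""
    restore_backup(archive, restore_dir)
    expected = sha256_tree(source)
    actual = sha256_tree(restore_dir)
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    record = {
        "test_type": "backup restore test",
        "performed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "archive_sha256": sha256_file(archive),
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "result": "PASS" if not (missing or extra or mismatched) else "FAIL",
    }
    record_path.write_text(json.dumps(record, indent=2))
    return record


def demo(tamper_after_backup: bool = False) -> dict:
    """Build a constructed client-file tree, back it up, restore it, record the result.

    With tamper_after_backup=True the live copy is changed after the backup is
    taken, standing in for a stale or corrupted backup, so the test must FAIL.
    """
    base = Path(tempfile.mkdtemp(prefix="restore-test-"))
    source = base / "client-files"  # constructed sample data, not real client files
    (source / "2023").mkdir(parents=True)
    (source / "2023" / "return-0001.pdf").write_bytes(b"%PDF-1.4 constructed sample return\n")
    (source / "wisp.docx").write_bytes(b"constructed sample WISP bytes\n")

    archive = base / "nightly.tar.gz"
    make_backup(source, archive)
    if tamper_after_backup:
        (source / "wisp.docx").write_bytes(b"edited after the backup ran\n")

    restore_dir = base / "restore"
    restore_dir.mkdir()
    return restore_test(source, archive, restore_dir, base / "restore-test-record.json")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record carries the archive hash and a UTC timestamp, so a reviewer can tie it to a specific backup set and date; a FAIL lists exactly which files were missing, extra or altered, which is the information a remediation plan needs.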
Day 13: the formal response
The firm submitted a 47-page response with table of contents, every artifact organized by category, and a 2-page executive summary that explicitly addressed each item the IRS letter mentioned.
Inside the response:
- A copy of the WISP
- The risk assessment
- Training records for each employee, with completion dates
- Vendor list with all DPAs attached as exhibits
- Incident response plan
- A timeline showing each control implementation date
- Evidence of the breach response (the email compromise, the actions taken, the notifications made)
- The remediation plan for any items still in progress
Day 14 to 30: the IRS review
The Return Preparer Office reviewed the submission. Their typical timeline is 30 to 90 days for an initial review.
In this case, they responded with three follow-up questions on day 22:
- Confirmation that the email security tool documented in the WISP was active during the period of the reported incident
- Evidence of the specific notification sent to the affected client
- A statement of how the firm verified that no other clients were affected
The firm responded within 48 hours with the requested evidence: vendor logs showing the email security tool's activation date, a copy of the notification letter, and a summary of the forensic investigation that confirmed scope.
Day 30 to 60: the resolution
The IRS issued a closure letter. The firm was not penalized. The closure letter specifically noted the firm's "comprehensive information security program and prompt response to identified gaps."
The total cost to the firm:
- Legal fees: about $9,000
- Vulnerability scan: $2,500
- Internal time: about 60 hours across 3 weeks
The audit closed in 6 weeks. Firms without the documentation typically face audits that drag for 4 to 6 months and end with formal corrective action plans, fines, and EFIN suspension risk.
What worked
- The WISP existed and was current. Most of the audit was already answered before it started.
- Documentation was organized in a single folder structure. Artifacts could be pulled and packaged in days, not weeks.
- Counsel reviewed the response. The framing of "here is what we have, here is what we are remediating, here is the timeline" reads as professional, not defensive.
- Speed mattered. Responding in 13 days instead of 28 demonstrated the program was real.
What this means for your firm
An IRS audit is not the moment to build the WISP. It is the moment to produce the WISP that already exists. The 12 months before an audit are when the work happens. The 30 days during the audit are when the work pays off.
If your WISP is older than 12 months, your training records are missing dates, or your vendor list does not have current DPAs, you are not ready for an audit. The cost of getting ready is dramatically less than the cost of getting it wrong during one.