Built for the six moments a CPA firm actually hits.

Not a generic GRC tool repackaged for accountants. A platform shaped around the situations where you need governance to exist: insurance renewals, client assessments, regulator inquiries, and everything in between.

Six situations. One platform.

Every module in Kompflow exists because a CPA firm is going to live one of these six moments this year. Probably more than one.

Cyber insurance renewal

The questionnaire just landed. Your renewal is four weeks out.

The Insurance Gap Assistant pulls from your actual firm data (your risk decisions, controls, WISP, training records) and tells you what you have, what you're missing, and what to fix first. Grounded in evidence, not generic copy.

Client security questionnaire

A big client just asked for your WISP, training records, and IRP.

Your Security Package (WISP, IRP, control register, training completion, vendor oversight) is signed, dated, and downloadable the afternoon you finish onboarding. You send it. You don't build it from scratch.

Regulator inquiry

The IRS, FTC, or a state AG wants to see your program.

Full audit trail. Version history. Signed approvals. State-specific breach notification already mapped across all 50 states + DC. No scramble, no last-minute consultant engagement.

Incident or near-miss

Something actually happened. You need to act in the next 72 hours.

Scenario-specific IRP playbooks (ransomware, wire fraud, lost device, email compromise, data breach, system outage) with your contact tree, state breach laws, and step-by-step response already built.

Program change

New software, new state, new partner. The program has to catch up.

Compliance events surface the drift: an expired policy, a stale risk decision, a vendor review past due, a new state breach law. Each event comes with a recommended action and a direct link to resolve.

Staff training & turnover

New hire starts Monday. Tax season starts in three weeks.

Training modules assigned automatically based on firm size and each person's role. Tracked to completion. Records ready to send when your insurer, client, or regulator asks, without chasing anyone.

What you'll have without building it yourself

Four pillars. Every module fits underneath.

Know your posture

Data inventory. Risk assessment. Microsoft 365 auto-sync. You see your firm clearly, and so does everyone who needs to.

Document your program

WISP. Incident Response Plan. Risk decisions with AI-drafted briefs. Everything your insurer, regulator, and biggest clients ask for, kept current automatically.

Train your team

Modules assigned automatically based on firm size and each person's role, and tracked to completion. Training records ready to send, without chasing anyone.

Prove your compliance

Evidence-backed control testing. Full audit trail. Four reports ready on demand: Annual Assessment · Audit Trail · Gap Analysis · Compliance Calendar.

Not Templates, Personalized Documents

See the Difference

Generic templates leave you filling in blanks. Kompflow analyzes your risk profile and generates documents unique to your firm.

Generic Template: What you get from DIY

[COMPANY NAME] maintains a Written Information Security Program in compliance with applicable regulations.

Incident Response: In the event of a data breach involving [SOFTWARE SYSTEM], the designated [CONTACT NAME] should be notified within [X HOURS].

Notify affected individuals per [STATE] breach notification laws within [X DAYS].

Kompflow Output: Personalized to your firm

Maple Street Tax Associates maintains a Written Information Security Program in compliance with the FTC Safeguards Rule (16 CFR 314) and IRS Publication 4557.

Drake Software Breach Response: In the event of unauthorized access to Drake Tax, Sarah Chen (Incident Manager) should be notified within 1 hour. Immediately contact Drake Support at 828-524-8020.

Notify affected individuals per Massachusetts breach notification law (M.G.L. c. 93H) within 30 days and file with AG Maura Healey's office.

Generic template: 12 blanks to fill in. State laws to research. Weeks of work.

Kompflow output: Generated in minutes. Tailored to your software, team, and state laws.

How Personalization Works

You Enter: Your software, team size, states of operation, and client types
We Analyze: Your risk profile, state breach laws, and software-specific vulnerabilities
You Get: Policies, IRPs, and a WISP written specifically for your firm

Governance Roadmap

Your Compliance Calendar, Built Automatically

Designed around tax season. Heavy compliance work happens in the off-season (Q2–Q4). During busy season, Kompflow keeps things on autopilot, so you focus on filing, not paperwork.

Q1 (Jan–Mar): Busy Season

Minimal tasks while you're filing returns

Automated alerts only, no heavy compliance lifts
Confirm cyber insurance is active before season starts
Quick-check: team MFA & access controls still in place

Q2 (Apr–Jun): Post-Season Reset

Season's over, time to catch up on governance

Annual risk assessment review & update
WISP review, re-approval, and digital signature
Update data inventory for any new software or staff changes
Employee security training renewal (all staff)

Q3 (Jul–Sep): Vendor & Controls Review

Off-season deep dive into third-party risk

Vendor security assessment reviews (SOC 2, DPAs)
MSP controls assessment verification
Review access controls and remove former employees/contractors
Update incident response contact trees

Q4 (Oct–Dec): Renewal & Season Prep

Lock everything down before busy season

Apply any new state or federal regulatory changes to policies
Prepare documentation for cyber insurance renewal
Year-end audit trail review and archival
Verify all governance documentation is current for tax season

Automated Alerts

Email reminders before every deadline so you never miss a review

Task Assignment

Assign quarterly tasks to your team, MSP, or yourself with due dates

Overdue Tracking

Visual dashboard shows what's on track, what's due, and what's overdue

Automatic Regulatory Updates

Your Policies Stay Current. Automatically.

Regulations change. State laws get updated. Kompflow monitors these changes and updates your documentation for you, with no consulting fees and no manual review.

State Law Monitoring

Operating in Massachusetts and California? When either state updates its breach notification law, your incident response plans update automatically to match.

FTC & IRS Updates

When the FTC Safeguards Rule or IRS Publication 4557 requirements change, your WISP and policies are updated to stay compliant. No gaps between rule changes and your documentation.

Change Alerts

Get notified when a regulatory change affects your firm. See exactly what changed, why it matters, and how your documents were updated, all with a complete audit trail.

Without Kompflow

Hire a consultant every time a law changes
Manually track 50+ state breach notification laws
Risk non-compliance gaps between rule changes
$1,500+ per policy update cycle

With Kompflow

Automatic policy updates when regulations change
All 50 state breach laws monitored and applied
Zero compliance gaps, with updates happening automatically
Included in your subscription, no extra fees

Prove It, Not Just Document It

58 Controls. Mapped to FTC & IRS. Tested with Evidence.

Most platforms stop at policies. Kompflow maps your compliance to 58 specific controls from the FTC Safeguards Rule and IRS Publication 4557, then tests each one with real evidence.

Control Register

Every control auto-mapped from your risk assessment. Track effectiveness (Effective / Partially Effective / Not Implemented) with inherent and residual risk scores. Mapped directly to FTC §314.4 sections.

Evidence Upload & Testing

Upload screenshots, documents, or attestations per control per asset. Per-asset or firm-wide test scope with recurrence scheduling (quarterly, semi-annual, annual). Because many tax systems aren't API-connected, AI reads and evaluates screenshots directly.

AI-Powered Evaluation

Uploaded evidence is evaluated by AI with confidence scoring (high / medium / low) and effectiveness grading. Your Qualified Individual can accept, reject, or override every evaluation, with a full audit trail preserved.

Identity Provider Inheritance

If your identity provider (e.g., Microsoft Entra ID) passes an AUTH control, that result cascades to all downstream apps connected via SSO. Test once, cover many, and reduce evidence collection from hours to minutes.

Automate Your Data Inventory

Connect Microsoft 365. Auto-Sync Security Signals.

Stop manually checking MFA status and encryption settings across every app. Connect your Microsoft 365 tenant and Kompflow pulls security signals directly from Microsoft Graph.

MFA enrollment status per user
Conditional access policies
Password policy compliance
Device compliance (MDM, encryption)
Sharing settings

Your data inventory stays accurate without manual reviews. When a signal changes, compliance events fire automatically. Manual sync or scheduled (daily/weekly) options available.

Stay Ahead of Compliance Drift

Every Change Tracked. Every Gap Flagged. (Professional+)

Kompflow monitors changes across all modules and surfaces compliance events in real time, so nothing falls through the cracks.

QI designation changes → Immediate compliance event
MFA disabled or encryption removed → Control re-evaluation needed
Risk assessment approved → Remediation plan + control register sync
Remediation items completed → Control effectiveness updated
Regulatory changes detected → Policy regeneration recommended
Document version expires → Annual review reminder triggered

Built-in deduplication prevents alert fatigue. Each event includes a recommended action and a direct link to resolve.

Platform vs. Manual Compliance

See what Kompflow automates compared to building a program manually

Feature · Kompflow (From $99/mo) · Spreadsheets (Manual) · Templates (DIY)

Data inventory & classification
Multi-module risk assessment
WISP & policies personalized to your firm
Incident response playbooks
Vendor security tracking
Task assignment & tracking
Staff security training
Customized to your tax software
State breach law coverage (all 50 states)
Version control & audit trail
Automatic regulatory updates when laws change
Compliance calendar with review reminders
Ready in under a day
58-control register mapped to FTC/IRS
Evidence upload with AI evaluation
Microsoft 365 auto-sync
Cross-module compliance events
Multi-assessor risk assessment workflow
QI approval workflow with signatures

58 Controls

Mapped to FTC & IRS requirements

< 1 Day

From setup to fully compliant

100%

FTC & IRS coverage

Already working with a vCISO or MSP? We offer annual partnerships with per-client pricing and white-label options. vCISO partnerships · MSP partnerships

Ready to Get Compliant?

Plans starting at $99/mo · Billed annually

30-day money-back guarantee
Cancel anytime
No setup fees