Compliance glossary
Definition

Risk Assessment

A systematic process of identifying threats to your firm's data and evaluating the effectiveness of your security controls.

What it means.

A risk assessment in the context of CPA firm compliance is a structured evaluation of threats and vulnerabilities to the confidentiality, integrity, and availability of client data. It involves identifying what data you hold, where it is stored, what threats exist (both internal and external), what controls are in place, and where gaps remain. The FTC Safeguards Rule requires risk assessments to be documented in writing and to cover seven specific areas: access controls, data inventory, encryption, secure development, authentication, disposal procedures, and change management.

Why it matters for CPA firms.

Risk assessments are the foundation of your entire compliance program, and they drive your WISP, your incident response plan, and your control testing strategy. The FTC Safeguards Rule specifically requires periodic risk assessments, and the results must be documented. Without a current risk assessment, your WISP and other policies are effectively built on guesswork. Regulators and insurers expect to see documented risk assessments as evidence that you understand your firm's threat landscape.

Relevant regulations.

  • FTC Safeguards Rule (16 CFR 314.4(b))
  • IRS Publication 4557
  • NIST Cybersecurity Framework

How Kompflow helps.

The 7-Module Risk Assessment module handles this for your firm, personalized to your software, team size, and state requirements.
