Setup to renewal in seven steps

How Kompflow sets up your firm, from start to finish.

Wizard-based. Most firms finish onboarding in a day. Then your governance program runs in the background, and you step in only when there is a decision to make.

No compliance expertise needed. Every step explains what you are doing and why it matters.

Kompflow WISP $499 first year . Starter $249/mo . Professional $499/mo

Step 1

Set up your firm profile

A guided wizard collects your firm details in 3 minutes. Everything you generate will be tailored to this info.

Firm details: Name, size, locations, employee count, client count
Software inventory: Tax software, email, cloud storage, backups, and practice management, all auto-mapped to your data inventory.
Team and contacts: Incident Manager, Communications Lead, and Scribe: the contact tree regulators look for.
External partners: MSP, cyber insurance, IT staff, and IRS liaison: everyone who plays a role.
Recovery settings: Tax season RTO/RPO, backup strategy, and training frequency: all built into your plans.

Average setup time: 3 minutes

app.kompflow.com/welcome
Set Up Your Firm
This powers everything we generate for you
Step 3 of 5: ✓ Firm Details, ✓ Software, Team, Partners, Recovery

Software Detected (✓ Complete)
📊 Drake Tax: Tax Preparation ✓
📧 Microsoft 365: Email & Productivity ✓
☁️ SharePoint Online: Cloud Storage ✓
💾 Carbonite: Backup ✓
📒 QuickBooks Online: Accounting ✓

Incident Response Team (In Progress)
Incident Manager: Sarah Chen ✓
Communications Lead: Daniel K. ✓
Scribe / Documenter: Not assigned
IRS Liaison: Not assigned

Employees: 8
Locations: 1
States: MA, NH
Clients: ~450

app.kompflow.com/data-inventory
🗄️ Data Inventory: 12 Systems Mapped
Total Assets: 12
Reviewed: 8
Needs Review: 3
Not Started: 1
⚠ 2 without MFA · ⚠ 1 missing encryption

System | Classification | MFA | Encryption | Status
Drake Tax | Critical | ✓ | 🔒 | ✓ Reviewed
Microsoft 365 | Sensitive | ✓ | 🔒 | ✓ Reviewed
SharePoint Online | Sensitive | ✓ | 🔓 | Needs Review
Carbonite Backup | Internal | ✗ | 🔒 | ✓ Reviewed
QuickBooks Online | Critical | ✗ | 🔒 | Needs Review

Step 2

Map your data

FTC requires you to know exactly where client data lives. Kompflow auto-generates your data inventory from the software you listed in Step 1.

Auto-generated: Systems populated from your firm profile: your tax software, email, cloud storage, and practice management.
Security controls: Track MFA, encryption at rest, encryption in transit, BAA/DPA status for each system.
Classification: Critical, Sensitive, or Internal, so you know which systems matter most.
Gap detection: Highlights missing controls, unreviewed systems, and vendor compliance gaps.
Microsoft 365 integration: Connect your M365 tenant to auto-sync MFA status, conditional access policies, device compliance, and encryption settings.

Auto-populated. Just review and confirm.

Step 3

Assess your risks

A structured 7-module risk assessment built on a vCISO framework. Assign modules to different team members such as your MSP, office manager, or yourself.

7 assessment modules: Covers access controls, data protection, incident readiness, vendor risk, training, physical security, and governance.
Multi-assessor: Assign modules to your MSP, IT lead, or team members via tasks, and each person completes their section.
Approval workflow: Draft to In Progress to Submitted to Approved, with full status tracking per module.
Overdue tracking: Due dates and warnings so nothing falls through the cracks.

Delegate modules across your team. No bottlenecks.

app.kompflow.com/risk-assessment
⚠️ Annual Risk Assessment 2026 (In Progress)
Overall Progress: 36/66 questions
2 Approved · 2 In Progress · 3 Not Started

Access Controls: 12/12 questions · 1 critical · You · ✓
Data Protection: 10/10 questions · 1 warning · Office Mgr · ✓
Incident Readiness: 8/12 questions · 2 critical, 1 warning · You · →
Vendor Risk: 6/8 questions · 2 warning · MSP · →
Training & Awareness: 0/6 questions · Office Mgr · ○
Physical Security: 0/8 questions · ○
Governance: 0/10 questions · ○

app.kompflow.com/risk-assessment/remediation
🎯 Remediation Plan (Active)
Total: 7 · Open: 2 · In Progress: 3 · Closed: 2

MFA not enforced on Drake Tax (✓ Approved)
Access Controls · Sarah Chen · Due Mar 15
Enable MFA through Drake portal, update team access procedures

No encryption at rest on backup storage (In Progress)
Data Protection · MSP (TechSecure) · Due Mar 30
Migrate to AES-256 encrypted Carbonite vault

Missing vendor DPA for cloud storage (Plan Submitted)
Vendor Risk · Daniel K. · Due Apr 10

No documented access review process (Open)
Governance

Step 4

Close your gaps

Your risk assessment does not just score you. It identifies exactly where your compliance program falls short and creates an AI-guided remediation plan to close every gap.

AI-identified gaps: Critical and warning-level findings surfaced automatically from your assessment, with no guesswork.
Remediation action plans: Each gap comes with an AI-generated recommendation and a structured action plan, so you can assign an owner, set a target date, and track progress.
QI review and approval: Your Qualified Individual reviews each remediation through the workflow Open, Plan Submitted, In Progress, Completed, Approved.
Automated reminders: Email reminders for overdue items, status notifications, and a complete audit trail. You decide what to do; we document the decision.

Do not just know your risks. Close them.

Step 5

Generate policies and plans

Your risk profile, software stack, and state laws are analyzed to generate a Written Information Security Plan (WISP) unique to your firm, not a generic template. Kompflow Starter and Professional plans also generate Incident Response Plans (IRPs) with scenario-specific playbooks.

WISP generator

Personalized overview plus 10 FTC-compliant security policies built from your firm's risk profile, software stack, and team structure.

Covers access controls, data retention, encryption, vendor management, employee training, physical security, and more.

Incident Response Plans (Professional+)

Scenario-specific playbooks for ransomware, data breaches, wire fraud, lost devices, email compromise, and system outages.

Each plan includes your contact tree, state breach laws, and step-by-step response procedures.

Version control · Approval workflow · Signature capture · Annual review reminders · Draft to active states

app.kompflow.com/wisp
🔒 Written Information Security Program
Active WISP v2.1
Approved Feb 14, 2026
10 Security Policies · Last reviewed: Feb 14, 2026
✓ Approved by Sarah Chen

🔄 Regulatory Update Available (v2.2 draft)
Massachusetts breach notification timeline updated from 30 to 14 days
IRP Updated · Breach Policy Updated

✓ All Critical Issues Addressed (2 resolved)
⚠ 1 Warning Flag
Annual review due in 45 days

FTC-Required Policies
Access Control Policy ✓
Data Classification & Handling ✓
Encryption Standards ✓
Employee Security Training ✓
Vendor Risk Management ✓
+ 5 more policies

Control testing flow

1. Risk assessment maps 58 controls automatically
2. Create a testing cycle (quarterly/annual)
3. Assign evidence tasks to team, MSP, or yourself
4. Upload evidence (screenshots, docs, attestations)
5. AI evaluates, then QI reviews and approves
6. Control register updated with audit trail preserved

Professional+
Step 6

Test your controls

Your risk assessment automatically maps to 58 FTC and IRS controls. Create testing cycles, assign evidence collection to your team or MSP, and track effectiveness over time.

Controls auto-populated: 58 controls mapped from your risk assessment results, with no manual setup.
Evidence collection: Upload screenshots, documents, or attestations per control per asset. AI reads and evaluates screenshots for tax systems that aren't API-connected.
AI evaluation: Evidence is scored with confidence levels (high/medium/low) and effectiveness grading, then your QI reviews and approves final results.
Testing cycles: Create quarterly, semi-annual, or annual testing cycles. Results feed back into the control register to close the loop.

Prove compliance. Do not just document it.

Ongoing compliance

Keep it running, year-round.

Compliance is not a one-time event. Kompflow keeps your program current between insurance renewals, client reviews, and regulator checks.

app.kompflow.com/tasks
📋 Compliance Tasks
1 Overdue · 2 In Progress
All (5) · Open (4) · Overdue (1) · Done (1)

Enable MFA on Drake Tax (Critical)
Risk Assessment → Access Controls · Sarah Chen · ⚠ Mar 15
Overdue

Complete vendor DPA for Carbonite
Risk Assessment → Vendor Risk · Daniel K. · Apr 10
In Progress

Q1 security training for all staff
Compliance Academy · Office Manager · Mar 31
In Progress

Review & sign updated WISP v2.2
WISP → Regulatory Update · Sarah Chen (QI) · Apr 5
Pending

Update IRP contact tree
Incident Response Plan · Daniel K. · Feb 28
Done

Task management (Professional+)

Assign compliance tasks to team members, your office manager, or your MSP. Track due dates, approvals, and progress, all in one place. Tasks are linked directly to risk assessment findings, remediation items, and policy reviews.

Assign to anyone · Due dates and priorities · Linked to modules · Overdue alerts
Live

Your whole team gets trained

FTC and IRS require employee security training. Modules are short and assigned automatically by role and firm size, so your staff learns phishing awareness, data handling, and breach response. Tracked completion gives you the records insurers, regulators, and clients ask for.

Auto-assigned by role · No seminars needed · Tracked completion records
Live

Annual reviews and versioning

FTC requires annual reviews of your security program. Automatic reminders, one-click version creation, and a complete audit trail of every change.

Auto reminders · Version history · Audit trail
Live

Vendor assessment (Starter+)

Evaluate the security posture of your third-party vendors, including SOC 2 compliance, contractual safeguards, and data handling practices.

Coming soon

Control assessment (Professional+)

Create quarterly or annual testing cycles. Evidence collection with AI evaluation that reads screenshots for tax systems that aren't API-connected. Track control effectiveness over time with full audit trail.

58 FTC/IRS controls · AI evidence evaluation · QI review workflow
Live

Compliance event monitoring (Professional+)

Cross-module event tracking monitors data inventory changes, assessment approvals, remediation completions, and more. Severity levels with recommended actions and direct links to resolve.

Cross-module tracking · Deduplication · Recommended actions
Live

Role-based access

Admin, IT, and User roles. Admins manage the program. Team members see only their assigned tasks. Everyone stays in their lane.

Admin · IT · User
Live

Everything regulators ask for, on one platform.

FTC and IRS auditors want to see documented evidence of your entire security program. Here is what Kompflow produces.

Data inventory with security controls
7-module risk assessment
Remediation plans with tracked gap closure
Written Information Security Program
Incident Response Plans with 6+ scenarios (Professional+)
58-control register with effectiveness ratings
Evidence of control testing (screenshots, documents, attestations)
Approval signatures and version history
Annual review documentation
Task assignment and completion records (Professional+)
Team training records
Compliance event log showing continuous monitoring
Microsoft 365 security signal verification (if connected)

What it looks like once you are set up

Setup takes a day. After that, you step in only when there is a decision to make.

Day 1

Your WISP, risk decisions, and incident response plan are signed, dated, and downloadable.

You can send your Security Package to your carrier, your client, or your IRS liaison the afternoon you finish onboarding.

Week 1

Microsoft 365 is syncing. Training is assigned by role.

Your data inventory stays accurate without manual checks. Staff modules show up in each person's queue: short, role-matched, tracked to completion.

Month 1

Your first control testing cycle produces evidence.

Screenshots, attestations, and documents uploaded by the people who own each control. AI scores them, your QI reviews and approves. Audit trail builds itself.

Quarter 1

Compliance events surface gaps automatically.

When something drifts (an expired policy, a stale risk decision, a vendor review past due), it shows up as an event with a recommended action. You decide; we document.

Renewal time

Your insurance questionnaire takes an afternoon, not three weeks.

The Insurance Gap Assistant pulls from your actual firm data. You see what you have, what you are missing, and what to fix first: grounded in evidence, not generic copy.

The team experience

Everyone sees only what they need. Nobody scrambles.

Firm owner

You see the program at a glance: what is approved, what is pending your signature, what is drifting. The decisions that need you show up in one queue. Everything else runs on its own.

Qualified Individual

Risk decisions, remediation approvals, control testing reviews: all in one workflow with audit trail. You review what matters, approve with a signature, and move on. No chasing PDFs across email.

Team members

Training modules show up in your queue, matched to your role. Evidence uploads are one click. You see only your tasks. Nothing else. Completion is tracked so nobody has to ask how far along you are.

MSP or vCISO partner

Partners work from a cross-client dashboard with role-based team access, white-label reporting, and a step-by-step process across every client at once. You collaborate with your firm in their workspace. They keep ownership of the governance decisions.

Who is Kompflow for?

Solo CPAs and small firms

1 to 25 employees. Need FTC compliance but do not have time to build a program from scratch.

Tax professionals (EROs)

Electronic Return Originators subject to IRS Publication 4557 requirements.

Firms with MSPs

Your MSP handles security. Kompflow handles the governance documentation they cannot.

Firms with vCISOs

Your vCISO sets strategy. Kompflow automates the documentation and tracking.

Ready to build your compliance program?

From setup to compliant in less than a day, guided every step of the way.
