Setup to Renewal: Seven Steps

How Kompflow sets up your firm from start to finish.

Wizard-based. Most firms finish onboarding in a day. Then your governance program runs in the background, and you only step in when there's a decision to make.

No compliance expertise needed. Every step explains what you're doing and why it matters.

Get Started

Starting at $99/mo · Billed annually

STEP 1

Set Up Your Firm Profile

A guided wizard collects your firm details in 3 minutes. Everything you generate will be tailored to this info.

Firm Details: Name, size, locations, employee count, client count
Software Inventory: Tax software, email, cloud storage, backups, and practice management, all auto-mapped to your data inventory.
Team & Contacts: Incident Manager, Communications Lead, and Scribe: the contact tree regulators look for.
External Partners: MSP, cyber insurance, IT staff, and IRS liaison: everyone who plays a role.
Recovery Settings: Tax season RTO/RPO, backup strategy, and training frequency: all built into your plans.

⏱ Average setup time: 3 minutes

app.kompflow.com/welcome
Set Up Your Firm
This powers everything we generate for you
Step 3 of 5
Firm Details
Software
Team
Partners
Recovery
Software Detected✓ Complete
📊
Drake Tax
Tax Preparation
📧
Microsoft 365
Email & Productivity
☁️
SharePoint Online
Cloud Storage
💾
Carbonite
Backup
📒
QuickBooks Online
Accounting
Incident Response TeamIn Progress
Incident Manager
Sarah Chen
Communications Lead
Daniel K.
Scribe / Documenter
Not assigned
+ Add
IRS Liaison
Not assigned
+ Add
8
Employees
1
Locations
MA, NH
States
~450
Clients
app.kompflow.com/data-inventory
🗄️Data Inventory
12 Systems Mapped
12
Total Assets
8
Reviewed
3
Needs Review
1
Not Started
⚠ 2 without MFA⚠ 1 missing encryption
System
Classification
MFA
Encryption
Status
Drake Tax
Critical
🔒
✓ Reviewed
Microsoft 365
Sensitive
🔒
✓ Reviewed
SharePoint Online
Sensitive
🔓
Needs Review
Carbonite Backup
Internal
🔒
✓ Reviewed
QuickBooks Online
Critical
🔒
Needs Review
STEP 2

Map Your Data

FTC requires you to know exactly where client data lives. Kompflow auto-generates your data inventory from the software you listed in Step 1.

Auto-Generated: Systems populated from your firm profile: your tax software, email, cloud storage, and practice management.
Security Controls: Track MFA, encryption at rest, encryption in transit, BAA/DPA status for each system
Classification: Critical, Sensitive, or Internal, so you know which systems matter most
Gaps Detection: Highlights missing controls, unreviewed systems, and vendor compliance gaps
Microsoft 365 Integration: Connect your M365 tenant to auto-sync MFA status, conditional access policies, device compliance, and encryption settings. Your data inventory stays accurate without manual checks.

⚡ Auto-populated, just review and confirm

STEP 3

Assess Your Risks

A structured 7-module risk assessment built on a vCISO framework. Assign modules to different team members such as your MSP, office manager, or yourself.

7 Assessment Modules: Covers access controls, data protection, incident readiness, vendor risk, training, physical security, and governance
Multi-Assessor: Assign modules to your MSP, IT lead, or team members via tasks, and each person completes their section
Approval Workflow: Draft → In Progress → Submitted → Approved, with full status tracking per module
Overdue Tracking: Due dates and warnings so nothing falls through the cracks

👥 Delegate modules across your team, with no bottlenecks

app.kompflow.com/risk-assessment
⚠️Annual Risk Assessment 2026
In Progress
Overall Progress36/66 questions
2 Approved 2 In Progress 3 Not Started
Access Controls
12/12 questions
1 criticalYou
Data Protection
10/10 questions
1 warningOffice Mgr
Incident Readiness
8/12 questions
2 critical1 warningYou
Vendor Risk
6/8 questions
2 warningMSP
Training & Awareness
0/6 questions
Office Mgr
Physical Security
0/8 questions
Governance
0/10 questions
app.kompflow.com/risk-assessment/remediation
🎯Remediation Plan
Active
7
Total
2
Open
3
In Progress
2
Closed
MFA not enforced on Drake Tax✓ Approved
Access Controls·Sarah Chen·Due Mar 15
Enable MFA through Drake portal, update team access procedures
No encryption at rest on backup storageIn Progress
Data Protection·MSP (TechSecure)·Due Mar 30
Migrate to AES-256 encrypted Carbonite vault
Missing vendor DPA for cloud storagePlan Submitted
Vendor Risk·Daniel K.·Due Apr 10
No documented access review processOpen
Governance
STEP 4

Close Your Gaps

Your risk assessment doesn't just score you. It identifies exactly where your compliance program falls short and creates an AI-guided remediation plan to close every gap.

AI-Identified Gaps: Critical and warning-level findings surfaced automatically from your assessment, with no guesswork
Remediation Action Plans: Each gap comes with an AI-generated recommendation and a structured action plan, so you can assign an owner, set a target date, and track progress
QI Review & Approval: Your Qualified Individual reviews each remediation through the workflow Open → Plan Submitted → In Progress → Completed → Approved
Automated Reminders: Email reminders for overdue items, status notifications, and a complete audit trail. You decide what to do; we document the decision.

🎯 Don't just know your risks. Close them.

STEP 5

Generate Policies & Plans

Your risk profile, software stack, and state laws are analyzed to generate a Written Information Security Program (WISP) unique to your firm, not a generic template. Professional and Premium plans also generate Incident Response Plans (IRPs) with scenario-specific playbooks.

WISP Generator

Personalized overview + 10 FTC-compliant security policies built from your firm's risk profile, software stack, and team structure.

Covers access controls, data retention, encryption, vendor management, employee training, physical security, and more.

Incident Response PlansProfessional+

Scenario-specific playbooks for ransomware, data breaches, wire fraud, lost devices, email compromise, and system outages.

Each plan includes your contact tree, state breach laws, and step-by-step response procedures.

✓ Version Control✓ Approval Workflow✓ Signature Capture✓ Annual Review Reminders✓ Draft → Active States
app.kompflow.com/wisp
🔒Written Information Security Program
Active WISPv2.1
Approved Feb 14, 2026
10 Security Policies·Last reviewed: Feb 14, 2026
✓ Approved by Sarah Chen
🔄Regulatory Update Availablev2.2 draft
Massachusetts breach notification timeline updated from 30 to 14 days
IRP UpdatedBreach Policy Updated
All Critical Issues Addressed2 resolved
1 Warning Flag
Annual review due in 45 days
FTC-Required Policies
Access Control Policy
Data Classification & Handling
Encryption Standards
Employee Security Training
Vendor Risk Management
+ 5 more policies
STEP 6

Test Your Controls

Your risk assessment automatically maps to 58 FTC and IRS controls. Create testing cycles, assign evidence collection to your team or MSP, and track effectiveness over time.

Controls Auto-Populated: 58 controls mapped from your risk assessment results, with no manual setup
Evidence Collection: Upload screenshots, documents, or attestations per control per asset. AI reads and evaluates screenshots for tax systems that aren't API-connected
AI Evaluation: Evidence is scored with confidence levels (high/medium/low) and effectiveness grading, then your QI reviews and approves final results
Testing Cycles: Create quarterly, semi-annual, or annual testing cycles. Results feed back into the control register to close the loop

🛡️ Prove compliance, don't just document it

Control Testing Flow

1
Risk assessment maps 58 controls automatically
2
Create a testing cycle (quarterly/annual)
3
Assign evidence tasks to team, MSP, or yourself
4
Upload evidence (screenshots, docs, attestations)
5
AI evaluates, then QI reviews and approves
6
Control register updated with audit trail preserved
Professional+
Ongoing Compliance

Keep It Running, Year-Round

Compliance isn't a one-time event. Kompflow keeps your program current between insurance renewals, client reviews, and regulator checks.

app.kompflow.com/tasks
📋Compliance Tasks
1 Overdue2 In Progress
All (5)Open (4)Overdue (1)Done (1)
Enable MFA on Drake TaxCritical
Risk Assessment → Access Controls·Sarah Chen·⚠ Mar 15
Overdue
Complete vendor DPA for Carbonite
Risk Assessment → Vendor Risk·Daniel K.·Apr 10
In Progress
Q1 security training for all staff
Compliance Academy·Office Manager·Mar 31
In Progress
Review & sign updated WISP v2.2
WISP → Regulatory Update·Sarah Chen (QI)·Apr 5
Pending
Update IRP contact tree
Incident Response Plan·Daniel K.·Feb 28
Done

Task Management Professional+

Assign compliance tasks to team members, your office manager, or your MSP. Track due dates, approvals, and progress, all in one place. Tasks are linked directly to risk assessment findings, remediation items, and policy reviews.

Assign to anyoneDue dates & prioritiesLinked to modulesOverdue alerts
LIVE

Your Whole Team Gets Trained

FTC & IRS require employee security training. Modules are short and assigned automatically by role and firm size, so your staff learns phishing awareness, data handling, and breach response. Tracked completion gives you the records insurers, regulators, and clients ask for.

Auto-assigned by roleNo seminars neededTracked completion records
LIVE

Annual Reviews & Versioning

FTC requires annual reviews of your security program. Automatic reminders, one-click version creation, and a complete audit trail of every change.

Auto remindersVersion historyAudit trail
LIVE

Vendor Assessment Premium

Evaluate the security posture of your third-party vendors, including SOC 2 compliance, contractual safeguards, and data handling practices.

COMING SOON

Control Assessment Professional+

Create quarterly or annual testing cycles. Evidence collection with AI evaluation that reads screenshots for tax systems that aren't API-connected. Track control effectiveness over time with full audit trail.

58 FTC/IRS controlsAI evidence evaluationQI review workflow
LIVE

Compliance Event Monitoring Professional+

Cross-module event tracking monitors data inventory changes, assessment approvals, remediation completions, and more. Severity levels with recommended actions and direct links to resolve.

Cross-module trackingDeduplicationRecommended actions
LIVE

Role-Based Access

Admin, IT, and User roles. Admins manage the program. Team members see only their assigned tasks. Everyone stays in their lane.

AdminITUser
LIVE

Everything Regulators Ask For, on One Platform

FTC and IRS auditors want to see documented evidence of your entire security program. Here's what Kompflow produces:

Data inventory with security controls
7-module risk assessment
Remediation plans with tracked gap closure
Written Information Security Program
Incident Response Plans with 6+ scenarios (Professional+)
58-control register with effectiveness ratings
Evidence of control testing (screenshots, documents, attestations)
Approval signatures and version history
Annual review documentation
Task assignment and completion records (Professional+)
Team training records
Compliance event log showing continuous monitoring
Microsoft 365 security signal verification (if connected)

What it looks like once you're set up

Setup takes a day. After that, you step in only when there's a decision to make.

Day 1

Your WISP, risk decisions, and incident response plan are signed, dated, and downloadable.

You can send your Security Package to your carrier, your client, or your IRS liaison the afternoon you finish onboarding.

Week 1

Microsoft 365 is syncing. Training is assigned by role.

Your data inventory stays accurate without manual checks. Staff modules show up in each person's queue: short, role-matched, tracked to completion.

Month 1

Your first control testing cycle produces evidence.

Screenshots, attestations, and documents uploaded by the people who own each control. AI scores them, your QI reviews and approves. Audit trail builds itself.

Quarter 1

Compliance events surface gaps automatically.

When something drifts (an expired policy, a stale risk decision, a vendor review past due), it shows up as an event with a recommended action. You decide; we document.

Renewal time

Your insurance questionnaire takes an afternoon, not three weeks.

The Insurance Gap Assistant pulls from your actual firm data. You see what you have, what you're missing, and what to fix first: grounded in evidence, not generic copy.

The team experience

Everyone sees only what they need. Nobody scrambles.

Firm owner

You see the program at a glance: what's approved, what's pending your signature, what's drifting. The decisions that need you show up in one queue. Everything else runs on its own.

Qualified Individual

Risk decisions, remediation approvals, control testing reviews: all in one workflow with audit trail. You review what matters, approve with a signature, and move on. No chasing PDFs across email.

Team members

Training modules show up in your queue, matched to your role. Evidence uploads are one click. You see only your tasks. Nothing else. Completion is tracked so nobody has to ask how far along you are.

MSP or vCISO partner

Partners work from a cross-client dashboard with a 5-role RBAC, named report types, and the Agent Decision Queue for AI oversight across every client at once. You collaborate with your firm in their workspace. They keep ownership of the governance decisions.

Who Is Kompflow For?

Solo CPAs & Small Firms

1–25 employees. Need FTC compliance but don't have time to build a program from scratch.

Tax Professionals (EROs)

Electronic Return Originators subject to IRS Publication 4557 requirements.

Firms with MSPs

Your MSP handles security. Kompflow handles the governance documentation they can't.

Firms with vCISOs

Your vCISO sets strategy. Kompflow automates the documentation and tracking.

Ready to Build Your Compliance Program?

From setup to compliant in less than a day, guided every step of the way

Get Started

Starting at $99/mo · Billed annually

We use cookies to measure site performance and improve your experience. No data is sold to third parties. Privacy Policy