IT for tax practices. Engineered for the 90 days that matter.
Tax season concentrates 100% of your revenue into a 90-day window. The IT stack that supports it should be built for that load — and the regulatory posture (IRS Pub 4557, client SOC 2 questionnaires) should be ready before anyone asks.
Do you have a written, current, IRS Pub 4557 WISP?
Every paid tax preparer is required to maintain a Written Information Security Plan under IRS Pub 4557. The IRS started auditing for it in 2023. Most small-to-mid CPA firms haven't refreshed their WISP in years — it's rarely a priority until the IRS asks.
We draft yours during onboarding (week 1 deliverable), review it annually, and document the underlying technical controls (MFA, encryption, audit logging) so when an IRS examiner asks "show me your WISP," you have a current, defensible answer.
Four things CPA firms actually need from IT.
Not a generic SMB checklist. The specific gaps that show up at boutique tax + advisory practices.
Your Written Information Security Plan, drafted and maintained.
IRS Publication 4557 requires every paid tax preparer to maintain a Written Information Security Plan (WISP). We draft yours during onboarding, review it annually, and document the underlying controls (MFA, encryption, audit logs) so when the IRS asks, you have answers — not scrambling.
Sized for the 90 days that pay the year.
Servers, network, and cloud-app capacity provisioned for peak load on day one. Monitoring tuned to detect issues at 1 a.m. on March 14, not after your team starts complaining on March 15. Care+ includes 24/7 monitoring and a 4-hour P1 resolution target.
Per-client folders, audited quarterly.
SharePoint / OneDrive permissions structured so partners and staff see only the clients they should. External-sharing audit run monthly. Document portal for client deliverable exchange — encrypted in transit and at rest, with audit trail.
Answers, not stalls.
Your enterprise clients are starting to send SOC 2–style security questionnaires. We answer them on your behalf, with documented evidence — MFA enforcement, audit log retention, encryption posture, vendor risk management. No more two-week scrambles to fill out a vendor security review.
One contract, one team, the whole stack.
WISP drafting + annual review
IRS Pub 4557–compliant Written Information Security Plan delivered in week 1 of onboarding. Reviewed every year as part of your engagement.
Microsoft 365 for tax practices
Conditional Access locked to known locations during tax season. Mailbox audit logs at 365-day retention. External-sharing audits monthly. License optimization (CPAs often overpay for E5 when E3 + add-ons works).
Encrypted client document portal
Secure replacement for emailing tax returns and W-2s. Audit trail, per-client folders, expiring share links. Integrates with your existing M365 tenant.
Practice management uptime
CCH Axcess, Lacerte, Drake, UltraTax, ProSystem fx — we monitor the install, patch quarterly during off-season, and have a runbook for tax-season recovery scenarios.
Workflow automation
Client onboarding intake forms, missing-document chase emails, engagement-letter automation. We build it on your existing M365 stack, or on custom tooling when you need more flexibility.
Backup + disaster recovery
Daily backup of your file server and M365 tenant (mailboxes, OneDrive, SharePoint, Teams). Immutable offsite copy protected against ransomware. Monthly restore test in off-season.
We work to your calendar — not ours.
Onboarding lands in Q3 or Q4 so the foundation work — MFA enforcement, backup rollout, M365 baseline, WISP drafting — is complete before January. We pre-stage extra capacity for tax season and pause non-urgent changes between January 15 and April 30. Patch windows shift to the off-season unless security-critical.
The goal: between January and April, your team thinks about tax returns and clients — not about IT.
Q3 / Q4 — Foundation
Onboarding, MFA rollout, backup verification, WISP delivery, M365 baseline.
Jan 1 – Apr 15 — Hyper-stable
Change freeze on non-critical work. 24/7 monitoring at heightened alert thresholds. Same-day response to anything that touches return processing.
Apr 16 – Jun — Recovery + review
Post-season retrospective, deferred patches deployed, capacity review for next year.
Jul – Dec — Improvement
Strategy work, automations, infrastructure upgrades, vCIO planning. Annual WISP review lands here.
Before you call.
Do you work with CPA firms outside Sacramento?
Primarily Sacramento metro and Northern California. We'll travel within reason for the right engagement — ask us.
What's the difference between Care and Care+ for our firm?
Entity Care covers the day-to-day: helpdesk, monitoring, patching, M365 administration. Care+ adds 24/7 SOC monitoring, vCIO time, immutable backup with rehearsed restore drills, and the compliance documentation pack (including WISP drafting + annual review). Most CPA firms want Care+ once they're past 10 staff or have clients sending SOC 2 questionnaires.
Can you take over our existing IT mid-tax-season?
Possible, but we usually recommend onboarding in Q3 or Q4 so the foundation work — MFA enforcement, backup, monitoring rollout — is complete before peak load. Mid-season takeovers happen, but they're emergency engagements, priced accordingly.
Do you work with Lacerte / CCH / Drake / UltraTax?
Yes — all of them. We don't sell the tax software (you keep your existing licensing), we just keep it running. We document the install, patch it, and have recovery procedures for tax-season scenarios.
How do you handle our clients' data?
Carefully. We sign your standard NDA, scope access to only what's required, log every administrative action, and our team only accesses client data with documented business need. Full evidence package available on request — same package we hand to your enterprise clients' SOC 2 auditors.
What about workflow automation? We're drowning in client document chase emails.
That's our Custom Software & Automation service line. We build automated intake, document-chase sequences, and engagement-letter routing on top of your existing M365 stack. Sold separately from managed services, scoped per project.
Let's talk before tax season. Better to plan now.
30-minute call. We walk through your current setup, check your WISP status, flag anything that looks risky for the January load, and send a written proposal within 48 hours.