In accounting, WISP stands for Written Information Security Plan. A WISP is a document that accountants are required to create by law. A WISP is your strategy or game plan for keeping your customer’s personal and financial information safe. If you get paid to do someone’s bookkeeping, then yes! You’re going to need a WISP.
Creating a WISP is a useful exercise, as it gives you access to what you and your company are doing to protect your customers from hackers, financial marauders, or other potential security breaches. Then again, making a WISP is also now the law, which means knowing how a WISP works is mandatory.
How a WISP works
Once upon a time there was a law called Gramm–Leach–Bliley Act. He said financial institutions, including his beloved accounting firm, must protect customer data.
The Federal Trade Commission (FTC) soon followed this law with something called the Safeguards Rule.
The safeguards rule it gives you the heart of the matter. He says that to stay in good standing with the law, every financial institution in the United States of America must do the following, and I quote:
-
- Designate one or more employees to coordinate your information security program
- Identify and assess risks to customer information in each relevant area of the business’s operation, and assess the effectiveness of current safeguards to control these risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select service providers who can maintain adequate security measures by ensuring that their contract requires them to maintain security measures and oversee the handling of customer information.
- Evaluate and adjust the program taking into account relevant circumstances, including changes in the company’s business or operations, or the results of security monitoring and testing.
Your WISP is a written document, double-spaced and in font size 12, of all the ways your accounting firm meets these requirements.
Okay, okay, the safeguards rule doesn’t say anything about double spacing or font size 12. That’s just a bit of humor. But it does say that you have to create the document and that it has to be more or less coherent.
You know you need to create a WISP. Now what?
If you do not want to create a WISP yourself, you can hire another person or company to do it for you. Alternatively, you can also go to the IRS website and download a document that will guide you through the process.
The document is creatively titled “Creating a written information security plan for your tax and accounting practice.” As you can see, the person who did the final editing of the document misunderstood the difference between the title and the sentence. The “you” should actually be capitalized.
It’s what’s inside the document that matters, and luckily it’s quite useful. For example, on page 5, you get a recommended table of contents for your WISP. It looks more or less like this:
1. Define the objectives, purpose and scope of the WISP
2. Identify the responsible persons
3. Assess risks
4. Hardware inventory
5. Document security measures in place
6. Draft an implementation clause
7. Attachments
Again, don’t think too much about the IRS and FTC’s shocking lack of understanding when it comes to a title vs. judgment case. Focus instead on what the words say and then follow the outline.
Later, there is even a sample WISP that you can follow as a template for your own document.
Is a WISP required for a PTIN?
Now that you’ve learned a bit about WISPs, there’s only one question left: Is a WISP required for a PTIN? You can bet your socks it is.
Anyone who is paid to help someone with their bookkeeping needs a WISP. In fact, the PTIN application has a checkbox to confirm that you have a WISP. When you get to that point, try to remember George Washington accidentally cutting down his father’s cherry tree, and then check the box as truth dictates you do. (Hopefully, you just have a WISP out of the box, so you don’t have to think too hard about it.)
That concludes this week’s episode on the historical, emotional, spiritual, and legal importance of WISPs.
Do you want more content about the accounting industry? Subscribe to our email bulletin.
