832-304-1850

Texas Compliance and Cybersecurity for CPA and Accounting Firms

Under federal law, your firm is a financial institution — which means a written security program isn’t optional, and the IRS asks whether you have one every time you renew. Briggs IT helps Texas accounting firms understand what’s required and build the documented program that satisfies both.

You’re a financial institution — whether

you knew it or not

Under the Gramm-Leach-Bliley Act, a CPA or accounting practice that handles customer financial information is defined as a “financial institution” — which puts your firm squarely under the FTC Safeguards Rule. Most practitioners have no idea this applies to them, right up until the moment it matters: a PTIN renewal question they can’t answer truthfully, a breach, or an inquiry from a regulator. By then, the time to have a program was already behind them.

The IRS adds its own layer. At PTIN renewal, the W-12 form now asks directly whether you maintain a Written Information Security Plan — and IRS Publication 4557 spells out what that plan has to contain. The FTC Safeguards Rule lays out its own set of administrative, technical, and physical safeguards. These two overlap heavily, but they aren’t identical. The good news: one well-built written program can satisfy both at once — and that’s exactly what Briggs IT helps your firm put in place.

What a CPA practice

actually needs

A program that satisfies both the IRS and the FTC is a set of pieces working together — and the written evidence that each one exists. For most accounting firms, that looks like things such as:

This isn’t a checklist you complete once and file away. It’s a program you maintain, update, and re-evidence every year — because that’s what both the IRS and the FTC actually expect.

The best time to fix this is before your

busy season

For an accounting firm, timing isn’t a small detail — it’s everything. A security gap that’s an inconvenience in your slow months is a five-alarm fire at the peak of filing season, when a huge share of your year runs through a short window and there’s no slack to absorb a breach or a system failure. That’s exactly why the off-season is the right time to get your program in order: the pressure is low, the calendar is open, and the work gets done properly instead of in a panic.

Working with Briggs IT, the rhythm is built around your year, not against it. We do the heavy lifting — the risk assessment, the written program, the staff training, the documentation — in the quieter months, so that when filing season hits, the compliance side is already handled and you can give your attention to clients. The goal is simple: walk into your busy season knowing the program is built, current, and ready, with nothing hanging over it.

The two things every

firm says first

“We use software that handles our security.”

Your software vendor secures their own platform — not your firm. The workstations your team uses, the email you exchange with clients, the cloud storage holding your working papers, the machines where returns and books get prepared and reviewed: all of that is your responsibility, not your software provider’s. The FTC Safeguards Rule applies to your firm, not to the accounting platform you log into. The software is one piece. The program around it is yours to build.

“We’re a small firm.”

Being small doesn’t put you outside these rules. The FTC Safeguards Rule’s lighter-touch provisions only reach the very smallest firms — and that’s measured by total customer records, which includes the records belonging to your clients’ clients. Most small practices cross that line without realizing it. And no matter where a firm lands on that question, the IRS’s written-plan requirement applies to every single preparer who holds a PTIN. There’s no version of “too small” that makes this go away.

See where your firm stands

The Compliance Readiness Review is a working session built for accounting firms. We walk through where your practice sits against the FTC Safeguards Rule, IRS Publication 4557, and sound security practice. Afterward, once we’ve worked through what we found, you get a written gap report in plain English — what’s in place, what’s missing, and what to address first. No sales pressure. The report is yours to keep, whether or not you ever hire Briggs IT.