
Annual Security Review: A Checklist for Tax Practices

Regular security reviews keep your practice protected. Use this checklist to evaluate and improve your security measures each year.

Easy Client Docs Team
March 11, 2025

Security isn't something you set up once and forget. New threats emerge, software changes, staff turns over, and what worked last year might not be adequate today. An annual security review ensures you're maintaining appropriate protections and identifying areas for improvement.

Access Control Review

Start by reviewing who has access to what. Go through your user accounts for all systems—tax software, email, cloud storage, client portals, and office systems. Remove or disable accounts for anyone who no longer needs access. Verify that current users have appropriate permission levels for their roles.

Review physical access as well. Who has keys or access codes to your office? Who can access areas where sensitive information is stored? Update access lists to reflect current staffing.

Password and Authentication Audit

Evaluate your authentication practices against current recommendations. Is two-factor authentication enabled everywhere it's available? Are password policies being followed? Are there any shared accounts that should be individualized?

Consider whether it's time to update passwords for critical systems, especially if there's been staff turnover or if passwords have been in use for an extended period.

Software and Systems Update

Verify that all software is current, including operating systems, tax preparation software, antivirus protection, and other applications. Enable automatic updates where possible. Document any systems that aren't updated and have a plan to address them.

Review your technology inventory. Are you aware of all devices and software in use, including personal devices used for work purposes? Untracked devices represent security blind spots.

Backup Verification

Test your backups by actually restoring files from them. Having backups isn't enough—you need to know they work. Verify that backup schedules are appropriate for your data change rate and that off-site or cloud backups are functioning.

Review your backup retention periods. Are you keeping enough backup history to recover from problems that might not be discovered immediately?

Document Security Plan Review

Pull out your written information security plan (WISP) and compare it to your actual practices. Does the plan accurately reflect what you do? Are you following the procedures you documented? Update the plan to address any gaps.

Note any significant changes to your practice since the last review—new staff, new technology, new services—and ensure your security plan accounts for them.

Staff Training Assessment

When did staff last receive security training? Is everyone up to date on current threats like phishing and vishing? Plan training sessions to address knowledge gaps.

Consider how well staff follow security procedures in practice. If you observe shortcuts or non-compliance, additional training and reinforcement may be needed.

Incident Response Readiness

Review your incident response plan. Would you know what to do if you discovered a data breach? Are contact numbers current for relevant authorities and service providers?

Conduct a tabletop exercise walking through a hypothetical security incident. This reveals gaps in planning and ensures key people know their roles.

Vendor and Third-Party Review

Assess the security practices of vendors who handle your data or your clients' data. Have they experienced any breaches? Have they changed their security practices? Are there any new vendors that should be evaluated?

Review contracts and data processing agreements with vendors to ensure they reflect current security requirements and compliance needs.

Documentation and Reporting

Document the results of your security review. Note what you examined, what you found, what actions you're taking, and what improvements you're planning. This documentation demonstrates due diligence and tracks your security evolution over time.
