Access control guide for tax professionals
The IRS requires every tax preparer to implement access controls that protect client data from unauthorized access. This guide walks you through exactly what you need, why it matters, and how to implement it.
The Basics
What are access controls?
Access controls are the security measures that determine who can access taxpayer data, what they can do with it, and when that access is permitted. For tax professionals, access controls are not optional. They are a legal requirement under IRS Publication 4557 and the FTC Safeguards Rule.
Every tax practice, whether a solo preparer working from a home office or a multi-location firm with dozens of employees, must implement access controls proportional to their risk. The IRS evaluates this as part of its security requirements for anyone with a PTIN.
Access controls fall into three categories: physical (who can physically reach your data), logical (who can electronically access your systems), and administrative (the policies and training that govern human behavior). An effective security program addresses all three.
Physical
Locks, badges, shredders, visitor logs
Logical
Passwords, MFA, permissions, encryption
Administrative
Policies, training, background checks
Regulatory Requirements
What the IRS and FTC require
Tax professionals are subject to multiple overlapping regulations. Here are the specific access control requirements from each.
Safeguards for Protecting Taxpayer Data
- Maintain a Written Information Security Plan (WISP) that includes access control procedures
- Use multi-factor authentication for all systems containing taxpayer data
- Implement role-based access that limits data exposure to the minimum necessary
- Conduct background checks on all employees with access to Federal Tax Information (FTI)
- Encrypt taxpayer data at rest and in transit
Standards for Safeguarding Customer Information
- Designate a Qualified Individual to oversee the information security program
- Implement access controls based on a formal risk assessment
- Restrict access to customer information to authorized users only
- Encrypt all customer information in transit over external networks and at rest
- Implement continuous monitoring or annual penetration testing
Access Control Family (AC)
- Establish and maintain a list of authorized users with defined access privileges
- Enforce separation of duties for sensitive functions
- Limit unsuccessful login attempts and lock accounts after repeated failures
- Provide system use notification (login banners) before granting access
- Monitor and log all access to systems containing sensitive data
Deep Dive
Three types of access controls explained
Physical Controls
Physical access controls prevent unauthorized individuals from reaching the hardware, storage media, and paper documents that contain taxpayer information.
Locked Office and File Storage
All offices where taxpayer data is stored or accessed must be secured with locks. Filing cabinets containing paper returns, W-2s, and 1099s must be locked when not in active use.
Visitor Access Logs
Maintain a sign-in/sign-out log for all non-employee visitors. Visitors should be escorted while in areas where taxpayer data is accessible.
Secure Document Disposal
Cross-cut shredders must be used for paper documents. Hard drives and removable media must be wiped using DoD 5220.22-M standards or physically destroyed before disposal.
Clean Desk Policy
Taxpayer documents must not be left unattended on desks, printers, or fax machines. Implement end-of-day procedures to secure all physical documents.
Logical Controls
Logical access controls govern who can log in to systems, what data they can view, and what actions they can perform within your tax preparation software and network.
Multi-Factor Authentication (MFA)
Require MFA on all systems that access taxpayer data, including tax preparation software, email, cloud storage, and remote desktop connections. The IRS considers this mandatory under Publication 4557.
Role-Based Access Control (RBAC)
Assign permissions based on job function. A receptionist should not have the same system access as a CPA preparing returns. Define roles such as preparer, reviewer, admin, and read-only.
Strong Password Policies
Enforce minimum 12-character passwords with complexity requirements. Use a password manager and prohibit password reuse across systems. Require password changes every 90 days for privileged accounts.
Automatic Session Timeouts
Configure workstations and applications to lock after 5 minutes of inactivity. Tax software sessions should time out after 15 minutes to prevent unauthorized access if a preparer steps away.
Administrative Controls
Administrative controls are the policies, procedures, and training programs that ensure your team knows how to handle taxpayer data properly and consistently.
Written Access Control Policy
Document who has access to what systems and data, how access is granted and revoked, and the approval workflow for new access requests. This must be part of your WISP.
Employee Onboarding and Offboarding
New employees must pass background checks before receiving access. When employees leave, disable all accounts within 24 hours and collect all company devices, keys, and badges.
Annual Security Awareness Training
All staff who handle taxpayer data must complete annual training covering phishing recognition, social engineering, secure data handling, and incident reporting procedures.
Periodic Access Reviews
Conduct quarterly reviews of who has access to what systems. Remove access that is no longer needed. Document each review with the date, reviewer name, and changes made.
Take Action
Access control implementation checklist
Use this checklist to assess and implement access controls in your practice. Each item maps to a specific IRS or FTC requirement.
Need help implementing access controls?
Our cybersecurity team specializes in IRS-compliant access control implementations for tax practices of every size. Get a free assessment of your current controls.
Schedule Free Assessment