Imagine this.
It’s a normal workday during busy season. You sip your coffee as you log into your tax workflow app to start the day. With a few clicks, you run a report.
But you see data that isn’t yours.
You rub your eyes, blink a few times, and look at the screen again. Maybe you’re overtired (it is busy season, after all), and you convince yourself that you’re just seeing things.
“What’s going on?” you wonder, starting to panic. “Where’s my data? And whose data is this?!”
We’d love to say this is a scenario only seen in nightmares, but it’s a true story. Just recently, TaxDome reported an incident in which users saw high-level reporting with incorrect numbers over the course of an hour. While TaxDome said no individual client details were accessible, the incident highlights why CPAs must carefully evaluate potential software vendors before trusting them with sensitive client data.
Why Tax Automation Vendor Security Matters
With the current staffing shortage in the accounting profession, more and more firms are turning to technology to maintain productivity and service quality. They’re hunting for end-to-end solutions to make tax season run more smoothly and improve the process for clients and staff alike.
While technology makes our lives—and busy seasons—easier (goodbye, manual data entry!), it also means we have to think about security when choosing software providers. The bigger the tech stack, the more third-party vendors you invite to access one of your firm’s most valuable assets: client data. And with human error accounting for 22% of all data breaches, proper security protocols become even more crucial.
Should you be concerned about cybersecurity incidents elsewhere in the tax and accounting profession? Absolutely. CPA firms are an abundant source of personally identifiable information (PII). Your clients trust you with their data, and it’s up to you to protect it. Consider this statistic from IBM’s Cost of Data Breach Report 2024:
The average cost of a data breach jumped to $4.88 million from $4.45 million in 2023—a spike of 10% and the highest increase since the pandemic.
For CPA firms, the impact of a data breach goes well beyond financial losses. It can erode client trust, damage your professional reputation, and potentially lead to the loss of your firm. That’s why you need to ensure that the vendors you work with keep security and data privacy top of mind.
The 5 Essential Security Questions You Need to Ask
When your firm is evaluating tax workflow solutions, security shouldn’t be an afterthought. While you’re not expected to be a cybersecurity expert, understanding these essential security measures will help you protect your firm and client data from scenarios like the one described above. Here are five questions you should be asking each and every solution your firm considers.
1. What security certifications and compliance standards do you maintain?
Think of security certifications like your CPA license: They show that vendors have met certain professional standards. Here are the most common ones to look for.
- System and Organization Controls 2 (SOC 2®). SOC 2, a compliance framework developed by the AICPA, is designed to evaluate and validate an organization’s information security practices. Software providers that store, process, or transmit any kind of client data must be SOC 2-compliant.
- ISO 27001. ISO 27001 is an international standard for information security management systems (ISMS) that defines the requirements for information security, such as confidentiality, information integrity, and data availability.
- Compliance with data privacy regulations in states where you do business. This can include the California Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA). Check to ensure that your third-party tax software provider follows the requirements of the data regulations in your state or area.
While certifications aren’t everything, they do provide an important baseline for following best practices when it comes to security. Don’t be shy about asking for recent audit reports—any reputable provider should be happy to share this information with you.
2. How do you handle data protection and encryption?
You wouldn’t leave client files chock full of PII sitting out on your desk, right? Your software provider shouldn’t leave the digital equivalent exposed, either. Be sure to ask about:
- Data encryption protocols. Do they offer end-to-end encryption for data in transit (while being sent) and at rest (while being stored)? Think of encryption as a secure digital safe that protects data at all times.
- MFA. Does their application enforce multifactor authentication (MFA) to prevent unauthorized access? This is like having both a key and an alarm code for extra security.
- Regular penetration testing. Do they have ethical hackers run simulated cyberattacks against their applications to identify security vulnerabilities, so their systems remain secure against evolving threats?
- Real-time security monitoring. Does the vendor use security tools to track logins, file access, and other activities? Do they continuously monitor their system’s security to detect, analyze, and respond to potential threats?
3. What are your employee security protocols?
Even the most sophisticated security technology is only as strong as the people using it. When handling sensitive tax documents, employee security training isn’t just good practice—it’s a necessity. Look for vendors who maintain:
- Mandatory IT security training programs. All employees should complete comprehensive security training before they access any systems. And they should have refresher courses throughout the year to ensure they understand their role in protecting client data.
- Regular employee cybersecurity awareness testing. Look for vendors who regularly test their employees’ security knowledge through simulated phishing campaigns and security assessments.
- Mobile Device Management (MDM) policies. Security-aware vendors have clear guidelines on how employees can use company devices and access company data on personal devices, including the ability to remotely wipe data if a device is lost or stolen.
- Strict access control protocols. Vendors should apply the principle of least privilege, giving employees access only to the data they need to do their jobs.
- Background checks. Reputable vendors should conduct background checks on all employees who might have access to client data.
4. How do you handle security incidents and communications?
Pobody’s nerfect (i.e., nobody’s perfect), and sometimes things go wrong. What matters, though, is how a company handles a security incident. Third-party providers should:
- Have clear procedures for security incidents, such as an incident response plan (IRP).
- Communicate openly with their clients as part of their IRP.
- Conduct regular security testing and monitoring.
- Provide transparent post-incident analysis.
5. What’s your track record with security and updates?
Past performance matters, especially during busy season when you can’t afford downtime. Ask about:
- How reliable their system is (look for 99.99% uptime or better).
- How they handle updates and maintenance (and it shouldn’t be during busy season).
- How past security incidents were brought to light and resolved.
- How they communicate with clients during security issues.
- How they assess the security of third parties they work with.
Watch Out for These Red Flags
When you’re meeting with a potential tax software vendor, there are some warning signs to keep an eye out for:
- They dodge questions about security—suggesting they haven’t made it a priority.
- They’re not upfront about past incidents or sweep them under the rug as “no big deal,” which indicates poor transparency.
- They’re vague about their security update practices, which could mean irregular or inadequate updates.
- They can’t clearly explain their security procedures, possibly indicating a lack of established protocols.
- They can’t provide their SOC 2 or ISO 27001 certifications—a fundamental gap in security validation.
- They’re reluctant to provide documentation, meaning they may have something to hide.
If you see any of these red flags, don’t take it lightly. It’s likely a sign that the vendor isn’t one you should work with.
The Importance of Building a Security-First Partnership
Remember, when it comes to choosing software, you’re not just choosing an app to help fill the gaps; you’re choosing a partner for your firm. And while there may be many great solutions available, you should really partner with a provider in the accounting profession. They not only understand the importance of data security, but they know the profession just as well as you do—and won’t impede your processes during busy season.
Partner with a tax workflow solutions vendor who puts security first by looking for an organization that:
- Maintains transparent security practices.
- Provides documentation of its security measures.
- Communicates security updates regularly.
Moving Forward
We all want the same thing: To serve our clients well and protect their information. While technology helps the profession streamline workflows and processes, it’s worth taking the time to ask at least these five questions before choosing a software partner. After all, you don’t want to find yourself in a situation like our opening scenario, wondering whose data you’re looking at!
Your clients trust you with their sensitive data, and you need to trust that your solutions provider will help you protect it.
Remember, you don’t need to be a security expert—you just need to ask the right questions.