Contractor Security for Accounting and Tax Firms: How to Protect Sensitive Data When Using Temporary and Outsourced Staff

Hiring seasonal tax preparers, outsourced bookkeepers, and temporary admin support is routine for many firms, but these hires open major vulnerabilities. Jatin Narang warned, “Average breach cost is three hundred thousand dollars.”

He emphasized that the risk is not just about lost money but also reputation. “More than sixty percent of small businesses close shop within six months of getting hacked. Within six months, because they cannot really afford to pay back. They cannot really afford the reputational damage that it causes you whenever there is a breach”.

Even one mismanaged login or forgotten account can result in client data being leaked to the dark web. It doesn’t really matter to the IRS and FTC who touched your data and how long they were there for, whether it was a temporary staff or a full-time time. It is ultimately your responsibility. The biggest mistake is thinking security applies only to full-time staff, when contractors often have the same level of access and power over sensitive information

The Three-Gate Security Workflow: Onboarding, Access Control, and Offboarding for Contractors

Narang introduced a clear, actionable structure for firm security, which he called the three-gate workflow. He told attendees, “If you cannot do it in these three workflows, you gotta rethink your workflow right now.” He then broke down the system as follows:

Secure Onboarding Must Happen Within One Hour
Narang was clear that security should not wait. “If you can’t onboard somebody securely in under one hour, you’ll skip the security part. You will rush.”

His onboarding checklist requires a signed NDA, an acceptable use policy, and a background check before any access is granted. Every role is documented, access is defined, and unique credentials are created for each contractor. “Don’t have any unnamed credentials or credentials that are, like, admin or tax preparer one or t preparer, something like that. That you shared among users because that way you will not be able to do a trail check of who got access to what, who made what changes.” Narang also recommended two-factor authentication and strong passwords as absolute requirements. “You have to have zero tolerance around these policies. Because again, it’s your client files that they trust you with at stake”.

Role-Based Access Control Protects Your Firm During Employment
After onboarding, access should be tightly restricted. Narang used the hotel metaphor: “When you check-in, do they give you a master key that gives you access to every room? That doesn’t happen. They only give you access to your room that is assigned to you.” He stressed that data entry staff, preparers, and consultants all need different access levels and that permissions must be assigned only as needed, not to everyone by default. “Do not give them access to everything because it’s the easiest way to onboard a new employee. That is one of the most common mistakes that we see people making.”

Automated Offboarding Ensures No Loose Ends When Contractors Leave
When contractors finish their assignments, firms must follow a detailed checklist to lock down access. Narang insisted,

“When they leave, you have twenty-four hours to lock everything down. There’s gotta be a checklist that you follow. It has to be a printed checklist that you have. Again, don’t memorize. Don’t trust your brain with this.” Every system account and email must be disabled, passwords changed, and company devices retrieved. Try to do single sign-on as much as possible, wherever possible. So that you can just disable that, and you know it is disabling everything.

Essential Security Practices for Temporary and Remote Workers in Accounting
Narang detailed several technical and procedural practices that all accounting and tax firms should have in place for contractors:

• Create unique credentials. Do not share logins.
• Enable two-factor authentication and have zero tolerance for exceptions.
• Never allow access to your systems or client files without a VPN.”
• Make sure every contractor signs an NDA and an acceptable use policy.
• Limit every permission. Give people only what they need and nothing more.
• Always set expiration dates for contractor accounts and automate deactivation.
• Document every action, every access change, and keep a record for compliance.
• Review your access lists weekly. Sit down and see who has access to your data, who left last week, and who might still have open accounts.

These habits prevent most of the accidental or malicious breaches that cost firms their future.

Make Contractor Security Part of Your Firm’s Culture and Daily Practice

Jatin Narang’s WorkflowCon session made it clear that protecting client data from contractor risks is not just about technology, but about systems, culture, and vigilance. He told firm leaders, “Do not be one of those. Take it seriously.”

Security is not a one-time project but a commitment that must be renewed with every new hire, every offboarded staff member, and every week of busy season.

Why Written Information Security Plans (WISP) Are Critical for Compliance and PTIN Renewal

A Written Information Security Plan (WISP) is one of the most important compliance tools for accounting and tax firms today. It is no longer just a best practice or a document that sits on a shelf. The IRS now requires an active, updated WISP for PTIN renewal, and the FTC’s Safeguards Rule has made security documentation a top regulatory priority.

A WISP provides a comprehensive record of who has access to sensitive client information, which devices are connected to firm systems, and how data is secured and managed throughout every stage of employment, including temporary and contractor access. For firm owners, this document acts as both a roadmap and an audit trail for all security activities, including onboarding, access changes, and offboarding.

Maintaining a WISP is not only about avoiding fines but also about proving diligence in the event of a breach or client inquiry. If your firm is ever investigated after a data incident, your WISP serves as evidence that you followed best practices and regulatory requirements.

Jatin Narang stressed that this is a live, working document, not a one-time formality. “The WISP is only valuable if it is actually used. Update the plan every time you onboard or offboard a contractor, and make sure all steps, NDAs, permissions, expirations, are documented in writing”

Every time a contractor joins, leaves, or changes roles, your WISP should reflect those updates. It should track the start and end date of every account, details about authentication methods, the presence of signed agreements, and the full list of systems accessed.

A current WISP is also vital for meeting the IRS’s PTIN renewal requirements. If you check the box on your renewal form stating that you have a WISP but do not maintain an accurate and up-to-date plan, your firm is exposed to compliance violations. As Narang put it, “If IRS finds out that you don’t have a WISP and you check that you do have a WISP while renewing your PTIN, that’s a straight up violation”
Beyond IRS obligations, the FTC can levy fines of up to $100,000 for failing to have a proper security plan, and insurance providers may deny claims if your firm cannot show written documentation of security procedures.

Get your free WISP template here

For accounting and tax firm owners, making WISP maintenance a regular business process, not just a compliance checkbox, builds long-term resilience. It demonstrates professionalism to clients, readiness for regulatory review, and a culture that values both data privacy and operational excellence.

Lasting Trust Begins with Secure Workflows

When it comes to protecting client data, good intentions are not enough. Firms that treat security as part of everyday operations—supported by an active Written Information Security Plan—set themselves apart in a crowded and high-risk market. The effort you invest in building secure onboarding and access controls today protects your clients, your reputation, and your business for years to come.