Why PK Tech for my CPA firm?
Third-party audited (SOC 2), 24/7/365 support, over 15 years of CPA support, experts in the FTC Safeguards Rule, we call you -- CP-YAYs

PK Tech is a full-service IT company that originated within a CPA firm. We have been serving CPAs for over fifteen years.

 

A Message to CPA Firms

We know CPA firms — because that’s where we started.

Our company was built inside a CPA firm over 15 years ago, and we’ve been focused on supporting accountants ever since. We understand the pressure of deadlines, the importance of client confidentiality, and the need for systems that simply work when you need them most.

We specialize in IT services for CPA firms, with deep expertise in:

  • Regulatory compliance, including the FTC Safeguards Rule and IRS-required Written Information Security Plans (WISPs)
  • Secure, compliant infrastructure designed specifically for accounting workflows
  • Seasonal staffing efficiency, including short-term Microsoft 365 licensing so you don’t pay for unused accounts year-round

When you work with us, you get a partner who:

  • Knows how accounting firms run
  • Builds reliable systems that protect your data and reputation
  • Helps you cut costs and stay compliant

We’ve been doing this for over 15 years. We’re not learning your industry — we’ve lived it.

If your current IT provider doesn’t understand what a WISP is, it’s time to talk to someone who does.

Partner with PK Tech.

Jordan Hetrick
Founder & CEO

 

Why work with an IT company familiar with CPAs?

Born inside a CPA firm

Our roots were planted in a real accounting office, supporting the same deadlines, software quirks, and compliance headaches you deal with every day.

We (fake) phish your staff! 

The #1 cybersecurity threat is your staff falling for phishing emails. We safely phish-train your staff with CPA-specific content (Intuit receipts, etc.).

Internal IT staff? No problem!

With a co-manage agreement, your internal staff can take PTO while we cover, escalate tickets to us, and plan the big picture of your long-term IT strategy together with us.

We know your apps

We've waited on hold for underwhelming technical support from vendors like CCH, Thomson Reuters, Intuit, and more (just like you!).

Tax Season Support

Your deadlines don't wait, and neither do we. We offer extremely quick response times during the busy seasons.

Assist with safe outsourcing

Nearshoring or offshoring work? We've helped CPAs lock down access, screen record, and block functionality (printing, etc.) so your client data remains safe.

Seasonal Staff Savvy

We know that you need more help during the busy seasons. We implement the additional resources you need so that you are not paying for them year-round (e.g., Microsoft licenses).

Other guys vs. PK Tech

IT Fundamentals

  • Day-to-day IT support during business hours
  • Procurement and installation of business-class workstations, servers, network equipment, and cloud solutions
  • 24x7x365 IT support availability
  • Audited annually by a third party for security controls (SOC 2 Type II)
  • Properly insured for comprehensive coverage of breaches, extortion, and mistakes
  • 15+ years of Microsoft partnership and expertise

CPA Industry Specific

  • Experts in helping CPA firms comply with required regulations, such as the FTC Safeguards Rule and IRS Publication 4557
  • Familiarity and additional support offered during tax season deadlines
  • Successful track record of hosting and managing tax applications in Microsoft Cloud
  • Works well with internal IT managers as their backup, escalation point, and security advisor
  • 15+ years of experience supporting CPA firms

Rightworks (formerly Right Networks) vs. Thomson Reuters vs. PK Tech

IT Fundamentals

  • Day-to-day IT support during business hours
  • Procurement and installation of business-class workstations, servers, network equipment, and cloud solutions
  • 24x7x365 IT support availability
  • Audited annually by a third party for security controls (SOC 2 Type II)
  • Properly insured for comprehensive coverage of breaches, extortion, and mistakes
  • 15+ years of Microsoft partnership and expertise

CPA Industry Specific

  • Experts in helping CPA firms comply with required regulations, such as the FTC Safeguards Rule and IRS Publication 4557
  • Familiarity and additional support offered during tax season deadlines
  • Successful track record of hosting and managing tax applications in Microsoft Cloud
  • Works well with internal IT managers as their backup, escalation point, and security advisor
  • 15+ years of experience supporting CPA firms

Ready to speak with an expert?

On your own vs. Generic MSP vs. PK Tech
FTC Safeguards Rule
Qualified Individual to implement and supervise your company’s information security program
The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person doesn’t need a particular degree or title. What matters is real-world know‑how suited to your circumstances. The Qualified Individual selected by a small business may have a background different from someone running a large corporation’s complex system. If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It’s your company’s responsibility to designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.
Conduct a risk assessment
You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.
Required safeguards
Implement and periodically review access controls
Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
Know what you have and where you have it.
A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
Encrypt customer information on your system and when it’s in transit.
If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
Assess your apps.
If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
Implement multi-factor authentication for anyone accessing customer information on your system
For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token); and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
Dispose of customer information securely.
Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
Anticipate and evaluate changes to your information system or network.
Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.
Regularly monitor and test the effectiveness of your safeguards.
Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don't implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.
Train your staff.
A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
Monitor your service providers.
Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
Keep your information security program current.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
Create a written incident response plan.
Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover: The goals of your plan; The internal processes your company will activate in response to a security event; Clear roles, responsibilities, and levels of decision-making authority; Communications and information sharing both inside and outside your company; A process to fix any identified weaknesses in your systems and controls; Procedures for documenting and reporting security events and your company’s response; and A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
Require your Qualified Individual to report to your Board of Directors.
Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
 


 

 

We know public accounting IT