How a 28-person CPA firm passed FTC Safeguards review and ended tax-season slowdowns
28-person CPA firm · single office · Knoxville, TN
The challenge
Where they started.
FTC §314.4 required a Written Information Security Plan and a named Qualified Individual — they had neither. RDS server choking during tax season meant 30–60 second app launches in CCH Axcess for staff. Seasonal preparers from prior years still had VPN access nobody had revoked.
Specific pain points
- FTC Safeguards Rule effective date passed; no WISP or IR plan documented
- Tax-season RDS performance degraded, with 30–60s app launches in CCH Axcess
- Seasonal preparer accounts from past years still active with VPN access
- Client tax docs transiting through email attachments and personal Dropbox accounts
- MFA on partner accounts only; rest of the firm was username + password
The approach
What we did.
WISP and IR plan delivered first to clear regulatory urgency, then tax-software workloads were re-platformed for elastic scaling. Identity hardening was sequenced to land before January 31 so the firm hit tax season with a clean baseline.
What we delivered
- Written Information Security Plan + Incident Response plan (FTC §314.4 / IRS Pub 4557 aligned)
- Named Qualified Individual (vCISO arrangement) for ongoing oversight
- Windows 365 environment for CCH Axcess, sized for tax-season peak
- TaxDome client portal replacing email attachment workflows
- Phishing-resistant MFA enforced firm-wide via Authenticator number-match
- Seasonal preparer accounts now provisioned with hard-coded April 16 expiration
- Quarterly identity audit cadence with documented offboarding workflow
The outcomes
What changed.
First tax season after the engagement ran without a single performance complaint. Safeguards review passed first time. April 17 onboarding fire drill — perennially the worst day of their year — simply didn't happen.
- Passed first attempt: FTC Safeguards Rule review
- 45s → 18s: CCH Axcess average launch time
- 0: Unplanned tax-season outages
- 100% workforce: MFA coverage
- Auto-expires April 16: Seasonal account offboarding
“Tax season used to be when our IT broke. Now it's when our IT shows up and saves us. The Safeguards binder was the bonus.”
Services involved
The Equal Tech stack behind this engagement.
Managed IT
Proactive monitoring, patching, and unlimited help-desk for desktops, laptops, and end users — flat-fee per seat.
Cybersecurity
Endpoint detection, dark-web monitoring, phishing-resistant MFA, and security awareness training — built for SMBs.
Cloud Services
Microsoft 365, Azure, Google Workspace, hybrid infrastructure, VDI, and immutable cloud backup — designed and operated end-to-end.
CIO Services
Executive-level IT leadership without the executive-level salary — roadmaps, budgets, vendor management, and digital transformation.
