5 Security Questions CPA Firms Should Ask Tax Automation Vendors
Technology
March 19, 2025In this article, strategic partner SafeSend outlines five essential security questions CPA firms should ask when evaluating tax automation vendors. As technology plays a growing role in streamlining tax workflows, ensuring the protection of sensitive client data is more important than ever. From verifying security certifications to understanding how vendors handle data protection and incident response, these questions will help your firm choose a trusted, security-first partner.

Explore more technology resources, including thought leadership and partner content, on our dedicated Technology Hub.
Imagine this
It’s a normal workday during busy season. An accountant sips their coffee as they log into a tax workflow app to start the day. With a few clicks, a report is run.
But the data displayed isn’t theirs.
They rub their eyes, blink a few times, and look at the screen again. Perhaps they are overtired (it is busy season, after all), and they convince themselves that they are just seeing things.
“What’s going on?” they wonder, starting to panic. “Where’s my data? And whose data is this?!”
This is not just a scenario seen in nightmares, it is a true story. Just recently, TaxDome reported an incident where users saw high-level reporting with incorrect numbers during the course of an hour. While TaxDome stated that no individual client details were accessible, this incident highlights why CPAs must carefully evaluate potential software vendors before trusting them with sensitive client data.
Why Tax Automation Vendor Security Matters
With the ongoing staffing shortage in the accounting profession, many firms are turning to technology to maintain productivity and service quality. They’re looking for end-to-end solutions to streamline tax season, making the process easier for both clients and staff.
While technology helps reduce manual data entry and improve workflows, it also raises important questions around security. The larger the tech stack, the more third-party vendors gain access to one of a firm’s most valuable assets: client data. And with human error responsible for 22% of all data breaches, maintaining strong security protocols is more important than ever.
Cybersecurity is a growing concern across the tax and accounting profession. CPA firms manage large volumes of personally identifiable information (PII), and clients rely on them to keep that data safe. According to IBM’s Cost of a Data Breach Report 2024:
The average cost of a data breach rose to $4.88 million in 2024, up from $4.45 million in 2023. That’s a 10% spike and the biggest increase since the pandemic.
For CPA firms, the consequences go far beyond financial losses. A data breach can erode client trust, harm a firm’s reputation, and in some cases, threaten its long-term viability. That’s why it’s essential to work with software vendors that prioritize security and data privacy.
The 5 Essential Security Questions Firms Need to Ask
When evaluating tax workflow solutions, security should not be an afterthought. While firms are not expected to be cybersecurity experts, understanding these essential security measures will help protect both the firm and client data. Here are five questions firms should ask when considering any solution.
1. What security certifications and compliance standards are maintained?
Security certifications are akin to a CPA license: They demonstrate that vendors have met professional standards. Key certifications to look for include:
- System and Organization Controls 2 (SOC 2®). SOC 2, a compliance framework developed by the AICPA, is designed to evaluate and validate an organization’s information security practices. Software providers that store, process, or transmit any kind of client data must be SOC 2-compliant.
- ISO 270001. ISO 27001 is an international standard for information security management systems (ISMS) that defines the requirements for information security, such as confidentiality, information integrity, and data availability.
- Compliance with data privacy regulations in states where you do business. This can include the California Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA). Check to ensure that your third-party tax software provider follows the requirements of the data regulations in your state or area.
While certifications are not the sole measure of security, they provide a critical baseline for best practices. Firms should request recent audit reports, as a reputable provider will readily share this information.
2. How is data protection and encryption handled?
Data protection is as critical in the digital realm as it is for physical files. Firms should inquire about:
- Data encryption protocols. Do they offer end-to-end encryption for data in transit (while being sent) and at rest (while being stored)? Think of encryption as a secure digital safe that protects data at all times.
- MFA. Does their application enforce multifactor authentication (MFA) to prevent unauthorized access? This is like having both a key and an alarm code for extra security.
- Regular penetration testing. Do they run simulated cyberattacks conducted by ethical hackers to identify security vulnerabilities in their applications to ensure their system remains secure against evolving cybersecurity threats?
- Real-time security monitoring. Does the vendor use security tools to track logins, file access, and other activities? Do they continuously monitor their system’s security to detect, analyze, and respond to potential threats?
3. What employee security protocols are in place?
Security-aware vendors implement strong employee security protocols. Firms should verify the following:
- Mandatory IT security training programs. All employees should complete comprehensive security training before they access any systems. They should also have refresher courses throughout the year to ensure they understand their role in protecting client data.
- Regular employee cybersecurity awareness testing. Look for vendors who regularly test their employees’ security knowledge through simulated phishing campaigns and security assessments.
- Mobile Device Management (MDM) policies. Security-aware vendors have clear guidelines on how employees can use company devices and access company data on personal devices, including the ability to remotely wipe data if a device is lost or stolen.
- Strict access control protocols. Vendors should apply the “least privilege” approach when giving employees access to only the data they need to do their jobs.
- Background checks. Reputable vendors should conduct background checks on all employees who might have access to client data.
4. How are security incidents and communications handled?
Even with the best safeguards, incidents can occur. Reliable vendors should:
- Have clear procedures for security incidents, such as an incident response plan (IRP).
- Communicate openly with their clients as part of their IRP.
- Conduct regular security testing and monitoring.
- Provide transparent post-incident analysis.
5. What is the track record with security and updates?
A vendor's past performance can indicate future reliability. Firms should ask about:
- How reliable their system is (look for 99.99% uptime or better).
- How they handle updates and maintenance (and it shouldn’t be during busy season).
- How past security incidents were brought to light and resolved.
- How they communicate with clients during security issues.
- How they assess the security of third parties they work with.
Watch Out for These Red Flags
Certain warning signs should raise concerns when evaluating vendors:
- They dodge questions about security, suggesting they haven’t made it a priority.
- They’re not upfront about past incidents or sweep them under the rug as “no big deal,” which indicates poor transparency.
- They’re vague about their security update practices, which could mean irregular or inadequate updates.
- They can’t clearly explain their security procedures, possibly indicating a lack of established protocols.
- They can’t provide their SOC 2 or ISO 270001 certifications, a fundamental gap in security validation.
- They’re reluctant to provide documentation, meaning they may have something to hide.
If any of these red flags arise, it may be a sign that the vendor is not a suitable partner.
The Importance of Building a Security-First Partnership
Selecting software means choosing a long-term partner. It is advisable to work with vendors specializing in the accounting profession who understand both data security and industry-specific needs.
A trustworthy tax workflow solutions vendor should:
- Maintains transparent security practices.
- Provides documents surrounding security measures.
- Communicates security updates regularly.
Moving Forward
The goal remains the same: to serve clients well while protecting their information. Technology helps streamline workflows, but it is crucial to ask the right questions before selecting a software partner.
Client trust depends on maintaining robust data protection, and firms should ensure that their solutions provider is equally committed to safeguarding sensitive information.
While firms do not need to be security experts, asking these five essential questions will go a long way toward ensuring a secure partnership.