Tax Season IT Checklist for Accountants
January is peak season for two things: tax deadline pressure and cyber attacks on accountancy practices.
Attackers know your calendar. They know your staff are stressed, email volumes are high, and nobody has time to double-check that suspicious message.
67% of UK small and medium-sized businesses experienced a cyber incident last year. Most discovered it only after client data was compromised.
This checklist covers the practical IT and security controls you should have in place before the January rush hits. Nothing here is expensive or complicated. Most can be done in an afternoon.
But the difference between practices that sail through January and those that face breaches, downtime, or ICO investigations often comes down to these basics.
Use this as a quick audit. If you can tick everything off, you’re ahead of most. If you can’t, you know what to prioritise.
Email Security (The #1 Risk)
78% of cyber attacks start with email. For accountancy practices, this means phishing emails disguised as:
- HMRC notifications
- Client requests for urgent transfers
- Software update alerts (Sage, Xero, QuickBooks)
- Invoice attachments
Checklist:
- MFA enabled on all email accounts – Not just partners. Everyone with access to client data. This single control stops the majority of email compromises.
- Suspicious email reporting process – Staff know how to flag questionable emails without feeling embarrassed.
- Email encryption for client communications – Sending sensitive documents? They should be encrypted in transit.
- External email warning banners – Emails from outside your organisation should be clearly marked.
- Anti-phishing training completed – When did staff last receive training? If it’s more than 12 months, it’s overdue.
Why This Matters for PI Insurance
Professional Indemnity insurers increasingly ask for evidence of email security controls. “We have Outlook” isn’t sufficient anymore. They want documented proof of MFA, training records, and incident response procedures.
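The first checklist item and the insurer's request for proof both come down to one question: which enabled accounts still sign in with a password and nothing else? The script below is an added example, not part of the original article, and answers it for a Microsoft 365 tenant. It assumes the Microsoft.Graph PowerShell module is installed and the account running it has been granted the User.Read.All and UserAuthenticationMethod.Read.All permissions; the list of method types treated as a second factor is the author's own choice and can be widened.

```powershell
# Added example (not from the original article): list Microsoft 365 users who have
# no MFA-capable sign-in method registered, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in account holds
# User.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Method types that count as a second factor. A password on its own does not,
# and emailAuthenticationMethod is for self-service password reset only.
$mfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, UserPrincipalName

$report = foreach ($user in $users) {
    # Each registered method carries its concrete type in @odata.type
    $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = @($types | Where-Object { $mfaCapable -contains $_ })
    [pscustomobject]@{
        User          = $user.UserPrincipalName
        MfaRegistered = ($strong.Count -gt 0)
        MfaMethods    = ($strong -join ';')
    }
}

# Accounts with nothing but a password: fix these first.
$report | Where-Object { -not $_.MfaRegistered } | Format-Table -AutoSize

# Keep the full, dated list as the evidence insurers and regulators ask for.
$report | Export-Csv -Path ".\mfa-status-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Registration is only half the control: a user who has registered the Authenticator app is still not challenged unless MFA is enforced through security defaults or a Conditional Access policy, so pair this report with a check of whichever of those the tenant uses. Run it monthly and keep the CSVs; a dated series is exactly the "documented proof" described above.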
Get the checklist: Our free Accountant’s Technology Checklist covers the 5 things that break during busy season.
Backup and Recovery
The question isn’t whether you have backups. It’s whether you can actually restore from them when January 31st goes wrong.
Checklist:
- Backup tested in the last 30 days – Not “we have backups configured.” Actually restored a file and verified it works.
- Recovery time documented – If everything went down at 2pm on deadline day, how long until you’re operational? Do you actually know?
- Offsite or cloud backup in place – If ransomware encrypts your server and your backup drive, you have nothing.
- Client data backup separated – Can you recover client files independently of your systems?
- Backup monitoring active – Would you know if backups stopped working three weeks ago?
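The five items above reduce to two things that can be scripted and scheduled: is the newest backup recent, and can a file be pulled out of it and proven identical to the original? The script below is an added example, not from the original article. It assumes a simple file-copy backup layout in which each run writes a dated folder under a root such as D:\Backups, that the live data lives under a second root, and that the sample file chosen is one that does not change (a finalised set of accounts rather than a working file); all three paths are placeholders to adjust.

```powershell
# Added example (not from the original article): scripted restore test plus a
# backup-freshness check, written to a log so "tested in the last 30 days" is provable.
# Assumptions: dated backup folders under $BackupRoot, live data under $LiveRoot,
# and $SampleFile exists under both. All three values are placeholders.
param(
    [string]$BackupRoot = 'D:\Backups',
    [string]$LiveRoot   = 'C:\PracticeData',
    [string]$SampleFile = 'Clients\SampleLtd\2024-accounts.pdf',
    [int]$MaxAgeDays    = 1
)

# 1. Freshness: locate the newest backup set and warn if it is older than expected.
$latest = Get-ChildItem -Path $BackupRoot -Directory |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No backup sets found under $BackupRoot" }

$age = (Get-Date) - $latest.LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    Write-Warning ("Newest backup set '{0}' is {1:N1} days old" -f $latest.Name, $age.TotalDays)
}

# 2. Restore test: copy one file out of the backup set to a scratch folder, then
#    prove it matches the live copy by SHA-256. Choose a file that does not change,
#    otherwise a legitimate edit since the backup will show up as a mismatch.
$restoreDir = Join-Path $env:TEMP 'restore-test'
New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null

$fromBackup = Join-Path $latest.FullName $SampleFile
$restored   = Join-Path $restoreDir (Split-Path $SampleFile -Leaf)
Copy-Item -Path $fromBackup -Destination $restored -Force

$liveHash     = (Get-FileHash -Path (Join-Path $LiveRoot $SampleFile) -Algorithm SHA256).Hash
$restoredHash = (Get-FileHash -Path $restored -Algorithm SHA256).Hash

# 3. Record the outcome with a timestamp; the log is the evidence.
$result = [pscustomobject]@{
    Tested      = Get-Date -Format 'yyyy-MM-dd HH:mm'
    BackupSet   = $latest.Name
    BackupAge   = [math]::Round($age.TotalDays, 1)
    File        = $SampleFile
    HashMatches = ($liveHash -eq $restoredHash)
}
$result | Export-Csv -Path (Join-Path $BackupRoot 'restore-test-log.csv') -Append -NoTypeInformation
$result

# Non-zero exit so a scheduled task shows as failed rather than silently "completing".
if (-not $result.HashMatches) { exit 1 }
```

Scheduling this weekly through Task Scheduler turns the "backup monitoring" item into something that fails loudly: a missing backup set throws, a stale one warns, and a restore that does not match exits non-zero. It does not replace a full restore drill, which is still the only way to learn the recovery time the checklist asks you to document, but it catches the "last successful backup was November" failure weeks earlier.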
The January Scenario
Ransomware hits at 4pm on January 28th. Your files are encrypted. Attackers want payment.
Practice A: Tested backups last week. Restored overnight. Lost half a day.
Practice B: “Backups are automatic.” Last successful backup was November. Three months of work gone.
Which one are you?
Access Control
Who can access what? More importantly, who shouldn’t be able to access what but still can?
Checklist:
- Leavers disabled same day – Ex-employees with active logins are a breach waiting to happen. Check your Active Directory or Microsoft 365 admin portal now.
- Admin access limited – Not everyone needs admin rights. Limit to those who genuinely require it.
- Shared passwords eliminated – “The office password” shouldn’t exist. Individual accounts, individual passwords.
- Password manager in use – Staff using the same password everywhere? That’s one breach away from total compromise.
- Client portal access reviewed – Third parties with access to your systems? When did you last audit who has what?
Common Finding
In security assessments, we consistently find:
- Ex-employee accounts still active (average: 3 per practice)
- Shared admin passwords unchanged for 2+ years
- Staff with admin rights who don’t need them
These aren’t expensive fixes. They just need doing.
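The three findings above, and the first three checklist items before them, can all be pulled from a domain controller in one pass. The script below is an added example, not from the original article, for an on-premises Active Directory. It assumes the ActiveDirectory module from RSAT is installed and the account running it can read the directory; the 90-day inactivity threshold and the two-year password age are the thresholds the findings suggest and can be changed.

```powershell
# Added example (not from the original article): an Active Directory access review
# that reports stale enabled accounts, privileged group members and old passwords.
# Assumptions: RSAT ActiveDirectory module present; read access to the domain.
Import-Module ActiveDirectory

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)
$pwdCutoff = (Get-Date).AddYears(-2)

# 1. Enabled accounts with no sign-in for $staleDays days: compare against the leavers list.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
         Select-Object SamAccountName, LastLogonDate

# 2. Privileged group membership: every name here should have a written justification.
$admins = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n = 'Group'; e = { $group }}, SamAccountName
}

# 3. Enabled accounts whose password is older than two years; shared and
#    "office" accounts usually surface here.
$oldPwd = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
          Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $pwdCutoff } |
          Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

"`n== Enabled accounts with no logon in $staleDays days =="
$stale  | Format-Table -AutoSize
"`n== Members of privileged groups =="
$admins | Format-Table -AutoSize
"`n== Enabled accounts with a password older than 2 years =="
$oldPwd | Format-Table -AutoSize

# Evidence: dated copies let the next review show what changed since the last one.
$stamp = Get-Date -Format yyyy-MM-dd
$stale  | Export-Csv ".\review-$stamp-stale.csv"  -NoTypeInformation
$admins | Export-Csv ".\review-$stamp-admins.csv" -NoTypeInformation
$oldPwd | Export-Csv ".\review-$stamp-oldpwd.csv" -NoTypeInformation
```

Two caveats when reading the output. LastLogonDate is built from the replicated lastLogonTimestamp attribute, which can lag real activity by up to 14 days, so treat the stale list as candidates to confirm against HR records rather than accounts to disable blindly; once confirmed, Disable-ADAccount on the leaver is the fix. Service accounts will appear in the old-password list and need a separate decision, but a human account that has kept the same password for two years is the "office password" the checklist says should not exist.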
Incident Response
When (not if) something goes wrong, do you have a plan?
Checklist:
- Incident response plan documented – Who does what? Who makes decisions? Who contacts clients? Written down, not just “we’ll figure it out.”
- ICO reporting process understood – Personal data breaches must be reported within 72 hours. Not working days. Hours.
- Insurance notification process known – Most policies require immediate notification. Delayed reporting can void cover.
- Client communication templates ready – If you need to notify clients of a breach, having pre-approved wording saves panic.
- IT support contact accessible – Can you reach your IT support at 11pm on a Friday? Or just during office hours?
The 72-Hour Reality
Friday 5pm: You discover a breach.
Monday 9am: You start dealing with it.
Monday 5pm: 72 hours have passed.
You’re already late for ICO reporting. The clock starts when you discover the breach, not when it’s convenient.
Software and Patching
Outdated software is one of the easiest attack vectors. Attackers don’t need sophisticated techniques when your systems have known vulnerabilities.
Checklist:
- Windows updates current – When did your computers last update? Check every machine, not just your own.
- Accounting software updated – Sage, Xero, QuickBooks, CCH – all release security updates. Are you current?
- Browser updates enabled – Chrome, Edge, Firefox – browsers are primary attack targets.
- Router/firewall firmware current – Often forgotten. Often vulnerable. Check your manufacturer’s site.
- End-of-life software identified – Windows 10 reaches end of support October 2025. What’s your plan?
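"Check every machine, not just your own" is the part that gets skipped, so here is an added example, not from the original article, that asks each workstation for its last installed update, its Windows edition and its uptime in one run. It assumes the computer names are listed one per line in a machines.txt file (a placeholder) and that PowerShell remoting is enabled on them; the 30-day threshold is an assumption you can tighten.

```powershell
# Added example (not from the original article): a patch-status sweep across the
# practice's Windows machines. Assumptions: computer names in .\machines.txt
# (placeholder) and PowerShell remoting enabled on each target.
$computers = Get-Content .\machines.txt
$maxDays   = 30   # flag anything with no update installed in the last 30 days

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $os   = Get-CimInstance Win32_OperatingSystem
    # Get-HotFix lists installed Windows updates; InstalledOn is occasionally blank
    $last = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.BuildNumber
        LastPatch     = $last.HotFixID
        LastPatchDate = $last.InstalledOn
        LastBoot      = $os.LastBootUpTime
    }
}

$report |
    Select-Object Computer, OS, Build, LastPatch, LastPatchDate, LastBoot,
        @{n = 'Flags'; e = {
            $flags = @()
            if (-not $_.LastPatchDate -or $_.LastPatchDate -lt (Get-Date).AddDays(-$maxDays)) {
                $flags += 'NO-RECENT-PATCH'
            }
            if ($_.OS -like '*Windows 10*') { $flags += 'WIN10-END-OF-SUPPORT-OCT-2025' }
            if ($_.LastBoot -lt (Get-Date).AddDays(-14)) { $flags += 'UPTIME-OVER-14-DAYS' }
            $flags -join ','
        }} |
    Sort-Object Flags -Descending | Format-Table -AutoSize

# Machines that did not answer need a visit: they are the ones nobody is watching.
$missing = $computers | Where-Object { $_ -notin $report.PSComputerName }
if ($missing) { Write-Warning "No response from: $($missing -join ', ')" }
```

Get-HotFix only reports Windows updates, so the browser and accounting-software items still need their own check (both Chrome and Edge show their version and update state under their About page, and the vendors listed above publish release notes). The uptime flag matters because an installed update that is still waiting on a reboot protects nothing, which is why a 14-day-old boot time appears next to an apparently current patch list.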
The Patching Reality
“We’ll update when we have time” means “we’ll update after we’ve been breached.”
Critical security patches need applying within days, not months.
Physical Security (Yes, Still Relevant)
Digital security gets attention. Physical security gets forgotten.
Checklist:
- Clean desk policy observed – Client files visible on desks after hours?
- Screen locks active – Computers lock automatically after inactivity?
- Visitor access controlled – Who can walk into your server room?
- Printed documents secured – Client documents in unlocked cabinets?
- Remote working secured – Home workers using personal devices? Accessing systems from coffee shops?
ICAEW/ACCA Compliance Reference
Professional body guidance on cyber security is increasingly specific:
ICAEW Technical Release: Firms must demonstrate adequate security controls for client data protection.
ACCA Guidance: Cyber security is a core practice management responsibility, not an IT afterthought.
Key Requirements:
- Documented security policies
- Staff training and awareness
- Incident response procedures
- Regular security assessments
- Evidence of controls (not just claims)
When regulators ask (and they increasingly do), “we’re careful” isn’t an answer. Documentation is.
Quick Wins: What You Can Do This Week
If this checklist feels overwhelming, start here:
Day 1: Enable MFA on all email accounts. This single action blocks most email compromises.
Day 2: Test your backup. Actually restore a file. See if it works.
Day 3: Review user accounts. Disable anyone who’s left in the last 12 months.
Day 4: Check for software updates. Run them on one machine, verify nothing breaks, then roll out.
Day 5: Document your incident response plan. Even a one-page version is better than nothing.
Free Download
The Accountant’s Technology Checklist
Before your January deadline rush hits, make sure your IT won’t let you down.
This guide covers:
- The 5 things that break during busy season (and how to prevent them)
- What your PI insurer expects you to have in place
- A 10-minute self-assessment you can do today