Managed governance for accounting & advisory firms
Client Login

GOVERNANCE FOR CPA & ADVISORY FIRMS

One defensible governance program for CPA and advisory firms

Wealth clients don’t grade effort. They demand proof.

Borealis builds and maintains the evidence-first governance program CPA & advisory firms need when FTC Safeguards, state privacy laws, and high‑net‑worth client diligence all apply. For the tax-return-preparer side of the house, IRS Publication 4557 points to the FTC Safeguards Rule and a written security plan as the baseline for protecting taxpayer data.

Stop running two separate compliance tracks. One core program can support the overlapping FTC, privacy, and client-diligence pressures, but the state-specific deltas still need to be mapped explicitly.

Book a 30‑Minute Program Review See Reviewer Evidence Examples

Focused review • Built around FTC Safeguards + client diligence expectations • 30 minutes • No obligation

PROGRAM SNAPSHOT

What the Program Covers

  • FTC Safeguards baseline and client diligence expectations
  • Works alongside your MSP or internal IT, not a replacement
  • Every requirement mapped to proof, owned, and exportable on demand
  • E&O renewals, client questionnaires, and M&A diligence ready
  • Multi‑state friendly: one program with clear deltas by state

Remote-friendly kickoff. Light lift for your team.

The “Two-Front War” of Advisory Compliance

You have tax data (regulated by the FTC) and wealth data (scrutinized by clients and state laws).

The Mistake: Running two separate compliance programs that duplicate work.

The Borealis Fix: One maintained operating model. We map your evidence once, then layer in the reviewer-specific outputs and state-specific deltas needed for the request in front of you.

For the tax-return-preparer side of a mixed firm, IRS guidance says tax professionals should report client data theft immediately / as soon as possible to the local IRS stakeholder liaison.

Good fit if:

  • Your clients send security questionnaires before signing and you need defensible answers
  • You plan to sell or merge within three years and need clean governance to protect your valuation
  • You operate in multiple states and need one program that covers all of them

Not a fit if:

  • You need an MSP replacement or day-to-day IT operations
  • You want templates only, not a living, maintained program
  • You prepare a small number of seasonal returns and governance is not a priority

Control crosswalk / reviewer evidence examples

Client diligence and FTC Safeguards reviews tend to ask for the same core proof. These are reviewer evidence examples, not a universal legal checklist that applies identically in every jurisdiction.

  • A current written program with named ownership and a documented review cadence
  • Risk assessment + risk register (findings, owners, decisions)
  • Vendor oversight (MSP and key platforms) with review notes
  • Incident readiness with breach notification checklist
  • Training records and policy approvals (where applicable)
  • A structured review package (PDF) plus the evidence bundle (ZIP)
Book a 30‑Minute Program Review

Separation of Duties is Non-Negotiable.

Your MSP manages the tech. We audit the process.
You wouldn’t let the bookkeeper audit their own books. Why let your IT provider audit their own security?

The Reality Check

Borealis provides the independent governance layer that proves your MSP is doing their job, giving you the “checks and balances” story that auditors love.

The Compliance Gap

FTC Safeguards gives you a baseline. Clients and buyers add their own diligence requirements. Regulators and diligence teams expect you to know where you stand, and prove it.

If You Do Both Tax and Insurance/Annuity Work

  • A single program with clear ownership covers both tracks.
  • Where expectations differ, we document the requirement and keep the delta current.
  • You can export different structured review packages from the same maintained evidence set.

One core program, three reviewer contexts

CPA and advisory firms do not need three separate compliance programs. They need one maintained operating model that can answer three different kinds of reviewer pressure without rewriting the story each time.

FTC baseline

Your written program, risk system, and named ownership need to stay current enough to survive FTC Safeguards scrutiny and the follow-up questions that come with it.

Wealth-client diligence

High-net-worth and institutional prospects want proof that feels premium: clean exports, consistent answers, and visible operating discipline instead of generic assurances.

State and privacy requirements

Multi-state work changes notification timing and privacy expectations. Borealis tracks the requirement deltas so your team is not guessing which rule changed the response.

One maintained program. Three clean outputs.

  • One ownership model and evidence cadence inside Aurora Command
  • One reusable packet structure for client diligence, buyer review, and regulator pressure
  • One change log that shows what is baseline versus what is a requirement

The Questions Reviewers Will Ask

“Who is in charge?” The Question: Who is your designated Qualified Individual (QI)? The Answer: You need a named human being, not a generic “IT Dept.” We can help you document this internal role, or we can step in and fill it for you.
Show your written program and last review (FTC baseline and requirement alignment). Current policy that matches operational reality
Show your risk system: assessment, register, treatment decisions, and remediation tracking. Owners, dates, and documented remediation
Show incident readiness and notification timing, especially for fast state windows. Tested and documented response capability
Show vendor oversight for custodians, platforms, MSP, DMS, portals, payroll, and e‑signature. Third-party risk management with evidence
Prove this is operated year-round, not assembled when asked. Continuous governance with dated evidence
If you’re licensed in multiple states, show what changes by state and how you track it. Multi-state awareness with exportable proof
Book a 30‑Minute Program Review

The Governance Program

One governance cadence for both sets of expectations. Clear requirements where state privacy and breach rules apply. Evidence kept current.

Program Spine

  • FTC Safeguards-aligned written program, tailored to how you operate
  • Requirement alignment for applicable state privacy and breach expectations
  • Governance structure: roles, approvals, documented responsibility
  • Policies that match reality (not shelfware)

Risk System

  • Risk assessment (annual and updated on material changes)
  • Risk register with owners, dates, and treatment decisions
  • Remediation roadmap that your MSP can execute without churn

Incident & Notification Readiness

  • Incident Response Plan with playbooks
  • Notification readiness for fast windows (with role clarity and checklists)
  • Tabletop exercises with evidence that stands up to scrutiny
  • “Determination worksheet” and timeline capture template

People & Vendors

  • Access governance (MFA, joiner/mover/leaver, access reviews)
  • Vendor inventory, minimum requirements, and review cadence
  • Security awareness evidence

Can You Produce Evidence on Demand?

Every control mapped to proof. Every proof owned. Evidence maintained continuously.

Evidence map (what proves what)
Evidence requests & reminders
Evidence library
Reviewer-ready packet exports

Aurora Command

What advisory firms should see when buyer diligence hits

Borealis uses Aurora Command to keep control mapping, evidence freshness, and controlled reviewer sharing aligned across FTC baseline obligations, privacy requirements, and client diligence.

Aurora Command screenshot showing one control set mapped across multiple frameworks and reviewer contexts. One program, many asks FTC baseline State deltas visible One evidence set

Requirement Mapping

Keep one control set across FTC and state requirements

Advisory firms often need one maintained program that can answer FTC baseline obligations, state requirements, and buyer diligence without forking the evidence set.

  • Useful when the same firm faces overlapping reviewer lenses.
  • Reduces duplicate work across tax, advisory, and privacy requests.
  • Supports cleaner exports for different reviewer contexts.
Aurora Command screenshot showing evidence freshness timing, approvals, and current versus expiring status indicators. Monthly cadence Approval trail Current / expiring / stale

Freshness + Timing

Keep evidence current between review cycles

Aurora Command surfaces freshness timing, approval history, and review status so Borealis can run a calm monthly cadence instead of a last-minute scramble.

  • Good evidence has an owner, a date, and a refresh cadence.
  • Review cycles stop depending on memory and inbox searches.
  • Borealis uses this to keep the program organized for review year-round.
Aurora Command screenshot showing a controlled reviewer handoff and request-access workflow. Controlled handoff Controlled access No loose attachments

Reviewer Handoff

Deliver the right evidence without attachment chaos

Aurora Command helps Borealis package the maintained evidence set into a deliberate handoff, so questionnaires and buyer reviews start from a current record instead of a scramble.

  • Useful when the buyer wants a believable trust and export path.
  • Reinforces the evidence-first story without email sprawl.
  • Makes the Aurora handoff feel intentional instead of abrupt.
Tour Aurora Command Compare Advisory vs Managed

Real Aurora Command screenshots from the live public Aurora surface.

Borealis Baseline and State Requirements

Aurora Command is built around the FTC Safeguards Rule baseline. State privacy and breach requirements are mapped into that same operating model, but the jurisdiction-specific deltas still need to be tracked explicitly before you export a response.

Hover a state to preview the summary. Click or tap a state to pin the summary. Press Escape to close a pinned summary.

State-specific requirements
Federal requirements (FTC Safeguards)

Hover or click a state to see the summary. Highlighted states show example requirements on top of the FTC Safeguards baseline.

High-level overview only (not legal advice). Requirements shown are illustrative and not exhaustive; confirm applicability with counsel.

Serving Clients in Multiple States?

We map once and show you what changes by state, without multiplying programs.

Book a 30‑Minute Program Review

Choose Your Governance Model

Qualified Individual (QI) under FTC Safeguards = the named person responsible for the security program. Other frameworks use different titles, such as CISO or equivalent under NYDFS Part 500 and a responsible security program owner under applicable insurance laws. Fractional security leadership = ongoing leadership support without a full-time hire.

ADVISORY TRACK

Option 1: ADVISORY TRACK (Internal QI)

Best for firms with a partner ready to take responsibility. You keep the legal title of Qualified Individual. We provide the Aurora Command system, the operating roadmap, and the monthly discipline that keeps the program current.

  • Aurora Command system + operating roadmap
  • Monthly prompts, reminders, and evidence checklist
  • Evidence map and exportable packet structure
  • Guidance for HNW diligence and buyer requests
  • You retain the legal QI title (we keep you on track)
Book a 30‑Minute Program Review Tour Aurora Command

For teams who want to run the program in‑house

RECOMMENDED
MANAGED TRACK

Option 2: MANAGED TRACK (Outsourced QI)

Best for firms who want to transfer the weight. Borealis serves as your designated Qualified Individual where that FTC model fits. We maintain the WISP, run the governance cadence and risk-assessment process, and support the audit response. You still retain final legal responsibility for the firm.

  • Borealis serves as your designated QI where that FTC model fits
  • We maintain the WISP and operating cadence
  • We run the risk-assessment process and documentation
  • We support audit and diligence responses while keeping the evidence current
Book a 30‑Minute Program Review Tour Aurora Command

For teams who want full support

Advisory Track: internal QI. Managed Track: outsourced QI.

What Happens After You Book

1

30‑Minute Program Review

We discuss firm size, services, tech stack, and current governance posture.

2

Scope & Proposal

You receive a tailored proposal with clear deliverables and timeline.

3

Build Phase Kickoff

Remote-friendly onboarding. We build the program foundation while keeping staff disruption minimal.

Phase 1

The Build

One-time setup. We build your governance foundation.

  • Program Scope Services, data types, vendor stack, MSP boundaries, advisory scope.
  • FTC Safeguards-aligned Written Program Draft to final, with baseline and state requirement alignment.
  • Risk Assessment Initial risk assessment and risk register.
  • Evidence Map Evidence map and structured review package structure.
  • Aurora Command Setup Tasks, library, owners.
Phase 2

The Run

Monthly cadence. We keep you ready.

Advisory Track
  • Monthly accountability check-ins
  • Evidence collection reminders
  • Updates for material changes
  • Guided questionnaire support
QI-as-a-Service (FTC Safeguards) Adds
  • QI-led governance actions & oversight with Borealis support
  • Higher-touch buyer and diligence support
  • Leadership-ready reporting & decision tracking
  • Diligence packaging (clean evidence trail)

How Borealis Delivers Through Aurora Command

Aurora Command is the system. Borealis runs the cadence around it so evidence stays current, proof stays reusable, and responses stay calm when client diligence arrives.

Compliance Governance

Turn requirements into a working cadence: owners, decisions, due dates, and a single source of truth.

  • Track requirements (including custom)
  • Assign owners and due dates
  • Turn gaps into remediation

Evidence Collection

Map controls to what proves them, keep evidence organized, and export a structured review package (PDF) plus evidence bundle (ZIP) on demand.

  • Evidence library and indexing
  • Requests, reminders, and follow-up
  • Reviewer-ready packet exports (PDF) + evidence bundle (ZIP)

Questionnaire Prep (Service-First)

We help you respond faster without sending “trust me” answers.

  • Reusable response library
  • Evidence-backed answers
  • Clean exports for reviews and questionnaires

Built for Real Questionnaires

Upload what you have today, see what’s covered, then turn the rest into tracked requirements and remediation.

1

Bring It Together

Bring questionnaires, evidence, and policies into one workspace.

2

See Coverage

See how many questions can be drafted from your approved policies and evidence.

3

Review and Edit

Walk through the assessment, attach evidence, and preserve human edits.

4

Export Cleanly

Export answers and evidence as structured files, plus a structured review package (PDF) and evidence bundle (ZIP).

SEE IT WORK

Get a Guided Aurora Command Walkthrough

See how questionnaires map to requirements, how evidence stays organized, and what a controlled review handoff looks like.

Tour Aurora Command Book a 30‑Minute Program Review

FAQ

Do you replace our MSP?

No. Your MSP runs IT operations and tooling. Borealis runs the governance layer: ownership, cadence, documentation, and evidence.

Can’t I just download templates?

Templates that aren’t operated become liabilities. We build policies that match operations and create the evidence trail that proves year-round operation.

We are an RIA / Wealth Management firm. Does FTC Safeguards apply?

Likely yes, if you do any tax planning. But even if you don’t, your state privacy laws and client contracts impose strict standards. We build a program that covers the FTC baseline and the higher expectations of wealth management.

We’re licensed in multiple states. Do we need multiple programs?

No. One program, with state requirements tracked and exportable.

We can’t disrupt tax season. Can we do this without chaos?

Yes. We plan around the calendar. Build in implementation season; maintain quietly during peak season; keep proof ready before January.

Do you provide legal, tax, or accounting advice?

No. We are a cybersecurity and compliance implementation firm. We help you implement defensible programs and evidence.

Can we do this without disrupting staff?

Yes. What we need from staff is small and scheduled. Most work is leadership alignment, documentation, and evidence organization, done remotely with minimal interruptions.

Do you work nationwide even though you’re Alaska-based?

Yes. The program is designed for remote execution and multi-state realities.

Stop Managing Compliance. Start Proving Trust.

Your clients trust you with their future. Show them you can protect it.

Book a 30‑Minute Program Review

Focused review • M&A-focused • No obligation

Book a 30‑Minute Program Review See Deliverables