Managed governance for tax & accounting firms

GOVERNANCE FOR TAX & ACCOUNTING FIRMS

FTC Safeguards Compliance. Don’t Just Say You’re Secure. Prove It.

The IRS and your clients don’t grade effort. They grade proof.

For tax return preparers and tax professional firms, IRS Publication 4557 points to the FTC Safeguards Rule and a written security plan as the baseline for protecting taxpayer data. Borealis builds and maintains that evidence-first governance program. We can serve as your Qualified Individual or support an internal owner. Either way, your written program, evidence, and ownership stay organized in Aurora Command for periodic review and handoff.

We build in the summer. We maintain in the fall. We let you work in the winter.

Focused review • FTC‑aligned • No obligation

PROGRAM SNAPSHOT

What the Program Covers

  • FTC Safeguards expectations and real client due‑diligence questions
  • Works alongside your MSP or internal IT, not a replacement
  • Every requirement mapped to proof, assigned an owner, and exportable on demand
  • Client questionnaires, diligence reviews, and engagement renewals ready
  • Calendar-aware: implementation season, readiness season, and low‑disruption tax season ops

Remote-friendly kickoff. Light lift for your team.

Good fit if:

  • You handle taxpayer data (SSNs, W‑2s, 1099s, 1040s) and want defensible governance, not scattered screenshots
  • You have an MSP, but “security ownership” is unclear beyond tools
  • You’re moving from compliance work into advisory/CAS and want premium clients to trust your posture
  • You want a clean diligence story as partners exit or private equity asks hard questions

Not a fit if:

  • You need IT support or MSP replacement. We provide governance oversight and documentation.
  • You want a static template to file away. We build living programs that survive IRS and FTC scrutiny.

Control crosswalk / reviewer evidence examples

FTC Safeguards reviews and client questionnaires tend to ask for the same core proof. These are reviewer evidence examples, not a universal legal checklist that applies identically in every jurisdiction.

  • A current written program with named ownership and a documented review cadence
  • Risk assessment + risk register (findings, owners, decisions)
  • Vendor oversight (MSP and key platforms) with review notes
  • Incident readiness with breach notification checklist
  • Training records and policy approvals (where applicable)
  • A Reviewer‑Ready Packet and a clean evidence bundle

Your MSP Secures the Server. We Secure the Firm.

Security tools reduce risk. Governance makes that work defensible.
Most firms fail reviews not because they lack firewalls, but because they cannot show who owns those firewalls, who monitors them, and the dated evidence that the monitoring actually happens.

Why the Pressure Is Increasing

Regulators set the baseline. Clients bake it into questionnaires. Procurement and diligence teams check the same boxes. The pressure converges on one place: your firm.

FTC & IRS

The FTC Safeguards Rule and IRS guidance define the baseline every firm handling taxpayer data must meet.

Clients & Buyers

Due diligence questionnaires and engagement requirements turn those standards into questions you must answer.

M&A & Valuation

Partner exits, PE diligence, and succession events expose every gap in documented governance.

Here is where it hits first:

The Tax Season Blackout

The worst time to fix a compliance gap is February 15th. We design our cadence around your calendar: heavy lifting in the summer, maintenance in the fall, and zero disruption during tax season.

Client Due Diligence & Questionnaires

If proof cannot be produced quickly, engagements slow down, conditions appear, and trust erodes right when work needs to keep moving.

Valuation & Diligence

Weak governance becomes leverage against price, terms, or timeline. Clean governance reduces uncertainty.

The Questions Reviewers Will Ask

Who is your designated security owner, and where is it documented?
  What reviewers want: named accountability with documented authority.

Show your written security program and when it was last reviewed.
  What reviewers want: a current written program that matches operational reality.

Show MFA and access governance for email, portals, and document management.
  What reviewers want: access controls that prevent common breach paths.

Show encryption expectations and how sensitive data is transmitted.
  What reviewers want: defensible handling of SSNs and tax documents.

Show vendor oversight: tax software, DMS, portals, MSP, payroll, e‑signature.
  What reviewers want: third-party risk management with evidence.

Show incident readiness: roles, steps, timelines, and tabletop evidence.
  What reviewers want: a tested and documented response capability.

Prove this is operated year-round, not assembled when asked.
  What reviewers want: continuous governance with dated evidence.

The Firm Governance Program

We build a repeatable governance cadence and keep it current month to month.

Program Spine

  • Written Information Security Program (Safeguards‑aligned) tailored to how your firm actually operates
  • Governance structure: roles, approvals, documented responsibility
  • Policy set written to survive real scrutiny, not templates that don’t match reality

Risk System

  • Risk assessment (annual, and updated after material changes)
  • Risk register with owners, due dates, and status
  • Remediation roadmap prioritized for your MSP (no busywork)

Incident & Resilience

  • Incident Response Plan with playbooks for BEC, impersonation, and document theft
  • Business continuity and disaster recovery expectations, including recovery objectives (RTO/RPO)
  • Notification readiness and “fast capture” timelines (no guesswork under deadline)

People & Vendors

  • Access governance (MFA, joiner/mover/leaver, access reviews, seasonal access)
  • Vendor inventory, minimum requirements, and review cadence
  • Security awareness completion evidence (with tax season timing in mind)

Can You Produce Evidence on Demand?

Every requirement is mapped to proof. Every proof has an owner. Evidence is collected continuously, not assembled at the last minute.

Evidence map (what proves what)
Evidence requests & reminders
Evidence library
Reviewer-ready packet exports

Aurora Command

What tax firms should see before busy season starts

Borealis uses Aurora Command to keep the evidence set, approvals, framework requirements, and reviewer handoff current before tax-season pressure makes every missing artifact more expensive.

Screenshot: Aurora Command evidence-freshness view showing approval history and proof items expiring ahead of a deadline (owner and due date per item, what is current before January, what expires in the next 30 days).

Seasonal Readiness

See what is current before busy season starts

Tax and accounting teams need proof that is already current before January. Borealis uses Aurora Command to surface owners, due dates, and what is about to expire before the calendar turns hostile.

  • Useful when the firm has a real tax-season blackout window.
  • Makes it obvious what must be refreshed before questionnaires hit.
  • Supports the promise of calm, year-round readiness.
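The evidence map described under "Can You Produce Evidence on Demand?" and the freshness view above boil down to one check: for every requirement, which artifacts prove it, who owns each one, and which will be stale before the blackout date. The script below is an added example, not Aurora Command code or Borealis's own tooling; it models that check over a constructed register so a firm can run the same logic against an export of its own evidence library. The requirement wording, field names, dates, maximum-age values and the sample entries are all assumptions made for illustration.

```python
"""Evidence-freshness check over a requirement-to-proof map.

Added example, not Aurora Command code or Borealis's own tooling. It models the
"what proves what" map the page describes: each requirement lists the evidence
artifacts that prove it, and each artifact has an owner, a collection date and a
maximum age after which a reviewer will treat it as stale. The report flags what
must be refreshed before a blackout date. Requirement wording, field names,
dates and the sample entries are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    ref: str            # identifier of the artifact in the evidence library
    owner: str | None   # accountable person; None or "" means unassigned
    collected: date     # date the artifact was produced or approved
    max_age_days: int   # how long it stays "current" for a reviewer


@dataclass
class Requirement:
    rid: str
    text: str
    evidence: list[Evidence] = field(default_factory=list)


def expires_on(ev: Evidence) -> date:
    return ev.collected + timedelta(days=ev.max_age_days)


def artifact_status(ev: Evidence, as_of: date, window_days: int) -> str:
    """'stale' if already expired, 'expiring' if it lapses within the window
    (e.g. before a busy-season blackout), otherwise 'current'."""
    exp = expires_on(ev)
    if exp <= as_of:
        return "stale"
    if exp <= as_of + timedelta(days=window_days):
        return "expiring"
    return "current"


def readiness_report(reqs: list[Requirement], as_of: date, window_days: int) -> dict:
    """Return what needs attention: stale and expiring artifacts, artifacts
    with no owner, and requirements with no non-stale proof at all."""
    report = {"stale": [], "expiring": [], "unowned": [], "uncovered": []}
    for req in reqs:
        covered = False
        for ev in req.evidence:
            status = artifact_status(ev, as_of, window_days)
            if status == "stale":
                report["stale"].append((req.rid, ev.ref))
            else:
                covered = True  # expiring proof is still valid today
                if status == "expiring":
                    report["expiring"].append(
                        (req.rid, ev.ref, expires_on(ev).isoformat()))
            if not ev.owner:
                report["unowned"].append((req.rid, ev.ref))
        if not covered:
            report["uncovered"].append(req.rid)
    return report


def sample_register() -> list[Requirement]:
    """Constructed sample: five Safeguards-style requirements with typical proof."""
    return [
        Requirement("R1", "Designated Qualified Individual",
                    [Evidence("qi-appointment-memo", "Managing Partner",
                              date(2025, 6, 10), 365)]),
        Requirement("R2", "Written risk assessment",
                    [Evidence("risk-assessment-2024", "QI",
                              date(2024, 11, 15), 365)]),
        Requirement("R3", "MFA enforced on email and client portals",
                    [Evidence("m365-mfa-policy-export", None,
                              date(2025, 11, 20), 90)]),
        Requirement("R4", "Security awareness training completed",
                    [Evidence("training-completion-report", "Office Manager",
                              date(2025, 10, 10), 90)]),
        Requirement("R5", "Incident response plan exercised",
                    [Evidence("tabletop-2025-08", "QI",
                              date(2025, 8, 14), 365)]),
    ]


def sample_report() -> dict:
    """Run the check on 2025-12-01 with a blackout window starting 2026-01-15."""
    as_of, blackout = date(2025, 12, 1), date(2026, 1, 15)
    return readiness_report(sample_register(), as_of, (blackout - as_of).days)


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket}: {items}")
```

On the constructed data the last year's risk assessment has already lapsed, so R2 shows as both stale and uncovered; the training report expires on 2026-01-08, inside the window before the blackout, so it is flagged for refresh now; and the MFA export is current but has no owner, which a reviewer will treat as a gap even though the artifact exists. The maximum-age values are the firm's own policy choice, not something the Safeguards Rule fixes.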

Screenshot: Aurora Command control-to-framework mapping with evidence counts and freshness indicators (controls mapped once, linked to evidence, freshness visible).

Governance Mapping

Map one control set to every reviewer context

Aurora Command keeps control coverage, evidence counts, and framework mapping in one working view instead of across spreadsheets.

  • Control-level mapping stays tied to evidence.
  • Framework overlap does not create duplicate work.
  • Stale items are visible before a reviewer notices.

Screenshot: Aurora Command controlled reviewer handoff and request-access workflow (controlled access, no loose attachments).

Reviewer Handoff

Deliver the right evidence without attachment chaos

Aurora Command helps Borealis package the maintained evidence set into a deliberate handoff, so questionnaires and buyer reviews start from a current record instead of a scramble.

  • Useful when a buyer wants a credible trust story and a clean export path.
  • Reinforces the evidence-first story without email sprawl.
  • Makes the Aurora handoff feel intentional instead of abrupt.

Real Aurora Command screenshots from the live public Aurora surface.

Borealis Baseline and State Requirements

Aurora Command is built around the FTC Safeguards Rule requirements: written program, risk system, vendor oversight, incident readiness, and evidence. State requirements are mapped into that same operating model, but the jurisdiction-specific deltas still need explicit tracking before you export a response.

State map (interactive on the live page): highlighted states show example requirements on top of the FTC Safeguards baseline.

High-level overview only (not legal advice). Requirements shown are illustrative and not exhaustive; confirm applicability with counsel.

Serving Clients in Multiple States?

One maintained operating model can support multi-state work, but we still map the state-specific deltas so deadlines, recipients, and notice thresholds do not get lost.

What Defensible Looks Like

Short, clear, operated monthly. Evidence collected before it’s requested.

Written Security Program

Tailored to your firm size, not a 100-page template that does not match reality.

Risk System

Risk assessment with a documented review cadence, plus a risk register with owners, dates, and treatment decisions.

Vendor Oversight

Track your MSP, tax stack, DMS, and portals with minimum requirements and review cadence.

Incident Readiness

Response plan, playbooks, notification timelines, and tabletop evidence.

Evidence Library

Mapped to requirements, organized for reviewers, exportable on demand.

Program Snapshot Export

A current snapshot you can export anytime, built from your living program.

Choose Your Governance Model

Qualified Individual (QI): under the FTC Safeguards Rule, the named person responsible for overseeing and implementing the firm's information security program. Other frameworks use different titles, such as a CISO or equivalent under NYDFS Part 500 and a responsible security program owner under applicable state insurance data security laws. Fractional security leadership: ongoing leadership support without a full-time hire.

ADVISORY TRACK

Option 1: ADVISORY TRACK (You are the QI)

Best if a partner or internal ops leader acts as the Qualified Individual. You retain the legal role. We provide the Aurora Command system, the policy structure, and the monthly cadence so the program does not drift.

  • Aurora Command system + evidence engine
  • Policy templates and baseline program structure
  • Monthly checklist, prompts, and reminders
  • Evidence map and exportable proof set
  • You retain the legal QI role (we provide structure and accountability)

Advisory Track: you are the QI. Managed Track: we are the QI.

What Happens After You Book

1. 30‑Minute Program Review: we discuss firm size, services, tech stack, and current governance posture.

2. Scope & Proposal: you receive a tailored proposal with clear deliverables and timeline.

3. Build Phase Kickoff: remote-friendly onboarding. We build the program foundation while keeping staff disruption minimal.

Phase 1: The Build

One-time setup. We build your governance foundation.

  • Program Scope: services, data types, vendor stack, MSP boundaries
  • Safeguards-aligned Written Program: draft, then finalize
  • Risk Assessment: initial risk assessment and risk register
  • Evidence Map: evidence map and print/export structure
  • Tax Season Readiness Plan: calendar and minimum proof set
  • Aurora Command Setup: tasks, library, owners

Phase 2: The Run

Monthly cadence. We keep you ready.

Advisory Track:

  • Monthly accountability check-ins
  • Evidence collection reminders
  • Updates for material changes
  • Guided questionnaire support

QI-as-a-Service (FTC Safeguards) adds:

  • QI-led governance actions and oversight with Borealis support
  • Higher-touch buyer and client diligence support
  • Leadership-ready reporting and decision tracking
  • Diligence packaging (clean evidence trail)

How Borealis Delivers Through Aurora Command

Aurora Command is the system. Borealis runs the cadence around it so evidence stays current, proof stays reusable, and responses stay calm during busy season.

Compliance Governance

Turn requirements into a working cadence: owners, decisions, due dates, and a single source of truth.

  • Track requirements (including custom)
  • Assign owners and due dates
  • Turn gaps into remediation

Evidence Collection

Map controls to what proves them, keep evidence organized, and export the Reviewer‑Ready Packet and evidence bundle on demand.

  • Evidence library and indexing
  • Requests, reminders, and follow-up
  • Reviewer‑ready exports (packet + evidence bundle)

Questionnaire Prep (Service-First)

We help you respond faster without sending “trust me” answers.

  • Reusable response library
  • Evidence-backed answers
  • Clean exports for reviews and questionnaires

Built for Real Questionnaires

Upload what you have today, see what’s covered, then turn the rest into tracked requirements and remediation.

1. Bring It Together: bring questionnaires, evidence, and policies into one workspace.

2. See Coverage: see how many questions can be drafted from your approved policies and evidence.

3. Review and Edit: walk through the assessment, attach evidence, and preserve human edits.

4. Export Cleanly: export answers and evidence as structured files and review bundles.

SEE IT WORK

Get a Guided Aurora Command Walkthrough

See how questionnaires map to requirements, how evidence stays organized, and what a controlled review handoff looks like.

FAQ

Do you replace our MSP?

No. Your MSP runs IT operations and tooling. Borealis runs the governance layer: ownership, cadence, documentation, and evidence.

Can’t I just download templates?

Templates that aren’t operated become liabilities. We build policies that match operations and create the evidence trail that proves year-round operation.

We have fewer than 5,000 clients. Are we exempt?

Be careful. The threshold in the rule is the number of consumers whose customer information you maintain, not your active client count, so former clients whose returns and records you still retain count toward it. A firm with 500 active clients and ten years of retained files can easily be above 5,000. The exemption is also partial: firms under the threshold are relieved of a few specific obligations (such as the written risk assessment and the written incident response plan), not the rule as a whole. We help you scope this accurately so you do not rely on an exemption you do not actually have.

We can’t disrupt tax season. Can we do this without chaos?

Yes. We plan around the calendar. Build in implementation season; maintain quietly during peak season; keep proof ready before January.

Do you provide legal, tax, or accounting advice?

No. We are a cybersecurity and compliance implementation firm. We help you implement defensible programs and evidence.

Can we do this without disrupting staff?

Yes. What we need from staff is small and scheduled. Most work is leadership alignment, documentation, and evidence organization, done remotely with minimal interruptions.

Do you work nationwide even though you’re Alaska-based?

Yes. The program is designed for remote execution and multi-state realities.

Secure Your Firm Before Next Tax Season.

Don’t wait for a breach or an audit to test your governance.

