A guide for IT professionals in selecting tax software and vendors

For IT professionals working within large accounting and audit firms, there is no question that security breaches are a major concern. That's why it's important to critically assess software vendors from a data security and compliance perspective.

Download our checklist to help in your vendor selection process and learn more about:

  • Key considerations when evaluating vendors
  • Why choosing the right vendor matters for your data
  • How to assess your firm's current data security position
  • Essential questions to ask potential vendors
What to ask the vendor Y N Why this is important
Do you maintain a comprehensive information security management framework supported by security policies, standards, and practices?     The vendor’s current privacy and data security policies will help you understand their approach to information security and risk management and decide if they align with your expectations and are capable of protecting your clients’ data.
Are your employees subject to a Code of Business Conduct and Ethics?      The vendor should require all directors, officers, employees, and contingent workers to acknowledge a Code of Business Conduct and Ethics annually.
Do you have a dedicated, global privacy organization founded upon the Privacy Management Framework (PMF)?     

Formerly known as the Generally Accepted Privacy Principles (GAPP) and established by the Association of International Certified Professional Accountants (AICPA), the PMF is a principle-based framework.

Vendors that prioritize meeting their customers’ expectations of privacy typically have a dedicated global privacy office responsible for implementing, promoting, and overseeing a stringent privacy program that supports compliance with applicable privacy and data protection laws around the globe.

Is your global information security organization in alignment with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)?    

The NIST CSF is voluntary, actionable guidance to help organizations manage, reduce, and communicate cybersecurity risks.

The vendor’s global information security organization should align with the NIST CSF to prevent, detect, and respond to cybersecurity threats. 

Do your product development processes include security best practices?    

Product development processes should include key integration points with security infrastructure and architecture leads to guide security best practices throughout the build and development of applications and services.

Products should each have a separate set of compliance attestations, including:

  • SOC 1 and SOC 2 reports
  • ISO/IEC 27001:2017
  • SOX 404
  • CJIS roadmap
  • Cyber Essentials Plus roadmap
  • Internal controls assessments against vendor policies
What is your approach to physical data security?     The vendor should manage its data centers based on best practices in the industry, including ongoing certification of ISO/IEC 27001:2017.
Do you have an enterprise risk management framework that incorporates cybersecurity risk assessments conducted semi-annually?    

The vendor’s compliance team should perform assessments against policies, standards, and regulatory requirements and register findings for review and remediation initiatives within the business.

Review the results from applicable data security risk assessments, including identified risks and remediation plans and any past privacy or security incidents, including data breaches and post-event analysis and remediation efforts.

Do you participate in cyber-risk analytics and security ratings from third-party scanning partners?     Vendors committed to meeting external cyber-risk analytics and security ratings, as indicated by third-party scanning partners such as BitSight, often leverage a risk-based approach and a defined process to continuously monitor and address the identified findings. 
Do you maintain a data protection program designed to minimize the cybersecurity, business, and legal risk associated with intentional or unintentional data loss?    

The vendor’s data classification structure should set forth the security controls for managing customer data throughout its entire lifecycle.

Ensure the vendor accomplishes this by using data loss prevention technologies, engaging employees in proper data handling, and providing incident response on data handling violations. 

Do you conduct due diligence to ensure your vendors and partners have the appropriate controls in place to protect your data and that of your customers?     Third-party vendors should be contractually required to comply with the vendor’s standards of conduct and controls. Conduct assurance assessments on vendors and third parties to verify compliance with these contractual terms.
Do your cloud deployments leverage security inherent to leading third-party cloud providers?    

The vendor’s cloud deployments should leverage security inherent to leading third-party cloud providers by utilizing native security services.

Additionally, the vendor should increase cloud defense in the Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) environments by employing threat detection capabilities, as well as custom detection telemetry in crucial locations.

What is your approach to network and infrastructure security?     

The vendor should employ a strategy of detective and preventative defensive security controls to achieve defense in depth against modern threats.

At critical locations within the network, the vendor should use technologies such as distributed denial of service mitigation, web application firewalls, next-generation firewalls, intrusion detection systems, and deep packet inspection to implement tiered network segmentation, route isolation, remote access control, and defensive visibility.

What is your business continuity plan?      The vendor’s business continuity plan should prepare them to respond and recover from disruptive incidents such as natural disasters, pandemics, and transit shutdowns.
What is your approach to identity and access management?    

The vendor should employ identity and logical access security controls to the enterprise network and infrastructure, product environments, and applications for all employees, contractors, and third-party suppliers.

Identity and access controls should adhere to various established industry standards and best practices, including principle of least privilege, segregation of duties, unique IDs, strong password creation and management, multi-factor authentication, and privileged access management.

In addition, the vendor should conduct multiple internal and external assessments that evaluate access control effectiveness, such as SOC 1, SOC 2, and ISO/IEC 27001:2017.

Are your policies compliant and audited frequently?

Do they successfully pass annual SSAE 18 and SOC audits?

    When dealing with your firm’s sensitive information, the appropriate security measures must be in place. A third party should certify policies and procedures to ensure they are SSAE 18 and ISAE-3402 compliant.
Do you partner with leading professional services firms for implementation?     From implementation to configuration, your vendor should have a close working relationship and strong partnership with your advisors. 
Do you offer personal support and adequate training, documentation, and support materials?     No matter how much you scrutinize potential vendors, there will always be questions post-implementation. You should choose a vendor that offers ongoing, convenient support, which may include 24/7 priority support.
Total score    

How’d they score?

We encourage you to call and go through this same checklist with a Thomson Reuters product expert.

Looking for accounting firm management software that checks all the boxes? Confidently manage your firm and client communication in the cloud with Onvio Firm Management and FirmFlow.

Connect the dots for a more efficient tax workflow

Drive efficiency with the industry’s only interconnected ecosystem of tax compliance solutions