Spring cleaning usually starts with closets. For Salt Lake City CPA firms, the tech cleanup that follows tax season has real compliance implications — and it's often the last thing on anyone's mind after April 15.
Old laptops with cached UltraTax or Lacerte credentials. Retired workstations that may still hold client return data. Phones used by former staff with TaxDome or client portal access. Hard drives containing years of archived client financials. Document management systems on old servers that were supposed to be decommissioned after a platform migration.
Every CPA firm accumulates this. The question isn't whether you have it. It's whether anyone has thought through what IRS Publication 4557 and your state board require before it leaves the office.
Technology Has a Lifecycle — and Your Client Data Obligations Follow It
Most CPA firms plan carefully how they buy technology. Few apply the same discipline to retiring it. Old accounting firm devices can hold client tax returns with SSNs and bank account information, UltraTax and Drake credentials, client portal access tokens, state tax authority e-file credentials, and years of archived financial data. A device dropped in a storage box without proper data wiping isn't just an IT oversight — it's a potential IRS data security compliance gap.
A Practical Four-Step Framework
Step 1: Inventory
What are you actually retiring? Staff laptops, workstations, phones, tablets, external drives, old servers? CPA firms often have retired equipment sitting in closets after platform migrations or staff turnover. A walkthrough after tax season often surfaces more than expected.
Step 2: Decide the Destination
Reuse (after certified data wiping), recycle (certified e-waste), or destroy. For CPA firms, any device that held client SSNs, financial data, or tax return information should be destroyed or handled by a compliance-aware ITAD provider with documented chain of custody. IRS Pub 4557 expects this level of care.
Step 3: Prepare the Device Properly
A study by data security firm Blancco found that 42% of resold drives still contained sensitive data — even from sellers who claimed the drives had been wiped. For CPA firms, that could mean client SSNs, business financials, and bank account information for hundreds of clients. A certified data erasure tool overwrites every sector and produces a written verification report. That's the standard IRS Pub 4557 expects.
Step 4: Document Everything
IRS Pub 4557 and many state CPA board requirements expect tax preparers to document data disposal procedures. Keep a record for each retired device: serial number, data classification, method, ITAD provider, date, and authorization. This documentation belongs in your Written Information Security Plan (WISP).
Devices CPA Firms Tend to Forget
- Former staff accountant laptops — likely contain client tax returns, portal credentials, and archived financial data
- Document management and client portal servers — if migrating from SafeSend or SmartVault to a new platform, the old server needs proper decommissioning
- Old printers and copiers — store copies of every tax return and client document ever printed or scanned. If returning a leased copier, confirm the hard drive is wiped.
- External drives used for client archive backups — may contain years of returns for hundreds of clients
The Bigger Opportunity
After tax season is an ideal time to step back and assess: Is our current technology actually supporting how we serve clients and meet IRS and state board requirements? Are our tax preparation platforms, document management, and client portal working together efficiently? Is our cybersecurity program — including our WISP — current and defensible?
Frequently Asked Questions
What does IRS Publication 4557 require for disposing of devices that stored client tax data?
IRS Pub 4557 requires tax preparers to use proper methods for destroying or discarding client data on electronic devices — specifically referencing secure data disposal as a component of a Written Information Security Plan (WISP). Certified data erasure with verification reports, or physical destruction with chain-of-custody documentation, satisfies this requirement.
How often should a Salt Lake City CPA firm review and retire old IT equipment?
Most IT providers recommend a hardware lifecycle review every 12–18 months. For CPA firms, post-tax-season (May–June) is an ideal time for this review — equipment that's seen heavy use during tax season often needs evaluation, and the WISP annual review requirement aligns well with a hardware audit.
Can a managed IT services provider help with compliance-aligned device disposal for a CPA firm?
Yes. A managed IT services partner handles the full hardware lifecycle with documentation suitable for your WISP — coordinating certified ITAD disposal, maintaining records, and ensuring all tax software and client portal credentials are revoked. Qualit provides managed IT services for CPA firms throughout Salt Lake City and the greater Utah area.
Where We Come In
If your firm already has a documented, IRS-compliant process for retiring equipment after tax season — great. If the answer is "we'll deal with it later," that's worth a conversation now, while the data exposure is fresh.
We'd love to help you review your technology lifecycle and WISP compliance. No checklist. No hard sell. Schedule your discovery call here.
