CPA Technology Competence Checklist (Free Download for Canadian Accounting Firms)

A line-by-line checklist Canadian accounting firms can use to evidence the technology controls that a CPA Canada cybersecurity review, a CRA EFILE practice inspection, or a cyber-insurance renewal questionnaire will actually ask about.

Built by Fusion Computing’s CISSP-led team. Mapped to CPA Canada cybersecurity guidance, PIPEDA, CIS Controls v8.1, and CRA EFILE expectations. Field-tested at Canadian CPA practices before publication.

Why this checklist exists

Canadian accounting firms operate under a stack of overlapping technology-and-privacy expectations: PIPEDA at the federal level, the CPA Canada cybersecurity guidance for the profession, CRA EFILE requirements for registered tax preparers, provincial CPA Code of Professional Conduct rules on client confidentiality, and the cyber-insurance baseline controls underwriters now expect at renewal. None of those publishes a single combined checklist. A managing partner trying to demonstrate “reasonable” security measures has to assemble the evidence from six different sources.

This checklist is the assembly. Each line item maps to the underlying expectation it satisfies, so when a CPA Canada review, a CRA practice inspection, an insurance underwriter, or a sophisticated client asks “how do you protect our financial data,” the answer is a documented control, a date, and a name.

The regulatory floor for Canadian accounting firms: PIPEDA requires every business that collects, uses, or discloses personal information in the course of commercial activity to implement reasonable security measures. For an accounting firm, “reasonable” means protecting client tax files, SINs, T1/T2/T4 returns, and banking details with the same care expected for the firm’s own financial records. CPA Canada publishes guidance including Cyber Security: Establishing a Risk Management Program and ongoing reporting alerts on cybersecurity risks and incidents. CRA EFILE registration carries its own data-handling expectations under the EFILE suitability screening framework. Sources: priv.gc.ca, cpacanada.ca, canada.ca/cra-efile.

The checklist (eight control families)

Each control family below maps to expectations a CPA Canada review, CRA EFILE practice inspection, or cyber-insurance renewal will ask about. Use it as the audit-readiness inventory for your firm.

1. Identity and access

  • Multi-factor authentication enforced on every user account (partners, staff, contractors)
  • Conditional access policies block sign-ins from unmanaged devices and from non-Canadian IP ranges by default
  • Quarterly access review across CCH iFirm, CaseWare, TaxCycle, QuickBooks Online, and the client portal
  • Departing-staff offboarding runbook revokes access on the last day with documented audit trail
  • CRA Represent a Client login credentials issued to named individuals, never shared

2. Endpoint and device security

  • EDR (Endpoint Detection and Response) deployed on every firm-managed device with active monitoring
  • Encrypted disk (BitLocker on Windows, FileVault on Mac) enforced via policy
  • Patch management with documented monthly cadence; emergency patches within 48 hours
  • Mobile Device Management on any phone or tablet that accesses firm email or client files
  • Personal devices kept off the firm tenant unless enrolled and policy-controlled

3. Email and communication

  • DMARC, DKIM, and SPF enforced on the firm domain to defend against email spoofing
  • Phishing-simulation training run at least twice a year with reporting metrics retained
  • Secure client portal for exchanging tax files (not email attachments) — Liscio, Truepoint, or equivalent
  • Out-of-band callback verification (to a known phone number, not one supplied in the request) required for any banking-detail change request received within 72 hours of a transaction
  • Legacy email protocols (POP3, IMAP, SMTP basic auth) disabled at the tenant level
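An added example (not part of the original checklist) of what "enforced" means for the DMARC and SPF line above: a small checker that evaluates the published record strings and flags monitoring-only DMARC (p=none), partial rollout (pct below 100), and soft-fail SPF (~all), which look like coverage on a questionnaire but do not block spoofed mail. The record strings are constructed samples; DKIM is not checked here because it requires knowing the selector names.

```python
"""Grade SPF and DMARC TXT records against an 'enforced' bar (added example)."""

# Constructed sample records; no real domain's DNS data.
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example-cpa.invalid"
SAMPLE_DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-cpa.invalid"

LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "redirect")


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lowercase tag names to values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    findings = []
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record missing or malformed"]
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None or all_term in ("+all", "all"):
        findings.append("SPF: no restrictive 'all' term; any sender passes")
    elif all_term == "~all":
        findings.append("SPF: softfail (~all) only; use -all once sources are verified")
    # RFC 7208 caps DNS-lookup mechanisms at 10; beyond that receivers return permerror.
    lookups = sum(1 for t in terms
                  if t.split(":")[0].lstrip("+-~?") in LOOKUP_MECHANISMS or t.startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy or 'missing'} does not enforce")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append("DMARC: subdomain policy (sp) weaker than enforcement")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies policy to only part of mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no aggregate reporting address (rua); no visibility into spoofing")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Return whether both records meet the enforced bar, plus the findings to fix."""
    findings = check_spf(spf_record) + check_dmarc(dmarc_record)
    return {"enforced": not findings, "findings": findings}
```

Pull the live records with `dig TXT yourfirm.ca` and `dig TXT _dmarc.yourfirm.ca` and feed the strings in; the findings list is the evidence gap to close before the questionnaire.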

4. Backup and recovery

  • Daily encrypted backup of file shares, Microsoft 365 mailboxes, OneDrive, SharePoint, and the practice-management database
  • Documented backup restore test performed at least quarterly, with the date and result on file
  • Backup data held in Canada or under Canadian jurisdiction where the firm’s client agreements require
  • Recovery Time Objective and Recovery Point Objective defined and communicated to partners
  • Disaster recovery runbook with named responsibilities and external-vendor contacts

5. Client-data protection (PIPEDA + CPA Code)

  • Microsoft Purview sensitivity labels (or equivalent) applied automatically to client tax files
  • Documented data-classification policy distinguishing client-confidential, internal, and public
  • Written records-retention policy aligned to CRA requirements (six years) and applied via system rules
  • Privacy breach response plan with the 24-hour internal notification trigger and 72-hour client/regulator decision window
  • Data Processing Agreement on file for every third-party vendor handling personal information

6. CRA EFILE and tax-season infrastructure

  • Tax-season capacity planning: cloud licensing, hardware, and bandwidth scaled for February through April peak
  • CRA EFILE software (TaxCycle, ProFile, TaxPrep) on supported platforms with current security patches
  • Practice-management software (CCH iFirm, CaseWare, Karbon) integrated with M365 identity
  • Tax-engagement file structure consistent across the firm; partners can audit any matter
  • Help-desk SLA documented for tax-season tickets with 15-minute response on critical issues

7. AI and Copilot governance

  • Microsoft Copilot deployment scoped to firm tenant; consumer ChatGPT, Claude, Gemini blocked on managed devices
  • Written AI use policy signed by all staff with consent to monitoring
  • Verification protocol for AI-generated client communications and tax-research outputs
  • Audit log of Copilot use retained for the firm’s records-retention horizon
  • Partner-board approval list for which advisor roles can use which AI tools on which matters

8. Incident response and insurance

  • Written incident response runbook with named on-call contact, decision tree, and external counsel
  • Cyber-insurance policy in force with the firm’s required limits and an answered baseline-controls questionnaire
  • Tabletop incident exercise run at least annually with after-action notes
  • Documented contacts for CRA, Office of the Privacy Commissioner, provincial CPA body, and external counsel
  • Post-incident reporting template prepared ahead of time (not built mid-incident)

How to use this checklist

Two ways. First, run it as an internal partner-meeting agenda once a quarter. Each control family becomes one agenda item with a status (in place, partial, gap) and a named owner. Second, hand it to your IT provider with the same status assignment and use the gaps as the prioritized roadmap for the next ninety days.

If your IT provider can’t walk you through their answer to each line item with a date and a control owner, that is a finding. Replacing the provider is not always required — sometimes the gap is documentation rather than missing controls — but the finding is real. Cyber insurance underwriters and CPA Canada reviewers are increasingly explicit that “our IT person says we’re fine” is not an acceptable answer.

Fusion Computing supplies the line-by-line evidence packet for our accounting-firm clients during onboarding and re-confirms it at each quarterly business review. See our IT services for Canadian accounting firms hub for the full operating scope.

Frequently asked questions

Is this checklist a substitute for actual CPA Canada or CRA guidance?

No. It is a practitioner-built consolidation of the technology controls that the CPA Canada cybersecurity guidance, PIPEDA, CRA EFILE expectations, and a typical cyber-insurance baseline all reference, in a form a partner-board can actually work through. For the underlying authoritative texts see CPA Canada’s published cybersecurity resources, the Office of the Privacy Commissioner of Canada’s PIPEDA materials, and the CRA EFILE program documentation. Fusion does not provide regulatory or legal advice.

How does this compare to the SOC 2 audit checklist?

SOC 2 is a third-party attestation framework typically requested by enterprise clients and SaaS vendors. The CPA Technology Competence Checklist is a self-audit baseline for an accounting firm, not a SOC 2 attestation. Many of the controls overlap (access management, encryption, monitoring, incident response), but SOC 2 requires an independent auditor and documented control testing over an evaluation period. If a client demands SOC 2 from your firm, this checklist is the starting inventory, not the finish line.

What if our firm is too small to implement every control?

Most controls scale down. A solo practitioner with two bookkeepers can implement MFA, EDR, encrypted backups with tested restore, written AI policy, and a quarterly access review without a full IT team. The controls that require staffing (24/7 monitoring, tabletop exercises, vCISO touchpoints) are typically the ones a managed IT provider supplies under a fixed monthly engagement. The full Fusion accounting-firm program starts around $500 per month for solo practices and scales from there.

Can we use this checklist if we are CPA-licensed in a province other than Ontario?

Yes. PIPEDA applies federally to private-sector commercial activity in every province except Quebec, Alberta, and British Columbia, each of which has its own substantially similar private-sector privacy law (Quebec's is Law 25). The CPA Canada cybersecurity guidance is national. CRA EFILE expectations are federal. The checklist works for any Canadian CPA practice. If your firm operates in Quebec under Law 25, the privacy obligations become more specific around French-language records and explicit consent, but the IT controls are the same baseline.

Does Fusion supply the evidence packet, or is this a self-serve resource?

Both. The checklist is freely usable. For Fusion-managed accounting-firm clients, we supply the documented evidence packet against each control family, refreshed at each quarterly business review and on-demand for insurer questionnaires or CPA Canada reviews. The evidence packet typically includes the dated backup-restore test log, MFA enforcement reports, EDR coverage matrix, sensitivity-label deployment status, and the incident-response runbook signed by the firm’s designated partner.

Get the PDF version

Want the printable PDF of this checklist for partner-meeting use? Book a 30-minute walk-through and we’ll send it after the call along with a quick gap-analysis on your current stack.

Book a Consultation