CRA EFILE IT Controls Checklist for Canadian Tax Preparers (2026 Update)

A working IT controls map for Canadian tax preparers and CPA firms registering or renewing CRA EFILE in 2026, including the new software-specific control that begins enforcing in February 2026 and the eight control families a small or mid-market practice should have documented before a CRA suitability review.

Written for solo CPAs, 3 to 15-preparer firms, and mid-market CPA practices running CCH iFirm, CaseWare, TaxCycle, ProFile, or TaxPrep. CISSP-led, CPA Canada cybersecurity-guidance aligned, and built for a CRA EFILE-suitability evidence packet you can hand a CRA reviewer without scrambling.


Best fit for solo CPAs, 3 to 15-preparer firms, and Canadian CPA practices renewing EFILE for the 2026 program.

What changed in February 2026

According to the Canada Revenue Agency (2026), starting February 2026 every EFILE account is bound to one or more designated CRA-certified T1 and T3 software products, and any return transmitted with unregistered software is automatically refused. The CRA stated this software-specific control is designed to limit the operational usefulness of compromised EFILE credentials.

The most material CRA EFILE change of the 2026 program year is the new software-specific control that begins enforcing in February 2026. EFILE credentials no longer function independently of tax software. Each EFILE account is now bound to one or more designated CRA-certified T1 and T3 software products, and when a return is transmitted the CRA validates both the EFiler’s credentials and the specific software used. If the software does not match what is registered to the account, the transmission is refused.

For existing EFILE registrants, the linkage is established during the 2025 EFILE renewal cycle, with the CRA automatically associating an account with software products based on prior filing history. New applicants select their intended software during initial registration and screening, and any later software change runs through the EFILE Helpdesk rather than self-service. Multiple certified products can be tied to a single EFILE account if each one is approved in advance.

The scope is broader than current-year T1 work. The restriction also applies to amended returns, late filings, and trust filings for prior years. A return transmitted with unregistered software is refused regardless of the filing year.

Why the CRA is doing this: the stated goal is to limit the usefulness of compromised EFILE credentials. If a credential is phished or sold, an attacker cannot transmit fraudulent returns through arbitrary software because the EFILE-to-software binding rejects the submission. The practical implication for IT is that the software you let a preparer install is now a CRA-relevant control, not just an internal procurement decision. Sources: Canadian Accountant (canadian-accountant.com), Mondaq (Canadian tax authorities coverage), TaxCycle.com, TaxPage.com, Canada.ca EFILE program updates.

If you need help mapping the February 2026 software-binding rule to your firm’s endpoint and EFILE policy stack, talk to a CRA-EFILE-aware IT specialist.

The 8 control categories CRA EFILE-registered preparers must document

According to the Office of the Privacy Commissioner of Canada (2024), PIPEDA requires every Canadian organization handling personal information to implement physical, organizational, and technological safeguards proportionate to the sensitivity of the data, with mandatory breach notification when there is a real risk of significant harm. The eight CRA EFILE control families below operationalize PIPEDA’s safeguard obligation for the tax-preparer context.

CRA EFILE suitability screening is the controls audit the CRA performs before approving or renewing an EFILE registration. The published guidance does not read like a NIST control catalogue, but the practical evidence a CRA reviewer asks for clusters into eight families. These are the families we build the documented controls inventory around for every CPA practice we onboard.

1. Data protection at rest and in transit: Disk-level encryption on every device that touches taxpayer data (BitLocker on Windows, FileVault on macOS), TLS 1.2 or higher on every system that exchanges data with the CRA, encrypted backup with tested restore.
2. Multi-factor authentication: MFA enforced on every account that touches the CRA, the tax software, the practice-management platform, the firm email, and any cloud file store containing client data. No shared logins, no MFA bypass for principals.
3. Encryption of taxpayer data: Encrypted at rest in Microsoft 365 or equivalent, encrypted in transit on every channel where client information moves, encrypted client-portal exchange instead of plain email attachments for T-slips and engagement files.
4. Secure storage and access control: Role-based access to engagement folders, named-user accounts for every preparer and admin, conditional access blocking sign-ins from unmanaged devices, sensitivity labels on the most sensitive taxpayer records.
5. Breach notification and incident response: Written incident response runbook with the CRA EFILE Helpdesk notification path, PIPEDA breach-notification workflow, mandatory privacy-breach reporting to the Privacy Commissioner where the threshold is met.
6. Vendor and software due diligence: Inventory of every vendor that touches taxpayer data, including the new CRA-required list of designated tax software products tied to the EFILE account. Vendor SOC 2 / ISO 27001 evidence on file.
7. Access logging and audit trail: Audit-log retention on Microsoft 365 or the equivalent identity platform, mailbox auditing for forwarding-rule changes, CRA Represent a Client access tied to a named individual rather than a shared mailbox.
8. Business continuity and tested restore: Backup retention covering at least the current tax year and the prior reassessment window, restore tests performed and documented at least annually, business continuity plan covering a ransomware-style outage during tax season.

None of these eight families is novel for IT, but the discipline required is documenting them at the same time, in writing, with evidence a CRA reviewer can read. The most common gap we see is not the absence of controls; it is the absence of a documented evidence packet that proves the controls were running on a specific date.

Practical IT controls map for a small Canadian tax-prep practice

According to the Canadian Centre for Cyber Security (2024), the Baseline Cyber Security Controls for Small and Medium Organizations names MFA enforcement, automated patching, EDR, configured backups with tested restore, and identity-based access control as the foundational discipline every Canadian small business should run. The control map below operationalizes that baseline for a 1 to 15-user Canadian tax-prep practice under CRA EFILE registration.

For a 1 to 15-user CPA or tax-prep firm, the eight control families above translate into a fairly compact technical stack. The mapping below is what we deploy at most accounting-firm onboardings, with the vendor names that show up most often in the Canadian market.

Data at rest encryption: BitLocker enforced on every Windows workstation via Microsoft Intune. FileVault enforced on every Mac. Server-side encryption on Microsoft 365 by default. SQL Server TDE on any on-premise practice-management database. Encrypted at rest is the default state of every device that touches taxpayer data.
Multi-factor authentication: Microsoft Entra ID conditional access requiring MFA on every sign-in to the firm tenant. Authenticator app preferred over SMS. CRA Represent a Client access tied to a named individual’s personal CRA credential, not a shared mailbox or a partner login. Tax software (CCH iFirm, CaseWare Cloud, TaxCycle Connect, ProFile, Karbon, Liscio) configured to honour the same identity.
Encryption in transit and secure client exchange: TLS 1.2 or higher across the board. Liscio, SmartVault, or Microsoft 365 secure-link sharing for T-slip and engagement-file exchange. Plain-email PDF attachments of returns become a documented exception with a reason, not the default workflow.
Secure storage and access control: SharePoint engagement sites scoped at the engagement level with role-based access. Microsoft Purview sensitivity labels on the most sensitive client folders (large-balance T1s, owner-managed T2s, family-trust T3s, voluntary disclosures). Conditional access policies blocking sign-ins from non-managed devices and from countries outside the firm’s operating geography by default.
Breach notification and incident response: Written incident response plan covering CRA EFILE Helpdesk notification, PIPEDA breach notification to the Privacy Commissioner where the “real risk of significant harm” threshold is met, internal partner-board notification, and client notification if required. Annual tabletop exercise to make sure the runbook still matches the firm’s stack.
Vendor and software due diligence: Vendor inventory covering Microsoft 365, the tax software stack, the practice-management system, the client portal, the backup vendor, and any niche add-ons. SOC 2 Type II or ISO 27001 evidence on file where the vendor publishes it. Tax-software list cross-referenced against the CRA-designated software linked to the EFILE account post-February 2026.
Access logging and audit trail: Microsoft 365 audit log retention at the highest tier the firm’s licensing allows, mailbox auditing for forwarding-rule changes, CRA Represent a Client and EFILE web logins reviewed monthly. Anything that moves taxpayer data is logged, and the logs are retained at least for the reassessment window.
Business continuity and tested restore: Encrypted backup of Microsoft 365, the practice-management database, and any on-premise file shares. Quarterly restore test on at least one critical dataset, with the result documented. Ransomware-specific tabletop run once a year. Tax-season-specific BC plan covering what the firm does if the practice-management system is unavailable in the last two weeks of T1 season.
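The "Access logging and audit trail" row above (and family 7 in the eight-family list) calls for mailbox auditing of forwarding-rule changes and a monthly review. The script below is an added example, not code from the page or from Fusion, of what that monthly review can produce as dated evidence. It assumes the ExchangeOnlineManagement module, an admin with Exchange audit-reader rights, and a firm mail domain, 30-day window and output folder that are placeholders here.

```powershell
# Added example (not the page's or Fusion's tooling): monthly review of Exchange Online
# forwarding. Lists mailbox-level forwarding and user inbox rules that forward or
# redirect mail, then pulls the audit-log events that created or changed them.
param(
    [string]$FirmDomain   = 'example-cpa.invalid',           # placeholder: the firm's own mail domain
    [int]$LookbackDays    = 30,                              # assumed review window
    [string]$OutDir       = "$env:USERPROFILE\EFILE-evidence" # assumed evidence folder
)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName

    # 1. Mailbox-level forwarding. ForwardingSmtpAddress is an SMTP target (external if
    #    it is not on the firm domain); ForwardingAddress is an internal recipient and
    #    is listed for review rather than judged by domain.
    if ($_.ForwardingSmtpAddress) {
        $external = $_.ForwardingSmtpAddress -notlike "*@$FirmDomain"
        $findings.Add([pscustomobject]@{
            Mailbox = $upn; Kind = 'MailboxForwarding'; External = $external
            Target = "$($_.ForwardingSmtpAddress)"; Rule = '' })
    }
    if ($_.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $upn; Kind = 'MailboxForwarding'; External = 'review'
            Target = "$($_.ForwardingAddress)"; Rule = '' })
    }

    # 2. User-created inbox rules that forward or redirect; a phished preparer account
    #    typically shows up here before anyone notices the compromise.
    Get-InboxRule -Mailbox $upn | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
        $findings.Add([pscustomobject]@{
            Mailbox = $upn; Kind = 'InboxRule'; External = 'review'
            Target = ($targets -join '; '); Rule = $_.Name })
    }
}

# 3. Who created or changed forwarding in the review window, from the unified audit log.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$changes = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    Select-Object CreationDate, UserIds, Operations

# Dated CSVs are the artifacts the controls inventory points at for this family.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = $end.ToString('yyyy-MM-dd')
$findings | Export-Csv -NoTypeInformation -Path "$OutDir\forwarding-findings-$stamp.csv"
$changes  | Export-Csv -NoTypeInformation -Path "$OutDir\forwarding-changes-$stamp.csv"
"$($findings.Count) forwarding finding(s); $(@($changes).Count) rule/mailbox change event(s) in the last $LookbackDays days"
Disconnect-ExchangeOnline -Confirm:$false
```

Search-UnifiedAuditLog only returns results if unified audit logging is enabled on the tenant, which is itself one of the retention settings this family expects to be on.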

For a printable, CRA-audit-ready evidence map covering all eight control families, request the EFILE controls toolkit.

Common audit findings and how to avoid them

According to the Canadian Anti-Fraud Centre (2024), identity-fraud reports involving compromised tax-preparer credentials are a recurring pattern in Canadian fraud telemetry, and accounting and tax-prep firms appear repeatedly as high-value targets during T1 and T2 deadline weeks. The six audit-finding patterns below are the gaps most commonly exploited in those incidents.

The CRA does not publish a public list of EFILE suitability findings, but the patterns we see across Canadian accounting-firm onboardings are repetitive. These are the six most common gaps a CRA reviewer or an internal audit walks into, and the fix posture for each.

Shared CRA logins between partners and admin staff: One of the most common findings. Every CRA Represent a Client login should be tied to a named individual. Shared credentials are a near-automatic suitability concern. Fix: deprovision shared accounts, issue named credentials, document the change.
MFA enforced on email but not on tax software or practice management: Surprisingly common in firms that adopted M365 MFA early but never extended it to CCH iFirm, CaseWare Cloud, TaxCycle Connect, or the practice-management portal. Fix: extend MFA enforcement to every system that touches client data, not just email.
Backup runs but restore has never been tested: Backup without a restore test is the most common business-continuity finding. CRA suitability and PIPEDA both expect tested restore, not just retention. Fix: perform a quarterly restore test on a non-production environment and document the result.
Plain-email PDF return delivery as the default: Sending the final T1 PDF by plain email attachment with no encryption or secure-portal alternative is the most common in-transit gap. Fix: deploy Liscio, SmartVault, or M365 secure-link sharing and make plain-email delivery an opt-in exception with a documented reason.
No written incident response or breach notification runbook: Firms often have antivirus and EDR running but no written incident-response plan. Fix: write a one-page runbook covering CRA EFILE Helpdesk notification, PIPEDA breach notification, internal escalation, and client notification. Update it at least annually.
Tax software installed by an associate without IT review: Newly relevant after the February 2026 software-specific control. A preparer who installs an unregistered tax product on their own workstation can trigger transmission failures. Fix: route all tax-software installs through IT, and reconcile the install list against the CRA-designated software tied to the EFILE account.
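The last finding above asks for a reconciliation of what is installed against the CRA-designated software tied to the EFILE account. The script below is an added example (not the page's or Fusion's code) of that check run on one Windows workstation. The designated-product patterns and the tax-product patterns are constructed placeholders and must be replaced with the products actually registered to your EFILE account; the output folder is also an assumption.

```powershell
# Added example (not the page's or Fusion's tooling): per-workstation reconciliation of
# installed tax software against the products registered to the firm's EFILE account.
# Intended to run under Intune or an RMM so the dated JSON can sit in the evidence packet.
param(
    # PLACEHOLDER: display-name patterns of the products registered to the EFILE account.
    [string[]]$DesignatedPatterns = @('TaxCycle*', 'ProFile*'),
    # Display-name patterns that identify any Canadian tax product, designated or not
    # (constructed list; extend it with whatever your preparers have historically used).
    [string[]]$TaxProductPatterns = @('TaxCycle*', 'ProFile*', 'Taxprep*', 'CCH iFirm*', 'UFile*', 'Cantax*'),
    [string]$OutDir = "$env:ProgramData\EFILE-evidence"   # assumed evidence folder
)

# Installed software is read from the per-machine and per-user Uninstall keys. HKCU only
# reflects the signed-in user when the script runs in that user's context, not as SYSTEM.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique

function Test-Matches([string]$Name, [string[]]$Patterns) {
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

# Tax products present on the box, and the subset that is not on the designated list.
$taxProducts  = @($installed | Where-Object { Test-Matches $_.DisplayName $TaxProductPatterns })
$unregistered = @($taxProducts | Where-Object { -not (Test-Matches $_.DisplayName $DesignatedPatterns) })

# Designated products that are registered to the account but absent from this workstation
# (informational: a preparer may legitimately use only one of several registered products).
$designatedMissing = @($DesignatedPatterns | Where-Object {
    $pattern = $_
    -not ($installed | Where-Object { $_.DisplayName -like $pattern })
})

$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    CheckedAt           = (Get-Date).ToString('o')
    TaxProductsFound    = @($taxProducts  | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" })
    UnregisteredTaxApps = @($unregistered | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" })
    DesignatedNotFound  = $designatedMissing
    Status              = if ($unregistered.Count -gt 0) { 'FAIL: unregistered tax software present' } else { 'PASS' }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$OutDir\tax-software-$($env:COMPUTERNAME).json"
$report | Format-List

# Non-zero exit lets an Intune remediation or RMM policy flag the device for IT follow-up.
exit $(if ($unregistered.Count -gt 0) { 1 } else { 0 })
```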

What this costs to implement and operate

According to CPA Canada (2024), Cyber Security: Establishing a Risk Management Program directs every Canadian CPA firm to fund cybersecurity as an ongoing operating-cost line rather than a one-off project, with controls spend scaled to the sensitivity of the client data the firm handles. The pricing below treats EFILE-aligned cybersecurity as part of the monthly managed-IT spend, not a tax-season add-on.

The honest answer is that the CRA EFILE control set rarely justifies a separate “EFILE compliance” line on the IT bill. The eight families are the same controls a CPA Canada-aligned managed-IT engagement deploys for any small Canadian accounting practice, so the cost lives inside the regular monthly managed-IT spend.

A solo CPA or 2-staff tax-prep practice typically lands at $500 to $1,200 per month for fully managed IT and cybersecurity that produces a defensible CRA EFILE evidence packet. That covers Microsoft 365 administration, MFA enforcement, conditional access, encrypted backup with tested restore, sensitivity-label deployment, EDR on every device, helpdesk, and a documented controls inventory.

A small Canadian CPA firm of 3 to 15 preparers and admin staff typically lands at $1,500 to $3,400 per month under the same scope. The headline drivers are the per-user M365 licensing tier (Business Premium or higher for the sensitivity-label and conditional-access features), EDR licensing, the client-portal subscription (Liscio, SmartVault, or equivalent), and the managed-IT engagement itself.

A mid-market firm of 16 to 60 staff covering one or two satellite offices typically lands at $3,500 to $7,500 per month, with the higher end of that range capturing firms that need Microsoft Purview eDiscovery (Premium), advanced audit log retention, manufacturing or finance-sector integration, or a documented vCIO engagement to back the partner-board on quarterly risk-posture reviews. Cybersecurity is included in the baseline. There is no separate “tax-season compliance pack” or “CRA EFILE surcharge.” Software licensing on the tax-product side (CCH iFirm, CaseWare Cloud, TaxCycle Connect) flows through without a Fusion markup. For a per-firm quote scoped to your software stack and headcount, request a costed scoping conversation.

“The February 2026 EFILE update meant our shared Represent a Client login was a CRA risk overnight. Fusion turned on per-preparer MFA, BitLocker on every TaxCycle workstation, and built our audit-logging pack the CRA suitability team actually wanted to see. We renewed EFILE on the first submission and our partner stopped losing sleep over preparer turnover.”

Operations Director, 24-person tax-prep firm, Burlington.

Talk to a CRA-EFILE-aware IT specialist

Thirty-minute walk-through of your firm’s current stack, the eight CRA EFILE control families you need documented, and the February 2026 software-specific control implications for your tax-software inventory. No charge, no obligation.


Frequently asked questions about CRA EFILE IT controls

What does CRA EFILE require for IT controls in 2026?

CRA EFILE expects an EFILE-registered preparer to operate a documented set of IT controls covering data protection, multi-factor authentication, encryption, secure storage and access control, breach notification, vendor and software due diligence, access logging, and business continuity. The 2026 program year adds a software-specific control that locks each EFILE account to one or more designated CRA-certified T1 and T3 tax software products beginning in February 2026. The CRA validates both the EFiler’s credentials and the software used at transmission time, and refuses returns transmitted with unregistered software.

Are the Feb 2026 software-specific controls mandatory for all registered preparers?

Yes. The software-specific control applies across the EFILE population, not just to new registrations. For existing EFILE registrants, the CRA establishes the software linkage during the 2025 EFILE renewal cycle, automatically associating an EFILE account with the software products that account has used historically. New applicants select their intended software during the initial registration and screening process. Multiple certified products can be tied to one EFILE account if approved in advance, and any later change to that software list runs through the EFILE Helpdesk rather than being self-service.

How does Microsoft 365 and Entra ID conditional access map to CRA EFILE suitability screening?

Microsoft 365 with Entra ID conditional access covers most of the suitability-screening expectations on identity, access, and audit. MFA enforcement via Entra ID covers the multi-factor authentication family. Conditional access policies cover device compliance, geographic restrictions, and unmanaged-device blocking under the secure storage and access control family. M365 audit log retention covers the access logging family. Microsoft Purview sensitivity labels and data loss prevention extend the encryption and secure-storage families to specific high-sensitivity engagement folders. The combination is not the only way to meet the bar, but it is the most common stack we deploy at Canadian CPA firms because the licensing economics line up and the audit-evidence export is straightforward.
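The answer above says the conditional access policy export is the usual evidence for the MFA and access-control families. The script below is an added example (not the page's or Fusion's tooling) that exports the policies through the Microsoft Graph PowerShell SDK and summarizes the two gaps a reviewer asks about first: no enforced policy requiring MFA for all users, and no enforced policy acting on unmanaged devices. It assumes the SDK is installed, the admin can consent to Policy.Read.All, and an output folder that is a placeholder.

```powershell
# Added example (not the page's or Fusion's tooling): export Entra ID conditional access
# policies for the evidence packet and flag the MFA and device-control gaps.
param([string]$OutDir = "$env:USERPROFILE\EFILE-evidence")   # assumed evidence folder

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabled  = @($policies | Where-Object { $_.State -eq 'enabled' })

# "MFA for everyone": enforced, scoped to all users and all cloud apps, and granting
# access only with MFA or an authentication-strength requirement. Report-only policies
# do not count, which is why they are listed separately below.
$mfaForAll = @($enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $null -ne $_.GrantControls.AuthenticationStrength)
})

# "Acts on unmanaged devices": requires a compliant or hybrid-joined device, which is
# what the control map means by blocking sign-ins from non-managed devices.
$managedDevice = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
    $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice'
})

$summary = [pscustomobject]@{
    ExportedAt            = (Get-Date).ToString('o')
    PolicyCount           = $policies.Count
    EnabledCount          = $enabled.Count
    ReportOnlyPolicies    = @($policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
                              Select-Object -ExpandProperty DisplayName)
    MfaForAllUsersPolicy  = @($mfaForAll     | Select-Object -ExpandProperty DisplayName)
    ManagedDevicePolicies = @($managedDevice | Select-Object -ExpandProperty DisplayName)
    Findings              = @(
        if ($mfaForAll.Count -eq 0)     { 'No enabled policy requires MFA for all users on all cloud apps' }
        if ($managedDevice.Count -eq 0) { 'No enabled policy requires a compliant or hybrid-joined device' }
    )
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = (Get-Date).ToString('yyyy-MM-dd')
# The full export is the artifact; the summary is the cover page a reviewer reads first.
$policies | ConvertTo-Json -Depth 10 | Set-Content -Path "$OutDir\conditional-access-export-$stamp.json"
$summary  | ConvertTo-Json -Depth 4  | Set-Content -Path "$OutDir\conditional-access-summary-$stamp.json"
$summary | Format-List
Disconnect-MgGraph | Out-Null
```

Policies that exclude a break-glass account from the "All users" scope still report IncludeUsers as All, so the exclusions in the full export should be reviewed by hand.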

What if I get a CRA EFILE suitability review: what evidence do I need ready?

A documented controls inventory covering the eight families above, with evidence for each. The most useful artifacts: a written information security policy or controls summary, the M365 conditional access policy export, the MFA enforcement report, the EDR coverage report, the encrypted-backup retention and restore-test log, the sensitivity-label deployment report, the vendor inventory with SOC 2 / ISO 27001 evidence where available, the incident response runbook, and the list of designated tax software tied to the EFILE account post-February 2026. The CRA does not publish a fixed evidence packet template, so the goal is to assemble a binder a reviewer can read and conclude that the controls are documented, deployed, and tested.

Can a managed IT provider provide a CRA EFILE controls compliance pack?

Yes, that is one of the more common deliverables a Canadian managed-IT provider produces for CPA firm clients. At Fusion, the controls inventory is part of every accounting-firm engagement, and we produce the evidence packet as an export-ready document the firm can hand to a CRA reviewer or to a sophisticated client’s due-diligence request. The MSP cannot register the EFILE account on the firm’s behalf, and the suitability obligation remains with the registered EFiler, but the IT artifacts that prove the controls were running are something the MSP can carry end-to-end.

Are the Feb 2026 controls retroactive: do I have to remediate before tax season?

The software-specific control becomes enforcing in February 2026 and applies to current-year and prior-year transmissions through EFILE, including amended returns, late filings, and trust filings for prior years. The practical implication is that a return transmitted with software that is not on the EFILE account’s registered software list will be refused regardless of which tax year the return covers. There is no “legacy software grandfather” that we have seen documented. The remediation pattern most firms run is to reconcile the actual tax-software inventory against the CRA-registered list during the 2025 renewal cycle and make any change requests through the EFILE Helpdesk before T1 season opens.

How do these controls interact with PIPEDA and provincial privacy law?

Considerable overlap. PIPEDA imposes safeguards, breach-notification, and accountability obligations on every Canadian private-sector organization that handles personal information, and tax data is squarely within scope. Quebec’s Law 25 adds stricter consent, transparency, and breach-notification rules for Quebec residents. The eight CRA EFILE control families above also satisfy the technical safeguards a PIPEDA breach assessment looks for, and the written incident response runbook covers both the CRA EFILE Helpdesk notification path and the PIPEDA breach-notification path. For firms with Quebec clients or staff, the Law 25 additions live inside the same documented controls inventory, with the consent and transparency components added on the practice-management side. See our PIPEDA compliance guide for the full mapping.