CRA EFILE IT Controls Checklist for Canadian Tax Preparers (2026 Update)

A working IT controls map for Canadian tax preparers and CPA firms registering or renewing CRA EFILE in 2026, including the new software-specific control that begins enforcing in February 2026 and the eight control families a small or mid-market practice should have documented before a CRA suitability review.

Written for solo CPAs, 3 to 15-preparer firms, and mid-market CPA practices running CCH iFirm, CaseWare, TaxCycle, ProFile, or TaxPrep. CISSP-led, CPA Canada cybersecurity-guidance aligned, and built for a CRA EFILE-suitability evidence packet you can hand a CRA reviewer without scrambling.

Feb 2026: software-specific control live
8 control families: documented and testable
CISSP-certified: security leadership
PIPEDA-aware: private-sector privacy aligned

Best fit for solo CPAs, 3 to 15-preparer firms, and Canadian CPA practices renewing EFILE for the 2026 program.

What changed in February 2026

According to the Canada Revenue Agency (2026), starting February 2026 every EFILE account is bound to one or more designated CRA-certified T1 and T3 software products, and any return transmitted with unregistered software is automatically refused. The CRA stated this software-specific control is designed to limit the operational usefulness of compromised EFILE credentials.

The most material CRA EFILE change of the 2026 program year is the new software-specific control that begins enforcing in February 2026. EFILE credentials no longer function independently of tax software. Each EFILE account is now bound to one or more designated CRA-certified T1 and T3 software products, and when a return is transmitted the CRA validates both the EFiler’s credentials and the specific software used. If the software does not match what is registered to the account, the transmission is refused.

For existing EFILERs, the linkage is established during the 2025 EFILE renewal cycle, with the CRA automatically associating an account with software products based on prior filing history. New applicants select their intended software during initial registration and screening, and any later software change runs through the EFILE Helpdesk rather than self-service. Multiple certified products can be tied to a single EFILE account if each one is approved in advance.

The scope is broader than current-year T1 work. The restriction also applies to amended returns, late filings, and trust filings for prior years. A return transmitted with unregistered software is refused regardless of the filing year.

If you need help mapping the February 2026 software-binding rule to your firm’s endpoint and EFILE policy stack, talk to a CRA-EFILE-aware IT specialist.

The 8 control categories CRA EFILE-registered preparers must document

“CRA EFILE is not just a login, it is a custodial responsibility for other people’s tax data. The failures I see at tax-prep shops are mundane: shared EFILE credentials, no MFA on the preparer’s Microsoft 365, and T1 files in a personal OneDrive. Document who can touch EFILE, enforce MFA, and keep the audit log, and most of the CRA control expectations fall into place.”

Mike Pearlstein, CISSP, CEO and CISO, Fusion Computing

CRA EFILE suitability screening is the controls audit the CRA performs before approving or renewing an EFILE registration. The published guidance does not read like a NIST control catalogue, but the practical evidence a CRA reviewer asks for clusters into eight families. These are the families we build the documented controls inventory around for every CPA practice we onboard.

1. Data protection at rest and in transit: Disk-level encryption on every device that touches taxpayer data (BitLocker on Windows, FileVault on macOS), TLS 1.2 or higher on every system that exchanges data with the CRA, encrypted backup with tested restore.
2. Multi-factor authentication: MFA enforced on every account that touches the CRA, the tax software, the practice-management platform, the firm email, and any cloud file store containing client data. No shared logins, no MFA bypass for principals.
3. Encryption of taxpayer data: Encrypted at rest in Microsoft 365 or equivalent, encrypted in transit on every channel where client information moves, encrypted client-portal exchange instead of plain email attachments for T-slips and engagement files.
4. Secure storage and access control: Role-based access to engagement folders, named-user accounts for every preparer and admin, conditional access blocking sign-ins from unmanaged devices, sensitivity labels on the most sensitive taxpayer records.
5. Breach notification and incident response: Written incident response runbook with the CRA EFILE Helpdesk notification path, PIPEDA breach-notification workflow, mandatory privacy-breach reporting to the Privacy Commissioner where the threshold is met.
6. Vendor and software due diligence: Inventory of every vendor that touches taxpayer data, including the new CRA-required list of designated tax software products tied to the EFILE account. Vendor SOC 2 / ISO 27001 evidence on file.
7. Access logging and audit trail: Audit-log retention on Microsoft 365 or the equivalent identity platform, mailbox auditing for forwarding-rule changes, CRA Represent a Client access tied to a named individual rather than a shared mailbox.
8. Business continuity and tested restore: Backup retention covering at least the current tax year and the prior reassessment window, restore tests performed and documented at least annually, business continuity plan covering a ransomware-style outage during tax season.

None of these eight families is novel for IT, but the discipline required is documenting them at the same time, in writing, with evidence a CRA reviewer can read. The most common gap we see is not the absence of controls; it is the absence of a documented evidence packet that proves the controls were running on a specific date.

Practical IT controls map for a small Canadian tax-prep practice

For a 1 to 15-user CPA or tax-prep firm, the eight control families above translate into a fairly compact technical stack. The mapping below is what we deploy at most accounting-firm onboardings, with the vendor names that show up most often in the Canadian market.

Data at rest encryption: BitLocker enforced on every Windows workstation via Microsoft Intune. FileVault enforced on every Mac. Server-side encryption on Microsoft 365 by default. SQL Server TDE on any on-premise practice-management database. Encrypted at rest is the default state of every device that touches taxpayer data.
Multi-factor authentication: Microsoft Entra ID conditional access requiring MFA on every sign-in to the firm tenant. Authenticator app preferred over SMS. CRA Represent a Client access tied to a named individual’s personal CRA credential, not a shared mailbox or a partner login. Tax software (CCH iFirm, CaseWare Cloud, TaxCycle Connect, ProFile, Karbon, Liscio) configured to honour the same identity.
Encryption in transit and secure client exchange: TLS 1.2 or higher across the board. Liscio, SmartVault, or Microsoft 365 secure-link sharing for T-slip and engagement-file exchange. Plain-email PDF attachments of returns become a documented exception with a reason, not the default workflow.
Secure storage and access control: SharePoint engagement sites scoped at the engagement level with role-based access. Microsoft Purview sensitivity labels on the most sensitive client folders (large-balance T1s, owner-managed T2s, family-trust T3s, voluntary disclosures). Conditional access policies blocking sign-ins from non-managed devices and from countries outside the firm’s operating geography by default.
Breach notification and incident response: Written incident response plan covering CRA EFILE Helpdesk notification, PIPEDA breach notification to the Privacy Commissioner where the “real risk of significant harm” threshold is met, internal partner-board notification, and client notification if required. Annual tabletop exercise to make sure the runbook still matches the firm’s stack.
Vendor and software due diligence: Vendor inventory covering Microsoft 365, the tax software stack, the practice-management system, the client portal, the backup vendor, and any niche add-ons. SOC 2 Type II or ISO 27001 evidence on file where the vendor publishes it. Tax-software list cross-referenced against the CRA-designated software linked to the EFILE account post-February 2026.
Access logging and audit trail: Microsoft 365 audit log retention at the highest tier the firm’s licensing allows, mailbox auditing for forwarding-rule changes, CRA Represent a Client and EFILE web logins reviewed monthly. Anything that moves taxpayer data is logged, and the logs are retained at least for the reassessment window.
Business continuity and tested restore: Encrypted backup of Microsoft 365, the practice-management database, and any on-premise file shares. Quarterly restore test on at least one critical dataset, with the result documented. Ransomware-specific tabletop run once a year. Tax-season-specific BC plan covering what the firm does if the practice-management system is unavailable in the last two weeks of T1 season.
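The "mailbox auditing for forwarding-rule changes" item above is the one piece of the audit-trail family that is easiest to operationalise as a monthly review. The script below is an added example, not Fusion Computing's tooling: it walks Exchange records in the shape of Microsoft 365 unified audit log AuditData JSON (the records here are constructed, with an assumed firm domain of example-cpa.ca) and flags inbox-rule or mailbox changes that forward mail, rating any destination outside the firm's domains as high severity.

```python
import json

# Constructed sample records shaped like unified audit log AuditData for
# Exchange cmdlet operations. Names, addresses and times are made up.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2026-02-03T14:12:09", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "jsmith@example-cpa.ca",
                "Parameters": [{"Name": "Name", "Value": "T1 slips"},
                               {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-02-03T15:40:55", "Workload": "Exchange",
                "Operation": "Set-Mailbox", "UserId": "admin@example-cpa.ca",
                "Parameters": [{"Name": "Identity", "Value": "partner@example-cpa.ca"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:partner@example-cpa.ca"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-02-04T09:01:30", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "tax1@example-cpa.ca",
                "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

FIRM_DOMAINS = {"example-cpa.ca"}  # assumed firm domain for the example
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Cmdlet parameters that cause mail to leave the original mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

def _is_external(value, firm_domains):
    # Values may be a bare address, an "smtp:" prefixed address, or a ';' list.
    for addr in value.replace("smtp:", "").split(";"):
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in firm_domains:
            return True
    return False

def find_forwarding_changes(audit_data_records, firm_domains=FIRM_DOMAINS):
    """Return one finding per audit record that adds or changes mail forwarding."""
    findings = []
    for raw in audit_data_records:
        rec = json.loads(raw)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        fwd = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if not fwd:
            continue  # rule or mailbox change that does not forward mail
        external = any(_is_external(v, firm_domains) for v in fwd.values())
        findings.append({"time": rec["CreationTime"], "actor": rec["UserId"],
                         "operation": rec["Operation"], "targets": fwd,
                         "external": external,
                         "deletes_original": params.get("DeleteMessage") == "True",
                         "severity": "high" if external else "review"})
    return findings
```

Internal forwards still land in the review queue because a partner-to-partner forward is exactly what a shared-mailbox workaround looks like; the reviewer signs off on each one and the signed list becomes the month's evidence-packet entry.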

For a printable, CRA-audit-ready evidence map covering all eight control families, request the EFILE controls toolkit.

Common audit findings and how to avoid them

According to the Canadian Anti-Fraud Centre (2024), identity-fraud reports involving compromised tax-preparer credentials are a recurring pattern in Canadian fraud telemetry, and accounting and tax-prep firms appear repeatedly as high-value targets during T1 and T2 deadline weeks. The six audit-finding patterns below are the gaps most commonly exploited in those incidents.

The CRA does not publish a public list of EFILE suitability findings, but the patterns we see across Canadian accounting-firm onboardings are repetitive. These are the six most common gaps a CRA reviewer or an internal audit walks into, and the fix posture for each.

Shared CRA logins between partners and admin staff: One of the most common findings. Every CRA Represent a Client login should be tied to a named individual. Shared credentials are a near-automatic suitability concern. Fix: deprovision shared accounts, issue named credentials, document the change.
MFA enforced on email but not on tax software or practice management: Surprisingly common in firms that adopted M365 MFA early but never extended it to CCH iFirm, CaseWare Cloud, TaxCycle Connect, or the practice-management portal. Fix: extend MFA enforcement to every system that touches client data, not just email.
Backup runs but restore has never been tested: Backup without a restore test is the most common business-continuity finding. CRA suitability and PIPEDA both expect tested restore, not just retention. Fix: perform a quarterly restore test on a non-production environment and document the result.
Plain-email PDF return delivery as the default: Sending the final T1 PDF by plain email attachment with no encryption or secure-portal alternative is the most common in-transit gap. Fix: deploy Liscio, SmartVault, or M365 secure-link sharing and make plain-email delivery an opt-in exception with a documented reason.
No written incident response or breach notification runbook: Firms often have antivirus and EDR running but no written incident-response plan. Fix: write a one-page runbook covering CRA EFILE Helpdesk notification, PIPEDA breach notification, internal escalation, and client notification. Update it at least annually.
Tax software installed by an associate without IT review: Newly relevant after the February 2026 software-specific control. A preparer who installs an unregistered tax product on their own workstation can trigger transmission failures. Fix: route all tax-software installs through IT, and reconcile the install list against the CRA-designated software tied to the EFILE account.

What this costs to implement and operate

According to CPA Canada (2024), Cyber Security: Establishing a Risk Management Program directs every Canadian CPA firm to fund cybersecurity as an ongoing operating-cost line rather than a one-off project, with controls spend scaled to the sensitivity of the client data the firm handles. The pricing below treats EFILE-aligned cybersecurity as part of the monthly managed-IT spend, not a tax-season add-on.

The honest answer is that the CRA EFILE control set rarely justifies a separate “EFILE compliance” line on the IT bill. The eight families are the same controls a CPA Canada-aligned managed-IT engagement deploys for any small Canadian accounting practice, so the cost lives inside the regular monthly managed-IT spend.

A solo CPA or 2-staff tax-prep practice typically lands at $500 to $1,200 per month for fully managed IT and cybersecurity that produces a defensible CRA EFILE evidence packet. That covers Microsoft 365 administration, MFA enforcement, conditional access, encrypted backup with tested restore, sensitivity-label deployment, EDR on every device, helpdesk, and a documented controls inventory.

A small Canadian CPA firm of 3 to 15 preparers and admin staff typically lands at $1,500 to $3,400 per month under the same scope. The headline drivers are the per-user M365 licensing tier (Business Premium or higher for the sensitivity-label and conditional-access features), EDR licensing, the client-portal subscription (Liscio, SmartVault, or equivalent), and the managed-IT engagement itself.

“The February 2026 EFILE update meant our shared Represent a Client login was a CRA risk overnight. Fusion turned on per-preparer MFA, BitLocker on every TaxCycle workstation, and built our audit-logging pack the CRA suitability team actually wanted to see. We renewed EFILE on the first submission and our partner stopped losing sleep over preparer turnover.”

Operations Director, 24-person tax-prep firm, Burlington.

Talk to a CRA-EFILE-aware IT specialist

Thirty-minute walk-through of your firm’s current stack, the eight CRA EFILE control families you need documented, and the February 2026 software-specific control implications for your tax-software inventory. No charge, no obligation.


Frequently asked questions about CRA EFILE IT controls

What does CRA EFILE require for IT controls in 2026?
Are the Feb 2026 software-specific controls mandatory for all registered preparers?
How do Microsoft 365 and Entra ID conditional access map to CRA EFILE suitability screening?
What if I get a CRA EFILE suitability review: what evidence do I need ready?
Can a managed IT provider provide a CRA EFILE controls compliance pack?
Are the Feb 2026 controls retroactive: do I have to remediate before tax season?
How do these controls interact with PIPEDA and provincial privacy law?
