Serving tax & accounting firms

TAX & ACCOUNTING FIRMS

Be ready when a client, regulator, or buyer says: “Show me.”

Reviewers can’t grade effort—only documented proof. Borealis builds and runs a cyber governance program for tax & accounting firms (11–50 employees).

We keep evidence current in Aurora Command (the compliance portal), so FTC Safeguards expectations are defensible, tax season stays stable, and the last-minute diligence gaps that stall a sale never appear.

Answer “show me” in minutes, not weeks.

Confidential • Built around FTC Safeguards Rule + taxpayer-data expectations • 30 minutes • No obligation

PROGRAM SNAPSHOT

Built for Accounting Reality, Not Generic Compliance

  • Built around FTC Safeguards expectations and real client due‑diligence questions
  • Works alongside your MSP (managed service provider) - we don’t replace helpdesk, tools, or ticketing
  • Evidence-first: every requirement is mapped to proof, assigned an owner, and printable/exportable on demand
  • Built for the moments that matter: E&O renewals, client questionnaires, IRS/FTC scrutiny, and M&A diligence
  • Designed around the calendar: implementation season (May–Aug), readiness season (Aug–Nov), low‑disruption tax season ops

Remote-friendly kickoff. Low disruption for staff.

Good fit if:

  • You handle taxpayer data (SSNs, W‑2s, 1099s, 1040s) and want defensible governance - not scattered screenshots
  • You have an MSP, but “security ownership” is unclear beyond tools
  • You’re moving from compliance work into advisory/CAS and want premium clients to trust your posture
  • You want a clean diligence story as partners exit or private equity asks hard questions

Not a fit if:

  • You want a provider to replace your MSP/helpdesk or run day-to-day IT operations
  • You want “templates only” without operating a living program
  • You’re looking for a one‑time document instead of year‑round defensibility

Your MSP runs IT. Governance and evidence are a different job.

Security tools reduce risk. Governance turns that work into defensible proof. Most firms don’t struggle because controls are missing. They struggle because ownership, decisions, and evidence aren’t documented consistently enough to stand up to scrutiny.

Why the pressure is increasing

Regulators set the baseline. Clients bake it into questionnaires. Procurement and diligence teams check the same boxes. The pressure converges on one place: your firm.

Here’s where it hits first:

Client due diligence & questionnaires

If proof can’t be produced quickly, engagements slow down, conditions appear, and you lose trust at the worst time.

Tax season operations

You do not want to build a defensible story during peak season. You want a system quietly maintained all year.

Valuation & diligence

Weak governance becomes leverage against price, terms, or timeline. Clean governance reduces uncertainty.

How we got here

From guidance to mandates to diligence pressure.

Timeline: From Guidelines to Mandates

Key Milestones

  1. 2003: FTC Safeguards Rule Enacted
     Federal Safeguards expectations formalized for “financial‑institution‑type” data handling, including tax preparers.

  2. 2021–2023: Safeguards Rule Amendments
     Safeguards requirements tightened around accountability, access controls, encryption, and program governance.

  3. Ongoing: Taxpayer Data Threats Escalate
     Taxpayer‑data threats—business email compromise (BEC), W‑2 fraud, refund fraud, account takeover—made “security posture” a client and buyer requirement.

  4. Now: M&A and PE Diligence Pressure
     Private equity and succession planning turned security into a valuation factor, not an IT preference.

The questions you’ll get asked

  • Who is your designated security owner—and where is it documented?
    What reviewers want: Named accountability with documented authority
  • Show your written security program and when it was last reviewed.
    What reviewers want: Current written program that matches operational reality
  • Show MFA and access governance for email, portals, and document management.
    What reviewers want: Access controls that prevent common breach paths
  • Show encryption expectations and how sensitive data is transmitted.
    What reviewers want: Defensible handling of SSNs and tax documents
  • Show vendor oversight: tax software, DMS, portals, MSP, payroll, e‑signature.
    What reviewers want: Third-party risk management with evidence
  • Show incident readiness: roles, steps, timelines, and tabletop evidence.
    What reviewers want: Tested and documented response capability
  • Prove this is operated year-round - not assembled when asked.
    What reviewers want: Continuous governance with dated evidence

The Firm Governance Program

We build a repeatable operating system for governance, and keep it alive month to month. Your program stays current through a defined cadence of reviews, updates, and evidence collection.

Program Spine

  • Written Information Security Program (Safeguards‑aligned) - tailored to how your firm actually operates
  • Governance structure: roles, approvals, documented responsibility
  • Policy set written to survive real scrutiny - not templates that don’t match reality

Risk System

  • Risk assessment (annual, and updated after material changes)
  • Risk register with owners, due dates, and status
  • Remediation roadmap prioritized for your MSP (no busywork)

Incident & Resilience

  • Incident Response Plan with playbooks for BEC, impersonation, and document theft
  • Business continuity and disaster recovery expectations, including recovery objectives (RTO/RPO)
  • Notification readiness and “fast capture” timelines (no panic math)

People & Vendors

  • Access governance (MFA, joiner/mover/leaver, access reviews, seasonal access)
  • Vendor inventory, minimum requirements, and review cadence
  • Security awareness completion evidence (with tax season timing in mind)

Can you produce evidence on demand?

Every requirement is mapped to proof. Every proof has an owner. Evidence is collected continuously - not assembled in a panic.

  • Evidence mapping index
  • Evidence requests & reminders
  • Evidence library
  • Print‑ready Audit Workbook and clean binder exports

Everything is tracked in Aurora Command.

Aurora Command is your system of record for governance—tasks, decisions, and evidence in one place. You don’t hope you can answer the request. You open the dashboard, see what’s due, and export what’s needed—cleanly.

  • See what’s due before busy season
  • Assign owners so it doesn’t live in your head
  • Export a clean diligence packet when someone asks “show me”

Nationwide Baseline and State Overlays

Aurora Command is built around the FTC Safeguards Rule requirements: written program, risk system, vendor oversight, incident readiness, and evidence. State overlays are added as new requirements take effect, so you build once, operate once, and export to match the request.


Licensed in multiple states?

You build once, operate once, and we show what changes by state where an overlay exists, without multiplying programs.

What defensible looks like

Short, clear, operated monthly. Evidence collected before it’s requested.

Written Security Program

Tailored to your firm size, not a 100-page template that doesn’t match reality.

Risk System

Annual assessment and risk register with owners, dates, and treatment decisions.

Vendor Oversight

Track your MSP, tax stack, DMS, and portals with minimum requirements and review cadence.

Incident Readiness

Response plan, playbooks, notification timelines, and tabletop evidence.

Evidence Library

Mapped to requirements, organized for scrutiny, printable/exportable on demand.

Audit Workbook (Print)

A current snapshot you can print anytime - built from your living program.

Choose how governance responsibility is handled

Qualified Individual (QI) = the named person responsible for the security program. vCISO (virtual CISO) = ongoing security leadership without a full-time hire.

ADVISORY TRACK

You retain the Qualified Individual (QI) internally

Best for firms with an internal Qualified Individual (QI)—the named person responsible for the security program—who can execute tasks but needs structure, cadence, and defensible evidence. Your program owner stays internal; we provide the system, evidence map, and accountability.

  • We help you select the right framework
  • We provide the governance model
  • We help you design your policies
  • Aurora Command helps you stay on track
  • You remain the program owner (we provide structure + evidence mapping)

Advisory Track gives you the system. Managed Track gives you the system and the operator.

What happens after you book

  1. 30‑minute Program Review
     We discuss firm size, services, tech stack, and current governance posture.

  2. Scope & Proposal
     You receive a tailored proposal with clear deliverables and timeline.

  3. Build Phase Kickoff
     Remote-friendly onboarding. We build the program foundation while keeping staff disruption minimal.

Phase 1

The Build

One-time setup. We build the governance engine.

  • Program Scope: Services, data types, vendor stack, MSP boundaries.
  • Safeguards‑aligned Written Program: Draft → finalize.
  • Risk Assessment: Initial risk assessment and risk register.
  • Evidence Map: Evidence map and print/export structure.
  • Tax Season Readiness Plan: Calendar and minimum proof set.
  • Aurora Command Setup: Tasks, library, owners.

Phase 2

The Run

Monthly cadence. We keep you ready.

Advisory Track

  • Monthly accountability check-ins
  • Evidence collection reminders
  • Updates for material changes
  • Guided questionnaire support

QI-as-a-Service Adds

  • QI/vCISO-led governance actions & oversight
  • Higher-touch buyer and client diligence support
  • Leadership-ready reporting & decision tracking
  • Diligence packaging (clean evidence trail)

Aurora turns governance work into proof.

The program is operated by Borealis, but the work lives in Aurora. That’s where questionnaires, evidence, owners, and exports stay organized so you can answer “show me” without panic.

Compliance Governance

Turn requirements into an operating system: owners, cadence, decisions, and a single source of truth.

  • Track requirements (including custom)
  • Assign owners and due dates
  • Turn gaps into remediation

Evidence Collection

Map controls to what proves them, keep evidence organized, and export clean proof packets on demand.

  • Evidence library and indexing
  • Requests, reminders, and follow-up
  • Print-ready packets and diligence exports

Questionnaire Prep (service-first)

We help you respond faster without sending “trust me” answers.

  • Reusable response library
  • Evidence-backed answers
  • Clean exports for reviews and renewals

Built for real questionnaires

Upload what you have today, get immediate coverage signals, then turn the rest into tracked requirements and remediation.

  1. Ingest reliably
     Bring questionnaires, evidence, and policies into one workspace.

  2. See coverage
     Know how many questions we can draft answers for right away.

  3. Review and edit
     Walk through the assessment, attach evidence, and preserve human edits.

  4. Export cleanly
     Export answers and evidence as structured files and audit-ready bundles.

SEE IT WORK

Get a guided Aurora walkthrough

We’ll show you how questionnaires flow into requirements, how evidence stays organized, and what a print-ready workbook looks like.


FAQ

Do you replace our MSP?

No. Your MSP runs IT operations and tooling. Borealis runs the governance layer: ownership, cadence, documentation, and evidence.

Can’t I just download templates?

Templates that aren’t operated become liabilities. We build policies that match operations and create the evidence trail that proves year-round operation.

We’re under 5,000 consumers. Are we exempt?

Some Safeguards sub-requirements may depend on your consumer count and other factors. Many firms miscount because retention and historical records matter. We scope this carefully and build a defensible position.

We can’t disrupt tax season. Can we do this without chaos?

Yes. We plan around the calendar. Build in implementation season; maintain quietly during peak season; keep proof ready before January.

Do you provide legal, tax, or accounting advice?

No. We are a cybersecurity and compliance implementation firm. We help you implement defensible programs and evidence.

Can we do this without disrupting staff?

Yes. We keep staff asks small and scheduled. Most work is leadership alignment, documentation, and evidence organization - done remotely with minimal interruptions.

Do you work nationwide even though you’re Alaska-based?

Yes. The program is designed for remote execution and multi-state realities.

Ready to turn governance into proof?

Start with a 30‑minute conversation about your firm, your tech stack, and what “defensible” looks like for you.

Free • confidential • no obligation
