
The Most Common Compliance Gaps in Small Professional Services Firms
Compliance is one of those topics that firm owners acknowledge is important and then proceed to address with the minimum effort possible. Not because they do not care, but because running a practice, serving clients, and managing staff leaves little time for reading regulatory frameworks.
The result is predictable. Small and mid-sized professional services firms have compliance gaps they do not know about. These gaps sit quietly until an auditor, insurer, or breach reveals them. And at that point, "we did not know" is not a compelling defense.
This article covers the most common compliance gaps we see in accounting firms, law firms, and advisory practices. Not the exotic, edge-case stuff. The everyday gaps that put firms at risk.
Gap 1: Incomplete Written Information Security Plans
Many regulations require firms to maintain a Written Information Security Plan (WISP). The IRS requires it for all tax preparers (Publication 4557). Many states require it for businesses handling personal information. The FTC's Safeguards Rule requires it for financial institutions, which includes many advisory firms.
The gap is not usually the absence of a plan. It is having a plan that was written three years ago, never updated, and does not reflect current systems, processes, or threats.
A compliant WISP should include:
- Designation of a security coordinator
- Risk assessment findings and remediation plans
- Employee training requirements and documentation
- Technical, physical, and administrative safeguards
- Vendor management requirements
- Incident response procedures
- Regular review and update schedule
If your WISP does not cover these areas, it has a gap. If you do not have one at all, that is a larger problem. Build one. Start with the practical cybersecurity checklist as a foundation.
Gap 2: Inadequate Risk Assessments
Compliance frameworks almost universally require risk assessments. The problem is that many firms either skip them entirely or treat them as a one-time activity.
A proper risk assessment identifies:
- What sensitive data you handle and where it is stored
- What threats could compromise that data
- What vulnerabilities exist in your current environment
- What controls are in place and whether they are effective
- What residual risk remains and whether it is acceptable
Risk assessments should be conducted at least annually and whenever significant changes occur (new systems, new offices, major staff changes, new service offerings).
The firms that skip this step often have no idea where their most sensitive data actually lives. It is hard to protect something you have not mapped.
Gap 3: Missing or Inconsistent Access Controls
Access control gaps are everywhere. Common scenarios:
- Former employees who still have active accounts weeks or months after leaving
- Staff with access levels that exceed what their role requires
- Shared accounts where multiple people use the same credentials
- No formal access review process
Every compliance framework emphasizes the principle of least privilege: users should have access to only the data and systems they need to perform their job. In practice, access tends to accumulate over time as people change roles, take on temporary projects, or receive "just in case" permissions.
Fix this by implementing role-based access controls and regular access reviews. Automate offboarding so that accounts are disabled the day an employee leaves, not weeks later.
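An access review of the kind described above can be scripted once you have two exports: the HR roster (who works here, in what role, and when anyone left) and the directory listing of accounts and their permissions. The following is an added illustration, not code from the original article; the role baseline, the roster, and the directory export are all constructed, and the permission names are assumptions rather than any product's real entitlements. It flags three of the scenarios listed above: accounts still enabled after termination, permissions beyond the role's baseline, and accounts with no owner in HR (the shared-credential case).

```python
"""Access review helper for the gaps listed above.

Added illustration with constructed data: the role baseline, HR roster and
directory export are made up, and the permission names are assumptions.
"""
from datetime import date

# Constructed role baseline: the permissions each role is expected to hold.
# Anything beyond this is reported as accumulated "just in case" access.
ROLE_BASELINE = {
    "tax_preparer": {"client_files:read", "client_files:write", "tax_software"},
    "admin_assistant": {"calendar", "client_files:read"},
    "it_admin": {"client_files:read", "user_admin", "backup_admin"},
}

# Constructed HR roster; "terminated" is None for current staff.
HR_ROSTER = {
    "alice": {"role": "tax_preparer", "terminated": None},
    "bob": {"role": "admin_assistant", "terminated": date(2024, 1, 15)},
    "carol": {"role": "tax_preparer", "terminated": date(2024, 3, 1)},
}

# Constructed directory export: what each account can actually do today.
DIRECTORY = [
    {"user": "alice", "enabled": True,
     "permissions": {"client_files:read", "client_files:write",
                     "tax_software", "user_admin"}},
    {"user": "bob", "enabled": True,
     "permissions": {"calendar", "client_files:read"}},
    {"user": "carol", "enabled": False,
     "permissions": {"client_files:read"}},
    {"user": "shared-front-desk", "enabled": True,
     "permissions": {"calendar"}},
]


def review_access(directory, roster, baseline, today, grace_days=1):
    """Return (user, finding_type, detail) tuples for every account that
    fails the least-privilege or offboarding checks."""
    findings = []
    for acct in directory:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR owner: either a shared login or an orphaned account.
            findings.append((user, "not_in_hr_roster",
                             "account has no owner in HR (shared or orphaned)"))
            continue
        term = person["terminated"]
        if term is not None and acct["enabled"]:
            overdue = (today - term).days
            if overdue > grace_days:
                findings.append((user, "stale_account",
                                 f"still enabled {overdue} days after termination"))
        excess = acct["permissions"] - baseline.get(person["role"], set())
        if excess:
            findings.append((user, "excess_permissions",
                             "beyond role baseline: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(DIRECTORY, HR_ROSTER,
                                            ROLE_BASELINE, date(2024, 4, 1)):
        print(f"{user:18} {kind:20} {detail}")
```

Run it on a schedule (quarterly reviews are a common cadence) and keep the output with your compliance records; the report itself is the evidence that the review happened.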
Gap 4: No Data Retention or Disposal Policy
Firms tend to keep everything forever. Hard drives from 2010 sitting in a closet. Email archives going back a decade. Client files from engagements that ended years ago.
This creates two problems:
1. You are storing data you are no longer required to keep, increasing your breach surface
2. You probably cannot identify what data you have or where it is, making it impossible to comply with data subject access requests or breach notification requirements
A data retention policy defines how long different categories of data are kept and how they are securely disposed of when the retention period expires. Most firms do not have one, and even those that do rarely enforce it.
Create categories, define retention periods based on regulatory requirements, implement secure disposal methods, and actually follow through. See our deep dive on data retention, access control, and encryption.
Gap 5: Insufficient Employee Training Documentation
Most compliance frameworks require security awareness training. Many firms do some form of training. Very few document it properly.
Common documentation gaps:
- No record of who attended training and when
- No evidence of what topics were covered
- No tracking of phishing simulation results
- No documentation of new hire security orientation
- No refresher training for employees who failed phishing tests
If you cannot prove that training happened, it did not happen as far as regulators and insurers are concerned. Use a training platform that tracks completion or, at minimum, maintain a log of training dates, attendees, and topics covered.
Learn how to build a security culture that makes training feel less like a checkbox and more like a genuine improvement.
Gap 6: Weak Vendor Management
Your firm probably shares client data with multiple third parties: cloud storage providers, practice management platforms, tax software vendors, IT service providers, document scanning services.
Compliance frameworks require you to evaluate the security of these vendors and manage the risk they introduce. Common gaps:
- No vendor security assessments before engagement
- No data processing agreements or business associate agreements
- No ongoing monitoring of vendor security posture
- No process for evaluating new vendors before purchase
This gap is expanding as firms adopt AI tools. Assessing the security of AI vendors requires even more diligence than traditional software because of concerns about client data being used for model training and about privacy.
Gap 7: Incomplete Incident Response Planning
Having an incident response plan is a compliance requirement in most frameworks. Having one that is complete, current, and tested is where firms fall short.
Common gaps in incident response plans:
- No defined roles and responsibilities
- Contact information is outdated
- No communication templates for client notification
- No consideration of regulatory notification requirements
- The plan has never been tested or practiced
- No one knows where the plan is stored
If you need to create or update your plan, start with our guide on building a breach response plan. Know what to do in the first 24 hours after discovering a breach.
Gap 8: Encryption Gaps
Most firms have some encryption in place but rarely have it everywhere it needs to be.
Common encryption gaps:
- Laptops without full-disk encryption (especially personal devices used for work)
- Email sent without encryption when containing sensitive client data
- Data at rest in cloud storage without client-managed encryption keys
- USB drives used for data transfer without encryption
- Legacy systems or databases without encryption enabled
- Backup data stored without encryption
The fix is usually straightforward. Enable BitLocker (Windows) or FileVault (Mac) on all devices. Enable encryption options in your cloud platforms. Implement email encryption for sensitive communications.
Gap 9: Missing Business Continuity Planning
Business continuity planning goes beyond incident response. It addresses how your firm continues to operate during and after a disruption.
Common gaps:
- No documented recovery priorities (which systems/data are restored first?)
- No alternative communication plan if email is unavailable
- No tested backup restoration procedures
- No plan for operating without primary systems for an extended period
- No consideration of physical disasters (fire, flood, power outage)
For a firm that depends on technology to serve clients (which is every firm), an extended outage during peak season could be devastating.
Gap 10: Audit Trail and Logging Deficiencies
Many compliance frameworks require audit trails that document who accessed what data, when, and what they did with it. Small firms often have minimal logging:
- No tracking of who accessed specific client files
- No logging of administrative actions
- No monitoring of email forwarding rules or mailbox access
- No retention of security event logs
- No regular review of logs for suspicious activity
Enable logging in your key systems (email, document management, cloud storage, practice management) and retain logs for at least 12 months. Even better, use a SIEM or managed security service that monitors logs for anomalies.
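The review step above is the one most often skipped, so here is what a minimal first pass looks like in code. This is an added illustration, not part of the original article: the JSON-lines audit log is constructed, and the record layout and action names are assumptions rather than the export format of any particular email or document platform. It picks out three of the items on the list: inbox rules that forward mail outside the firm's domain, mailbox access by someone other than the mailbox owner, and administrative actions, and returns them for review.

```python
"""First-pass audit log review for the gaps listed above.

Added illustration with constructed data: the log records below are made
up, and their field names and action names are assumptions, not the
export format of any specific platform.
"""
import json
from collections import Counter

INTERNAL_DOMAIN = "example-firm.test"  # assumed; substitute the firm's own domain

# Constructed JSON-lines audit log, one event per line.
SAMPLE_LOG = """\
{"ts":"2024-04-02T08:01:00Z","actor":"alice@example-firm.test","action":"FileAccessed","target":"clients/acme/2023-return.pdf"}
{"ts":"2024-04-02T08:05:00Z","actor":"bob@example-firm.test","action":"New-InboxRule","target":"bob@example-firm.test","forward_to":"bob.personal@mail.test"}
{"ts":"2024-04-02T08:06:00Z","actor":"carol@example-firm.test","action":"New-InboxRule","target":"carol@example-firm.test","forward_to":"partner@example-firm.test"}
{"ts":"2024-04-02T09:00:00Z","actor":"dave@example-firm.test","action":"MailboxLogin","target":"alice@example-firm.test"}
{"ts":"2024-04-02T09:30:00Z","actor":"itadmin@example-firm.test","action":"Add-RoleGroupMember","target":"dave@example-firm.test"}
{"ts":"2024-04-02T23:10:00Z","actor":"alice@example-firm.test","action":"FileAccessed","target":"clients/acme/2023-return.pdf"}
"""

# Assumed set of actions treated as administrative and always worth a look.
ADMIN_ACTIONS = {"Add-RoleGroupMember", "Set-Mailbox", "Add-MailboxPermission"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def review_log(text, internal_domain=INTERNAL_DOMAIN):
    """Return (finding_type, actor, detail) tuples for events that match
    the review rules; routine file access is left alone."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev["action"]
        if action == "New-InboxRule" and "forward_to" in ev:
            # Forwarding to an address outside the firm is the classic
            # post-compromise persistence sign and a data-leak path.
            if domain_of(ev["forward_to"]) != internal_domain:
                findings.append(("external_forwarding", ev["actor"], ev["forward_to"]))
        elif action == "MailboxLogin" and ev["actor"] != ev["target"]:
            # Someone opened a mailbox they do not own (delegation or misuse).
            findings.append(("non_owner_mailbox_access", ev["actor"], ev["target"]))
        elif action in ADMIN_ACTIONS:
            findings.append(("admin_action", ev["actor"], f"{action} -> {ev['target']}"))
    return findings


def summarize(findings):
    """Count findings by type, which is the line item a reviewer signs off on."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for kind, actor, detail in results:
        print(f"{kind:26} {actor:28} {detail}")
    print(dict(summarize(results)))
```

Internal forwarding (carol's rule to a partner) is deliberately not flagged, which keeps the output short enough that someone will actually read it; the point of a regular review is a list a person can act on, not a dump of every event.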
Closing the Gaps
Do not try to address everything at once. Prioritize based on:
1. **Regulatory exposure.** Which gaps could result in fines or sanctions?
2. **Insurance requirements.** Which gaps could invalidate your cyber insurance?
3. **Client expectations.** Which gaps could cause you to lose clients?
4. **Risk reduction.** Which gaps, if closed, would most reduce your overall risk?
Start with the three or four gaps that score highest across these criteria. Create a timeline for addressing the rest.
For a comprehensive approach, visit our cybersecurity guide for professional services. Compliance is not the ceiling of security, but it is the floor. Build that floor first, then keep building.



