Implementation Guide: Gather supporting documents, reconcile accounts, and prepare draft returns

Hardware Procurement

Software Procurement

Prerequisites

• Active subscription to a tax preparation platform (Drake Tax, UltraTax CS, Lacerte, ProConnect Tax Online, or CCH Axcess Tax) — must be current and licensed before AI agent deployment
• Active QuickBooks Online Accountant account (free for ProAdvisors) with at least one client company file connected, OR equivalent Xero/Sage subscription with active bank feeds
• Reliable internet connectivity: minimum 25 Mbps symmetric (fiber preferred); latency under 100ms to Azure/AWS US-East endpoints — verify with speedtest and traceroute before deployment
• Current Written Information Security Plan (WISP) document — if not existing, MSP must create one as Phase 1 deliverable before any AI tools touch taxpayer data
• Updated IRC §7216 taxpayer consent forms that explicitly authorize AI-assisted processing of tax return information — must be reviewed by the firm's legal counsel or a tax compliance attorney
• Multi-factor authentication (MFA) enforced on ALL systems that access taxpayer data: email, tax software, cloud storage, practice management, and AI platforms — no exceptions per IRS mandate effective 2025
• Domain name and DNS access for configuring SPF/DKIM/DMARC email authentication (required for secure client communications)
• Windows 10 Pro or Windows 11 Pro on all workstations (Home editions lack BitLocker, Group Policy, and domain join capabilities)
• Administrative credentials for the firm's QuickBooks Online, tax software, and any existing practice management platforms
• Physical access to the office for scanner installation, network equipment deployment, and workstation setup
• Designated project champion at the firm: a senior accountant or partner who will validate AI agent output, approve workflow configurations, and serve as the primary point of contact
• Cyber liability insurance policy in place or in process — strongly recommended before AI deployment given expanded data processing scope
• Current client list with engagement types (individual 1040, business 1120/1120S/1065, bookkeeping-only) to size the AI agent deployment and configure appropriate return types

Installation Steps

Step 1: Compliance & Security Foundation Audit

Before any technology deployment, conduct a comprehensive security and compliance audit of the accounting firm. Review the existing WISP (or create one), audit current MFA implementation, assess endpoint protection, verify backup procedures, and evaluate IRC §7216 consent forms. This step is non-negotiable — deploying AI agents without proper compliance infrastructure exposes the firm (and the MSP) to federal criminal liability under §7216 and FTC enforcement actions.

# Run Microsoft Secure Score assessment
# Navigate to https://security.microsoft.com/securescore

# Verify MFA status for all users in Azure AD / Entra ID
Connect-MsolService
Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, @{N='MFA Status'; E={$_.StrongAuthenticationRequirements.State}} | Export-Csv -Path C:\Audit\MFA_Status.csv -NoTypeInformation

# Check BitLocker encryption status on all workstations
manage-bde -status C:

# Verify Windows Defender / EDR status
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

Step 2: Network Infrastructure Deployment

Install and configure the Fortinet FortiGate 40F firewall, establish network segmentation, configure TLS inspection for outbound traffic, and create firewall policies that whitelist approved AI vendor endpoints. Set up a dedicated VLAN for accounting workstations separate from guest/general traffic. Configure DNS-over-HTTPS to prevent DNS leakage of client queries.

# FortiGate initial configuration via CLI (after factory reset and console connection)
config system interface
  edit port1
    set mode static
    set ip 192.168.1.1 255.255.255.0
    set allowaccess ping https ssh
  next
end

# Create accounting workstation VLAN
config system interface
  edit VLAN10-ACCOUNTING
    set vdom root
    set ip 10.10.10.1 255.255.255.0
    set allowaccess ping
    set device-identification enable
    set interface port2
    set vlanid 10
  next
end

# Configure DNS to use FortiGuard DNS (filtered)
config system dns
  set primary 208.91.112.53
  set secondary 208.91.112.52
end

# Create address objects for AI vendor endpoints
config firewall address
  edit TaxGPT-Cloud
    set type fqdn
    set fqdn app.taxgpt.com
  next
  edit Dext-Cloud
    set type fqdn
    set fqdn api.dext.com
  next
  edit Botkeeper-Cloud
    set type fqdn
    set fqdn app.botkeeper.com
  next
  edit TaxDome-Cloud
    set type fqdn
    set fqdn app.taxdome.com
  next
end

# Create firewall policy allowing accounting VLAN to AI services
config firewall policy
  edit 10
    set name Allow-AI-Services
    set srcintf VLAN10-ACCOUNTING
    set dstintf wan1
    set srcaddr all
    set dstaddr TaxGPT-Cloud Dext-Cloud Botkeeper-Cloud TaxDome-Cloud
    set action accept
    set schedule always
    set service HTTPS
    set ssl-ssh-profile deep-inspection
    set av-profile default
    set ips-sensor default
    set logtraffic all
  next
end

Step 3: Workstation Deployment and Hardening

Deploy Dell OptiPlex 7020 workstations with Windows 11 Pro, join to Azure AD (Entra ID), enable BitLocker encryption, deploy SentinelOne EDR agent, configure Microsoft Intune device compliance policies, and install required base software (Chrome/Edge, Adobe Reader, Microsoft 365 Apps). Apply CIS Benchmark Level 1 hardening via Intune configuration profiles.

Step 4: MFA and Conditional Access Policy Enforcement

Configure Azure AD (Entra ID) Conditional Access policies to require MFA for all users on all cloud applications. Deploy YubiKey 5 NFC hardware tokens as primary MFA method. Configure break-glass emergency access accounts. Set up passwordless authentication where supported.

Step 5: Document Scanner Deployment and Dext Configuration

Install Ricoh ScanSnap iX2500 scanners at designated locations (front desk for client walk-ins, back office for staff processing). Install ScanSnap Home software on designated workstations. Configure scan profiles optimized for tax documents (300 DPI, color, auto-crop, dual-sided). Set up Dext Prepare account, connect to QuickBooks Online, and configure automated scan-to-Dext workflow using ScanSnap Cloud or folder watching.

Step 6: QuickBooks Online Integration and Bank Feed Configuration

Verify the firm's QuickBooks Online Accountant (QBOA) portal access. Ensure all managed client QBO companies have active bank feed connections. Configure Dext-to-QBO integration for automated receipt/invoice posting. Set up Botkeeper integration with QBO for AI-powered reconciliation. Verify chart of accounts standardization across client files.

Step 7: TaxGPT Autonomous Agent Deployment

Set up TaxGPT Tax Prep Agent for the firm. This is the core autonomous AI agent that reads source documents and operates the firm's existing tax preparation software (Drake Tax in our recommended stack) to complete draft returns. TaxGPT uses RPA-style desktop automation — it literally controls the tax software UI as a human would. Configure agent credentials, connect document sources, set up return type workflows, and establish review queues.

Step 8: Botkeeper AI Bookkeeping and Reconciliation Setup

Deploy Botkeeper as the AI-powered bookkeeping and reconciliation engine. Configure client entities, connect to QuickBooks Online, set up automated transaction categorization rules, bank reconciliation schedules, and month-end close checklists. Botkeeper will handle the ongoing reconciliation that keeps books clean for tax preparation.

Step 9: TaxDome Practice Management and Client Portal Configuration

Deploy TaxDome as the unified practice management platform with secure client portal. Configure client records, document request templates (organizers), workflow automations that trigger AI agent tasks, secure messaging, e-signatures, and return delivery. TaxDome serves as the client-facing layer and the orchestration hub connecting Dext, Botkeeper, TaxGPT, and SafeSend.

Step 10: SafeSend Returns Integration for Automated Delivery

Configure SafeSend Returns to automate the final step of the tax preparation workflow: assembling the completed return, generating signature pages, collecting e-file authorizations, and securely delivering the final return package to clients. Integrate with Drake Tax for automatic return import and with TaxDome for workflow status updates.

Step 11: Backup, Disaster Recovery, and Data Retention Configuration

Configure encrypted backup for all taxpayer data across cloud platforms and local systems. Set up Veeam Backup for Microsoft 365 to protect email and OneDrive. Configure Drake Tax local backup to encrypted cloud storage. Establish retention policies aligned with IRS requirements (minimum 3 years, recommended 7 years for tax records). Test restore procedures.

# Veeam Backup for Microsoft 365 Setup:
# 1. Deploy Veeam Backup for M365 on a management server or use Veeam Cloud Service Provider
# 2. Connect to Microsoft 365 tenant via Azure AD app registration
# 3. Configure backup job:
#    - Include: All user mailboxes, OneDrive, SharePoint sites
#    - Schedule: Daily at 11 PM
#    - Retention: 7 years (aligned with IRS record-keeping recommendations)

# Drake Tax Local Backup:
# In Drake: Setup > Options > Backup
# - Backup location: Network share -> synced to encrypted cloud storage
# - Schedule: After each batch processing run
# - Verify: Test restore quarterly

# Configure Azure Blob Storage for long-term archival (optional):
az storage account create \
  --name firmbackuparchive \
  --resource-group MSP-Backups \
  --location eastus \
  --sku Standard_LRS \
  --encryption-services blob \
  --min-tls-version TLS1_2

az storage container create \
  --name tax-returns-archive \
  --account-name firmbackuparchive \
  --public-access off

# Enable immutable storage (WORM) for compliance:
az storage container immutability-policy create \
  --resource-group MSP-Backups \
  --account-name firmbackuparchive \
  --container-name tax-returns-archive \
  --period 2556

# Test restore procedure:
# 1. Select a random client's data from 30 days ago
# 2. Restore to a test location (not production)
# 3. Verify file integrity and readability
# 4. Document the test in the WISP maintenance log
# 5. Repeat quarterly

Step 12: End-to-End Integration Testing and Workflow Validation

Before go-live, execute a complete end-to-end test using sample/test data that mirrors real client scenarios. Process test documents through the entire pipeline: scan -> Dext extraction -> Botkeeper categorization -> QuickBooks reconciliation -> TaxGPT draft return preparation -> reviewer approval -> SafeSend delivery. Validate data accuracy at each handoff point.

Custom AI Components

Document Intake Orchestrator

Type: workflow

A Zapier/Make.com automation workflow that orchestrates the document intake pipeline. When a client uploads documents to TaxDome portal, this workflow routes them to Dext for AI extraction, monitors extraction completion, validates extracted data quality, and triggers downstream processes (Botkeeper for bookkeeping documents, TaxGPT for tax source documents). Includes error handling and notification for documents that fail extraction.

Implementation:

# Document Intake Orchestrator - Make.com (Integromat) Blueprint
# This workflow automates the routing of client-uploaded documents

Trigger: TaxDome Webhook

• Configure in TaxDome: Settings > Webhooks > Add
• Event: document.uploaded
• URL: https://hook.make.com/YOUR_WEBHOOK_ID

Module 1: Parse TaxDome Webhook

Extract: client_id, document_id, document_name, file_url, upload_timestamp

Module 2: Download Document from TaxDome

# HTTP GET: {{file_url}}
# Headers: Authorization: Bearer {{taxdome_api_token}}
# Save to: /tmp/{{document_id}}.pdf

Module 3: Classify Document Type (Router)

Module 5A: Wait for Dext Processing

• Sleep: 60 seconds (Dext typical processing time)
• Then poll: GET https://api.dext.com/v1/documents/{{dext_document_id}}
• Check status == 'processed'
• If not processed after 5 minutes: send alert email

Module 6A: Validate Extraction Quality

# Check Dext response for:
# - confidence_score > 0.85 (proceed automatically)
# - confidence_score 0.60-0.85 (flag for review, proceed with caution)
# - confidence_score < 0.60 (route to manual processing queue)
# Extract: document_type, amounts, dates, payer/payee info

Module 7A: Update TaxDome Job Status

# HTTP PATCH: TaxDome API
# Update job stage to 'Documents Processing'
# Add note: 'Document {{document_name}} extracted by Dext. Confidence: {{score}}'

Module 8A: Trigger TaxGPT Task (when all docs received)

Error Handler (Global):

Top 20 Vendors by Spend

{top_vendors}

Spending by Account

{account_totals}

System Prompt:

User Prompt Template:

Please review the following draft tax return against the provided source documents.

RETURN INFORMATION

• Return Type: {{return_type}} (e.g., Form 1040, 1120S, 1065)
• Tax Year: {{tax_year}}
• Filing Status: {{filing_status}}
• State(s): {{states}}

PRIOR YEAR COMPARISON

• Prior Year AGI: ${{prior_agi}}
• Prior Year Total Tax: ${{prior_tax}}
• Prior Year Refund/Balance Due: ${{prior_result}}

CURRENT YEAR DRAFT RETURN DATA

{{draft_return_data}}

SPECIFIC REVIEW AREAS

{{specific_concerns}}

Perform a comprehensive quality assurance review and return your findings as structured JSON.

Example Implementation in Python:

import openai
import json

def run_qa_review(return_data: dict, source_docs: list, prior_year: dict) -> dict:
    client = openai.OpenAI(api_key='sk-...')
    
    # Format source document summary
    doc_summary = '\n'.join([
        f"- {doc['type']}: {doc['payer']} - ${doc['amount']:.2f}" 
        for doc in source_docs
    ])
    
    # Format return data (simplified - actual implementation extracts from Drake XML/PDF)
    return_summary = json.dumps(return_data, indent=2)
    
    user_prompt = f"""Please review the following draft tax return against the provided source documents.

RETURN INFORMATION

• Return Type: {return_data.get('form_type', 'Form 1040')}
• Tax Year: {return_data.get('tax_year', '2025')}
• Filing Status: {return_data.get('filing_status', 'Single')}
• State(s): {return_data.get('states', 'Federal only')}

PRIOR YEAR COMPARISON

• Prior Year AGI: ${prior_year.get('agi', 0):,.2f}
• Prior Year Total Tax: ${prior_year.get('total_tax', 0):,.2f}
• Prior Year Refund/Balance Due: ${prior_year.get('result', 0):,.2f}

CURRENT YEAR DRAFT RETURN DATA

{return_summary}

{doc_summary}

SPECIFIC REVIEW AREAS

• Verify all W-2 and 1099 amounts match source documents exactly
• Check for missing income sources compared to prior year
• Verify deduction eligibility and substantiation
• Check estimated tax payment credits
• Verify dependent eligibility

Perform a comprehensive quality assurance review and return your findings as structured JSON."""

response = client.chat.completions.create(

    response = client.chat.completions.create(
        model='gpt-4.1-2025-04-14',
        messages=[
            {'role': 'system', 'content': SYSTEM_PROMPT},  # From above
            {'role': 'user', 'content': user_prompt}
        ],
        response_format={'type': 'json_object'},
        temperature=0.1,  # Low temperature for consistent, careful analysis
        max_tokens=4000
    )
    
    return json.loads(response.choices[0].message.content)

# Integration: Call this after TaxGPT completes a draft return,
# before the human reviewer opens the return in Drake Tax.
# Post results to TaxDome as a review checklist note.

Client Document Completeness Monitor

Type: integration

An integration between TaxDome and Microsoft Teams that monitors client document upload progress during tax season and sends daily digest notifications to the firm's Teams channel. Tracks which clients have submitted all required documents, which are partially complete, and which haven't started. Enables proactive client follow-up to prevent last-minute filing crunches.

Implementation:

# Client Document Completeness Monitor
# TaxDome -> Microsoft Teams Integration via Power Automate
# Sends daily digest of client document status during tax season

# Implementation: Microsoft Power Automate Flow
# Trigger: Recurrence - Daily at 8:00 AM EST (Jan 15 - Apr 15)

# Flow Definition (Power Automate JSON export format):

{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json",
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Day",
          "interval": 1,
          "startTime": "2026-01-15T08:00:00Z",
          "timeZone": "Eastern Standard Time"
        }
      }
    },
    "actions": {
      "Get_TaxDome_Client_Status": {
        "type": "Http",
        "inputs": {
          "method": "GET",
          "uri": "https://api.taxdome.com/v1/jobs?pipeline=individual_tax_2025&status=active",
          "headers": {
            "Authorization": "Bearer @{parameters('TaxDome_API_Key')}"
          }
        }
      },
      "Parse_JSON": {
        "type": "ParseJson",
        "inputs": {
          "content": "@body('Get_TaxDome_Client_Status')",
          "schema": {
            "type": "object",
            "properties": {
              "data": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "client_name": {"type": "string"},
                    "stage": {"type": "string"},
                    "organizer_status": {"type": "string"},
                    "docs_received": {"type": "integer"},
                    "docs_required": {"type": "integer"},
                    "last_activity": {"type": "string"}
                  }
                }
              }
            }
          }
        }
      },
      "Categorize_Clients": {
        "type": "Scope",
        "actions": {
          "Filter_Complete": {
            "type": "Query",
            "inputs": {
              "from": "@body('Parse_JSON')?['data']",
              "where": "@equals(item()?['organizer_status'], 'complete')"
            }
          },
          "Filter_Partial": {
            "type": "Query",
            "inputs": {
              "from": "@body('Parse_JSON')?['data']",
              "where": "@and(not(equals(item()?['organizer_status'], 'complete')), greater(item()?['docs_received'], 0))"
            }
          },
          "Filter_NotStarted": {
            "type": "Query",
            "inputs": {
              "from": "@body('Parse_JSON')?['data']",
              "where": "@equals(item()?['docs_received'], 0)"
            }
          }
        }
      },
      "Post_Teams_Message": {
        "type": "ApiConnection",
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['teams']['connectionId']"
            }
          },
          "method": "post",
          "path": "/v3/beta/teams/@{parameters('Teams_Team_Id')}/channels/@{parameters('Teams_Channel_Id')}/messages",
          "body": {
            "body": {
              "contentType": "html",
              "content": "<h2>📊 Daily Tax Season Document Status</h2><p><strong>Date:</strong> @{formatDateTime(utcNow(), 'MMMM dd, yyyy')}</p><h3>✅ Ready for AI Processing (@{length(body('Filter_Complete'))})</h3><p>@{join(body('Filter_Complete'), ', ')}</p><h3>⏳ Partially Complete (@{length(body('Filter_Partial'))})</h3><p>@{join(body('Filter_Partial'), ', ')}</p><h3>🔴 Not Started (@{length(body('Filter_NotStarted'))})</h3><p>@{join(body('Filter_NotStarted'), ', ')}</p><hr><p><em>Clients in 'Ready' status will be queued for TaxGPT processing today.</em></p>"
            }
          }
        }
      },
      "Trigger_Auto_Reminders": {
        "type": "Http",
        "inputs": {
          "method": "POST",
          "uri": "https://api.taxdome.com/v1/reminders/batch",
          "headers": {
            "Authorization": "Bearer @{parameters('TaxDome_API_Key')}"
          },
          "body": {
            "client_ids": "@body('Filter_NotStarted')",
            "template": "document_request_reminder",
            "channel": "email"
          }
        },
        "runAfter": {
          "Post_Teams_Message": ["Succeeded"]
        }
      }
    }
  }
}

# Run via Azure Functions or cron job on management server.

# Alternative: Python script version for MSPs not using Power Automate
# Run via Azure Functions or cron job on management server

import requests
from datetime import datetime

def send_daily_digest():
    # Get client status from TaxDome
    td_response = requests.get(
        'https://api.taxdome.com/v1/jobs',
        headers={'Authorization': f'Bearer {TAXDOME_API_KEY}'},
        params={'pipeline': 'individual_tax_2025', 'status': 'active'}
    )
    clients = td_response.json().get('data', [])
    
    complete = [c for c in clients if c['organizer_status'] == 'complete']
    partial = [c for c in clients if c['docs_received'] > 0 and c['organizer_status'] != 'complete']
    not_started = [c for c in clients if c['docs_received'] == 0]
    
    # Format Teams adaptive card
    card = {
        'type': 'message',
        'attachments': [{
            'contentType': 'application/vnd.microsoft.card.adaptive',
            'content': {
                '$schema': 'http://adaptivecards.io/schemas/adaptive-card.json',
                'type': 'AdaptiveCard',
                'version': '1.4',
                'body': [
                    {'type': 'TextBlock', 'text': '📊 Tax Season Document Status', 'size': 'Large', 'weight': 'Bolder'},
                    {'type': 'TextBlock', 'text': f'Date: {datetime.now().strftime("%B %d, %Y")}'},
                    {'type': 'FactSet', 'facts': [
                        {'title': '✅ Ready for AI', 'value': str(len(complete))},
                        {'title': '⏳ Partial', 'value': str(len(partial))},
                        {'title': '🔴 Not Started', 'value': str(len(not_started))},
                        {'title': '📈 Total Active', 'value': str(len(clients))}
                    ]}
                ]
            }
        }]
    }
    
    # Post to Teams webhook
    requests.post(TEAMS_WEBHOOK_URL, json=card)

# Run daily during tax season (Jan 15 - Apr 15)
if __name__ == '__main__':
    today = datetime.now()
    if today.month in [1, 2, 3, 4] and not (today.month == 4 and today.day > 15):
        send_daily_digest()

Testing & Validation

• SCAN TEST: Place a multi-page test document packet (W-2 + 1099-INT + 1099-DIV, minimum 6 pages double-sided) in the ScanSnap iX2500 ADF. Press the scan button. Verify all pages are captured, OCR text is searchable in the resulting PDF, and the file appears in the configured Dext inbox within 60 seconds. Expected result: 100% page capture, readable OCR on all pages.
• DEXT EXTRACTION TEST: Upload a sample W-2 (use IRS sample or redacted real document) to Dext. Verify that Dext extracts the following fields correctly: employer name, employer EIN, employee SSN (last 4), Box 1 wages, Box 2 federal tax withheld, Box 3 Social Security wages, Box 4 Social Security tax, Box 5 Medicare wages, Box 6 Medicare tax. Compare extracted values to source document — all dollar amounts must match exactly.
• DEXT-TO-QBO INTEGRATION TEST: Create a test expense receipt in Dext (photograph a sample receipt). Verify that Dext processes the receipt, extracts vendor/amount/date, and publishes the transaction to the correct QuickBooks Online company file within 5 minutes. Check QBO to confirm the transaction appears with correct vendor, amount, date, and account categorization.
• BOTKEEPER RECONCILIATION TEST: In a test QBO company file, create 10 sample bank transactions (mix of deposits and withdrawals) with known correct categorizations. Allow Botkeeper to process and categorize them. Verify that at least 8 of 10 transactions are correctly categorized without human intervention. For the remaining 2, verify they are flagged for review rather than incorrectly categorized.
• BOTKEEPER BANK RECONCILIATION TEST: After one full month of transaction data in the test QBO file, run Botkeeper's bank reconciliation process. Verify that the reconciliation completes with zero unexplained differences between the bank statement balance and the QBO balance. If discrepancies exist, verify they are flagged with clear descriptions.
• TAXGPT AGENT CONNECTION TEST: On the dedicated Drake Tax workstation/VM, launch the TaxGPT Desktop Agent. Verify it successfully connects to TaxGPT cloud services (green status indicator). Have the agent open Drake Tax, navigate to a test client, and open a blank 1040. Verify the agent can type data into Drake fields, navigate between forms, and save the return. This validates RPA connectivity.
• TAXGPT DRAFT RETURN ACCURACY TEST: Prepare a test case with known-correct return data: W-2 showing $75,000 wages and $12,000 federal withholding, 1099-INT showing $500 interest income, standard deduction, single filer. Submit source documents to TaxGPT and have the agent prepare a draft return in Drake. Compare every line of the AI-prepared return against a manually-prepared return for the same data. All amounts must match. Expected AGI: $75,500, Standard Deduction: $15,000 (2025), Taxable Income: $60,500.
• TAXGPT COMPLEX RETURN TEST: Prepare a moderately complex test case: married filing jointly, two W-2s, Schedule C freelance income with business expenses, itemized deductions (mortgage interest via 1098, charitable contributions, state taxes), and one dependent child. Submit to TaxGPT. Verify all schedules are generated (Schedule C, Schedule A, Schedule 8812 for child tax credit), all amounts are correct, and QBI deduction is calculated if applicable.
• §7216 CONSENT VALIDATOR TEST: Attempt to trigger TaxGPT processing for a test client that does NOT have a signed §7216 consent form in TaxDome. Verify that the system blocks processing and generates an alert. Then upload a signed consent form, re-trigger processing, and verify it proceeds. This validates the compliance gate is functioning correctly.
• MFA ENFORCEMENT TEST: Attempt to log into each critical system (TaxDome, Drake Tax Online, Dext, Botkeeper, QBO, Microsoft 365) with correct username and password but WITHOUT completing MFA. Verify that access is denied in every case. Then complete MFA with YubiKey and verify access is granted. Document any system that allows password-only access — these must be remediated immediately.
• FIREWALL POLICY TEST: From an accounting workstation on VLAN 10, attempt to access a non-whitelisted cloud service (e.g., a personal Dropbox URL). Verify the connection is blocked by the FortiGate firewall. Then access an approved service (app.taxgpt.com). Verify the connection succeeds. Check FortiGate logs to confirm both the block and allow events are logged.
• BACKUP RESTORE TEST: Initiate a restore of a test client's data from Veeam backup (email, OneDrive files) to a test location. Verify that all files restore successfully and are readable. Also restore a Drake Tax backup file and verify the client return opens correctly in Drake. Measure and document restore time — should be under 30 minutes for a single client's data.
• TAXDOME WORKFLOW AUTOMATION TEST: Create a test client in TaxDome, send them a tax organizer via the client portal. Log into the portal as the test client, upload the required documents, and mark the organizer as complete. Verify that the TaxDome workflow automation triggers correctly: stage advances, notification is sent to the assigned preparer, and (if configured) the Dext/TaxGPT integration is triggered.
• SAFESEND RETURN DELIVERY TEST: Process a completed test return through SafeSend Returns from Drake Tax. Verify that SafeSend correctly assembles the return package (federal, state, cover letter, e-file authorization forms), sends the delivery email to the test client, and that the client can access the return using their authentication credentials (last 4 SSN + DOB). Verify e-signature functionality on Form 8879.
• END-TO-END PIPELINE TEST: Execute the complete workflow for one test client from document upload through return delivery. Time each stage: document upload -> Dext extraction -> TaxGPT draft preparation -> QA review prompt -> human review -> SafeSend delivery. Document total elapsed time and note any bottlenecks or failures. Target: complete pipeline in under 4 hours for a standard 1040 (excluding human review time).
• ANOMALY DETECTOR TEST: Seed a test QBO company with 3 months of normal transaction history, then add 5 anomalous transactions in the current month (one duplicate payment, one amount 3x historical average for vendor, one new vendor over $500, one round-number $5,000 transaction, one transaction at $9,800 near reporting threshold). Run the Reconciliation Anomaly Detector agent. Verify it flags all 5 anomalous transactions with appropriate severity levels.

Client Handoff

The client handoff session should be a structured 3-hour meeting with the firm's partners, senior accountants, and administrative staff, divided into three segments:

Segment 1 — Operations Training (90 minutes):

• Document scanning workflow: how to use ScanSnap iX2500, proper document preparation (remove staples, orient pages), batch scanning procedures, and troubleshooting paper jams
• TaxDome client portal management: sending organizers, managing client uploads, monitoring pipeline stages, using the client messaging system
• Dext document review: how to review AI-extracted data, correct errors, approve/reject items, and train the AI by correcting categorizations
• Botkeeper monitoring: how to review AI-categorized transactions, handle flagged items, approve month-end reconciliations
• TaxGPT workflow: how to submit returns for AI preparation, monitor agent progress, handle agent errors, and review draft returns
• SafeSend Returns: how to process completed returns for delivery, track client signature status

Segment 2 — Review & Quality Assurance Training (45 minutes):

• How to use the Tax Return Quality Assurance Checker prompt with GPT-4.1
• How to interpret anomaly detection reports from the Reconciliation Anomaly Detector
• Mandatory human review checklist for every AI-prepared return (provide printed checklist)
• Escalation procedures when AI output appears incorrect
• How to provide feedback to improve AI agent accuracy over time

Segment 3 — Security & Compliance Review (45 minutes):

• §7216 consent process: when and how to obtain AI processing consent from new clients
• MFA usage: YubiKey registration, backup procedures, what to do if a key is lost
• WISP review: walk through the firm's Written Information Security Plan, ensure all staff understand their responsibilities
• Incident response: what to do if a data breach is suspected, who to contact, documentation requirements
• Password and access policies: review firm's credential management practices

Documentation to Leave Behind:

Success Criteria to Review Together:

Maintenance

Monthly Maintenance Tasks (MSP Responsibility):

• Review and apply security patches to all workstations (via Intune — verify compliance report shows 100% patched)
• Verify FortiGate firmware is current and UTP signatures are updating daily
• Check SentinelOne/EDR agent health across all endpoints — remediate any offline agents
• Review Botkeeper categorization accuracy metrics — if accuracy drops below 90%, investigate root cause (new vendor patterns, chart of accounts changes)
• Verify all backup jobs completed successfully — spot-check one random restore
• Review TaxGPT Desktop Agent connectivity logs — ensure agent uptime > 99% during business hours
• Check Dext extraction accuracy reports — flag any document types with declining accuracy
• Review Azure AD sign-in logs for suspicious activity (impossible travel, failed MFA attempts)
• Generate and review monthly security posture report for the firm

Quarterly Maintenance Tasks:

• Full backup restore test (select random client, restore all data, verify integrity)
• Review and update firewall rules — remove any temporary exceptions, verify AI vendor IP/FQDN whitelists are current
• Review user access across all platforms — remove any departed employees, verify role assignments
• Update WISP document with any changes to firm operations, technology, or personnel
• Review AI agent performance metrics with firm management — returns processed, accuracy rates, time savings
• Check for software version updates across all platforms (TaxGPT, Dext, Botkeeper, TaxDome, Drake Tax) — schedule updates during non-peak periods
• Review §7216 consent expiration dates — flag clients whose annual consent is approaching expiration

Annual Maintenance Tasks:

• Conduct or coordinate annual penetration test (required by FTC Safeguards Rule) — budget $2,000–$5,000
• Conduct bi-annual vulnerability assessment (can be done with internal tools + Nessus/Qualys)
• Renew all software subscriptions (Drake Tax, TaxGPT, Dext, Botkeeper, TaxDome, SafeSend, M365)
• Review and renew cyber liability insurance policy
• Update §7216 consent forms if AI vendors have changed
• Review and update the full WISP document — annual review is required by IRS
• Conduct annual security awareness training for all firm staff (phishing simulation + training)
• Review AI vendor SOC 2 reports — request current attestation letters from TaxGPT, Dext, Botkeeper
• Evaluate new AI capabilities and features released during the year — recommend upgrades
• Budget planning for next fiscal year's AI and security investments

Tax Season Preparation (September–December):

• Update Drake Tax to current tax year version
• Update TaxGPT agent for current year tax law changes
• Test full pipeline with current-year sample returns before January
• Verify all bank feed connections are active in QBO
• Send §7216 consent renewal requests to all existing clients
• Scale up TaxGPT agent capacity if needed for expected return volume
• Ensure all ScanSnap scanners are cleaned and functioning (run cleaning sheets)
• Pre-configure TaxDome organizers for the new tax year

SLA Considerations:

• During tax season (January 15 – April 15): 4-hour response / 8-hour resolution SLA for any system affecting return preparation
• Off-season: next business day response / 48-hour resolution standard SLA
• Critical security incidents (suspected breach, ransomware): 1-hour response, 24/7 coverage required
• AI platform outages: escalate to vendor support immediately; maintain manual fallback procedures

Escalation Path:

• L1 (MSP Helpdesk): Scanner issues, basic login problems, password resets, general workstation support
• L2 (MSP Senior Tech): AI platform configuration issues, integration failures, Dext/Botkeeper/TaxDome troubleshooting, bank feed reconnection
• L3 (MSP Solutions Architect / vCISO): Compliance concerns, §7216 questions, WISP updates, security incidents, AI accuracy degradation, vendor escalations
• Vendor Support: TaxGPT (enterprise support channel), Dext (partner support), Botkeeper (partner success manager), Drake (support hotline 828-524-8020)

Model Retraining / AI Tuning Triggers:

• Dext: Retrain when extraction accuracy for a document type drops below 95% — correct errors in Dext to improve the learning model
• Botkeeper: Review categorization rules when a new major vendor is added, chart of accounts is restructured, or client's business model changes significantly
• TaxGPT: Annually updated by vendor for tax law changes; report persistent errors to TaxGPT support for model improvement
• Anomaly Detector: Update historical baseline data annually; adjust threshold parameters if false positive rate exceeds 20% or false negative rate is observed
• QA Checker Prompt: Update annually for tax law changes; add new review criteria based on IRS compliance focus areas for the current filing season