An independent cybersecurity review across leading Texas CPA and tax firms reveals a wide range of results. Firms that prepare returns hold extremely sensitive taxpayer data, yet many show significant gaps in basic email authentication.
Using data from audit.emailmenow.com, we evaluated each firm’s domain across SPF, DKIM, DMARC, transport security, and website security headers.
Cybersecurity Scores of Major Texas Accounting Firms
Overall compliance scores from audit.emailmenow.com, measured June 2, 2026. Re-run any domain at the link to verify.
| Rank | Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Weaver | weaver.com | 71% | Strong |
| 2 | Maxwell Locke & Ritter | mlrpc.com | 70% | Strong |
| 3 | ATKG | atkgcpa.com | 64% | Good |
| 3 | Doeren Mayhew | doeren.com | 64% | Good |
| 5 | Lane Gorman Trubitt | lgt-cpa.com | 60% | Above Average |
| 5 | FORVIS Mazars | forvis.com | 60% | Above Average |
| 7 | Calvetti Ferguson | calvettiferguson.com | 58% | Average |
| 7 | Atchley & Associates | atchleycpas.com | 58% | Average |
| 9 | Carr, Riggs & Ingram | cricpa.com | 55% | Average |
| 10 | Whitley Penn | whitleypenn.com | 54% | Average |
| 10 | Henry & Peters | henrypeters.com | 54% | Average |
| 12 | PKF Texas | pkftexas.com | 50% | Below Average |
| 12 | Saville | savillecpa.com | 50% | Below Average |
| 14 | Montgomery Coscia Greilich | mcgcpa.com | 48% | Below Average |
| 15 | Goldin Peiser & Peiser | gppcpa.com | 44% | Weak |
| 16 | Sutton Frost Cary | sfcllp.com | 38% | Weakest |
What the Results Reveal
- Weaver (71%) and Maxwell Locke & Ritter (70%) lead, but no firm reaches a strong (85%+) posture.
- The majority sit in the 44–60% range — a sign that enforced DMARC (
p=reject), strict SPF, and transport protections are widely missing, despite the sensitive taxpayer data these firms hold. - Weak email authentication fuels the tax-season phishing and client-payment fraud that increasingly target CPA firms.
Why This Matters for CPA & Tax Firms
The IRS (Publication 4557) requires every tax professional to maintain a written information security plan (WISP) to keep a PTIN, and the FTC Safeguards Rule backs it with enforcement. Tax season is also peak phishing season for tax pros. Weak email authentication makes client-payment and refund fraud far easier.
See also — national audit
- Major U.S. CPA Firms (national)
- Major U.S. Tax Preparers (national)
- National Payroll Providers (national)
Recommendations for Accounting Firms
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers.
- Document your WISP and run recurring security awareness training before filing season.
Protect your firm and your clients. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=cpa-firms.
Contact EmailMeNow IT Consulting for help with your IRS-ready written security plan and email hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com, measured June 2, 2026 — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.