A cert expiry on your IRS e-filing proxy during tax season isn't a downtime event — it's an IRC §6651(a)(1) failure-to-file event for every client whose return doesn't make April 15.
Penalties run 5-25% of unpaid tax. CPA professional liability is engaged. The agency cannot manually file paper extensions for 500+ clients in 48 hours.
Accounting agencies building client portals, tax-prep platforms, and DOR submission relays for CPA firms deal with IRS e-Services Modernized e-File (MeF) cert chain failures during tax season triggering IRC §6651(a)(1) failure-to-file penalties (5-25% of unpaid tax) and CPA professional liability for clients incurring the penalty, state DOR portal cert dependencies (CA CDTFA, NY NYSDOL, FL DOR each with their own cert chain and CAA requirements) where CAA tightening from unrelated security audits breaks quarterly sales-tax filings, and AICPA SSAE 18 SOC 2 Type II + state CPA board cybersecurity requirements being compromised when client portal certs expire and clients submit W-2s, 1099s, and financial statements over unencrypted connections. Merlonix monitors every CPA-attached subdomain so the tax-season exposure surfaces 30 days before the failure window opens.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where accounting agencies get caught out
Three failure modes where SSL expiry creates IRS e-filing collapse during tax season, multi-state DOR cert chain mismatches that break quarterly sales-tax filings invisibly, and AICPA SOC 2 Type II + state CPA board cybersecurity-control failures.
Accounting agencies building client portals, tax-prep platforms, and DOR submission relays for CPA firms deal with IRS e-Services Modernized e-File (MeF) cert chain failures during tax season triggering IRC §6651(a)(1) failure-to-file penalties (5-25% of unpaid tax) and CPA professional liability, multi-state DOR portal cert dependencies (CA CDTFA, NY NYSDOL, FL DOR with its legacy Entrust trust anchor, TX Comptroller) where CAA tightening from unrelated SOC 2 hardening breaks quarterly sales-tax filings invisibly (discovered only at next quarter-end), and AICPA SSAE 18 SOC 2 Type II Trust Services Criteria CC6.7 compromised when client portal certs expire and W-2s, 1099s, K-1s, and brokerage statements transmit over unencrypted connections during the audit period of review.
IRS e-Services Modernized e-File (MeF) requires TLS to a specific cert chain rooted at the IRS root CA, with the agency's submission cert chaining to a CA on the IRS-approved list (currently DigiCert, Entrust, IdenTrust, Sectigo, GlobalSign). MeF submissions are required for Form 1040 returns from preparers who file 11+ returns annually (IRC §6011(e) e-file mandate). When the agency's e-filing proxy cert expires during tax season — worst case: between March 1 and April 15 — every client's electronic filing fails with a MeF protocol error. The agency cannot manually file paper extensions for 500+ clients in 48 hours; even Form 4868 extensions require either e-filing or postal mail by April 15. Penalties under IRC §6651(a)(1) (failure-to-file) start at 5% per month up to 25% of unpaid tax. CPA professional liability is engaged for any client incurring the penalty — the CPA's engagement letter typically includes a guarantee of timely filing if the client provides documents by the agreed deadline.
An accounting agency operates the e-filing proxy infrastructure (efile.cpafirmname.com) for a regional CPA firm with 600 individual tax clients and 80 small-business clients. The cert on efile.cpafirmname.com expires on March 14 — exactly four weeks before April 15. The renewal automation failed two months earlier because the IRS rotated their MeF endpoint cert chain (added Sectigo to the approved CA list) and the agency's chain validation logic was hard-coded to the old approved list. The expiry is discovered Monday, March 14, when the firm's senior tax partner notices no e-files have submitted since Friday. The agency engineer triages, identifies the chain validation logic, fixes it, re-runs the renewal — but the four-day backlog (Friday + weekend + Monday) has 240+ client returns queued. The agency races to clear the backlog, but the firm's tax partners are concerned about the remaining 28 days. Every client return submitted during the backlog window risks acceptance delays at the IRS that push the filing past April 15.
An accounting agency operates the e-filing proxy infrastructure for Regional Tax Partners, a 25-CPA regional firm in the Midwest serving 600 individual tax clients and 80 small-business clients. The e-filing proxy is hosted at efile.regionaltaxpartners.com — a tax-software-integrated relay that receives client returns from the firm's tax-prep platform and submits to IRS e-Services MeF. The cert on efile.regionaltaxpartners.com chains through DigiCert (one of the five IRS-approved CAs as of the 2026 tax season). Two months ago (mid-January 2026), the IRS published an update to the MeF Authorized Issuer list adding Sectigo. The agency's chain validation logic — which validates the chain at e-filing submission time as a defense-in-depth check — was hard-coded against the previous five-CA list (DigiCert, Entrust, IdenTrust, GlobalSign, Symantec/now-DigiCert). The Symantec→DigiCert consolidation in 2017 already required a list update; the agency engineer who wrote the hard-coding chose against using a dynamic list. The 2026 update adding Sectigo broke the agency's validation logic for any future cert renewal — but didn't cause an immediate issue because the existing cert was issued by DigiCert (still on the list) and wasn't up for renewal yet. The cert's 90-day cycle hits its renewal window on March 11. The agency's renewal automation requests a new cert from Let's Encrypt (chains through IdenTrust, on the approved list — but the agency hard-coded its own chain check to require specific intermediate CAs that no longer match what LE serves). The automation rejects the cert and falls back to the previous cert, which expires March 14 (Monday). All e-filings from Monday morning onward fail with MeF Authentication errors. The firm's senior tax partner notices Monday afternoon when the e-filing acknowledgment reports for the morning batch are empty. 
The agency engineer is paged; investigation takes 4 hours to identify the chain validation logic; fix + redeploy takes 2 hours; cert renewal takes 1 hour. By 11 PM Monday, e-filing is restored. The four-day backlog (Friday before, weekend, Monday): 240+ client returns. Clearing the backlog takes 48 hours. April 15 deadline: 24 days away. The firm's tax partners are concerned about IRS-side acceptance delays — the MeF acknowledgment cycle is typically 24-48 hours but can stretch to 5-7 days during tax season under load. Any client return that doesn't receive an "Accepted" acknowledgment by April 15 may be deemed not-filed for §6651(a)(1) purposes (the e-file submission timestamp is the filing date if and only if the return is ultimately accepted). The agency's engagement contract with the firm includes a tax-season uptime SLA; the SLA is triggered. The firm's engagement letters with clients include a timely-filing guarantee; for any client whose return is delayed past April 15 due to the agency's outage, the firm must absorb the penalty under the guarantee — and the firm's indemnity from the agency is triggered for those penalties. The agency's E&O policy is triggered. Reputation exposure with the firm and the firm's peer network of regional CPA firms is significant.
State Department of Revenue (DOR) portals each run their own cert chain and CAA requirements. CA CDTFA (sales/use tax) requires submission endpoints to chain back to specific CAs; NY NYSDOL has a different requirement; FL DOR uses its own dedicated chain; TX Comptroller has a different chain. The agency operating a multi-state sales-tax filing service must maintain compatibility with each state's cert chain requirements simultaneously. When the agency tightens its CAA records on its primary submission endpoint during a security audit (CAA tightening is a common SOC 2 hardening recommendation), the next 90-day cert renewal issues against the tightened CA list. If the resulting cert chain is no longer compatible with one or more state DOR portals, submissions to those states fail. Late-filing penalties accrue per-state, per-month — CA: 10% of tax due per month up to 30%; NY: 10% + 1.5% per month interest; FL: 10% + 1% per month. The failure is discovered only at next quarterly filing time (the previous quarter's filing was already submitted before the CAA change took effect).
An accounting agency operates a multi-state sales-tax filing service (filings.salestaxagency.com) for 80 e-commerce client businesses across 45 states. During a SOC 2 Type II hardening project, the agency tightens the CAA record on its submission endpoint to pin to DigiCert. The next 90-day cert renewal issues a DigiCert-chained cert. CA CDTFA accepts it. NY NYSDOL accepts it. FL DOR rejects it because FL DOR's submission API has a hard-coded trust anchor at a specific Entrust intermediate cert (legacy from FL DOR's 2018 e-services portal redesign). The agency doesn't notice because Q1 2026 filings were already submitted before the CAA change took effect. Q2 2026 filings (due April 20 for quarterly filers, July 20 for monthly filers in late-pay states) start failing for the 18 client businesses with FL nexus.
An accounting agency operates a multi-state sales-tax filing service for 80 e-commerce client businesses with sales-tax nexus across 45 states (most are concentrated in CA, NY, TX, FL, IL — the high-volume e-commerce states). The submission infrastructure is filings.salestaxagency.com — a relay that receives transaction data from clients' e-commerce platforms (Shopify, BigCommerce, WooCommerce) and submits aggregated sales-tax filings to each state DOR via the state's e-services portal. The cert on filings.salestaxagency.com chains through DigiCert. The agency runs a SOC 2 Type II hardening project in early 2026; one recommendation from the auditor is to tighten CAA records to pin to specific commercial CAs only (rather than allowing any CA, which is the LE-permitting default). The agency tightens the CAA at salestaxagency.com to allow only DigiCert. The next 90-day cert renewal for filings.salestaxagency.com (early April 2026) issues a DigiCert-chained cert. The cert installs and serves correctly. CA CDTFA accepts the new cert chain (DigiCert is on CA CDTFA's approved list). NY NYSDOL accepts the new cert chain (DigiCert is on NY's approved list). FL DOR rejects the new cert chain at the submission API. FL DOR's e-services portal — redesigned in 2018 under a state IT project — has a hard-coded trust anchor at a specific Entrust intermediate cert; submissions presenting a chain that doesn't terminate at that exact intermediate are rejected with HTTP 502 and a generic "TLS validation failed" message. The agency's automation doesn't alert because the Q1 2026 filings (due April 20 for quarterly filers, due on rolling deadlines for monthly filers) were already submitted in late March, before the cert renewal. Q2 filings begin in early July. The 18 client businesses with FL nexus see their FL filings fail every retry. 
The agency's ops team notices when FL DOR sends notice-of-non-filing letters to the client businesses; the clients forward to the agency demanding explanation. The agency engineer investigates; identifies the FL DOR Entrust trust anchor; obtains a new cert from Entrust (requires opening a new account with Entrust, validating the domain, paying the cert fee); installs alongside the DigiCert cert in a SNI-based config that serves DigiCert to most state DORs and Entrust specifically to FL DOR. Late-filing penalties for the 18 FL-nexus client businesses: 10% of FL sales tax due per month, plus 1% interest per month, accruing from the original due date until filing is accepted. For an average client business with $50,000 quarterly FL sales tax, one month late = $5,000 penalty + $500 interest. Across 18 clients × 1 quarter = ~$100,000 in penalties + interest. The agency's engagement contracts with the client businesses include filing-deadline SLAs and indemnity for filing failures caused by agency infrastructure; the indemnity is triggered. The agency's E&O policy is triggered.
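The check that would have surfaced this at the moment of the CAA change, as an added example (not Merlonix code): it resolves the effective CAA policy for a hostname the way RFC 8659 does, climbing from the name toward the root, and compares the permitted issuers with what each downstream accepts. The zone snapshots and the `DOWNSTREAM_ACCEPTS` table are constructed from the scenario above, not from any published DOR requirement, and the CAA issuer domains are sample values.

```python
# Constructed CAA snapshots: owner name -> list of (tag, value) properties.
ZONE_BEFORE = {}  # no CAA record anywhere, so any CA may issue
ZONE_AFTER = {"salestaxagency.com": [("issue", "digicert.com")]}
ZONE_SPLIT = {  # a subdomain RRset takes precedence over the apex
    "salestaxagency.com": [("issue", "digicert.com")],
    "filings.salestaxagency.com": [("issue", "digicert.com"),
                                   ("issue", "entrust.net")],
}

# Assumption taken from the scenario: CAA issuer domains whose chains each
# downstream endpoint accepts.
DOWNSTREAM_ACCEPTS = {
    "CA CDTFA": {"digicert.com"},
    "NY NYSDOL": {"digicert.com"},
    "FL DOR": {"entrust.net"},
}


def effective_issuers(hostname, zone):
    """Return (owner, issuers) for a non-wildcard hostname.

    The first CAA RRset found while climbing from the hostname toward the
    root is the relevant one. issuers is None when issuance is unrestricted.
    """
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if not rrset:
            continue
        values = [value for tag, value in rrset if tag.lower() == "issue"]
        if not values:
            # An RRset with no "issue" property does not restrict issuance.
            return owner, None
        # Drop parameters after ';'. A bare ';' leaves an empty set,
        # which means no CA may issue.
        return owner, {v.split(";")[0].strip().lower() for v in values} - {""}
    return None, None


def blocked_downstreams(hostname, zone, accepts=DOWNSTREAM_ACCEPTS):
    """Downstreams for which no CAA-permitted CA issues a chain they accept."""
    _, issuers = effective_issuers(hostname, zone)
    if issuers is None:
        return []
    return sorted(name for name, ok in accepts.items() if not (issuers & ok))


def caa_change_report(hostname, before, after, accepts=DOWNSTREAM_ACCEPTS):
    """Compare two snapshots and name the downstreams the change affects."""
    old = set(blocked_downstreams(hostname, before, accepts))
    new = set(blocked_downstreams(hostname, after, accepts))
    return {
        "policy_owner": effective_issuers(hostname, after)[0],
        "newly_blocked": sorted(new - old),
        "restored": sorted(old - new),
    }


if __name__ == "__main__":
    host = "filings.salestaxagency.com"
    print(caa_change_report(host, ZONE_BEFORE, ZONE_AFTER))
    print(caa_change_report(host, ZONE_AFTER, ZONE_SPLIT))
```

Run against the tightening, the report names FL DOR as newly blocked on the day the record changes rather than at the next quarter-end.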
AICPA Statement on Standards for Attestation Engagements (SSAE) 18 governs SOC 2 reports. The SOC 2 Type II Trust Services Criteria include CC6.7 (the entity restricts the transmission of information to authorized users) and CC6.8 (the entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software). Encryption-in-transit on client portals carrying taxpayer financial data is implicitly required under CC6.7. State CPA boards (CA Board of Accountancy under the AICPA-aligned audit standards in CA Bus. & Prof. Code §5050; NY State Board for Public Accountancy under NY Education Law §7401; TX State Board under Texas Occ. Code §901.252) have analogous cybersecurity requirements as part of CPA license maintenance. When a CPA client portal's cert expires and clients submit W-2s, 1099s, K-1s, brokerage statements, and financial statements over an unencrypted connection, the SOC 2 Type II attestation is potentially compromised at the next audit period — the trust criteria don't allow exceptions for "the cert expired briefly." State CPA board complaints from affected clients are possible.
An accounting agency operates the client portal (portal.cpafirmname.com) for a mid-sized CPA firm with 220 clients (high-net-worth individuals, small businesses, professional practices). The cert expires due to a Let's Encrypt renewal failure during a Q3 firm-wide infrastructure freeze (the firm imposed a code-freeze during the tax-extension deadline window in mid-September; the agency's renewal automation requires a deploy to pick up a cert config change and was blocked by the freeze). During the 9-day cert-expired window, 47 clients submit W-2s, 1099s, K-1s, and brokerage statements through the portal — the data transmits over the expired cert. The firm's SOC 2 Type II audit period begins October 1. The auditor flags the cert-expiry window as a control failure under CC6.7.
An accounting agency operates the client portal for Mid-Market Tax Advisors, a 12-CPA firm serving 220 clients across high-net-worth individuals (40), small businesses (130), and professional practices (50 — mostly dental, medical, and legal). The portal handles document upload (W-2s, 1099s, K-1s, brokerage statements, business financials), engagement letter signing (DocuSign integration), and document delivery (final returns, advisory memos). The portal is hosted at portal.midmarkettaxadvisors.com with a Let's Encrypt cert on a 90-day cycle. The firm maintains AICPA SOC 2 Type II attestation; the most recent Type II report covers October 1, 2025 through September 30, 2026 (the firm uses an October 1 fiscal year for SOC 2 audit cadence). The firm imposes a firm-wide code-freeze every September from September 1 through October 15 to ensure stability during the tax-extension deadline week (October 15). The freeze prohibits any production code change without partner-level approval. The agency's LE renewal automation runs continuously and is exempt from the freeze, but the automation requires a config change (a new ACME challenge endpoint configured the previous quarter) that requires a deploy to apply. The deploy is blocked by the freeze. The previous cert expires September 9 — mid-freeze. The agency engineer notices the expiry alert; cannot deploy the config change to fix the renewal; escalates to the firm's managing partner for partner-level approval to deploy during the freeze. The managing partner is out-of-office at a CPA conference; the request sits in queue. By September 18 (9 days post-expiry), 47 clients have submitted documents through the portal — the documents transmit over the expired cert. Mobile Safari users (most clients on mobile) get a hard block on iOS 18+ if the site isn't HSTS-preloaded; the portal isn't preloaded, so users see the warning and most click through to complete submission. Desktop Chrome users get the warning and most click through. 
Discovery happens September 18 when the managing partner returns and approves the deploy. The agency engineer deploys the config change, the renewal succeeds, the cert is restored. The firm's SOC 2 Type II audit period begins October 1. The auditor performs the period-of-review testing and identifies the cert-expiry window in the systems-availability log review. Under SOC 2 Type II Trust Services Criteria CC6.7, the auditor flags this as a control failure: the entity did not maintain transmission encryption controls during the 9-day window. The audit report records a "qualified opinion" with the cert-expiry exception explicitly listed; the firm's sales pipeline of new institutional clients (which is contingent on a clean SOC 2 Type II report) is impacted for the next year. State CPA board complaints are also possible: any client who submitted documents during the expired-cert window and later experiences a data-breach or identity-theft event has standing to file a complaint with the state CPA board (CA Board of Accountancy if the firm is CA-domiciled, NY State Board for Public Accountancy if NY-domiciled). The agency's engagement contract with the firm includes a cybersecurity SLA and indemnity; the indemnity is triggered for the SOC 2 audit's qualified opinion impact on the firm's revenue. The agency's E&O policy is triggered.
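A renewal pre-flight covering two of the scenarios above, the stale hard-coded issuer list and the freeze that blocks the renewal deploy, as an added example (not Merlonix code or the agency's). It keeps the approved-issuer list in data, reports a rejected issuer instead of silently falling back, and measures lead time against the last day a deploy can land rather than against expiry. The policy documents, function names and the issuer-by-organization-name match are assumptions for illustration; the dates and CA names are the ones on this page.

```python
from datetime import date, timedelta
import json

ALERT_DAYS = 30  # alert lead time quoted on this page

# Constructed policy documents. Keeping the list in data means an issuer-list
# update is a config change, not a code change.
POLICY_JSON = """{"approved_issuers":
  ["DigiCert", "Entrust", "IdenTrust", "Sectigo", "GlobalSign"]}"""
# The list the first scenario's validation logic was hard-coded to.
STALE_POLICY_JSON = """{"approved_issuers":
  ["DigiCert", "Entrust", "IdenTrust", "GlobalSign", "Symantec"]}"""


def load_approved(text):
    """Parse a policy document into a case-insensitive issuer set."""
    return {name.lower() for name in json.loads(text)["approved_issuers"]}


def renewal_deadline(not_after, freezes):
    """Last day a renewal deploy can land.

    Normally the day before expiry. If that day falls inside a freeze
    window, the deadline moves to the day before the freeze starts.
    """
    one_day = timedelta(days=1)
    deadline = not_after - one_day
    # Latest window first, so a deadline pushed back into an earlier
    # freeze is pushed back again.
    for start, end in sorted(freezes, reverse=True):
        if start <= deadline <= end:
            deadline = start - one_day
    return deadline


def preflight(today, not_after, candidate_issuer, approved, freezes=()):
    """Return the deploy deadline, days left, and the alerts to raise."""
    deadline = renewal_deadline(not_after, freezes)
    days_left = (deadline - today).days
    alerts = []
    if days_left <= ALERT_DAYS:
        alerts.append("renew_now")
    if deadline < not_after - timedelta(days=1):
        alerts.append("freeze_moves_deadline")
    if candidate_issuer.lower() not in approved:
        # Local validation would refuse the new cert: escalate, because a
        # silent fallback to the old cert only defers the outage to expiry.
        alerts.append("issuer_rejected")
    return {"deadline": deadline, "days_left": days_left, "alerts": alerts}


if __name__ == "__main__":
    freeze = [(date(2026, 9, 1), date(2026, 10, 15))]
    # Portal cert expiring September 9, checked on August 5.
    print(preflight(date(2026, 8, 5), date(2026, 9, 9), "IdenTrust",
                    load_approved(POLICY_JSON), freeze))
    # E-filing proxy cert expiring March 14, checked with the stale list.
    print(preflight(date(2026, 3, 11), date(2026, 3, 14), "Sectigo",
                    load_approved(STALE_POLICY_JSON)))
```

On August 5 the portal cert is 35 days from expiry, so an expiry-only 30-day alert has not fired, yet only 26 days remain before the freeze closes the deploy window.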
How it works
SSL and DNS monitoring for accounting agencies across IRS e-Services Modernized e-File proxies (tax-season failure-to-file exposure under IRC §6651(a)(1)), multi-state DOR submission endpoints (per-state late-filing penalty exposure when CAA tightening breaks chain compatibility), and SOC 2 Type II-scope client portals (AICPA + state CPA board cybersecurity-control exposure).
Merlonix monitors SSL expiry and DNS integrity across every CPA-attached subdomain — portal.* (client document portal), efile.* (IRS MeF proxy), filings.* (state DOR submission relay), intake.* (client intake) — and catches cert expiry on tax-season-critical infrastructure 30 days before any IRS MeF submission can fail and trigger §6651(a)(1) penalties, before any state DOR submission can fail and accrue per-state late-filing penalties, and before any client portal cert expiry can create a SOC 2 Type II audit exception. Each CPA subdomain gets independent monitoring because each one has independent regulatory exposure that flows back to the agency under the engagement's cybersecurity SLA and indemnity provisions.
01
Add every CPA-attached subdomain — portal.*, efile.*, filings.*, intake.*, plus the firm's primary marketing domain — with DNS TXT verification that catches cert expiry on tax-season-critical infrastructure 30 days before the IRS MeF or state DOR submission window opens
Verify ownership with a DNS TXT record on the apex domain. All CPA-attached subdomains under that apex — portal.* (client document portal), efile.* (IRS MeF e-filing proxy), filings.* (state DOR submission relay), intake.* (client intake forms) — are added without additional verification. Monitoring every CPA-attached subdomain catches cert expiry on tax-season-critical subdomains 30 days before the failure window opens — well before any IRS MeF submission can fail and trigger IRC §6651(a)(1) penalties for the firm's 600+ tax clients, well before any state DOR submission can fail at quarter-end and accrue late-filing penalties, and well before any client portal cert expiry can create a SOC 2 Type II audit exception under CC6.7. Under two minutes per firm.
02
CAA inheritance monitoring across registrar changes, SOC 2 hardening projects, and code-freeze windows — surfacing the CAA tightening that breaks state DOR cert chain compatibility invisibly between quarterly filing cycles
Three independent DNS resolvers check every CNAME and CAA record on every monitoring interval, walking the CAA inheritance chain from the apex up. When a CAA record is tightened during a SOC 2 hardening project (a common SOC 2 Type II recommendation), the change is detected in the first check cycle — and the implications for state DOR cert chain compatibility (FL DOR's Entrust trust anchor, CA CDTFA's approved CA list, NY NYSDOL's requirements) are surfaced before the next cert renewal issues a chain that may be incompatible with one or more state DOR portals. Code-freeze windows (typical at CPA firms during tax-extension week in mid-October) that block deploys for renewal config changes are also tracked as a risk signal.
03
SSL monitoring 30 days before expiry across IRS MeF e-filing proxies, multi-state DOR submission endpoints, and SOC 2 Type II-scope client portals — independent per-subdomain checks because each one has independent regulatory exposure
Full SSL chain validation on every CPA-attached subdomain. Independent checks catch cert expiry 30 days before the failure window opens — enough time to coordinate any chain validation logic updates (e.g., when the IRS updates the MeF Approved Issuer list, as happened January 2026 with the addition of Sectigo), test the new cert against the IRS MeF endpoint plus each in-scope state DOR endpoint, and avoid any deploy collision with firm-wide code-freeze windows during tax season. The 30-day lead time covers both the 90-day Let's Encrypt cert cycle and the worst-case code-freeze + partner-approval cycle for cert config deploys.
04
Vendor status for IRS e-Services MeF, the major state DORs (CA CDTFA, NY NYSDOL, FL DOR, TX Comptroller, IL DOR, OH DOT, PA DOR, NJ DOT), the tax-prep platform vendors (Drake, Lacerte, ProSeries, UltraTax, CCH ProSystem fx), and Let's Encrypt — to distinguish vendor-side incidents from per-firm SSL configuration failures
Merlonix monitors IRS e-Services MeF status (status.irs.gov), the major state DOR portals' status pages, and the tax-prep platform vendors' status pages alongside the firm's cert state — so when IRS MeF has a platform-wide incident (common during peak tax-season load), you see the vendor event clearly rather than spending hours investigating whether the firm's efile.* subdomain has a cert problem. State DOR status monitoring is particularly important during quarterly filing windows (April 20, July 20, October 20, January 20 for quarterly filers) when DOR portals are under load and may experience transient TLS issues.
What the numbers mean for accounting agencies
Monitoring built for accounting agencies where one CPA firm portfolio means an IRS MeF e-filing proxy (tax-season failure-to-file exposure for 500+ clients), a multi-state DOR submission relay (per-state late-filing penalty exposure across 30+ states with different cert chain requirements), and a SOC 2 Type II-scope client portal (audit-period control exception exposure under AICPA Trust Services Criteria CC6.7 and state CPA board cybersecurity rules).
Accounting agencies operating client-facing tech for CPA firms need monitoring that recognizes each CPA-attached subdomain has independent regulatory exposure — because the IRS MeF failure during tax season is silent in its early hours (the e-filing acknowledgment cycle takes 24-48 hours, so a cert expiry on Friday afternoon may not surface until Monday morning), the state DOR chain mismatch is silent across an entire quarter (the previous quarter's filings were already submitted before the CAA change took effect; the failure surfaces only at next quarter-end), and the SOC 2 Type II control exception is silent until the audit's period-of-review testing identifies the cert-expiry window in the systems-availability log review.
< 10 min
Time from DNS change to alert — catches CAA tightening introduced by SOC 2 hardening projects (a common recommendation that silently breaks state DOR cert chain compatibility for FL DOR's Entrust trust anchor and similar legacy chains) before the next 90-day cert renewal issues an incompatible chain, plus registrar nameserver changes during tax season
30 days
SSL expiry warning lead time — enough time to coordinate any chain validation logic updates required by IRS MeF Approved Issuer list changes (Sectigo was added January 2026), test the new cert chain against the IRS MeF endpoint plus every in-scope state DOR endpoint, and avoid deploy collisions with firm-wide code-freeze windows during tax-extension week (typically September 1 - October 15)
11 vendors
Upstream services monitored — IRS e-Services MeF status, the major state DOR status pages (CA CDTFA, NY NYSDOL, FL DOR, TX Comptroller, IL DOR), the tax-prep platform vendors (Drake, Lacerte, ProSeries, UltraTax, CCH ProSystem fx), and Let's Encrypt. Distinguishes a vendor-side incident from a per-firm SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full CPA-vertical portfolio: 25+ CPA firms each with portal.*, efile.*, filings.*, intake.*, and apex subdomains. Multi-state CPA firms with separate filings subdomains per state nexus (filings.ca.cpafirmname.com, filings.ny.cpafirmname.com) are absorbed without per-domain fees
Pricing
Flat monthly fee. Every CPA-attached subdomain, every IRS MeF proxy, every state DOR submission endpoint included.
No per-firm charges. No per-state fees. Pick the tier that fits your CPA-vertical portfolio and monitor every tax-season-critical subdomain (portal.*, efile.*, filings.*, intake.*) under each firm's apex without billing surprises.
Starter
For solo developers or two-person agencies operating a single CPA firm's client portal, IRS e-filing proxy, and state DOR submission endpoint under one apex domain.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For accounting agencies managing 5-10 CPA firm clients with separate portal.*, efile.*, filings.*, and intake.* subdomains per firm, plus the firm's primary marketing domain.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full CPA-vertical client roster including multi-state CPA firms with sales-tax nexus across 45+ states (separate filings.* subdomains per state nexus), SOC 2 Type II-scope client portals, and IRS MeF proxies handling 500+ tax clients per firm during peak tax season.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when your IRS MeF e-filing proxy is approaching cert expiry — 30 days before tax season, not 28 days before April 15 with 240+ returns backlogged.
Add your first CPA firm subdomain in under two minutes. Client document portals, IRS MeF e-filing proxies, state DOR submission relays, and client intake forms across every firm in your portfolio are monitored from the same dashboard. 14-day trial, no card required.