Not all Independent Security Studies are the same. The regulation is specific about what a qualifying study looks like, and the differences between a defensible study and a weak one aren't subtle. For companies responsible for hiring an ISS firm, understanding the four requirements isn't just due diligence. It's the difference between a study that holds up on audit and one that doesn't.
Treasury Regulation §1.132-5(m)(2)(iv) sets out the conditions. All four have to be met. Meeting three out of four isn't a partial credit situation.
Requirement one: independence
The study has to be performed by an independent third party. The regulation uses that word deliberately, and the IRS looks for what any attestation function requires: no financial interest in the outcome, no ongoing operational role in the client's security program, no contingent compensation, no referral relationships with vendors who provide the recommended services.
This is where most ISS providers fail, structurally and not incidentally.
Look at the list of companies offering ISS work. Nearly all of them also sell executive protection services, operate driver programs, provide TSCM sweeps, install residential security hardware, or refer clients to vendors who do. Some are honest about this; others describe themselves as "independent" because the ISS team sits in a different business unit than the services team. That's not independence. It's a disclosure.
The conflict matters for a specific reason. An ISS firm that also sells the recommended services has a financial interest in recommending more services, in qualifying borderline cases, and in conclusions that generate downstream revenue. The regulation's independence requirement exists to prevent exactly that conflict from infecting the analysis.
An engagement where the same firm conducts the study and then staffs the executive protection program is not a qualifying Independent Security Study for purposes of the working condition fringe exclusion, regardless of how it's marketed. Tax counsel representing the client on a future audit will recognize this immediately.
The right question to ask any ISS firm before engaging: Do you sell, install, or staff any of the security measures you recommend? A clear no is the only acceptable answer.
Requirement two: objective assessment of all facts and circumstances
"Objective" and "all" are both operative. Neither is a soft standard.
An objective assessment means the firm cannot start from the conclusion the client wants and work backward to support it. This sounds obvious until you see how common the opposite approach is. A company wants its CEO's security program to qualify for the working condition fringe exclusion. A firm willing to produce that result regardless of what the facts say is providing a document, not an analysis. That document fails requirement two.
The regulation requires the study to be grounded in "all facts and circumstances." The uncomfortable facts have to be in the record. If the executive has declined security arrangements in the past, that fact goes in the study. If the company has been providing what looks more like lifestyle enhancement than threat response, the study has to confront that. If the threat environment is genuinely low-level despite the executive's visibility, the study has to say so.
This requirement also has a real operational dimension. A thorough assessment of all facts and circumstances requires a structured methodology for gathering them. Interview protocols covering the executive, their family, corporate security, communications staff, and legal counsel. Physical site assessments at both the corporate office and the residence. Digital exposure analysis to understand what publicly available information could facilitate physical targeting. Open-source threat intelligence specific to the executive's industry, litigation history, and public profile.
Our firm's engagement produces a set of specialized reports that feed into the final study rather than delivering a single combined document. A physical security assessment, a digital risk and exposure analysis, and a PII exposure inventory each address a distinct dimension of the threat environment. That structure exists because "all facts and circumstances" is not a checklist item. It requires documented methodology across multiple categories of exposure, and each category contributes separately to an audit file that can be reconstructed years later.
Requirement three: reasonable recommendation
The regulation requires that the study recommend the full 24-hour overall security program is not necessary, and that this recommendation be reasonable under the circumstances.
Reasonableness has two parts.
The first is fit. The measures the study recommends have to actually address the concerns the study documents. A study that identifies residential targeting risk and then recommends only workplace security has a logical gap. The package doesn't match the analysis. That's not a defensible recommendation.
The second is proportionality. The regulation explicitly permits geographically or situationally scoped programs. Security for certain foreign travel but not domestic. Ground transportation security during a specific litigation window but not in ordinary circumstances. These narrower programs can be reasonable. What the regulation won't accept is a program so thin it isn't really a response to the documented risk, or a program so expansive it starts to look like a lifestyle upgrade dressed up as threat response.
The proportionality question is where much of the legitimate analytical work in ISS practice actually lives. The facts may support some measures but not others. The study has to track the analysis to the conclusions precisely. If the recommendations are reasonable and proportionate, the company can implement that specific set of measures and get the tax treatment. If the study overshoots the facts to justify a more expensive program, the whole thing weakens.
Requirement four: consistent application
This is the requirement that most programs fail, and the regulation's own examples leave no ambiguity about the consequence.
The employer has to apply the specific security recommendations from the study on a consistent basis. Consistent means all of them, across time, with documentation. Not most of them. Not all of them during the first year and a few after that. All of them.
Example 5 from §1.132-5(m)(8) is the cautionary tale the regulation itself provides. A company commissions a study recommending workplace security and ground transportation security. The company provides only the commuting security. The result: no overall security program is deemed to exist. The commuting value is taxable. The study is effectively useless for the tax position the company was trying to support.
That outcome is not unusual. Security programs are implemented by security directors and facilities teams. The tax position is maintained by tax directors and outside tax counsel. Neither group has visibility into the other's work by default. The security budget gets adjusted. The study doesn't get updated. The tax team assumes everything's fine. Nobody checks. An audit surfaces the gap years later.
The fix is organizational. The ISS has to be tracked like any other tax-sensitive position, with a named owner, an implementation inventory, and documented evidence that each recommended measure is actually in place. When measures change, either the study gets updated or the tax treatment has to be adjusted.
Our engagement file includes an implementation tracker that maps each recommendation to an owner and documents the evidence of consistent application. That tracker isn't optional. It's the document that connects the study to the tax position when the IRS asks.
The four requirements define what makes a study defensible. They also define what makes one undefendable. A study produced by a firm that sells the recommended services fails on independence. A study produced without structured interviews, site assessments, and digital exposure analysis fails on objectivity. A study with generic recommendations disconnected from the documented facts fails on reasonableness. And a study that the client implements inconsistently fails on the last requirement, regardless of how good the study itself was.
When evaluating ISS firms, these four requirements are the right frame for every question you ask. Can you demonstrate genuine independence, including no downstream revenue tied to recommendations? What does your methodology for gathering "all facts and circumstances" actually look like? How do you assess proportionality between documented concerns and recommended measures? And what do you provide to help the client track consistent implementation over time?
If you'd like to walk through how those questions apply to your program, we're glad to do a scoping call before any engagement.
This post is for informational purposes and does not constitute tax or legal advice.