Say your company pays $500,000 a year to keep the CEO safe. Alarm system at the house, a trained driver, digital risk monitoring, a few flights on the corporate aircraft that the board required for security reasons. All of it is money the company wrote a check for. And all of it lands in the same place by default: the CEO's W-2, as taxable compensation.
At a 37% federal rate plus state tax plus the gross-up most companies pay to cover the executive's added tax bill, that $500,000 can cost the company closer to $750,000 by the time everyone's made whole. The executive didn't ask for most of the security. The board required it. The company paid for it. And yet the tax code starts from the position that all of it is compensation.
There is an exception. It's narrow, it's been on the books for forty years, and most companies that should use it either don't know about it or don't set it up correctly. It's called the working condition fringe benefit exclusion for security, and it lives in Treasury Regulation §1.132-5(m).
That exception has a gatekeeper. Meet the requirements, and the security costs come off the executive's W-2. Miss them, and every dollar is compensation. The gatekeeper is the Independent Security Study.
What an Independent Security Study actually is
An Independent Security Study (ISS) is a formal compliance report produced by an independent third party. It does three things: documents the specific facts that support a genuine concern for the executive's safety, determines whether those facts justify round-the-clock protection, and specifies the narrower set of security measures appropriate to the actual threat environment.
If the study concludes that 24-hour protection isn't necessary, and the company implements the study's specific recommendations consistently, the security measures are treated for tax purposes as if full 24-hour protection had been provided. Home alarm? Not taxable. Trained bodyguard/chauffeur? Not taxable. Residential cameras? Not taxable. The company still deducts the expense. The executive pays no income tax on it.
That treatment only exists because the regulation carved a specific pathway for it. Without the ISS, the default is that everything is income.
The engagement produces a set of specialized reports that build into the final study, rather than a single combined deliverable. A physical security assessment, a digital risk and exposure analysis, and a PII exposure inventory each address a distinct dimension of the threat environment and the recommended measures. That structure matters because different parts of an audit defense rely on different parts of the file.
Why companies commission these studies
Tax treatment is the first reason. For a typical public-company executive security program, the difference between treating costs as compensation versus as a working condition fringe can be six or seven figures a year. Multiply by several named executive officers over several years, and the math becomes an audit committee conversation.
Audit defensibility is the second. Without a study, the company is relying on its own judgment about whether security qualifies for favorable treatment. With a properly conducted study, the company is relying on an independent third party's documented analysis. On an IRS examination, the difference between those two postures is material.
Proxy disclosure is the third. For public companies, security costs appear in the Summary Compensation Table under SEC Item 402. The ISS doesn't resolve the disclosure question, which operates under its own rules, but it produces the factual record the company needs to explain the program in the proxy narrative.
Then there's a fourth reason many boards have added recently. The killing of UnitedHealthcare CEO Brian Thompson in December 2024 prompted hard questions about executive protection at companies that had never thought carefully about it. Allied Universal reported executive protection assessments ran 10 to 15 times pre-December 2024 volumes by early 2025. UnitedHealth Group's 2024 proxy disclosed $1.7 million in executive security spending for the first time, against zero the prior year. Boards are now asking whether their programs are structured correctly, and whether the tax treatment holds up.
What the regulation actually requires
The Treasury regulation sets a high bar for two reasons: it wants genuine threat cases to qualify, and it doesn't want executive perquisites dressed up as security to qualify.
Four requirements matter, and all four have to be met.
The study has to be performed by an independent third party. The regulation uses "independent" deliberately. A firm that also sells the executive protection services the study recommends, installs the residential hardening, provides the drivers, or refers clients to vendors who do any of that has a structural conflict. The IRS doesn't have to disqualify the study on that basis alone, but the conflict weakens audit defense substantially. Most ISS providers sell downstream security services. This firm doesn't.
The assessment has to be objective and cover all facts and circumstances. Both words matter. The study can't skip uncomfortable facts. If the executive has declined security in the past, that's a fact. If the spouse is the one generating public exposure rather than the executive, that's a fact. An honest study documents what's actually there, including facts that cut against the conclusion the client might prefer.
The recommendations have to be reasonable. The measures the study recommends have to actually address the documented concerns. If the facts point to residential targeting risk and the recommendations focus on workplace security, the package doesn't match the analysis. The regulation also requires proportionality. A program too minimal to meaningfully respond to the documented risk fails. So does one so expansive it looks like a benefit program wearing a security costume.
The employer has to apply the recommendations consistently. This is where most programs fail on audit. The regulation's Example 5 is the cautionary tale: a company commissions a study recommending both workplace security and ground transportation security, then provides only the commuting security. No overall security program is deemed to exist. The commuting value becomes taxable. Years of exclusions collapse.
That failure pattern is common because security implementation and tax compliance often run in different parts of the organization. The security director implements what the facilities budget supports. The tax director assumes the full study is being applied. Neither checks with the other. An audit surfaces the gap years later.
Who should commission a study
The short answer is any company providing meaningful executive security to people whose visibility is tied to their role.
Some situations where a bona fide concern is clear: a public-company CEO with a consumer-facing brand, regular media presence, active social media, and a home address posted in activist forums. A general counsel entering a six-month window with a major product liability trial, a Senate hearing, and an FDA advisory committee meeting all overlapping. A founder-CEO who took the company public and retains significant visible ownership.
Some situations where the regulation's "generalized concern" language cuts harder: a CFO of a large financial services firm with no public profile, no threats, no unusual digital exposure. A division head whose role is senior but not public-facing. These are cases where the facts may not support a bona fide concern, and an honest study will say so. A firm willing to write that finding is doing the client a favor, not disappointing them.
Companies usually know which category they're in. When they don't, a 30-minute scoping call is usually enough to clarify. No engagement required.
What makes a study defensible on audit
Three things beyond the four regulatory requirements.
Dates matter. The study has to be prospective or contemporaneous, not a retroactive justification of existing arrangements. A study completed after an audit letter arrives, opining on measures implemented years earlier, won't support the historical exclusions. Backdating isn't an option, and reputable firms won't do it.
Documentation has to hold up years later. The factual record the study relied on (interview logs, site observations, threat documentation, digital exposure findings) needs to survive long enough to be produced on examination. A complete engagement file includes all of this as a standard component, not an add-on.
Periodic re-evaluation is mandatory. The regulation requires the employer to periodically evaluate whether the bona fide concern still exists. A study done in 2022 and never refreshed is a study the IRS can challenge. Triggers for reassessment include credible threat escalation, major litigation, workforce actions generating hostility, change in executive role, change in residence, and significant increases in digital targeting. Absent specific triggers, a full review every three years is a reasonable baseline.
What the study doesn't do
An ISS isn't a tax opinion. It documents the facts and recommends the measures. The client's tax counsel decides what treatment to apply. Qualified ISS firms work alongside tax counsel on every engagement, not in place of them.
It isn't legal advice on disclosure. The SEC Item 402 analysis operates under different rules than the IRS test. The same expense can be a non-taxable working condition fringe and a disclosable perquisite. The study supports both analyses but substitutes for neither.
It isn't a one-time event. Periodic re-evaluation is required by the regulation, and trigger-based reassessment is good practice. A firm that performs your study should expect to be refreshing it.
And it isn't a sales pitch for security services. If the firm that performs the study also wants to sell the guards, the drivers, or the digital protection they recommend, the study's independence is structurally compromised. The regulation's independence requirement exists to prevent exactly that conflict.
What to ask before hiring a firm
A few questions that cut to the point quickly.
Do you sell, install, or staff any of the security measures you recommend? Independence here is binary. Any hedging is informative.
How do you handle cases where the facts don't support a bona fide concern? The right answer includes something like "we write that finding, and the client knows before engagement that we will." Any suggestion the study will support a desired conclusion regardless of facts is disqualifying.
What does your engagement file look like? You want to hear about interview logs, evidence registers, implementation trackers, and independence statements. Vague answers suggest the firm isn't thinking about audit defensibility.
How do you coordinate with tax counsel? A good answer acknowledges the study isn't tax advice and describes how the handoff works. Overstating what the study does is a flag.
What's your re-evaluation cadence? Annual check-ins plus trigger-based reassessment is the right shape. A one-and-done study creates exposure later.
The bottom line
An Independent Security Study isn't a formality. It's the specific document the IRS requires before a company can provide executive security on a tax-advantaged basis without round-the-clock protection. Done right, it converts a taxable perquisite program into a working condition fringe program, saves the executive and the company meaningful tax, and produces the audit file that holds up on examination. Done wrong, the exposure sits quietly on the books until someone notices.
If you're working through whether an ISS makes sense for your organization, we're happy to do a scoping call before any engagement. There's no obligation and no charge.
Avren Advisory is an independent advisory firm that performs IRS §132 Independent Security Studies as its sole service. The firm does not sell, install, or staff any security services and maintains no referral relationships with providers who do. This post is for informational purposes and does not constitute tax or legal advice.