Most of the questions we get before an engagement begins aren't about the regulation. They're about the process. How long does this take? What do you need from us? Who needs to be involved? What do we get at the end, and who sees it?
This post answers all of them.
How long it takes
A standard engagement runs twelve weeks from kickoff to delivery. That timeline assumes timely document production on the client side and reasonable stakeholder availability for interviews and site visits. Both are manageable with a little internal coordination - we provide a structured information request and a scheduling guide at the outset specifically to prevent bottlenecks.
The twelve weeks breaks down into four phases:
Weeks one and two are information gathering and scheduling. We review governance documents, prior assessments, proxy disclosures, and any existing security materials under NDA. We schedule stakeholder interviews across security, tax, legal, facilities, and IT. Site visit logistics are coordinated for the residence and primary office.
Weeks three through six are fieldwork. Physical security assessments at the primary residence and primary corporate office. Digital exposure analysis, PII data broker inventory, and reverse-image OSINT on the executive. Structured interviews with the executive, security leadership, and adjacent stakeholders.
Weeks seven through nine are analysis. Facts and circumstances are consolidated against §1.132-5(m), ASIS guidelines, NFPA 731, and NTAC frameworks. The risk matrix is built with severity, likelihood, and mitigation weighting. Draft recommendations are reviewed internally before finalization.
Weeks ten through twelve are study production and delivery. The final Independent Security Study is written, reviewed, and delivered digitally to the designated recipients. A briefing to the board or tax counsel is available on request.
Expedited delivery is available when facts and circumstances require a compressed timeline - typically a proxy filing deadline, a litigation event, or a change in executive status. Expedited engagements carry an additional fee and require prioritized document production and stakeholder access on the client side.
What you need to provide
An ISS is only as good as the factual record it's built on. We provide a detailed information request at kickoff that organizes what we need into categories. The typical list includes:
Corporate governance documents, including board resolutions related to the security program, any prior threat assessments, and relevant proxy disclosures. Employment agreements or compensation committee materials referencing security benefits. Incident documentation - any documented threats, concerning communications, or security events involving the executive. Existing security vendor contracts and service descriptions. Insurance and risk management documentation where relevant.
On the access side, we need site access to the primary residence and primary corporate office for physical assessment, and stakeholder availability for structured interviews. The interview schedule typically includes the executive, their spouse or partner if willing, the security director or CSO, outside security vendors, tax counsel, and legal or HR representatives. We coordinate scheduling to minimize disruption - interviews are conducted in structured one-hour sessions.
Nothing on this list is unusual for a company that already has a functioning security program. For companies building from scratch, we walk you through each item and help you identify what you have versus what needs to be created.
What you receive
The engagement produces a set of deliverables, not a single combined document. That structure is intentional - different parts of an audit defense and a proxy disclosure process rely on different pieces of the file.
The primary deliverable is the Independent Security Study itself. It documents the threat basis, the facts and circumstances assessed, the determination regarding 24-hour protection, the recommended security measures, and the framework for consistent application and periodic reassessment. The language is drafted with IRS examination in mind - defensible, specific, grounded in the factual record.
Supporting the study are the component reports that feed into it: a physical security assessment for the residence and the corporate office, a digital risk and exposure analysis, and a PII exposure inventory. These exist as standalone documents within the engagement file, not just as sections of the main report. On examination, having the underlying methodology documented separately strengthens the audit defense.
The engagement file also includes an implementation tracker - a structured document that maps each recommendation to a responsible party and documents the evidence of consistent application. This is the operational bridge between the study and the tax position. It's what connects the ISS to the W-2 exclusion when the IRS asks.
How the report is handled
Every engagement operates under NDA from the first call forward. That's not a courtesy - it's how the engagement is structured, and it covers the entire team.
Final reports are marked "Confidential - Restricted Distribution" and delivered only to the stakeholders designated by the employer. The standard recipients are Legal, Tax, HR, and Security leadership. We don't distribute beyond that list, and we don't retain copies of client documents beyond the period required for our own audit trail.
We do not publish client names. We do not reference engagements in case studies, marketing materials, or publicly available content. This isn't a policy we adopted reluctantly - it reflects the nature of the work. The facts documented in an ISS are sensitive by definition. Discretion is a structural feature of how this firm operates.
Who leads the work
Every engagement is led by a senior partner who signs the study. That person has federal protective, investigative, or intelligence experience - the background that makes an ISS credible to an IRS examiner and to the board that commissioned it.
The lead is supported by digital risk and OSINT analysts on the exposure work, and by physical security professionals with residential and corporate assessment experience. The people who conduct the assessment are the people whose names and credentials appear in the file.
If you want to understand whether your situation warrants an engagement before any commitment is made, a scoping call is the right first step. No charge, no obligation.
This post is for informational purposes and does not constitute tax or legal advice. Readers should consult qualified tax and legal counsel regarding the treatment of specific programs.