Page 591 - TaxAdviser_2022
SSTS 1.3., Data Protection

New standards

Section 1.3.4. A member should make reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically.

Section 1.3.5. A member should consider applicable privacy laws when collecting and storing taxpayer data.

CPAs involved in tax return preparation have access to significant amounts of confidential financial and personal information. As the role of technology in accessing that confidential data increases, the risk to taxpayer data also increases, as demonstrated by an increase of more than 80% in data breaches reported by CPA firms between 2014 and 2020 (Shinn and Jorgensen, “Cybersecurity: An Urgent Priority for CPA Firms,” 51 The Tax Adviser 276 (April 2020)). Therefore, the task force believed it was important to implement a standard that ensures members adopt reasonable safeguards to protect taxpayer data, both electronic and otherwise.

However, the task force also recognized that continuous advances in technology make it challenging to identify any one set of standards with broad applicability across all tax practices. Therefore, instead of defining required elements for a data security plan, the task force drafted a standard requiring members to make “reasonable efforts” to safeguard taxpayer data. The standard’s accompanying explanation does give examples of possible data security plan components, such as the use of virtual private networks (VPNs), strong password policies, and firewalls, but all members are ultimately expected to customize their data protection efforts based on their particular facts and circumstances. The standard also calls out the vital role training should have in a data protection plan, especially for nonmember personnel.

Members of the task force believe most AICPA member tax practices already take appropriate efforts to safeguard taxpayer data. This belief is supported by the relatively small number of data theft reports to the IRS across all tax preparers, not just CPAs: 211 in 2020 and 222 in 2021 through June 30 (IRS, “Boost Security Immunity: Fight Against Identity Theft”). However, even one data breach is too many, and cybercriminals continue to increase their efforts. The task force therefore wanted to put in place a sensible standard that would be supported by continuing education efforts around data protection.

A CPA firm planning to apply the new standard first must consider whether the firm’s existing data protection efforts are reasonable. As explained in SSTS Section 1.3.6., factors including the impact of continuing technological developments, member-specific factors such as the type of service being provided, and firm size are taken into account when considering whether a plan is reasonable. For example, a sole practitioner would not be expected to have a plan as complex as that of a 100-member firm but would be expected to take basic steps to protect taxpayer data, which might include installing and using virus-scanning software, using VPN software, and securing computers with a password. Also note that the Gramm-Leach-Bliley Act, P.L. 106-102, establishes a requirement for tax preparers to implement an information security plan. The AICPA has developed a sample template available to Tax Section members.

Once members have verified they have taken reasonable efforts to protect taxpayer data, they should consider whether additional steps are advisable. For example, members may choose to put in place a plan to ensure unnecessary client data is not maintained, mask personally identifiable information where permissible, and/or establish a training program around data protection measures.

SSTS 1.4., Reliance on Tools

New standards

Section 1.4.3. A member should exercise appropriate professional judgement and professional care when relying on a tool.

Section 1.4.4. A member may reasonably rely on tools used in providing tax services to a taxpayer. Use of the tool does not absolve the member of his or her professional obligations under AICPA or other applicable ethical standards.

CPAs rely on technology to provide services more today than at any point in history. That trend will likely continue with the introduction of artificial intelligence, data science, quantum computers, and other developing technologies. However, tax professionals do not have written standards allowing them to place a degree of reliance on these tools when providing services. The task force identified the need for a standard that protects members by defining when they may reasonably rely on tools used in the performance of tax services.

SSTS Section 1.4. applies to a broad range of tools including but not limited to tax preparation software, tax calculation tools, and tax research tools. Members are allowed to reasonably rely on tools as long as they use appropriate professional judgment and professional care in selecting and using that tool. For example, it would generally not be reasonable for a member to assume a tax return prepared using a standard tax compliance software package was complete without reviewing the prepared tax return itself. The member should also employ a normal tax return review process, taking steps such as confirming that taxable income computed by the tax return software matches the expected taxable income from the taxpayer’s trial balance.

In the case of tools used for tax research, the member may not be able
www.thetaxadviser.com November 2022 49