Editor: Roby B. Sawyers, CPA, Ph.D.
New technologies have changed how tax practitioners provide and store client deliverables and generally make it easier to provide tax services to a broader base of clients. However, recent remote-working arrangements due to COVID-19 have highlighted that complications come with the increased use of tools and technology in CPAs' jobs. What are CPAs' professional responsibilities in the new working world?
This discussion begins at the foundation of a tax practitioner's professional responsibilities — the basic principles set forth by the IRS; the AICPA Code of Professional Conduct (AICPA Code); Treasury Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10); and codes of ethics and rules of professional conduct under state boards of accountancy. Through these basic principles, this column examines the impact and complications when providing client service remotely.
This column focuses on three areas that are especially impacted by technology changes: (1) attracting new clients; (2) providing services virtually; and (3) protecting client information. Technology is a large investment for a tax practitioner, and its impact often depends on many factors, including the focus of the practice, size, and expertise of the firm. While some focus areas discussed may impact medium to large firms more than smaller firms (e.g., use of client collaboration tools), firms of all sizes are increasingly relying on technology to provide services in a more virtual manner than ever before.
Attracting new clients
Tax practitioners may increase their visibility and attract new clients more through social media advertising than through existing client referrals, word of mouth, or standard print media. While accepting new clients is ultimately a business decision for a tax practitioner, he or she may want to consider certain risks before committing to providing services. The AICPA's Tax Quality Control Guide offers guidance on evaluating risks when accepting new clients, including:
- Suitability of information provided by a client for an engagement;
- Identity of the client and potential risks to the firm taking on the engagement;
- Potential conflicts of interest that may arise from accepting the engagement;
- Timeline for completing the engagement;
- Availability of firm resources required for the engagement; and
- Whether firm personnel overseeing the client have the necessary knowledge to perform the services required (AICPA Tax Practice Quality Control Guide (Reviewed Feb. 20, 2020)).
While IRS and AICPA guidance does not directly address issues related to obtaining new clients online or through social media, these rules still have a direct bearing on what is allowable when seeking new clients through virtual mediums. Rules relating to solicitation are particularly relevant for practitioners who are advertising online through email marketing campaigns or social media. Prospective clients developed through social media should be screened carefully to avoid having to terminate a client relationship. It is also important to remember to appropriately use engagement agreements and obtain required consents before providing services.
Circular 230 provides specific guidelines for practitioners regarding improper solicitation that are applicable to advertising online or in social media. Circular 230, Section 10.30, prohibits public communication or private solicitation "containing a false, fraudulent, or coercive statement or claim." Similarly, the AICPA Code's "False, Misleading, or Deceptive Acts in Advertising or Solicitations" interpretation prohibits members from seeking to obtain clients in a manner that "would be considered false, misleading, or deceptive" (ET §1.600.010.02).
For this reason, it is important to confirm that any claims or statements made online or through social media are not misleading, because even truthful statements can be misleading if they are presented in a way that creates an unjustified expectation of specific results. The American Bar Association's Model Rules of Professional Conduct (MRPC) are instructive in this regard. Comment 2 to MRPC 7.1 explains that "[a] truthful statement is misleading if a substantial likelihood exists that it will lead a reasonable person to formulate a specific conclusion about the lawyer or the lawyer's services for which there is no reasonable factual foundation." Consider including a disclaimer with qualifying language to mitigate the possibility of a statement creating unjustified expectations or misleading the public, and consult with outside counsel regarding applicable consumer protection laws.
Circular 230 provides specific guidance for communicating fee information through an electronic method. Section 10.30(c) requires practitioners who use e-commerce communications to retain a copy of the actual communication, with a list of the persons to whom the communication was distributed. This definition is broad enough to apply to advertising on social media and may be a challenge for a practitioner to implement. It may be sufficient to rely on the social media platform's history of posts or other communications, but it is important to understand the platform's retention policy and how dates of communications are recorded. Alternatively, a screenshot of the webpage on which the communication appeared can be saved. The copy must be retained for 36 months from the date of its last transmission or use.
Finally, Section 10.30(c) of Circular 230 also requires practitioners to stop any attempts to contact prospective clients who have requested that the practitioner stop soliciting them. Thus, it is important to keep track of any communications actively "pushed" to prospective clients and provide recipients the ability to opt out. An opt-out message and link should be included with any email communications that are sent to current or potential clients.
Compliance with this rule may be more difficult for social media posts, although generally people opt in to them by following a business on the social media platform. However, care should be used on platforms on which a user may have reached out to connect with specific people. Until there is more guidance, practitioners should monitor followers or connections who request they be removed from future social media posts.
Use of engagement letters and consents
Although there is no formal requirement for a tax practitioner and a client to enter into annual engagement agreements, it is generally a best practice to do so to clarify services being offered and technology used in the services provided and to outline the terms of the business relationship. In fact, Circular 230 explains that it is a best practice to communicate "clearly with the client regarding the terms of the engagement" (Circular 230, §10.33(a)(1)). This includes determining how the client intends to use the advice and developing a "clear understanding with the client regarding the form and scope of the advice or assistance to be rendered" (id.).
To the extent that external third parties or technology tools are used when providing the services, consideration should be given to providing details on the tools or parties that will collect, use, or store this information. It may be necessary to obtain consent at the start of the engagement. For example, if there is any potential for the disclosure of tax return information, the appropriate Sec. 7216 consent should be obtained.
If a practitioner's business includes both tax preparation and other nontax services, it is important to understand when information a client provided is later used to prepare a tax return. For example, a business that provides both financial planning and tax preparation services may be able to use information provided online for financial planning to offer tax preparation services. But once that information is used to prepare the client's return, it becomes tax return information subject to the consent requirements under Sec. 7216 (see Regs. Sec. 301.7216-1(b)(3)(ii), Example 2).
Therefore, before providing advice to any new client, even one obtained through electronic communications, consider that the terms and scope of service should be memorialized in an engagement agreement and/or statement of work. This process can be facilitated by using technology such as digital signature features in PDF documents or electronic signature tools. Appropriately using these tools may be particularly helpful in the current COVID-19 environment when it may be harder to obtain a traditional "wet" signature from clients. When using these tools, it is important to note that contracts and other nongovernmental documents typically have fewer regulatory concerns than IRS documents and those of state taxing authorities.
Providing services virtually
While the ways in which tax practitioners interact with their clients have changed materially over the last 20 years, tax practitioners' professional responsibilities have largely remained intact. The AICPA Code's "Due Care Rule" (ET §0.300.060) requires the practitioner to perform professional services with competence and diligence, and to adequately plan and supervise any professional activity for which the member is responsible.
Maintaining competence under professional standards
Under the "Due Care Rule," tax practitioners should "strive continually to improve competence and the quality of services" (ET §0.300.060.01). Competence is described as a combination of obtaining the necessary education and experience and maintaining it through continued education.
The competence standard under Circular 230 requires practitioners to possess the "appropriate level of knowledge, skill, thoroughness, and preparation necessary for the matter for which the practitioner is engaged" (Circular 230, §10.35(a)). Circular 230 allows for various methods of being competent, including consultation with experts or studying the relevant law.
Technology is increasingly interwoven into successfully providing professional services to clients. Currently, there are no professional standards that consider the practitioner's reliance on tax tools. However, practitioners should, through continuing education, maintain an understanding of existing tax compliance tools and remain up to date on new tax laws and regulations. Tax practitioners' reliance on technology should not replace their compliance with the competency standard.
Developing a better due diligence process
Under the AICPA Code (ET §0.300.060.05), due care requires practitioners to be diligent in providing services to clients. This diligence requirement imposes four responsibilities for services rendered — the practitioner must: (1) be prompt; (2) be careful; (3) be thorough; and (4) observe applicable technical and ethical standards. Due diligence under Circular 230 extends to the reliance on the work product of another person, and reasonable care is required in engaging, supervising, training, and evaluating that person (Circular 230, §10.22(b)).
An important part of providing good client service is obtaining the necessary information from the client to provide those services. Providing services in a virtual environment may increase this challenge for practitioners. Multiple transmissions of information may be difficult to organize, and various file formats may make it difficult to ascertain whether information is missing or incomplete. Practitioners should check to be sure that they can readily access the information provided and it is in a readable format upon receipt. Also, staff should track and confirm information that has been received and information that remains outstanding and clearly communicate back to the client what information is missing.
Tools like tax organizers and checklists can help practitioners keep track of services and identify missing information or additional considerations. In addition, incorporating a standard set of procedures for the firm may assist with efficiency and increased quality control. The AICPA's Tax Practice Quality Control Guide includes a sample tax practice quality control document that can be used as a guideline. It sets forth objectives, policies, and procedures to meet the requirements of a tax practitioner's professional responsibilities.
Obtaining original signatures
As discussed earlier, there may be greater flexibility in obtaining digital signatures for nongovernmental documents. However, signature requirements for documents submitted to the IRS can quickly turn complicated as fraud and abuse are always IRS concerns. Adding to the complexity, signature requirements may vary depending on local state tax filing rules (see CCH Axcess Tax, "States That Support eSign"). Tax returns, other than those filed electronically, require an original signature. Separately, returns filed electronically with the IRS require an original signature on Form 8879, IRS e-File Signature Authorization, prior to filing by an Electronic Return Originator. (For additional information, see IRS Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns, available at irs.gov/pub/irs-pdf/p1345.pdf.) Tax practitioners may find the IRS Electronic Signature (e-Signature) Program Manual Transmittal (Dec. 3, 2019) a useful reference guide to confirm compliance with IRS e-signature policies (see Internal Revenue Manual §10.10.1).
Practitioners need to allow sufficient time and understand any client limitations (such as limited access to printing) when trying to obtain an original signature in advance of the tax filing deadline. Due to the recent COVID-19 pandemic, the IRS issued limited guidance on when digital signatures would be accepted; however, that guidance did not change the requirement for a wet signature on a non-electronically filed return. As of this writing, that IRS guidance on electronic signatures applies only to returns filed through Dec. 31, 2020 (see IRS Memorandum NHQ-01-0620-0002 (June 12, 2020), superseding IRS Memorandum NHQ-01-0320-0001 (March 27, 2020)).
Protecting client information
Data privacy is an elusive target for all businesses and has been for some time. Shortly after the data breach of a large retailer's systems in November 2013, which led to the exposure of personally identifiable information (PII) of more than 70 million taxpayers, both the U.S. government and federal regulators began shining a light on cyber criminals targeting small businesses. In 2018, the House Small Business Committee chair reported that over 70% of all cyberattacks are on small businesses (see Chabot, "Protecting the Cybersecurity of Small Businesses and Their Consumers," The Hill (Feb. 13, 2018)).
Further, the SEC noted that not only are small businesses targeted by cyberattacks, they are the principal targets of cybercrime (Aguilar, "The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses" (Oct. 19, 2015)). Tax practitioners, often also small businesses, integrated with their clients through tax return information and supporting documentation, could be particularly attractive to those seeking to gain access to sensitive personal and financial data.
The risk of cyberattack grows more every day, especially in the current COVID-19 tax environment in which practitioners are consulting more electronically and sending an increased amount of personal data through cyberspace. However, the need to protect data is neither new nor voluntary. The Gramm-Leach-Bliley Act of 1999, P.L. 106-102, gave the Federal Trade Commission the authority to regulate protocols around information safeguards for businesses "significantly engaged" in providing financial products or services. These businesses, which include tax practitioners, have an obligation to clients to provide certain basic levels of data privacy and security.
In the current regulatory environment, in which states have also enacted security-breach notification laws, tax practitioners have various allies to assist them in thinking through appropriate data privacy and security guidelines. At the federal level, through various publications and its "Taxes. Security. Together." campaign, the IRS informs the taxpayer and tax preparer that the responsibility for protecting data is a shared one (IR-2019-127 (July 16, 2019); see also IRS Publication 4557, Safeguarding Taxpayer Data; IRS Publication 3112, IRS e-file Application & Participation; and IRS Publication 5293, Protect Your Clients; Protect Yourself: Data Security Resource Guide for Tax Professionals). The IRS-led Security Summit group works with various private partners and the public to provide guidance on ever-evolving practices to enhance data privacy safeguards.
Tax practitioners understand that the data being gathered and/or transmitted could be subject to applicable privacy laws. Given this information, many tax preparers wonder, after putting together security plans, becoming knowledgeable about various forms of fraud, and having a recovery plan in place, what else can be done to thwart an inadvertent loss. Before even reaching into the world of electronic interaction, there are a number of steps that can be taken, such as: (1) incorporating privacy filters and screens; (2) physically locking down devices; and (3) using nonstandard passwords that both time out for a locked screen and expire after a short period of time.
Wi-Fi security is well known as a first line of defense, but continuous updates of security software to combat data infiltration via malware and phishing will help guard against new threats. Introducing and periodically revisiting educational programs on data privacy can provide critical guidance for staff. That training could include how to back up files, outline appropriate incident response procedures, and highlight the firm's policies on two-factor authentication, client-list confidentiality, and blocking access to firm and client data on personal devices.
When evaluating their firm's data protection policies, practitioners should consider elements such as: (1) how the firm receives and sends PII (i.e., whether password protection and encryption are used or data is transmitted through a secure information portal); (2) how the firm's vendors, clients, and other third parties address data protection and email security; and (3) how the firm invests in data privacy training for clients, including reminders about ways to protect their data, such as credit monitoring. Practitioners should also have frank conversations with revenue authority representatives on how the revenue authorities are protecting their clients' data, particularly privacy during an examination.
Cyberattack methods evolve, so a firm's data privacy policies must also evolve. It is important to continuously audit data workflow to understand places of weakness to buttress, especially as new vendors, clients, or representatives are added.
Retaining client documents
In many cases, tax practitioners receive more client information (including PII) than needed and have been known to retain the information for longer than required. As the transfer of information has shifted from hard copy to an electronic format, consideration should be given to how it can be securely received and stored.
Generally, it would be expected that by interfacing virtually, clients would be more inclined to retain original copies of documentation, thereby reducing a tax practitioner's need to return original documents to the client. While this may be true, it is still important that tax practitioners retain a copy for their records. If client data is transferred through a client portal or a third-party client collaboration tool, the tax practitioner may want to determine whether that information should be transferred into a specifically designated and secure client data repository for document retention purposes rather than remaining in the collaboration tool itself.
When evaluating secure data repositories, practitioners may want to consider: (1) limiting who can access client files (i.e., allowing access to the engagement team only); (2) understanding the security infrastructure of third-party vendors, including network and internet/cloud providers; and (3) establishing an information backup policy. Lastly, a tax practitioner's staff plays an important role in the proper handling and storing of client documentation, and any documentation retention policy should be included when training staff.
Adapting to the fast-changing environment
The world is changing quickly, and practitioners must be vigilant about changes in technology — and be cognizant of both its capabilities and limitations. The current professional responsibility standards have remained effective in providing a framework for a tax practitioner in navigating the changing technology landscape. Ultimately, the incorporation of new technologies to increase client base, collaborate and meet clients remotely, and to securely transfer information should support tax practitioners in serving their clients in today's ever-changing working world.
Kathryn Clymer-Knapp, J.D., LL.M., is a senior manager of Ernst & Young LLP in Boston. Christopher M. Whitcomb has a J.D. from Hofstra University School of Law and an LL.M. from Georgetown University Law Center. Felicia J. Nickerson, J.D., LL.M., is a senior manager of Ernst & Young LLP in Atlanta. Ms. Clymer-Knapp, Mr. Whitcomb, and Ms. Nickerson are all members of EY's Tax Quality group. Roby B. Sawyers, CPA, Ph.D., is a professor of taxation and accounting in the Department of Accounting, Poole College of Management at N.C. State University. Ms. Clymer-Knapp and Prof. Sawyers are members of the AICPA Tax Practice Responsibilities Committee. For more information on this article, contact firstname.lastname@example.org.