Tax ethics and use of generative AI systems

Editor: James Sansone, CPA

The growing use of generative artificial intelligence (GAI) systems in CPA tax practices raises a host of ethics questions. This column addresses some of them in three areas, with reference to an established framework of standards and laws governing tax practice. Those areas are: exercising due diligence in tax services, conflicts of interest, and protection of taxpayer data.

It helps to distinguish types of GAI systems. One is a proprietary GAI system (PGAI), a GAI system owned by a CPA or law firm that is completely firewalled from outside systems and has access to all the firm’s client and research databases.

A second type is a hosted GAI system, or HGAI, such as Blue J Legal. This type of system is hosted and maintained by a third party and does not have identifiable client information. The HGAI operator maintains the system, keeping it current with law changes. The user of the HGAI system inputs redacted client facts and circumstances, and the HGAI does the analysis and produces a memorandum or report.

A third type of GAI is a PGAI maintained by an outsourced provider. Last but not least are the external large language models, or LLMs, such as ChatGPT and Bard.

The tax ethics framework is a summation of the following authorities:

• The CPA licensure laws of the state or states in which a firm or practitioner operates. Those laws often incorporate standards promulgated by standard-setting bodies such as the AICPA, FASB, etc. by reference, giving them the full effect of law.
• The AICPA Statements on Standards for Tax Services (SSTSs);
• Treasury Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10);
• The Internal Revenue Code, notably, Secs. 6662 and 6694;
• Treasury regulations;
• The AICPA Code of Professional Conduct (AICPA Code);
• PCAOB Rules Sections 3501—3502 and 3520—3524, with respect to registrants;
• FASB ASC Topic 740;
• The AICPA Tax Practice Quality Control Guide and Practice Aids;
• International ethics standards such as the International Ethics Standards Board for Accountants; and
• Litigation-imposed standards.

The recently revised SSTSs became effective on Jan. 1, 2024. The revised SSTSs include four new standards that affect firms’ use of GAI.

Exercising due diligence in tax services

SSTS No. 1 contains general standards for tax practitioners. SSTS Section 1.1.6 establishes the requirement to exercise due diligence in advising on tax positions. The AICPA published a white paper prepared by the Tax Practice Responsibilities Committee titled Due Diligence in Tax Services to define “due diligence” in this context. As a white paper, the document is not authoritative but defers to the SSTSs as authoritative literature.

The white paper boils down the SSTSs and federal standards into four essential components:

1. Reasonable inquiry into the facts and circumstances;
2. Ensuring information provided to Treasury and the IRS is accurate and complete;
3. Reliance on the work of others must be reasonable; and
4. Adequate documentary evidence that a taxpayer is entitled to a deduction or credit must exist.

The focus of federal standards is on Circular 230, Section 10.22, which requires a practitioner to exercise due diligence as to accuracy with respect to preparation and filing of tax returns, affidavits, and other documents with the IRS and written or oral representations made to the IRS or Treasury.

Paragraph (b) of Circular 230, Section 10.22, was added with the June 2014 rewrite. It construes due diligence as to accuracy as being satisfied when relying on the work of another when the relying practitioner uses reasonable care in engaging, supervising, training, and evaluating the person(s) performing the work. Those considerations are normally addressed in a system of tax practice quality control. See also Circular 230, Section 10.33(b), and SSTS Section 2.3. Note that SSTS Section 2.3 includes any other knowledge a member might have, while Circular 230 does not incorporate that language.

Note also that Circular 230 does not address reliance on tools, as does SSTS Section 1.4.2, which defines a tool as a resource used in the provision of tax services. The standard continues: “Tools include, but are not limited to, tax preparation software, tax research publications (paper or electronic), tax-related calculation aides, tax planning software, state and local tax aids, online data search engines, data analytics, statistical models, artificial intelligence, and relevant professional publications and resources.”

SSTS Section 1.4.3 requires members to exercise appropriate professional judgment and care when relying on tools in providing tax services. More importantly, the standard clearly indicates that the tax professional retains all professional obligations whether or not the professional uses a GAI system or any other tool. Tax practice quality control often relies on three levels of review of tax returns: mechanical, technical, and signer/partner review.

Mechanical review is making sure the taxpayer data was input correctly and the tool performed calculations correctly based upon the data that was input. Technical review is checking for issues, resolving them, and checking for information that is not in the data supplied by the taxpayer. Signer, or partner, review is a “does it look right, given what the signer knows about the taxpayer and the taxpayer’s activities?” level of review.

SSTS Section 1.4.7 affirms that the tax practitioner employing tools remains responsible for the completed work product. SSTS Section 1.4.8 extends that responsibility by noting that the signer is still making a statement under penalties of perjury when signing the return (see also SSTS Section 2.3.5). Therefore, according to SSTS Section 1.4.7, the practitioner should take reasonable steps to determine that the tools used are appropriate for their intended purpose. What does “reasonable steps” mean? Should practitioners require a System and Organization Controls (SOC) 2 or 3 report to document their ability to rely on the tools? GAI systems are dynamic/learning. What are “reasonable steps” with a learning tool?

So the question is: How will due-diligence expectations be fulfilled when work is performed by a GAI? These same four essential components enumerated in the AICPA white paper will still likely be the guide. For GAI systems, SOC Trust Services are also important with respect to fulfilling due-diligence expectations. SOC 2 services will likely apply to PGAI and SOC 3 to LLMs. The due-diligence expectations will apply to the use of all types of GAI systems.

One possible takeaway from the discussion of due diligence is what may be a proliferation in SOC services with respect to tax tools. That may mean this area is a source of the new types of work that may be performed as firms morph their business models to capitalize on competitive strengths through the use of GAI systems. Academia will likely need to morph programs to combine both tax backgrounds and systems backgrounds. A frightening thought is that the expansion of skill sets may lead to yet another 30 credits of education necessary for a tax/SOC professional.

Conflicts of interest

Circular 230, Section 10.29, addresses conflicting interests. Section 10.29(a) defines an interest as conflicting if:

• The representation of one client will be directly adverse to another client; or
• There is a significant risk that the representation of one or more clients will be materially limited by the practitioner’s responsibilities to another client, a former client or a third person, or by a personal interest of the practitioner.

The AICPA Code, Section 0.300.030.03, addresses conflicting interests as well. It first identifies who is the “public” that is served as including clients, credit grantors, governments, employers, investors, and the business/financial community. It goes on to say:

In discharging their professional responsibilities, members may encounter conflicting pressures from each of those groups. In resolving those conflicts, members should act with integrity, guided by the precept that when members fulfill their responsibility to the public, clients’ and employers’ interests are best served.

SSTS Section 2.3.2 establishes responsibility with respect to information known in connection with preparing returns. It states a member may in good faith rely without verification on information furnished by the taxpayer or by third parties. However, a member should not ignore the implications of information furnished and should make reasonable inquiries if the information furnished appears to be incorrect, incomplete, or inconsistent either on its face or on the basis of other facts known to the member.

SSTS Section 2.3.4 expands that duty to require a member to “consider relevant information actually known by that member from other sources, including the tax return of another taxpayer. When using such information, a member should consider any limitations imposed by any law or rule relating to confidentiality.”

One might be concerned about who is the preparer in this instance. A large firm may have information in its files that is incorrect, incomplete, or inconsistent (the “three i’s”), but that flaw is unknown to a preparer employed by the firm on a return. This standard is problematic and compels a firm to have a robust client acceptance process for identifying conflicts, similar to a law firm’s process. What happens when the firm completes a return for one client who takes one position with certain facts and the client’s sibling who is also involved in the position does not even tell the preparer about it? What happens when a preparer of one sibling’s return is unaware of the other sibling’s positions on a return prepared by another preparer at the same firm?

Clearly, a proprietary GAI must integrate a conflicts utility. Should standard operating procedure for each return include a GAI-driven scan for conflicting information and the “three i’s”? PGAI systems can rapidly identify conflicts of interest. A firm system of quality control can be significantly enhanced by incorporating PGAI conflicts checks into client acceptance and engagement acceptance decision-making processes.

Protection of taxpayer data

The protection of taxpayer data is one of the largest ethics issues in tax practice. SSTS Section 1.3.1 sets forth the applicable standards for a member’s responsibilities related to the protection of taxpayer data obtained in the course of rendering services for a taxpayer. SSTS Section 1.3.2 amplifies that authority to include electronic data: “The increasing use of technology by individuals and businesses, together with a growing awareness of data breaches and identity theft, has resulted in a growing sensitivity toward and need to focus on the protection of taxpayer data, including electronic data.”

The expectation that due professional care includes safeguarding taxpayer data is stated in SSTS Section 1.3.4 and amplified by SSTS Section 1.3.5 by incorporating by reference applicable privacy laws, which have proliferated at the federal, state, and international levels. Data protection standards are becoming increasingly complex along with information technology. The use of GAI systems that gather, analyze, report, and learn only further complicates compliance with applicable privacy protections. SSTS Section 1.3.7 sets expectations for taxpayer information security at the time the standards were issued, implying that change is expected as new tools and systems become available.

The use of GAI relies on retention of massive quantities of information, including taxpayer information. SSTS Section 1.3.9 states that members should obtain only the information they need to perform the engaged service, keep it only as long as a record retention policy indicates, and then delete it. So, there is a conflict between what the GAI systems “want” (everything possible) and what this standard says members can keep in their files.

SSTS Section 1.3.11 refers to that requirement and the related “Safeguards Rule,” which requires the development, implementation, and maintenance of a written information security plan (WISP). That WISP should contemplate distinguishing taxpayer information from discoverable/usable information available to GAI systems and protected taxpayer information. Keeping the WISP current may be a challenge because the data available to a GAI is dynamic and its algorithms are “learning,” meaning they are dynamic as well. In addition to the WISP, the firm’s quality control system must contemplate taxpayer data protection.

A critical component of the ethics construct for taxpayer data protection is Secs. 7216 and 6713. Sec. 7216 protects taxpayers by limiting tax preparers’ ability to disclose or use taxpayer information. It provides for a penalty of up to $1,000 or one year in prison per violation. The penalties are coordinated with Sec. 6713, which raises the maximum penalty to $100,000.

Certain disclosures and uses are permitted, some without consent and some with taxpayer consent (see Regs. Secs. 301.7216-1 and -2). PGAI and HGAI systems will likely fall within the definition of “auxiliary services” in Regs. Sec. 301.7216-1(b)(2)(iii) and thus not require consents for disclosure. Auxiliary services are provided when a person holds themselves out to tax return preparers or taxpayers as performing auxiliary services. For example, see Rev. Rul. 2010-5 for malpractice insurance providers’ identification as auxiliary services.

According to Regs. Sec. 301.7216-1(b)(5), “disclosure” means “the act of making tax return information known to any person in any manner whatever.” The term “use” is defined in Regs. Sec. 301.7216-1(b)(4) as “any circumstance in which a tax return preparer refers to, or relies upon, tax return information as the basis to take or permit an action.” Details are important here. The example in Regs. Sec. 301.7216-1(b)(4)(ii) says if you ask if a client is interested in making an individual retirement account contribution because you or your software notes the taxpayer is eligible to do so, this is use within the meaning of the regulation and would require the taxpayer’s consent. If you ask as a normal part of data gathering (such as in an organizer), it would not be considered use of tax return information.

How will PGAI systems steer clear of violations for use and disclosure? Consider where the GAI is located. Disclosure and use consents vary between domestic and non-U.S. disclosures. How will users test and certify PGAI systems as compliant? For external LLMs, how will receipt of improperly exposed confidential taxpayer information be protected against, if at all?

How will PGAI systems distinguish between what can be used and what cannot be used by that system? How much does the tax professional need to know about the system’s “black box” and how client information will be protected? Will redaction of identifying information be adequate to protect taxpayer data? Who will perform the redaction? Test the process? Certify the process has adequate controls on which the tax professional can reasonably rely? For GAI systems, SOC Trust Services can be important with respect to fulfilling expectations for protection of taxpayer data.

GAI systems and firms of the future

The preceding discussion is limited to three ethics issues, and many more will be raised as firms explore, build, and use GAI systems. Cybersecurity systems protecting GAI will be challenging to create and maintain. One important takeaway is the expansion of the knowledge bases and skill sets of incoming tax professionals and the continuing-education needs of tax professionals, who must now be highly literate in both tax law and use of GAI systems. An expansion of SOC services for these GAI systems is highly likely as well.

A perhaps related concern is whether, in their billings, firms should realize a rate of return on their accumulated intellectual property and investment in a GAI system and other tax tools. That would represent a paradigm shift for many firms. Regardless, it is safe to say that GAI systems, if not already in use, will be in firms’ future, one in which tax ethics considerations will no doubt be compounded.

Contributors

Edward R. Jenkins, CPA, CGMA, is a Professor of Practice in Accounting at Pennsylvania State University and managing member of Jenkins & Co. LLC in Lemont, Pa. James Sansone, CPA, is a managing director at RSM US LLP. Jenkins and Sansone are members of the AICPA Tax Practice Responsibilities Committee. For more information on this column, contact thetaxadviser@aicpa.org.