Tax ethical standards in data protection and reliance on tools

Editor: Arthur Auerbach, CPA, CGMA

To follow ethical behavior in the accounting profession, CPAs must observe the AICPA Code of Professional Conduct (the AICPA Code). CPAs who perform tax services must also follow the AICPA Statements on Standards for Tax Services (SSTSs). The SSTSs apply to members of the AICPA and CPAs in states that have adopted them as their enforceable code of professional ethics. Effective Jan. 1, 2024, the SSTSs were revised to reorganize the previous standards and add new ones to keep pace with the evolving CPA profession.

The revised SSTSs include guidance on CPAs’ responsibilities for reliance on tools and protecting client data. Technology allows CPAs to perform tax services efficiently and effectively. The goal of technology and the use of tools is to improve the CPA’s performance of services, not to replace the CPA. During the course of a tax engagement, CPAs possess sensitive client data. This column focuses on the revised tax ethical standards for reliance on tools and protecting client data.

Background

SSTS Section 1.3 provides guidance for members’ responsibilities related to the protection of taxpayer data obtained while providing tax services (SSTS ¶1.3.1). During an engagement, a CPA receives sensitive data from a client. This data can include, but is not limited to, an employer identification number, the taxpayer’s Social Security number, the client’s bank account number, and the client’s bank routing number. A member should make reasonable efforts to safeguard taxpayer data and should be cognizant of applicable laws regarding collecting and storing data (SSTS ¶¶1.3.4 and 1.3.5).). Furthermore, the new standard on data protection does not replace or alter existing guidance established in the “Confidential Client Information Rule” (ET §1.700.001), pursuant to the AICPA Code (SSTS ¶1.3.3).

SSTS Section 1.4 provides guidance for members relying on tools used while rendering tax services such as tax preparation, tax representation, and tax consultation (SSTS ¶1.4.1). The tools can include, but are not limited to, tax preparation software, a tax research library, tax planning software, data analytics, and artificial intelligence (AI) technology (SSTS ¶1.4.2). Members are still required to exercise due professional care when relying on an electronic tool, and the use of such a tool does not absolve the member of professional responsibilities under AICPA and other relevant standards (SSTS ¶¶1.4.3 and 1.4.4).

Previous Tax Adviser articles and columns have discussed the revised SSTSs and reliance on tools. Holets, “Technology and Tax Standards: Understanding New SSTS Section 1.4 — Reliance on Tools,” 56–9 The Tax Adviser 22 (September 2025), provided a general overview of the revised SSTSs related to reliance on tools. Slatten and Marietta, “SSTS 1.4: A Practical Discussion of Software Reliance,” 56–10 The Tax Adviser 80 (October 2025), provided a practical discussion of reliance on tools. In addition, Plascencia, “Understanding the Updated Tax Ethical Standards,” 54–7 The Tax Adviser 34 (November 2023), provided a general overview of the revised SSTSs using practical sample cases. This column focuses on tax ethical standards for the protection of taxpayer data and reliance on tools, using sample practical scenarios.

Practical illustrations

In the following sample cases, the revised SSTSs are used to address a CPA’s professional responsibilities. The cases cover sample tools and general data protection controls in tax compliance engagements, tax representation engagements, and tax consulting engagements. The cases address the relevant professional ethical standards related to data protection and reliance on tools.

Case 1: Tax compliance services

A CPA firm has decided to outsource selected tasks of tax return preparation to an external firm. These tasks include initial data entry from source documentation into the tax return preparation software. The tax return preparation software is hosted online and can be accessed only with assigned credentials. Clients will upload documentation via the CPA firm’s data–sharing portal application. The data–sharing portal app was internally created by the CPA firm’s information technology department.

The data–sharing portal has an authentication feature that sends a code to the client that the client must enter before they can upload any documentation. The CPA firm asks clients to mask or redact any unnecessary personal identifiable information (PII), such as taxpayer identification numbers (TINs). The CPA firm forwards the redacted tax documentation to the external firm.

The external firm prepares the return, including conducting an initial review. The external firm then tells the CPA firm that the return is ready for final review and completion. The tax preparation software automatically encrypts files when emailing tax returns. The CPA firm conducts a final review of the tax return once it is received from the external outsourcing firm.

The final review can include, but is not limited to, reviewing applicable tax law from the CPA’s tax research library and conducting sample test computations when necessary. The CPA firm knows that the tax staff of the external firm are properly trained and that the external firm possesses a reliable tax research library. Additionally, the CPA firm has reviewed and is satisfied with the external firm’s control over data protection. The CPA firm performed an adequate background review of the external firm. The CPA firm uses a paid subscription library employed by numerous CPA firms. The CPA firm uses a popular online tax preparation software program that continuously receives positive reviews from users. The CPA firm encrypts each client file in the tax preparation software. The CPA firm has installed commercial security software on all its computers and has verified that the external firm has done the same. The CPA firm has developed and implemented a security data plan to ensure that clients’ confidential information is protected.

In this case, the CPA firm is making reasonable efforts to safeguard client data by encrypting data sent between multiple parties, using secure data–sharing platforms, using security software, and implementing strong password policies(SSTS ¶1.3.7). The CPA firm is allowed to use tools hosted by a third party and to outsource specific tasks, as long as it makes reasonable efforts to ensure that the client data shared is properly protected (SSTS ¶1.3.8).

In this case, the CPA is satisfied with the controls of the tax preparation software provider and the external firm. The CPA firm can outsource a task or function, but its responsibility cannot be outsourced. The CPA firm is responsible for exercising due diligence in the performance of services. The CPA firm should take steps to limit the amount of confidential taxpayer information that it possesses (SSTS ¶1.3.9). In this case, the CPA firm asks clients to redact PII and requests clients’ TINs only when needed during the tax return preparation process.

The CPA firm should be cognizant of any applicable privacy laws related to data protection. The Gramm–Leach–Bliley Act (GLBA), P.L. 106–102, requires tax return preparers to have a written information security plan (WISP) (SSTS ¶1.3.11). In this case, the CPA firm has a documented security plan. The CPA firm should review the plan to ensure it complies with the GLBA by referring to IRS Publications 4557, Safeguarding Taxpayer Data, and 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice.

A CPA can use a tool during a tax service engagement (SSTS ¶1.4.5)). In this case, the CPA is using the tax preparation software and the tax research library. The source of the tool should be considered; subscription–based tools generally have more weight than independent online sources (SSTS ¶1.4.6). The CPA firm is using tools that are highly rated by other tax return preparers. Additionally, the tax research library is subscription–based.The firm’s CPA using the tool remains responsible for the final work product in accordance with the SSTSs and other relevant authority (SSTS ¶1.4.7). The tool used does not replace the CPA’s responsibility for exercising professional judgment (SSTS ¶1.4.8). By using a combination of tools during an engagement, the CPA enhances their understanding of the tax issue, allowing the CPA to exercise due professional care. In this case, the CPA is fulfilling their professional responsibilities by conducting a final review after receiving the tax return from the external outsource firm.

Case 2: Tax representation services

A CPA who specializes in representing taxpayers before the IRS is considering using tax resolution software that contains a client management module that assists in monitoring and tracking each tax representation engagement. The software contains myriad useful tools, including integration with the IRS’s Transcript Delivery System, a voluminous library of sample IRS letters, a digital copy of the Internal Revenue Manual, specialized calculators for certain cases and analytics, and AI–powered tools that assist in evaluating each case and providing possible resolutions. Each client file can be encrypted by a password in the software.

The CPA has reviewed and is satisfied with the software’s controls for protecting confidential data. The software has received positive reviews from many CPAs, enrolled agents, and attorneys specializing in tax representation services. Clients upload documentation via the CPA’s data–sharing portal application. The data–sharing portal app is hosted externally and is subscription–based. The CPA also uses a subscription–based tax research library and tax preparation software when necessary. When receiving documentation from clients, the CPA asks them to mask or redact PII, such as TINs. The CPA encrypts each document containing PII when communicating with the IRS and with clients. The CPA has a documented security data plan in place.

As in the first case, the CPA is making reasonable efforts to safeguard client data by encrypting data sent among multiple parties, using secure data–sharing platforms, using security software, and implementing strong password policies within the firm (SSTS ¶1.3.7). Since the CPA is using tools that are hosted by a third party, the CPA should make reasonable efforts to ensure that the client data shared is properly protected by the third party. In this case, the CPA is satisfied with the controls of the tax resolution software provider (SSTS ¶1.3.8). The CPA should be aware of any applicable privacy laws related to data protection. Similar to the first case, the CPA has a WISP in conformance with the GLBA (SSTS ¶1.3.11). The CPA should review the plan to ensure it complies with the GLBA by referring to IRS Publications 4557 and 5708.

A CPA may use tools during a tax engagement (SSTS ¶1.4.5). In this case, the CPA is using the IRS resolution software, an AI–powered tool within the software, and the tax research library. The source of the tool should be considered. Subscription–based tools generally have more weight than independent online sources (SSTS ¶1.4.6). The tax representation software and subscription–based tax research library are both highly rated among peers. A tool does not replace the CPA’s responsibility for the work product in accordance with the SSTSs and other relevant authority (SSTS ¶1.4.7). The tool used does not replace the CPA’s responsibility for professional judgment (SSTS ¶1.4.8). Using a combination of tools not only enhances the CPA’s understanding of the tax issues but also allows the CPA to perform the engagement with due professional care.

Case 3: Tax consulting services

To assist in streamlining select tax consulting services, a CPA practitioner is considering using tax planning software that contains an AI–powered tool. The tax planning software provides tax projections and tax savings computations. The software requires the CPA to upload the most recent tax return filed. The software then goes through a series of questions to further refine tax strategies specifically tailored to each client, providing specific recommendations. The tax planning software integrates with the subscription–based tax research library that the CPA uses. The CPA plans to conduct sample test computations to verify computations provided by the tax planning software. The tax planning software does not require taxpayer data, such as a TIN.

Before uploading the tax return to the software, the CPA will ensure that each client’s TIN and other sensitive information are masked. When receiving documentation from clients, the CPA requests that PII be redacted. The CPA requests taxpayer data only when required for a tax form filing. The tax planning software, including the AI–powered tool, is favorably reviewed by other CPA practitioners. The CPA has implemented a WISP.

A CPA may use tools during a tax engagement (SSTS ¶1.4.5). In this case, the CPA is using tax planning software that contains an AI–powered tool. Another tool that the CPA is using is the tax research library. The source of the tool should be considered; subscription–based tools generally have more weight than independent online sources (SSTS ¶1.4.6). The tax planning software and subscription–based tax research library are both highly rated products within the profession. The final work product remains the CPA’s responsibility; the CPA is ultimately responsible for performing tax services in accordance with the SSTSs and other relevant authority (SSTS ¶1.4.7). The tool used does not replace the CPA’s responsibility for professional judgment (SSTS ¶1.4.8). Using a combination of tools not only enhances the CPA’s understanding of the tax issues but also allows the CPA to perform the engagement with due professional care. The CPA’s use of multiple combined tools allows them to meet their professional ethical tax responsibilities.

The CPA can use tools hosted by a third party, but the CPA is responsible for making reasonable efforts to ensure client data is protected (SSTS ¶1.3.8). The CPA is satisfied with the tax planning software‘s controls.The CPA should take steps to limit the amount of confidential taxpayer information they possess (SSTS ¶1.3.9). In this case, the CPA is requesting clients to redact PII. The CPA should be cognizant of any applicable privacy laws related to data protection, such as the GLBA.

Key takeaways from the standards on data protection and reliance on tools

These sample cases provide a practical approach in applying the revised SSTSs related to data protection and reliance on tools. The issues in professional tax ethics addressed in the standard on data protection are: (1) Members should make reasonable efforts to safeguard taxpayer data; (2) the standard does not replace or alter existing standards on confidential client information; and (3) applicable privacy laws should be considered. The issues in professional tax ethics addressed in the new standard on reliance on tools are: (1) Due professional care in performance of duties should be exercised when relying on tools, and (2) the use of a tool does not absolve the member of professional responsibilities. Best practices should be employed to allow members to meet professional responsibilities under the SSTSs. Best practices can include, but are not limited to, using a combination of tools during tax engagements, having a robust system of safeguards to protect client data, using subscription–based tools, and adding multiple layers of security to and encrypting files containing sensitive client data.

Contributors

Luis Plascencia is a CPA practitioner and accounting educator in Illinois. He is an active member of the Illinois CPA Society, the AICPA, and the National Association of State Boards of Accountancy and serves on the state board of accountancy in Illinois (Illinois Board of Examiners). Arthur Auerbach, CPA, CGMA, is an independent tax consultant in Atlanta. Auerbach is chair and Plascencia is a member of the AICPA Tax Practice and Procedures Committee. For more information about this column, contact thetaxadviser@aicpa.org.