William Stromsem, J.D., CPA, George Washington University School of Business
The AICPA promulgated revised Statements on Standards for Tax Services (SSTS) that will go into effect on Jan. 1, 2024. These are binding technical standards under the AICPA’s Professional Responsibilities, and they may be used for self-regulation by the profession and would likely be considered standards of practice for any legal claims against practitioners.
Many state boards of accountancy – including the Texas State Board – also incorporate the SSTS as part of their professional rules of conduct for CPAs. (See TSBPA Rule 501.62.)
Practitioners need to know what is in the revised SSTS, but there is not much that is new or controversial. In general, the “new” standards do not place new requirements on practitioners, do not place them at a competitive disadvantage to non-members and will not expose practitioners to greater liability – the rules generally reflect existing legal rules in the Internal Revenue Code, Treasury regulations, IRS rulings, Circular 230 and court decisions.
Other than some housekeeping for existing standards, there are three new standards: data protection, use of tools and representation services.
Data Protection Standard
This new standard explains an AICPA member's responsibility to protect taxpayer data. The standard is mostly common sense and recommends what most good practitioners are already doing to protect client records. The standard requires members to make “reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically” and consider “applicable privacy laws when collecting and storing data.” This is a continuation of our existing professional responsibilities of client confidentiality and external requirements in the Code, Treasury regulations and court decisions to protect taxpayer information. Protecting taxpayer data is clearly an important consideration in a flash-drive, online world where data can be copied and transmitted in bulk.
Further amplification of the standard recommends the use of security software, encryption for saved and transmitted data, secure networks, use of passwords, firewalls, and secure data sharing and collaboration platforms. The explanation of the standard clearly allows members to continue using external tax return preparation and other software but says that members should make reasonable efforts to be sure that information is appropriately protected. Members are to take reasonable steps to limit client confidential information maintained in their files, and document retention policies are recommended. Members should consider a contingency plan in case of a data breach. Members should consider various privacy laws and should have a general knowledge of the security expectations of the IRS and other regulatory agencies. Members should make reasonable efforts to ensure that personnel are trained and informed about privacy protection.
There are few mandates, basically recommending that members consider certain actions or take reasonable steps to support security. Most members already consider these items and take reasonable steps to protect data, but reading the standard may trigger some new ideas.
The standard is flexible, with “reasonable” appearing numerous times in the Explanations section of the standard. Reasonable is a relative term as described in the standard’s Explanation, which says that “actions or behaviors considered reasonable may differ over time, among members and from firm to firm based on size and resources.”
Reliance on Technology Tools
This new standard provides guidance for members in relying on tools to provide tax services, including return preparation, consulting services and taxpayer representation. Tools are broadly defined to include, but not be limited to, “tax preparation software, tax research publications (paper and electronic), tax-related calculation aides, tax planning software, state and local tax aids, online data search engines, data analytics, statistical models, artificial intelligence, and relevant professional publications and resources.”
The standard requires members to exercise professional care when using a tool, something that is already covered in the AICPA Code of Professional Conduct and in court decisions requiring CPAs to exercise “due professional care.” Members must also exercise “appropriate” professional judgment when using a tool. Members can reasonably rely on tools used for providing tax services, but that reliance does not absolve the member from fulfilling their professional obligations under the AICPA “or other applicable ethical standards.”
Probably the greatest use of this standard will be in the use of generative artificial intelligence (AI) for tax research and writing. AI queries a variety of databases that are known or unknown to the practitioner, and sometimes the results have been, at the least, inaccurate. Sometimes AI seems to make things up, depending on the query and the databases consulted, extrapolating from other information that it analyzes. In a case over the summer, two New York attorneys blamed ChatGPT when they were sanctioned by a U.S. judge for submitting a legal brief with six fictitious case citations. The SSTS encourages the use of tools to improve efficiency and client service but says that a member “should take reasonable steps to determine that the tools are appropriate for the intended purpose.” However, it does not say how this should be done, leaving it to the professional judgment of the practitioner in using professional care. Possibly this vagueness is intended to set a standard in flexible terms that might provide cover for CPAs who could say that they met the professional standard of reasonable care and professional judgment.
Providing Tax Representation Services
New SSTS No. 4 is largely a collection and update of prior standards of compliance services, recognizing that practitioners have expanded tax representation services. It requires practitioners to become competent in the tax practice and procedures of the taxing authority as well as to have technical competence in the area of controversy. The practitioner is to “take appropriate steps to comply with applicable professional and regulatory obligations in connection with representing the taxpayer.” Members are to “act with integrity and professionalism in dealings with the tax authority,” including timeliness of responses. The member must consult the AICPA Code of Professional Conduct regarding the treatment of confidential client information in responding to any request from a taxing authority. When an examination is completed, the member should discuss the results with the taxpayer, along with the consequences of agreeing to the exam conclusions, consistent with any terms of the engagement.
If a member becomes aware of fraudulent or criminal conduct, the member is to consider whether to continue the professional or employment relationship and may also recommend legal consultation.
In the Explanations of this standard, members are to consider:
- Whether the representation might constitute the unauthorized practice of law; for this, CPA members who are not attorneys might consult an attorney,
- Whether the representative is licensed in the relevant jurisdiction,
- Whether a power of attorney or other taxpayer authorization is required for the representation,
- Whether the member has any conflict of interest in the matter, and
- Whether there is an adequate engagement letter detailing the objectives of the engagement, the services to be performed, the taxpayer’s acceptance of its responsibilities, the member’s responsibilities, and any limitations on the engagement.
Additional guidance in the form of Interpretations and FAQs is in the process of being updated to reflect the reorganization of the revised standards. This updated guidance will be published soon.