How to Comply with the New SSTSs
06/05/2024
William Stromsem, CPA, J.D., George Washington University School of Business
AICPA promulgated three new Statements on Standards for Tax Services (SSTS) covering data protection, reliance on tools and tax representation that became effective on January 1, 2024. Prior SSTSs were carried over and reorganized but contain no new requirements and will not be dealt with in this article, assuming that you already have policies in place to work with them.
The new SSTSs do not have bright-line standards and mostly use flexible terms like reasonable efforts, due professional care, due diligence and professional judgment. (See prior article on SSTSs.) The SSTSs tend to use “should” instead of the more mandatory “must,” so the compliance is somewhat flexible and hedged. This should give comfort to CPAs in tax practice, and the SSTSs might be thought of as providing a defensible standard against regulatory sanctions and liability claims.
The new SSTS on data protection requires members to make “reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically” and consider “applicable privacy laws when collecting and storing data.” It does not require encryption or ask us to do any more than most practitioners are currently doing to protect taxpayer privacy. The new SSTS on reliance on tools requires only that members exercise professional care when using a tool, that members exercise “appropriate” professional judgment when using a tool, and that they “take reasonable steps to determine that the tools are appropriate for the intended purpose.” The new SSTS on representation requires that a practitioner determine that technical competence exists, follow applicable agency or court rules, act with integrity and professionalism, comply with applicable rules on timeliness of responses, consider confidentiality responsibilities for the taxpayer, suspend or withdraw from engagement if the case appears to be going into criminal issues, and review with the client the consequences of a proposed agreement with a tax authority.
Note that the AICPA standards reflect current external legislative, regulatory and judicial standards. AICPA would not want to set more lenient standards, misleading practitioners to believe that they were in compliance with external standards, and having the standards look weak to outside regulators and the public. AICPA would also not want to set more rigorous standards, placing a self-regulatory burden on members and placing them at a competitive disadvantage to non-CPA practitioners. So, in general, compliance with the SSTSs may help avoid sanctions by other regulators.
The SSTSs are binding under the AICPA Code of Professional Conduct. You may be tempted to think that there are likely to be few disciplinary actions by AICPA with the new flexible standards and that in the rare instance of a successful action against a CPA, AICPA’s most extreme sanction is to expel you from the organization, with a major consequence being the loss of AICPA group-term life insurance. However, this ignores the fact that the IRS and state professional licensing authorities all review AICPA sanctions – if you are sanctioned by AICPA, you may also see an action brought by other regulators. AICPA disciplinary actions are published on its website, and IRS sanctions are published in the IRS Bulletin, with each regulatory body reviewing the work of the other, and with state licensing authorities often having the same standards also reviewing AICPA and IRS sanctions. If your IRS practice rights are terminated, your firm must choose between giving up IRS practice or terminating you because the IRS does not want a sanctioned CPA to be able to work indirectly through others in the firm. Violations can result in a loss of your job, your right to practice before the IRS, or your CPA license, as well as your valuable professional reputation. Another major concern with failing to comply with the SSTSs is that these standards are often used in malpractice claims that a CPA was not acting in accordance with professional standards.
The issue, then, is how do we show compliance with these flexible standards. You do not have to get it right with the benefit of hindsight, but you do have to be prepared to show a reasonable effort to satisfy the requirements. Again, there are no bright lines, but there are several ways to evidence your efforts that may be helpful.
Training on Professional Standards, Including the New SSTSs
A training session on the SSTSs will help your staff members to be aware of ethical issues and know how to exercise professional judgment and due professional care. The training might include some close calls, bringing a good discussion of current and better practices. This will help your associates and staff recognize when they are in an area where there are issues. Plus, it shows your firm’s effort to act in accordance with the standards. Be sure to keep a record of the training to be able to show your efforts.
Written Policies
A firm might consider various policies to help support a claim of compliance with the SSTSs, such as:
- Client data protection policies, including record retention and destruction. Your Written Information Security Plan (WISP) should suffice but be sure to update it. Note that the IRS is occasionally requesting this at the completion of an audit. (See article, Don’t Forget to Check Your WISP!.)
- A policy that requires employees to report possible professional standards issues in writing to a more senior professional in the firm, emphasizing to everyone that this is an important part of quality review. Resolution of the issue might provide a defense against penalties or liabilities by showing, for example, why a preparer decided that a position taken met the applicable IRS and SSTS standards (substantial authority for undisclosed positions, reasonable basis for disclosed positions, more-likely-than-not standard for tax shelters and realistic possibility of success for other issues where there is no regulatory standard). These are set in SSTS No. 1, which is the only bright-line standard in the SSTSs. Even these may be subject to different opinions as to the level of certainty for the position.
- Consider using ethics compliance checklists whenever a sensitive issue arises. This analysis may help avoid problems and can show that the firm exercised professional judgment and due professional care in resolving an issue. This documentation may be helpful in a future claim of an ethics violation or a professional liability claim.
- Ensure that everyone in the firm is aware of the importance of documentation to comply with the soft requirements of the SSTSs. Substantiation will help you recall your efforts when the issue arises during an IRS audit, a disciplinary action or a liability claim for failing to comply with professional standards. Regulatory sanctions and liability claims may arise years after the event; without records, it may be difficult to recall, let alone defend yourself.
- Develop policies on the use of generative artificial intelligence tools. You might have a staff member who heavily uses ChatGPT for research, and you don’t even know it. Your firm might require a researcher to disclose the use of an AI tool and the specific tool used when it is a major source of a work product. This might be in an in-house cover memo that transmits the research.
Engagement Letters
Consider the need for engagement letters, particularly in client representation work. Although the SSTSs do not require engagement letters, they may help limit your exposure to unreasonable client expectations. The engagement letter should clearly state what is being done and what is not being done. This will help, for example, if a criminal issue arises in a controversy, and the CPA must withdraw from the engagement. Otherwise, the client may feel entitled to be reimbursed for the extra costs of bringing in a second professional.
Summary
The new SSTSs do not place any new specific requirements on CPAs—we are already expected to meet the requirements of the AICPA Code general standards (rule 1.300.001), IRC penalty provisions, IRS regulations, Circular 230, privacy protection law and other standards. However, practitioners should be prepared to show that they have complied with the SSTSs to protect against a penalty or lawsuit based on the practitioner allegedly failing to meet professional standards. It is not just a matter of complying with the standards, but of being prepared to show your reasonable efforts to meet them. This can be done largely through training, firm policies that require documentation, and engagement letters. Implementation of these procedures will help make compliance with ethical standards a routine part of your firm’s tax practice.