Technological competence for tax practitioners is receiving increased attention from the IRS. Circular 230, which outlines rules governing those who practice before the IRS, has an entire section on “competence.” According to this guidance, tax practitioners must have the knowledge, skill, thoroughness, and preparation for any tax engagement they take on. In essence, we cannot accept work that we are not qualified to do and treat clients like guinea pigs to see if we can make it happen.
When we think of competence, we may not instinctively think of the skillful use of technology in our business, but this too can become an ethical issue. If we or our employees do not have the knowhow to ensure that deadlines are met and client confidence is maintained as we complete work digitally, we are not fulfilling our obligations to the taxpayer. If we are transmitting returns and delivering work product digitally, we need to have an established system of securing taxpayer data and safely transferring it.
In this article, we will walk through best practices and key questions to ask to ensure your tax practice is complying with Circular 230’s requirement for technological competence.
Every Tax Practice Must Have a WISP
The Federal Trade Commission requires tax practitioners to have a written information security plan (WISP). The central goal here is to ensure that taxpayer data is protected. As part of the plan, your tax practice must:
- Designate a qualified individual to coordinate the actual information security program
- Assess the risks specific to how your practice is set up and determine if you have effective safeguards
- Design and implement a safeguards program, including regular check-ins to ensure the program is serving its purpose and that it is evolving as the business changes
- Ensure that your service providers and contractors abide by the same safeguards
- Implement multi-factor authentication for your information systems or equally secure access controls
- Report any security incidents to the FTC if 500 or more people are affected
The IRS provides a free guide for creating a WISP that you can reference for further detail.
Protect Your Data
Start by being honest about your risks, especially if you work from a home office. When you are in a space where you are used to convenience, you may be tempted to neglect security measures. However, many of the steps you can take are fairly simple compared to the complications and headaches that will arise if you become involved in a security breach. For instance, if you work from home, is your Wi-Fi network broadcast? If anyone can see the name of your home network, this can open you up to security risks. Look into setting up a hidden network instead. Similarly, you will want to make sure that your sensitive data is not constantly accessible online. Instead, back up taxpayer data to a secure external source that is not connected full-time to a network.
Other best practices for protecting taxpayer data include:
Ensuring your computer is receiving regular security updates. Some tax practitioners turn off security updates toward the end of tax season because they are afraid of computer issues, when they should be more worried about compromising their data security! You also want to install software updates as soon as they are ready and use a reliable antivirus and anti-malware program. Keep in mind that if your WISP states that you have computer security measures in place, but you don’t actually follow through on them, your cyber insurance may deny your claim if a security issue occurs.
Setting up an approved system for sending and receiving sensitive taxpayer information.
Let’s say you have successfully implemented a rule that your employees do not send sensitive data via email, but your clients continue to email tax-related files to you. If your WISP says that you do not accept files by email but you accept these emails when they come from a client, you are not following your own WISP policy. What you can do instead is block attachments from coming through via email. Then you can simply tell clients that you are unable to receive attachments via email and instruct them to go through your secure portal instead.
This is also true for submitting information to the IRS. For instance, say you need to submit a power of attorney form or tax information authorization form to allow you to handle a tax matter on behalf of your client. Rather than using older and less secure systems like faxing these forms, you can use the IRS’ online submission portal to avoid the need to print or email sensitive information or expose your CAF number.
Using strong passwords.
Far too many people rely on easy-to-hack passwords like “123456” or even “Password” itself. Consider using a password manager program that allows you to set helpful parameters such as the total number of characters required. These programs automatically generate a secure password that fits the criteria and store it securely. This allows you to create a unique, strong password for every account or device you have.
Wiping or destroying old computers.
You cannot simply throw out or donate an old computer without having it completely wiped of every ounce of information. You can learn how to do this yourself or outsource the task to a trusted professional service.
Limit Access to Information
In addition to creating a secure environment for the data you handle, you also need to be selective about what type of information you are storing. For instance, avoid collecting more personal identification information (PII) than you absolutely need to complete a tax engagement. Sometimes clients overshare and send us sensitive information that we don’t even need. Clients may send along brokerage account statements or medical statements that are not directly relevant for their tax return. Avoid collecting this data if possible or avoid saving it in your own database. This automatically reduces risk since you have fewer sensitive items that could become compromised.
Make sure you have a clear document retention policy. Don’t retain PII longer than is necessary or legally required. Some tax practitioners are tempted to save every tax return they have ever prepared. Of course, there may be cases where your client has a passive loss that is being carried forward, and you may need to save certain documents to substantiate that loss years down the road. The same is true for basis of property and retaining documents that show your client was entitled to claim depreciation. Rather than save every single document “just in case,” be thoughtful about which documents are likely to be called up to substantiate a future claim and store files that are not actively being used in a place that is not accessed on a regular basis.
Similarly, you will want a secure method of destroying unneeded documents. You might keep a lock box in your office to hold physical papers that need to be shredded. You can buy a small shredding machine, or you can hire a service that will bring a shredding truck to your office and provide a certificate confirming that everything has been shredded. If your practice is primarily digital, you will want to make sure all employees know the steps to take to permanently delete a document everywhere it could be saved.
Lastly, restrict who in your business has access to what information. Not every employee needs to be able to view PII for every tax engagement. Consider how to set up your digital and physical filing infrastructure so that each employee can view only the necessary information.
Summary
Is technological competence an ethical issue? If your tax practice does not take the necessary measures to protect taxpayer data, including creating a written information security plan, then you are not in compliance with Circular 230 ethical requirements, and you are not upholding your responsibilities to the taxpayer. In our increasingly digital age, every employee at your company needs to develop technological competence and be held accountable for following every rule laid out in your WISP.