AICPA Issues Proposed Revisions to Statements on Standards for Tax Services

The AICPA has released an exposure draft of significant proposed changes to the Statements on Standards for Tax Services.[1] The AICPA states it will consider all comments received by December 31, 2022.  These proposed standards would be effective no earlier than January 1, 2024.

The document also contains an invitation to comment on potential later revisions to the Statements that could create quality control guidance for tax practices.

Proposed Changes

The exposure draft would both reorganize the Statements on Standards for Tax Services and create three new standards.  As the Introduction in the Explanatory Memorandum section of the document states:

As part of those efforts, the task force:

  • Developed a new structure to organize the SSTSs by type of tax work performed,

  • Updated the existing standards to better reflect the current and possible future state of the tax profession and

  • Drafted three new standards surrounding data protection, reliance on tools and the representation of clients before taxing authorities.[2]

Proposed Reorganization of the Statements

As the AICPA did with the Code of Professional Conduct, the Institute is looking to reorganize the standards, this time using a practice-based organizational structure.  The AICPA, in the “Explanation of proposed revisions to the SSTSs,” listed the four broad standard areas as follows:

  • Standard 1 includes general tax guidance with broad applicability (includes new standards on data protection and reliance on tools)

  • Standard 2 includes tax return preparation guidance

  • Standard 3 includes guidance specific to providing tax advice

  • Standard 4 includes guidance for members providing tax representation services (new standard)[3]

Much of the reorganization simply takes the existing set of standards and distributes them among the renumbered practice-based standards.  The explanation describes the proposed restructuring as follows:

This revision project has reorganized the standards so that most of the existing standards have been incorporated into either general standards (Standard 1) or compliance standards (Standard 2). Because the proposed new standards around data protection and reliance on tools are applicable to different types of tax services, they were also included with the general standards. The existing standard as related to tax advisory services (Standard 3) and the new standard related to representation services (Standard 4) were determined to be unique and have been separately stated. This alignment is intended to assist members in applying standards to specific tax practice situations and to help them understand the scope and expectations of these standards.[4]

The document contains a section providing a mapping of the current standards to the location where they will be found under the new standards, as well as changes that may be made to the current standards.

Proposed Data Protection Standard (Proposed Section 1.3)

In the explanation the AICPA gives the justification for proposing to add these provisions to the standards:

The subject of the protection of taxpayer data has exponentially grown over time and has gained global importance as technology now allows for the transfer and storage of large amounts of confidential financial information with the simple press of a button. In many cases, this data is never seen in a hard copy format. The task force believed it was important to implement a standard which ensures members adopt reasonable safeguards to protect taxpayer data, both in electronic format and otherwise.

The task force also recognized that constant advances in technology make it challenging to identify any one set of standards with broad applicability across all tax practices. The purpose of the new standard is to expressly state a member’s responsibility to make a reasonable effort to safeguard confidential client information. It was broadly written to consider the variability among member practices as well as continuingly changing privacy laws and technology.[5]

The statement provides the following proposed standard at 1.3.4 and 1.3.5:

1.3.4. A member should make reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically.

1.3.5. A member should consider applicable privacy laws when collecting and storing taxpayer data.[6]

The proposed explanation section, running from 1.3.6 to 1.3.13, gives more details on how a CPA in tax practice is expected to fulfill the proposed standards.

The explanation begins by emphasizing that the term “reasonable” is used in the standard to recognize that there is no “one size fits all” methodology that will be appropriate for all firms or for all time:

1.3.6. The statement uses the term “reasonable,” knowing that actions or behaviors considered “reasonable” may differ over time, among members and from firm to firm based on size and resources. The absence of any bright-line rules was purposeful, allowing for changing technology, laws, guidance and practice.[7]

A more detailed discussion of appropriate safeguards to be considered is found at 1.3.7:

1.3.7. Appropriate safeguards should be implemented to protect both member and taxpayer data stored within the member’s information systems platform. Appropriate safeguards should be based on current recommended practices, and may, for example, include the installation and use of commercial security software to prevent unwanted or unauthorized access to information, encryption of data that is sent between multiple parties over the internet, the use of secure networks, strong password policies, use of firewalls and use of secure data sharing/collaboration platforms.

a. A member should consider other industry standards, such as the AICPA’s Privacy Management Framework and Trust Services Criteria when developing a privacy program.[8]

The explanation next goes on at 1.3.8 to explain that CPAs have responsibilities to consider data risks that might exist at third parties the CPA uses for its tax service, such as the tax return software provider who handles electronic filing for the firm:

1.3.8. Members may use electronic tools owned and hosted by others, such as tax return preparation software, or may outsource certain tasks, such as converting paper documents to electronic information. Members should take reasonable efforts to confirm that taxpayer information properly shared with others in the course of providing a service is appropriately protected.[9]

The explanation also suggests that CPAs consider limiting the amount of data the firm retains since, obviously, data that does not exist on the firm’s servers can’t be at risk of unauthorized access:

1.3.9. A member should take reasonable steps to limit the amount of taxpayer confidential information in the member's files. For example, the member should collect only the information necessary to perform the services for which the member is being engaged or otherwise approved to perform by the taxpayer, returning or redacting any confidential taxpayer information unnecessary to complete the services. This may also include insisting that any personally identifiable information (PII) or personal health information (PHI) be masked/anonymized prior to receipt by the member. Additionally, adherence to appropriate document retention and destruction policies can help to ensure that taxpayer data is properly removed from a member's information systems once it is no longer needed under the respective statute of limitations or the member's document retention policies.[10]

The explanation also discusses the requirement for CPAs to have developed plans for how the firm would react in the case of a data breach at 1.3.10:

1.3.10. In developing safeguards, members should also consider steps to be taken in the event of a data breach, including compliance with notification obligations. For example, the Federal Trade Commission (FTC) provides recommendations that include securing systems and fixing issues that are attributed to the breach. Consider forming a plan to quickly respond to those affected by the breach. Notify appropriate authorities of the breach as required by law.[11]

The need to understand and comply with privacy laws is discussed at 1.3.11:

1.3.11. Members should consider applicable privacy laws. For example, the Financial Services Modernization Act of 1999 (also referred to as the Gramm-Leach-Bliley Act (GLBA)), requires professional tax return preparers to ensure the security and confidentiality of customer (i.e., taxpayer) financial information. As part of the implementation of the GLBA, the FTC issued the Safeguards Rule, requiring the development of a written information security plan that describes the program put in place to protect taxpayer information commensurate with relative firm size of the member and complexity of services provided. Additionally, under these rules, return preparers are responsible for taking steps to ensure that their affiliates and service providers safeguard taxpayer information in their care. As with many privacy laws, the FTC has subsequently updated the rule to keep pace with technology and members should periodically review applicable privacy laws to keep abreast of applicable rules.[12]

Taxing agencies, such as the IRS, also impose requirements on those involved in tax practice that the CPA must comply with, as discussed in 1.3.12:

1.3.12. A member should have general knowledge of the current security expectations of taxing authorities and taxpayers. Data security is a topic addressed in the tax press and by taxing authorities. For example, at the time of this writing, the IRS has a webpage with links to various publications and other information related to data protection. Members are not expected to become experts in this area, but it is reasonable that a member avail himself or herself of the information made generally available to tax professionals on the subject, including those referenced in section 1.3.7.1.[13]

Finally, the discussion concludes with responsibilities the CPA has to train employees regarding data security issues at 1.3.13:

1.3.13. Training is a vital component of any data protection plan. A member should make reasonable efforts to ensure all non-member personnel who the member supervises should be trained and informed about data protection. For example, staff should be informed how to recognize phishing emails and the dangers of opening or downloading attachments from unknown senders.[14]

Proposed Standard on the Use of Tools By the CPA

The standard discusses the use of various practice aids and research sources by the CPA, broadly describing such items as tools under the proposed standard.  Proposed standard section 1.4.2 defines tools as follows:

1.4.2. For purposes of this section, a tool is a resource used in the provision of tax services. Tools include, but are not limited to, tax preparation software, tax research publications (paper or electronic), tax-related calculation aides, tax planning software, state and local tax aids, online data search engines, data analytics, statistical models, artificial intelligence and relevant professional publications and resources.[15]

The standard discusses the care a CPA must use when selecting and using a tool, as well as the requirement that the CPA must accept the ultimate responsibility for complying with professional standards.  The standard, found at 1.4.3 and 1.4.4, provides:

1.4.3. A member should exercise appropriate professional judgement and professional care when relying on a tool.

1.4.4. A member may reasonably rely on tools used in providing tax services to a taxpayer. Use of the tool does not absolve the member of his or her professional obligations under AICPA or other applicable ethical standards.[16]

The explanations portion of 1.4 provides additional discussion to clarify the application of this standard in practice.

The use of tools is noted as being a best practice generally for CPA firms, to help ensure delivery of quality services:

1.4.5. Tools developed for use in the provision of tax services provide significant benefits to members. It is generally a best practice of a member to rely on such tools to a certain extent to improve efficiency and client service.[17]

CPAs should consider the source of the tool when determining the level of reliance on the tool:

1.4.6. The source of the tools must be considered when determining the appropriate level of reliance on that tool. For example, subscription-based tax research tools and resources may have more weight than opinion articles from independent internet sources.[18]

While understanding the point that the task force is attempting to make here, readers should not shorten this to simply deciding all subscription-based services should be given more weight than any independent internet sources.  The world isn’t quite that simple and every editorial source will eventually publish erroneous guidance (including CPE manuals from major providers of paid CPE).

For example, some subscription-based services are only updated annually.  It is incumbent upon the CPA to understand when any material was last updated and note that, for instance, a paperback tax handbook published in January (such as the CCH Master Tax Guide, RIA Federal Tax Handbook, Quickfinder, or The Tax Book) will not contain information on laws passed during the year in question, even those that might have retroactive impact. Often such sources will have some source of updated information, but the CPA must remember to check those update sources rather than merely relying on the printed book.

Similarly, many binding authorities are first published by courts and taxing agencies on the internet, representing the ultimate authority even if they aren’t provided by a publisher to which the CPA is paying a subscription fee.  That is, the full text of a published Tax Court opinion posted by the United States Tax Court carries more weight than a summary of that case published by a major tax publisher in its daily news service.

At 1.4.7 the explanation points out that the CPA is ultimately responsible for ensuring accurate results are obtained by the tool, and that includes ensuring that tax preparation software properly computes the returns:

1.4.7. A member who employs tools in providing tax services remains responsible for the completed work product in accordance with the various other standards contained in the statements. Accordingly, members should take reasonable steps to satisfy themselves that the results presented by the use of various tools are reliable. For example, a member should confirm that the calculation of taxable income and tax liability for an income tax return that is completed using professional tax return preparation software is accurate and meets the standards for tax return positions established in 2.1, Tax Return Positions.[19]

Finally, at 1.4.8 the explanation again emphasizes that the CPA cannot transfer responsibility to the tool:

1.4.8. Tools should be used to enhance or improve the member's understanding of a tax issue, not to supplant the member's professional judgement. For example, when preparing a Federal Form 1040, U.S. Individual Income Tax Return, a member must still attest under penalties of perjury that, to the best of the preparer's knowledge and belief, the return and accompanying schedules are true, correct and complete. That responsibility cannot be transferred entirely to reliance on a tool.[20]

Proposed Statement on Standards for Tax Services No. 4, Standards for Members Providing Tax Representation Services

The final new provision is placed in its own standard, Proposed Statement on Standards for Tax Services No. 4, Standards for Members Providing Tax Representation Services.

The Introduction explains what this proposed standard would cover:

4.1.1. This statement sets forth the applicable standards for a member representing a taxpayer with a power of attorney before an applicable taxing authority. Representing a taxpayer in various tax matters could involve application of other standards. The focus of this statement is on the representation relationship itself.

4.1.2. In addition to the AICPA, applicable taxing authorities may impose specific guidance related to the representation of taxpayers, such as Circular 230. These standards can vary between taxing authorities and by type of tax.[21]

In this case, the statement has six distinct subsections:

4.1.3. The member, and any individuals working with or for the member, should have or take steps to obtain technical competence in the subject matter involved. This includes competence in the technical tax area involved as well as the tax practice and procedures of the taxing authority. For this purpose, competence follows the definition established in Section 10.35 of Circular 230.

4.1.4. The member should take appropriate steps to ensure compliance with all relevant professional and regulatory obligations when representing a taxpayer.

4.1.5. The member should act with integrity and professionalism in all dealings with the taxing authority. This includes not unduly delaying or impeding the taxing authority.

4.1.6. Information requested by the taxing authority should, with taxpayer approval, be provided by the member on a timely basis unless there is a good-faith belief that the information is privileged.

4.1.7. The member should consider if the taxpayer’s conduct may be fraudulent or criminal in nature. If so, the member should advise the taxpayer to retain legal counsel and refrain from further representation.

4.1.8. Upon completion of the examination by the taxing authority, the member should review any documents or computations detailing the results of the examination for correctness and discuss with the taxpayer the consequences of agreeing to these conclusions.[22]

The explanation begins by noting that competence for a representation engagement requires more than just technical tax competence in the area under examination.  The CPA must also be competent in dealing with tax practice issues, something generally covered only in continuing education courses specifically related to tax practice:

4.1.9. Competency is an important issue for professionals who provide tax representation services. While continuing professional education tends to focus on tax law updates or more complex technical tax issues, members often overlook the complicated rules of tax practice and procedure that go hand in hand with representation of taxpayers. Members dealing with tax agencies should be knowledgeable about the procedural issues they may encounter while representing taxpayers.[23]

The explanation goes on to point out specific areas that could impact representation:

4.1.10. Members should consider multiple areas which could impact a taxpayer representation engagement. Among other items, this may include:

a. Consulting with a local law firm to determine whether the representation would constitute the unauthorized practice of law;

b. Determining whether CPA licensure in another jurisdiction may be required;

c. Executing any taxpayer authorizations required by the taxing authority such as powers of attorney;

d. Determining whether the member may be facing a conflict of interest such as representing other taxpayers who are taking a contrary position;

e. Establishing and documenting in writing an understanding with the taxpayer regarding objectives of the engagement, services to be performed, taxpayer’s acceptance of its responsibilities, member’s responsibilities and any limitations of the engagement.[24]

Finally, the explanation points out potential conflict of interest issues that must be considered:

4.1.11. When representing taxpayers, members are required to comply with all conflict-of-interest standards, such as Section 1.000.020, Ethical Conflicts of the Code of Professional Conduct.[25]

Invitation to Comment on Tax Practice Quality Issues

Not part of the proposed standard is an invitation to comment on tax practice quality control issues and whether they should be part of the Statements on Standards for Tax Services in the future.  If this were to become part of the SSTSs, a new proposed revision to the Statements would need to be issued, with an appropriate comment period.

The AICPA specifically asks those commenting on this area to answer four questions:

ITC1. How do you define quality management in tax? Please be as specific as possible.

ITC2. What role do you think the AICPA should undertake regarding quality management in tax? Please explain your rationale.

ITC3. To preserve the ability to self-regulate, do you believe the AICPA should consider quality management in tax for potential inclusion in future SSTSs? If "no," how should quality management in tax be addressed? Please provide your reasoning.

ITC4. How do you currently approach and ensure adherence to quality management within your tax function?

  • What challenges do you experience?

  • What type of application material would be helpful from the AICPA?[26]

[1] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022, https://www.aicpa.org/resources/download/tax-standards-ssts-exposure-draft-and-invitation-to-comment (retrieved September 4, 2022)

[2] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[3] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[4] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[5] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[6] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[7] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[8] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[9] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[10] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[11] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[12] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[13] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[14] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[15] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[16] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[17] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[18] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[19] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[20] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[21] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[22] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[23] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[24] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[25] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022

[26] Revised Statements on Standards for Tax Services: An Exposure Draft and Invitation to Comment, American Institute of Certified Public Accountants, August 29, 2022