Information technology is now integral to the provision of client services. So, securing information is a must, even as it becomes more challenging, particularly for small and midsize accounting firms.
by Ibolya Balog, CPA, CGMA
Jun 13, 2023, 16:36 PM
The Code of Professional Conduct for CPAs has a requirement to keep client information confidential and to develop processes that ensure adequate implementation of safeguards in their firms. As information technology has become integral to the operation of all aspects of providing client services, the methods of securing information are evolving and becoming more challenging, particularly for small and midsize accounting firms.
When considering information safeguards, there are two aspects that we tend to link together: the protection of data (including information from and about clients and the firm’s own data, including software and other proprietary material) and the security of systems from outside intruders. Generally, intruders into your system will either seek client-related information for misuse (such as identity theft) or will lock up firm information via ransomware.
Larger firms have greater access to resources, including information technology (IT) departments and dedicated, appropriately trained professionals who are accountable for not just software updates, but also monitoring system security and developing data protection protocols. IT departments also train all levels of staff in appropriate data access procedures and verify that protocols are adhered to through continuous monitoring. Big company resources also include highly sophisticated security systems that enable the appropriate protection of both client data and firm processes. All firm personnel – from new hires to seasoned professionals – are required to complete periodic training to ensure they are aware of the most recent developments and that they understand and follow firm data protection protocols. This is all a part of these organizations’ quality control systems.
Medium-size firms may have access to some of these resources, but it is unlikely that they have the same level of capital required to invest in the personnel and technology that the largest firms can muster. The approach of medium-size firms needs to be a blended model, relying on some installed technology and a key person on staff who is responsible for coordinating with outside consultants. Staff training is usually a part of medium-size firms’ data protection policies, but continuous monitoring may not necessarily take place due to resource limitations, both in personnel and technology. These firms rely more on the individual responsibility of every member of the firm exercising good data hygiene practices.
Small firms and sole practitioners have the same level of responsibility for protecting data and instituting cybersecurity measures, but due to resource limitations they usually lack the in-house information technology and personnel to fulfill these responsibilities on their own. To achieve compliance with security requirements, small firms frequently outsource these functions to consultants who specialize in providing the necessary safeguards.
The PICPA Insights white paper, The State of Pennsylvania Accounting Firms in 2023, noted that the “greater use of technology requires a layered approach to data security, an essential rather than optional feature of client service delivery.”1 However, many of the survey respondents in the single-member and small-firm categories, and even some of the medium-size firms, “appear to fall short of meeting the Federal Trade Commission’s (FTC) data safeguard regulations, which apply to tax preparers.” IRS Publication 4557, Safeguarding Taxpayer Data,2 states that the FTC Safeguards Rule requires tax return preparers to create and enact written information security plans to protect client data. Publication 4557 offers an overview of guidance on compliance with the regulations, which includes the required design and implementation of a safeguards program and the regular monitoring and testing of its operation.
The shortcoming identified in the survey that was used to compile the white paper is troubling, especially since single-member and small firms regularly provide client services consisting of tax preparation. It appears that these firms may be vulnerable to data incidents and related liabilities. If a positive note can be gleaned from the survey, respondents did indicate an intention to increase technology budgets.
Discussions with a CPA at a small firm on the topic of data protection served to highlight the need of these practitioners to turn to outside IT providers for security, which primarily has been limited to antivirus software and password protected email communication.
For small and medium-size firms that are serious about data protection, complying with the requirement to have a written information security plan is a good starting place to review and update your processes. IRS Publication 5708 (10-2022)3 is a good resource. The publication provides step-by-step guidance for getting started and a template for creating the plan with sample attachments.
One key component of the plan is assessment of risks. The outlined steps serve as a map to where firm vulnerabilities may be. A listing of the types of information collected and used by the firm may prompt a re-evaluation of what is actually necessary and what may be superfluous. So, in addition to enhancing security the plan can create efficiencies.
Identifying potential types of loss – both internal and external – is not dissimilar to a financial audit team performing the required brainstorming of fraud risk assessment when planning an audit. Potential threats may include theft, destruction, or inadvertent disclosure, and cover a range of mishaps from weather disasters to remote intrusion into computer systems. Collecting the potential risks in writing is a useful step for an organization of any size because it increases awareness of what may be necessary to prepare for a difficult situation. This process is not a once-and-done exercise, however. It should be repeated at least annually to get ahead of potential new hazards.
Another beneficial process would be to formally inventory all equipment, including where it is located and what information may be stored there. This effort ensures that all items are properly accounted for and secured in an appropriate manner. This is a good habit for firm management that may be prompted by the written information security plan.
Documented safety measures should cover both physical hard copy and electronic data. Firm policies often include destruction guidelines whereby outdated and unnecessary paper files are shredded according to a schedule that meets legal requirements. A similar process should be in place to delete out-of-date or obsolete electronic records to reduce the risk of potential data loss. Another aspect of the data handling policies should describe when and to whom data may be shared and who in the firm is authorized to do so. This ensures that CPAs are in compliance with the Code of Professional Conduct and the IRS Safeguarding Taxpayer Data requirements.
Network protection should include a firewall, anti-virus and anti-malware software, user-specific passwords that change at scheduled intervals, and timely operating system patches and security updates applied uniformly to all user equipment. Technology event logs should be monitored and reviewed. In the absence of internal personnel with the necessary technical skills to do this, the use of outside consultants for these tasks is appropriate. Implementing a two-factor authentication policy to increase network system protection also is recommended.
The embrace of a hybrid work environment has increased in recent years. With this flexibility there surely is a need to set remote access policies, but the folks working from home may not be the gap in the armor many believe it to be. One would think remote work from home would create higher risks, but a recent article in Entrepreneur4 cites a study by the Farmer School of Business at Miami University, where researchers found that “remote workers exhibit a higher level of cybersecurity awareness and take more security-related precautions than their in-office counterparts.” The study was published in the July 2023 issue of Computers & Security. The seemingly counterintuitive result is attributed to complacency among in-office workers who assume that cyberthreats are handled by the firm on their behalf.
To correct this misconception among staff, an employee code of conduct with respect to data needs to be included in the personnel manual, covered during the onboarding process for new staff, and reinforced through repeated training of all staff, including firm leaders. Reminding each individual of their own role and responsibility in cybersecurity is critical.
Most data breaches occur as a result of phishing scams, so it is essential that everyone is aware of such risks. Email security programs may screen out the most obvious ones, but the only truly effective prevention is awareness and vigilance by all members of the organization. Cybercriminals use fake logos and deceptive messages, so hypervigilance by all is needed. CPAs are prime targets, especially during busy times. It is vital that reminders of the risks of phishing emails are emphasized and then re-emphasized. A good policy is to use IT consultants to follow up relevant training by testing the staff in their identification of suspicious emails.
Despite best efforts, data incidents may still take place. Therefore, the written information security plan should include incident response plans and a breach notification plan. These prepared plans increase the likelihood of an effective response should a data incident occur. Having a designated person who will coordinate the response reduces the crisis panic that might otherwise occur. Maintaining cybercrime liability insurance as a rider to professional liability insurance also is recommended. Contacting IT consultants to assist with securing affected systems and remediating the incident should be a first step, followed by notifications to local law enforcement, state and federal agencies, and, if necessary, anyone whose data was affected.
Most of the responsibility for the planning and implementation of best practices with respect to data handling and cybersecurity rests with the CPAs and firms since they are repositories of voluminous sensitive records. Practitioners recognize their role in the safekeeping of their clients’ information, but considering the risks more broadly may be necessary.
A recent report5 from several U.S. senators based on a long-running investigation revealed that tax software companies for years extensively shared data with big tech firms, including Meta and Google. The tax preparation companies named were those that participated in the IRS Free File program that allowed individuals to self-prepare and e-file their tax returns. The report exposed the unauthorized disclosure of sensitive client information, although the participating companies and the big tech companies that received the data claimed that the data was anonymous. But, it is well known, data aggregator technology allows big technology companies to recombine information to the personal level, which is what allows them to use it in targeted advertising or for other purposes.
The problem identified in the Senate report pertains to tax preparation by the do-it-yourself segment, not by CPAs. It does not directly relate to PICPA members or small CPA firms.
However, the software providers named in the report also sell tax software to CPAs. The AICPA annually surveys CPAs and firms about the tax software they use and how they rate the various features and capabilities of these products. The most recent survey published was in the August 2022 issue of the Journal of Accountancy,6 which noted that about one third of the firms in the one-preparer and two-to-six-preparer categories used software that is sold by the same companies that were identified in the Senate report. Whether their clients’ data was compromised is at this time unknown.
In some instances, the software is downloaded to the firm’s own computer system and the actual client data is stored on the firm’s server, where presumably it is protected by the firm’s own data protection procedures. However, as software providers move more to a subscription model where processing takes place through an internet connection and data is stored in the cloud (that is, on servers contracted by the software provider), data security soon moves beyond the control of the users.
Client bookkeeping and related accounting are among the services most frequently offered by small CPA firms in addition to tax preparation. The most widely used program in this market is one sold by a company identified in the Senate report for sharing data with outside companies.
Like the tax programs, the bookkeeping software is increasingly available only on a subscription model, where the processing and data are both located on outside servers. This presents another challenge for smaller firms trying to ensure data protection and cybersecurity. Not connecting to the internet is not an option, so ensuring that all connections are secure is the first step. Verifying that data is properly encrypted for transmission becomes a shared responsibility for the IT system used internally by the CPA, the internet provider they use, and the software provider. For small and medium firms, this often requires the use of outside IT consultants. But quality must be preeminent. Selecting the most economically priced software and IT support may harbor unanticipated risks.
News media periodically report on cyberintrusions, even at the largest, most sophisticated technology firms. Some are commonly known companies, while others are ones that operate in the background, providing essential services in an ever more connected world of commerce. Cyberintrusions often originate from entities outside the United States, and their targets are often large companies, health care organizations, and government agencies. Their objective is the extraction of large ransom payments for restoring access to IT systems. For small and medium-size CPA firms, the more common risk is from cybercriminals intent on identity theft. The sensitive personal data gathered through client services present a tempting target. CPAs have earned the trusted adviser status by providing competent professional services in a client-focused, responsive manner. To maintain the confidence and respect of clients, CPAs now must be aware of and respond to the challenges that have arisen in the connected, technology-aided business environment.
A key feature, in addition to investment in the technology necessary to continue providing services, is to plan for protecting the most critical components of these systems. Accept that developing a written plan and implementing information security actions are not burdensome bureaucratic requirements among other compliance chores. Take the opportunity to focus on potential threats and proactively plan how to reduce their likelihood of occurrence and handle them should they happen to arise. This is a valuable component of operating a CPA practice in the 21st century. Technology and training are both essential to meet today’s needs, and embracing them will hopefully provide more reassuring results when a future survey of the State of Pennsylvania Accounting Firms is conducted.
1 Insights, The State of Pennsylvania Accounting Firms in 2023, PICPA (2023).
2 Safeguarding Taxpayer Data, A Guide for Your Business, IRS Publication 4557.
3 www.irs.gov/pub/irs-pdf/p5708.pdf
4 Gleb Tsipursky, “Why In-Office Work Is the Real Threat to Cybersecurity,” Entrepreneur (June 13, 2023).
5 Offices of Sens. Warren, Wyden, Blumenthal, Duckworth, Sanders, and Whitehouse, and Rep. Porter, Attacks on Taxpayer Privacy: How The Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers’ Sensitive Data, U.S. Senate (July 2023).
6 Paul Bonner, “2022 Tax Software Survey,” Journal of Accountancy (Aug. 1, 2022).
Ibolya (Ibi) Balog, CPA, CGMA, is a consultant with Asterion Inc. in Allentown and a member of the Pennsylvania CPA Journal Editorial Board. She can be reached at ibalog@verizon.net.