
The Devil Is In The Details

CPAs have for years been very familiar with completing the PTIN (Preparer Tax Identification Number) application, and the IRS provides an application checklist for this process. If you apply online, the application takes around 15 minutes; if you are old school and submit Form W-12 instead, the application time in many cases extends by weeks.

For seasoned CPAs, we just shared what you already knew, and now you are left wondering why I wasted your time on it. Let’s talk about something you may not have known, though. Let’s take a deeper look at what you signed.

The Cyber Security Landscape For CPAs

Because CPAs have access to such sensitive and critical financial information, cybercriminals certainly understand the treasure trove of data CPAs access on a daily basis. Krebs on Security, an amazing resource on the ongoing cyber warfare, shared details of a group that specifically targeted CPAs, for example. His article from 2018 shared some of the tactics used to steal data from CPA practices; that particular article focuses on a keylogger tool used to obtain sensitive data.

As you read the article, you will understand that the likely delivery mechanism was email; it often is. In 2019 alone, for example, 85% of email was malicious, and email remains a common method of exploit to this day.

CPAs remain a constant target. Making matters worse, cybercriminals are investing in new tools, automation, and AI, to name a few, to obtain critical client data. In other words, threats continue to increase, which could have a huge impact on your client relationships in the future.

Small Print

So, with the threats continuing to evolve and, sadly, many CPA firms making wild assumptions about the current state of security in the practices they own, the government decided to “help” firms like yours.

A simple little checkbox was added to the most recent form you complete for your PTIN application. I have included the example from the W-12 form below:

As you can see from the above example, you, as a professional tax preparer, are signing off on this statement, and let’s go bold on this one: “I am aware that paid tax preparers must have a data security plan to provide data and system security protections for all taxpayer information.” In simple terms, you should have a documented security plan available that explains how you protect your clients’ data.

If you are simply signing off on this without having this documented plan then you can draw your own conclusions. What is your written security plan for your CPA practice?

In 2018 the IRS released this cybersecurity for tax professionals document that outlines many of the standards required.

Any security plan that is drafted on your behalf must take into account your current cybersecurity stance together with the lawful expectations of the IRS and FTC. Most certainly this is not a one-and-done approach: your organization constantly needs to align with best practices to remain compliant.

From simple steps such as appointing a security officer within your CPA firm and establishing policies to mitigate risk, to understanding penalties under IRC code 7216, 6713, and more, your organization needs external third-party assistance to stand any remote chance of complying with your legal requirements as a professional organization.

We have helped many practices put together efficient working security plans for their own CPA practices. Putting together a written security plan is time-intensive and requires knowledge of what the FTC and IRS expect of your CPA firm.

Do you need help aligning your CPA practice with Federal law protecting your clients’ data? Our vCIO team is ready to tackle your challenges. Contact us today to find out what a vCIO can do for your business.