Top IRS Tips for Safeguarding Taxpayer Data
Coaxis
Every tax professional in the United States — whether at a major accounting firm or an individual practice — is a potential target for sophisticated, well-funded and tech-savvy cybercriminals worldwide, the Internal Revenue Service (IRS) warns. Why? Because CPAs have access to significant amounts of confidential financial and personal client information.
And, as the use of technology to access that data increases, so does the risk to taxpayers, according to the Association of International Certified Professional Accountants (AICPA). It cites an 80% increase in reported data breaches of CPA firms between 2014 and 2020.
To address this growing threat, data protections are among three new tax standards proposed by the AICPA and scheduled to take effect on Jan. 1, 2024. Specifically, Section 1.3.4 of the AICPA’s Statements on Standards for Tax Services reads: “A member should make reasonable efforts to safeguard taxpayer data, including data transmitted or stored electronically.” (i)
This new standard offers a few broad suggestions such as using virtual private networks (VPNs), strong passwords and firewalls; but ultimately, it expects members to customize their data protection efforts based on their particular facts and circumstances.
The IRS has also elevated its warning for tax professionals to be on guard against new and ongoing cyberthreats, launching an information campaign focused on five fundamental tips to help protect their firms and taxpayers from data theft.
IRS TAX TIP #1 Encourage Clients to Sign Up for Identity Protection PINs
The IRS Electronic Tax Administration Advisory Committee describes the IP PIN as “the number one security tool currently available to taxpayers from the IRS. This tool is the key to making it more difficult for criminals to file false tax returns in the name of the taxpayer.” The IP PIN is a six-digit number known only to the taxpayer and the IRS. CPAs cannot obtain an IP PIN for their clients, who instead have to verify their identities directly to the IRS. The easiest way for them to do so is by visiting “Get an IP PIN.” (ii)
IRS TAX TIP #2 Avoid Spear Phishing Scams
This is one of the most successful tactics cybercriminals use against CPAs. Posing as a potential client, they craft personalized email conversations that eventually entice the tax professional into opening an embedded link or attachment that secretly downloads software that gives the thieves remote access to their computers and systems.
IRS TAX TIP #3 Know the Tell-tale Signs of Identity Theft
Many tax professionals who report data thefts to the IRS missed the clues that a theft had occurred. Signs to watch for include multiple clients suddenly receiving IRS letters requesting confirmation that they filed a tax return, seeing e-file acknowledgements for far more tax returns than they filed, and computer cursors that seem to move on their own.
When an identity theft issue occurs, the IRS encourages CPAs to notify them immediately and also contact cybersecurity experts to assist with determining the cause and extent of the loss. Tax professionals can also stay up to date on the latest threats, scams and other news by registering for the IRS’ Quick Alerts (iii) and e-News for Tax Professionals (iv).
IRS TAX TIP #4 Help Clients Protect Themselves when Working from Home or Traveling
With work-from-home and hybrid workplace policies becoming more commonplace, taxpayers may find themselves conducting their financial affairs in a different way. CPAs can help clients protect themselves by providing basic tips on computer security, such as using two-factor authentication and secure VPNs. Cyber-smart tactics can protect both the taxpayer and the tax preparer.
IRS TAX TIP #5 Create a security plan
There are many aspects to managing a successful CPA firm, including reviewing tax law changes, staying current with software updates and providing staff training. One often overlooked but critical component is creating a security plan. More than just a best practice, federal law enforced by the Federal Trade Commission requires all professional tax preparers to create and implement a written data security plan.
Sole Proprietor Dedicated Server
Managed Hosting for Major Financial Software
• Private Hosted Environment Customized for Sole Proprietor CPAs
• Affordable Solution: $249 Per Month (includes 1 up to 2 Users)
• Solution Includes: a File Server and Application Server, 250GB Storage, Backup, Multi-Factor Authentication, Anti-Virus, Anti-Malware/Anti-Ransomware, 10 Hours Monthly Application Support (Phone/Email), and more
• Solution Requirements: Functional Workstation Running Windows 10 or MAC latest IOS, Twain Compliant Printer/Scanner, Microsoft Office365 (E3 or ProPlus with Email), High Speed Internet Connection
• Financial Software Hosting Expertise: Thomson Reuters, Wolters Kluwer, Drake Software, Intuit®, and Others
• Compliant with GLBA, HIPAA, and CJIS
• SOC 2 Type 2 Unqualified Audit Opinion
The IRS has joined with software developers, payroll and financial tax product processors, tax professional organizations and financial institutions, and state tax administrators to protect taxpayers and counter evolving criminal tactics. Known as the Security Summit, the group recommends a Written Information Security Plan (WISP) to protect businesses and clients while providing a blueprint for action in the event of a security incident. Having a WISP also helps CPAs respond to other situations that can disrupt their ability to conduct normal business such as fire, flood and other natural disasters ranging from hurricanes to tornados.
An effective WISP should focus on employee management and training, information systems and detecting and managing system failures. There is no one-size-fits-all solution. Instead, a WISP should be appropriate for a company’s size, scope of activities, complexity and the sensitivity of the customer data it handles. For instance, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm.
Defending against the threat of cyberattacks can seem like an overwhelming proposition. Cybersecurity firms like Coaxis can help ease the burden with a multi-pronged approach that covers the following:
includes protecting both hardware and software assets such as end-user devices, data center resources, networking systems and cloud resources.
2. EMPLOYEE TRAINING, POLICIES AND PROCEDURES
Employees are considered the weakest link when it comes to cybersecurity. An organization can have the gold standard in IT infrastructure protections but still be vulnerable if an employee falls victim to social engineering and inadvertently clicks on a malicious link or responds to a fraudulent email.
3. ANNUAL CYBERSECURITY AUDITS
These are designed to provide an in-depth assessment of an organization’s ability to defend itself against cyberattacks and detect vulnerabilities that can pose a threat.
4. PENETRATION TESTING
Commonly known as ethical hacking, this involves authorized “white-hat hackers” who deploy current methods and tactics used by cybercriminals to determine if an organization’s IT infrastructure can withstand a similar attack in real life. Conducted monthly, it provides a proactive element that complements annual security audits.
(i) www.journalofaccountancy.com/issues/2022/dec/proposed-aicpa-tax-standards-address-new-concerns.html
(ii) www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
(iii) www.irs.gov/e-file-providers/subscribe-to-quick-alerts
(iv) www.irs.gov/e-file-providers/join-e-news-for-tax-professionals
Coaxis Hosting is an endorsed program for the FICPA that provides CPA firms with a fully hosted and managed network solution designed to remove the complexities of federal and industry compliances, curb the demands of maintaining an IT infrastructure, and greatly minimize the threat of cybercrime. It owns and operates a private single-tenant data center built, operated and maintained to strict ANSI/TIA-942 Site - Rated 3 standards. In addition, the company’s services are compliant with GLBA, HIPAA HITECH, CJIS, and an Industry Audit SOC 2 Type 2 Unqualified Audit Opinion. Coaxis also partners with SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by providing in-house penetration tests.