AI in a CPA practice brings benefits and responsibilities

Tax numbers, social security numbers, net income, etc. CPAs manage a tremendous amount of valuable information for themselves and their clients. Keeping it safe is a serious responsibility.

The field is increasingly turning to artificial intelligence to assist with data management and security, but paradoxically this technology itself can also pose security risks. How can a CPA practice use AI tools effectively while remaining accountable for client information that cybercriminals regularly attempt to access? That’s where the Federal Trade Commission’s Safeguards Rule of 2023 comes into play.

Using AI to streamline operations

While AI can perform mundane tasks such as composing emails and providing customer service through a chatbot, its greatest value lies in processing large amounts of information and making it accessible to humans.

Artificial intelligence has countless use cases in accounting. AI can be used to analyze and categorize customer receipts and learn to identify questionable or duplicate entries. It’s possible research and summarize information from disparate sources in far less time than a human could, while freeing up the accountant’s time to develop insights and make decisions about the data. AI can view and analyze historical data and create budget forecasts.

When complex tax issues arise, AI can conduct detailed legal research to identify relevant laws and regulations. It can be used to automate tax returns. The list is essentially endless.

Risks to be aware of

However, a tool as powerful as AI comes with risks. One of the biggest risk areas associated with AI in accounting is confidentiality. Information being processed, analyzed, summarized, and the like becomes subject to the AI ​​tool’s own cybersecurity issues. Users must weigh the value of using AI for a particular application against the possibility of exposing sensitive information.

Users should also remember that AI is not infallible. It has been shown to produce results that are incorrect or biased. It is important to look at AI results with a critical eye, to look for answers that do not make sense or that perpetuate biases or stereotypes. Often these types of results can be avoided by providing good guidance. Guides and training programs for writing effective AI prompts are starting to pop up on the internet.

Responsibilities under the FTC Safeguards Rule

As a business that stores personally identifiable information about its clients, a CPA practice must follow federal regulations regarding cybersecurity. In the area of ​​cybersecurity, the Federal Trade Commission has jurisdiction over what it defines as financial institutions, i.e.: “Companies that offer consumers financial products or services, such as loans, financial or investment advice or insurance.” Accounting practices fall squarely within this definition and must therefore comply with the FTC’s Safeguards Rule. These regulations contain nine main requirementsincluding elements such as appointing a qualified individual to lead the company’s cybersecurity efforts, conducting a risk assessment and regularly testing the system for vulnerabilities, and monitoring a company’s service providers for their compliance with cybersecurity regulations .

Forming the foundation of an accounting firm’s cybersecurity system is one Written information security plan. This umbrella document identifies what the company would do in the event of a security breach: who makes the final decisions, who to contact and how, and how to contain the breach. For CPAs, having a WISP is critical because they must certify that they have a WISP when applying for a Preparer Tax Identification Number. Without a PTIN, a CPA cannot file taxes for their clients. Accounting firms that do not have an up-to-date WISP and follow other compliance requirements of the Safeguards Rule are at risk of having their PTINs revoked.

Experts provide some tips to help make the transition to AI.

• Adoption does not have to happen all at once. Practices can try AI piecemeal, using it for one application and then adding more as staff get used to it. Products from different AI providers can be tested and compared.
• Using clean data is crucial. AI can’t create good reports from bad data, so it’s important to follow good data management practices.
• Training is key. AI is constantly changing and to make the most of it, employees need ongoing training.

Balancing the rewards and risks behind AI tools is critical. Use the Safeguard Rules as a guide to ensure FTC compliance and risk management.