How It Works

Upon arrival at the testing center, the CPA exam candidate's fingerprints are scanned into the system. Candidates must also bring identification documents, such as a driver's license or passport, to authenticate their identity. These are scanned to capture the candidate's name, address, birth date/age, and document number. This identifying information may be recalled by BIMS for subsequent candidate visits to testing centers at any location. Candidate information and fingerprint templates are stored at a centralized database with the latest computer security safeguards, according to NASBA. A digital image of the CPA exam candidate is also taken at the testing center and is stored separately. Candidates who refuse to provide the necessary identification documents and fingerprints are not allowed to take the exam.

Purported Benefits

The NASBA website states that BIMS is used to:

• verify that candidate's identity each time he or she returns to a Prometric test center from a rest break, to take another Exam section, etc.,

• protect candidates'privacy by enabling movement around the test center without the requirement that identification documents be carried and presented regularly,

• identify and guard against testing fraud by detecting and preventing test-taking by unauthorized candidates, and

• improve security of test centers by preventing unauthorized individuals from accessing restricted areas.

In recent communications with the CPA Journal editors, both NASBA and the AICPA cited the widespread use of fingerprinting for other professional licensing exams to improve test integrity and security.

Concerns

Critics of the CPA exam's new identification system have expressed concerns that the proverbial pendulum has swung too far away from privacy protection in the name of security. The fingerprinting program has been compared by some to the Big Brother nightmare of George Orwell's 1984. One of these concerns involves the integrity of the procedures for encrypting and electronically storing candidates' fingerprints and other identifying information for an indefinite period of time. The Uniform CPA Examination Alert newsletter from fall 2007 states: “On subsequent visits to Prometric test centers—even years later—fingerprint records will be available at check-in for comparison to confirm the identities of candidates” (www.cpaexam.org/alerts/download/cpaalertfall0.pdf).

As with any technology, biometric fingerprinting is not foolproof. A common problem of fingerprinting software is the risk of false negatives. One example would be when a candidate with an existing template attempts to retake the exam but is not recognized by the system.

One outspoken candidate has asked, “Does it make sense that a U.S. passport is sufficient identification to travel the world and enter the United States, but not to take the CPA exam? Does the CPA exam really need to exceed the security requirements established by the Department of Homeland Security?”

The adequacy of prior disclosure of the new procedures has also been questioned. As of September 2008, the AICPA's website still displayed the Uniform CPA Examination Candidate Bulletin dated December 2007 (www.aicpa.org/download/members/div/career/mini/candidate_bulletin_200712.pdf), which makes no mention of the fingerprinting requirement.

I'm thankful that this issue doesn't directly affect me—I passed the CPA exam long before technology took over with the computer-based test (CBT) and fingerprinting. But if this measure is supposed to enhance the integrity of the exam by preventing someone other than the CPA candidate from taking the test, I have to wonder how widespread this problem has really been over the years: How many CPA candidates were able to find someone else to take the CPA exam for them? Or are the exam administrators making a mountain out of a molehill?

The CPA Journal editors would like to hear from you on this issue.