AI Can Be a Security Risk to CPA Practices Despite Its Benefits

By: Karen Sibayan
Published Date: Oct 29, 2024

 

CPAs manage a significant amount of valuable data for themselves and their clients, such as tax ID numbers, Social Security numbers and net income. Keeping the data safe is a major responsibility. Accounting Today reported on the role of the Federal Trade Commission (FTC) Safeguards Rule in the use of artificial intelligence (AI) in these offices.

Practices increasingly use AI to help with data management and security. Ironically, that technology can itself become a security risk. How can a CPA practice utilize AI tools effectively while still being responsible for the client data that cybercriminals constantly attempt to access? This is where the 2023 FTC Safeguards Rule comes in.

One of the most significant risk areas related to AI in accounting is confidentiality. Information processed, analyzed and summarized is subject to the AI tool's cybersecurity vulnerabilities. Users should weigh the value of using AI for a specific application against the potential to expose sensitive information. 

Users also need to remember that AI is fallible. It has been proven to produce incorrect or biased results. Viewing AI results with a discerning eye is vital to identify nonsensical responses that perpetuate biases or stereotypes. Often, these kinds of results can be avoided by providing good prompts. According to Accounting Today, guides and training programs for writing effective AI prompts are beginning to surface throughout the Web. A CPA practice must follow federal regulations regarding cybersecurity as a business that stores personally identifiable information about its clients.  

In the cybersecurity industry, the FTC has purview over what it defines as financial institutions or "companies that offer consumers financial products or services like loans, financial or investment advice, or insurance." Accounting practices fall under this definition and must comply with the agency's Safeguards Rule. This set of regulations contains nine main requirements. These include naming a "qualified individual" to head the firm's cybersecurity efforts, carrying out a risk assessment, regularly testing the system for vulnerabilities and monitoring a firm's service providers' cybersecurity compliance. 

A written information security plan (WISP) is the foundation of an accounting practice's cybersecurity system. This document enumerates what the firm would do if a security breach occurred. It contains information on who makes final decisions, who to contact and how to contain the breach.  

For CPAs, having a WISP is critical because they must certify on their application for a Preparer Tax Identification Number (PTIN) that they have a WISP in place. Without a PTIN, CPAs cannot file taxes for their clients. Accounting firms that still lack an up-to-date WISP and have yet to meet other Safeguards Rule compliance requirements are in danger of having their PTINs revoked, Accounting Today said.

Experts offer several tips to help with the AI transition. The first is that adoption does not need to happen all at once. Practices can try AI a little at a time, utilizing it for one application and adding more as the staff adjusts. Accounting Today reported that products from different AI providers can be tested and compared. Additionally, utilizing clean data is vital. AI cannot make good reports using insufficient data, so the practice should follow good data management practices. Training is also essential: since AI constantly evolves, associates need continuous training.
