CPAs manage a significant amount of valuable data for themselves and their clients, such as tax ID numbers, social security numbers and net income. Keeping the data safe is a major responsibility. Accounting Today reported on the role of the Federal Trade Commission (FTC) Safeguards Rule in the use of artificial intelligence (AI) in these offices.
Practices increasingly use AI to help with data management and security. Ironically, that technology can itself become a security risk. How can a CPA practice use AI tools effectively while remaining responsible for the client data that cybercriminals constantly attempt to access? This is where the 2023 FTC Safeguards Rule comes in.
One of the most significant risk areas related to AI in accounting is confidentiality. Information processed, analyzed and summarized is subject to the AI tool's cybersecurity vulnerabilities. Users should weigh the value of using AI for a specific application against the potential to expose sensitive information.
Users also need to remember that AI is fallible. It has been proven to produce incorrect or biased results. Viewing AI results with a discerning eye is vital to identify nonsensical responses and responses that perpetuate biases or stereotypes. Often, these kinds of results can be avoided by providing good prompts. According to Accounting Today, guides and training programs for writing effective AI prompts are beginning to surface throughout the Web.
As a business that stores personally identifiable information about its clients, a CPA practice must follow federal regulations regarding cybersecurity.
In matters of cybersecurity, the FTC has purview over what it defines as financial institutions, or "companies that offer consumers financial products or services like loans, financial or investment advice, or insurance." Accounting practices fall under this definition and must comply with the agency's Safeguards Rule. This set of regulations contains nine main requirements. These include naming a "qualified individual" to head the firm's cybersecurity efforts, carrying out a risk assessment, regularly testing the system for vulnerabilities and monitoring the cybersecurity compliance of the firm's service providers.
A written information security plan (WISP) is the foundation of an accounting practice's cybersecurity system. This document enumerates what the firm would do if a security breach occurred. It contains information on who makes final decisions, who to contact and how to contain the breach.
For CPAs, having a WISP is critical because they must certify on their application for a Preparer Tax Identification Number (PTIN) that they have a WISP in place. Without a PTIN, CPAs cannot file taxes for their clients. Accounting firms that still need an up-to-date WISP and still need to follow other Safeguards Rule compliance requirements are in danger of having their PTINs revoked, Accounting Today said.
Experts offer several tips to help with the AI transition. The first is that adoption does not need to happen all at once. Practices can try AI a little at a time, using it for one application and adding more as the staff adjusts. Accounting Today reported that products from different AI providers can be tested and compared. Additionally, using clean data is vital. AI cannot make good reports using insufficient data, so the practice should follow good data management practices. Training is also essential: AI constantly evolves, so associates need continuous training.