P1: IML/FFX P2: IML/FFX QC: IML/FFX T1: IML
PublicAcc WL040/Bidgolio-Vol I WL040-Sample.cls June 19, 2003 16:55 Char Count= 0
152 PUBLICACCOUNTINGFIRMSaggressive vision: “to be the recognized global leader
in IT governance, control and assurance” (http://www.
isaca.org). ISACA accomplishes this goal by offering ser-
vices such as research, setting industry standards, and
providing information, education, certification, and pro-
fessional advocacy.
One of the certifications ISACA oversees is the CISA
(Certified Information Systems Auditor). It also operates
the IT Governance Institute, believing information tech-
nology is no longer simply an enabler of an enterprise’s
strategy but is also an integral part of the strategy. ISACA
has been leading the way by developing “globally applica-
ble information systems auditing and control standards”
(http://www.isaca.org).
As Gallegos, Manson, and Allen-Senft (1999, p. 6) in-
dicated, “Technology has impacted the auditing profes-
sion in terms of how audits are performed (information
capture and analysis, control concerns) and the knowl-
edge required to draw conclusions regarding operational
or system effectiveness, efficiency and integrity, and re-
porting integrity.” CPA firms must face the challenges by
providing more IT training to their staff so that they can
broaden the range of services and effectively deliver those
services to their clients.Legal and Regulatory Issues
Much of the work of CPA firms involves financial data that
clients want to protect, as appropriate. Thus, when more
and more financial data and client communications about
that data are performed or are made available electron-
ically, CPA firms need to understand the technology, as
well as the law, to be sure that confidential data is pro-
tected by privacy features in their system and their firm’s
office routines. In addition, a limited confidentiality priv-
ilege, added to the federal tax system in 1998, requires
that CPA firms be aware of how the confidentiality of pro-
tected records is maintained so that clients do not lose any
CPA–client privilege that may exist with respect to certain
records. Another legal and regulatory concern for some
CPA firms involves proper advising of clients subject to
SEC rules to be sure that financial information posted to
a Web site is properly and timely presented. These key
concerns—privacy, confidentiality, and Web posting of fi-
nancial data—are explained next.Federal Privacy Law
Many CPA firms are subject to the privacy provisions of the
1999 Gramm–Leach–Bliley (GLB) Act. The privacy pro-
visions apply to a broad range of financial services that
includes preparation of nonbusiness tax returns and fi-
nancial and tax planning. The act prohibits those sub-
ject to it from disclosing nonpublic personal information
without authorization. The act also directs the Federal
Trade Commission (FTC) to issue regulations on the dis-
closure required by companies subject to the privacy pro-
visions. The FTC (2000) issued final regulations in May
2000 and CPAs had to be in compliance by July 1, 2001.
CPA firms subject to the FTC regulations must provide
a disclosure notice to new clients and an annual disclosure
to all clients that accurately depicts the firm’s privacy pol-
icy. The disclosure must explain the firm’s practices andpolicies regarding privacy, including such items as the cat-
egories of nonpublic personal information collected and
other data the firm might disclose, the client’s right to
opt out of any disclosures by the firm, and how a client’s
nonpublic personal information is maintained in a secure
and confidential manner. The AICPA Web site provides
members with information about complying with the act,
including sample disclosure letters that can be sent to
clients.
The new disclosure rules are most relevant to a CPA
in terms of the notice requirement. CPAs are already sub-
ject to disclosure and confidentiality rules by their licens-
ing state, the AICPA, and the federal tax law. For exam-
ple, Rule 301 of the AICPA Code of Professional Conduct
states that “a member in public practice shall not disclose
any confidential client information without the specific
consent of the client.” Internal Revenue Code (IRC) sec-
tion 6713 imposes a penalty on any tax return preparer
who discloses information provided to him or her for re-
turn preparation or uses such information for any purpose
other than to prepare or assist in preparing a tax return.
IRC section 7216 provides that such disclosure is a misde-
meanor if the disclosure is done recklessly or knowingly.Confidentiality Privilege
In 1998, the IRS Restructuring and Reform Act created a
limited confidentiality privilege for clients of CPAs. This
new provision (IRC section 7525) extends the common
law attorney-client privilege of confidentiality with re-
spect to tax advice to any federally authorized tax practi-
tioner (attorneys, CPAs, enrolled agents, and enrolled ac-
tuaries). This privilege is intended to apply to the same
extent as it would between a taxpayer and an attorney;
however, it does not expand the attorney–client privilege.
The section 7525 privilege, if otherwise applicable, ap-
plies totax advicefurnished to a client-taxpayer or po-
tential client-taxpayer. However, the privilege may only
be asserted in a noncriminal tax matter before the IRS
and any noncriminal tax proceeding in federal court by
or against the U.S. “Tax advice” is defined as advice given
by an individual with respect to a matter within the scope
of the individual’s authority to practice as a federally au-
thorized tax practitioner (per Treasury Department Cir-
cular 230) that involve matters under the IRC. Thus, the
section 7525 privilege cannot be asserted to prevent any
other regulatory agency (such as the SEC) or person from
compelling the disclosure of information. The section
7525 privilege does not apply to any written communica-
tion between a federally authorized tax practitioner and a
director, shareholder, officer, or employee, agent, or rep-
resentative of a corporation in connection with the pro-
motion of the direct or indirect participation of the corpo-
ration in any tax shelter (per the definition at IRC section
6662(d)(2)(C)(iii)). CPAs need to check their state’s law to
see if the state has conformed to the federal privilege.
Section 7525 goes beyond Rule 301, Confidential Client
Information, of the AICPA Code of Professional Con-
duct (noted earlier), because the section 7525 privilege is
legally enforceable and generally will prevent disclosure,
even if compelled by the IRS through a summons.
The existence of a CPA-client privilege means that
CPAs need to understand the basics of the attorney–client