For Florida CPA firms, AI rollouts have to clear two specific bars before any other consideration: IRS Publication 4557 (the safeguards every paid tax preparer is required to implement) and the FTC Safeguards Rule (which applies to any business handling customer financial information, including every CPA firm). Both predate the AI era but apply directly. Here is the practical path firms are using to deploy AI during tax season without breaking either.
What Pub 4557 Actually Requires
IRS Publication 4557 requires every paid tax preparer to maintain a written data security plan, implement multi-factor authentication on tax software access, encrypt taxpayer data, conduct regular employee training, and maintain ongoing review. The IRS Security Summit MFA mandate has been in effect since 2023 and applies to every authorized e-file provider. Non-compliance can result in suspension of e-file privileges — an existential issue for any tax practice.
The FTC Safeguards Rule (16 CFR 314), updated in 2023, applies to every CPA firm handling customer financial information. It requires a Written Information Security Program, a designated Qualified Individual, annual risk assessments, encryption, multi-factor authentication, audit logging, and continuous monitoring or annual penetration testing.
Where AI Trips Pub 4557 And Safeguards
The trigger point is almost always the same: a CPA copies and pastes client tax data — SSNs, EINs, account numbers, partner allocations, K-1 distributions, financial statements — into a consumer AI tool to ask a question or draft a letter. That data has now left the firm’s control. The audit log of who-accessed-what-when no longer covers it. The encryption posture is broken. The MFA requirement on the tax-software side is sidestepped because the AI tool is outside that boundary entirely.
The High-ROI AI Use Cases For CPAs
- Tax research: plain-English questions about tax code interpretation with cited Code/Reg/Rev Rul references through Perplexity or Claude.
- Client letter drafting: first-draft engagement letters, tax planning memos, K-1 explanations, and IRS notice response templates.
- Tax return review: structured review of preparer-completed returns with consistency checks against the client’s prior-year return and source documents.
- Workflow automation: drafting Excel formulas, QuickBooks reports, and reconciliation logic without leaking client data.
- IRS correspondence: first-draft response letters to CP2000s, exam letters, and other IRS notices, all redacted and reviewed by the CPA.
The Setup That Keeps You Compliant
- Multi-vendor AI access through a governed hub.
- MFA on every account.
- Automatic redaction of SSNs, EINs, account numbers, and dates of birth before prompts leave the firm.
- Vendor training opt-out enforced contractually.
- Audit logging that ties every prompt to a named CPA or staff member.
- A one-page AI Policy Addendum to your Written Information Security Plan.
- Annual employee security training updated to cover AI usage.
- Quarterly review of audit logs and access permissions.
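As an added illustration (not code from this article or from Simply IT), here is what the redaction and audit-logging controls above look like as a pre-send filter in Python: identifiers are replaced with typed tokens, a gate refuses any prompt that still matches, and the log entry records the named user and a hash of the redacted text rather than the prompt itself. The regexes, the 8–17 digit account-number heuristic, and the sample prompt are assumptions constructed for the example.

```python
import re
import hashlib
from datetime import datetime, timezone

# Identifier patterns the article says must never leave the firm in a prompt.
# The formats (SSN 3-2-4, EIN 2-7, DOB mm/dd/yyyy) are standard; the
# account-number rule (8-17 contiguous digits) is an assumed heuristic.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "DOB": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "ACCT": re.compile(r"\b\d{8,17}\b"),
}

def redact(text):
    """Replace every match with a typed token; return (clean_text, counts_by_type)."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}-REDACTED]", text)
        if n:
            counts[label] = n
    return text, counts

def contains_pii(text):
    """Gate: True if any pattern still matches, i.e. the prompt must not be sent."""
    return any(p.search(text) for p in PATTERNS.values())

def audit_record(user, vendor, prompt):
    """Redact, then build the log entry tying the prompt to a named user.
    Only the SHA-256 of the redacted text is stored, never the raw prompt."""
    clean, counts = redact(prompt)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "vendor": vendor,
        "redactions": counts,
        "prompt_sha256": hashlib.sha256(clean.encode()).hexdigest(),
    }
    return record, clean

# Constructed sample prompt with fake identifiers (not real client data).
SAMPLE_PROMPT = ("Draft a CP2000 response for John Q, SSN 123-45-6789, DOB 04/15/1962, "
                 "owner of Acme LLC (EIN 12-3456789); wire came from acct 123456789012.")

if __name__ == "__main__":
    rec, clean = audit_record("jdoe", "claude", SAMPLE_PROMPT)
    print(clean)
    print(rec)
```

The filter is a backstop for the obvious formats; it does not catch narrative identifiers (names, addresses, dollar figures), so it complements rather than replaces staff training and the contractual training opt-out.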
Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.