Needed AI productivity for tax season prep without violating IRS Publication 4557 safeguards or the FTC Safeguards Rule on customer financial information
A 4-CPA firm serving the retiree market across The Villages and Sumter County faced the AI question right before tax season. Two of the four CPAs had been informally using consumer ChatGPT for tax research, IRS notice response drafting, and client letter templates. The managing partner had assumed the work product was fine and the data exposure was minimal. A conversation with the firm’s outside counsel changed that.
The reality: every prompt containing a client SSN, EIN, or account number sent customer financial information to a service that had no contractual relationship with the firm, used consumer-account data for model training unless the user opted out, and sat entirely outside the firm's Written Information Security Plan. Under the FTC Safeguards Rule every paid tax preparer is a financial institution that must protect customer financial information, and IRS Publication 4557 is the IRS guidance on meeting that obligation, including the requirement to maintain a WISP. The firm's WISP did not mention AI tools at all.
With tax season six weeks away, the firm needed AI productivity for the busiest stretch of the year and a rapid path to compliance documentation that the IRS and the FTC would both recognize.
PII-redacted AI workflows for tax research, client letter drafting, and IRS correspondence templates — with documented MFA, audit logging, and a Written Information Security Plan addendum covering AI usage
Simply IT had the firm operational on the AI gateway in 11 days, well ahead of the tax season deadline. The setup included enterprise-tier access to Claude, ChatGPT, and Perplexity through a single firm login under commercial terms (the contractual relationship the consumer accounts lacked), automatic redaction of SSNs, EINs, account numbers, dates of birth, and partner allocations before any prompt left the firm, and audit logging that integrated with the firm's existing Written Information Security Plan documentation.
Per-role permissions distinguished between the four CPAs and the firm's two paraprofessionals. CPAs had broader access including tax research, IRS notice response drafting, and engagement-letter drafting. Paraprofessionals were scoped to administrative tasks and document organization. Multi-factor authentication was enforced on every gateway account, meeting the IRS Security Summit MFA expectation and the FTC Safeguards Rule requirement (16 CFR 314.4(c)(5)) that anyone accessing an information system holding customer information authenticate with MFA. That requirement applies to every such system, so the gateway's MFA covers the gateway; the firm's other systems remain governed by the WISP.
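The redaction and audit-log layer described above, as an added illustration rather than Simply IT's gateway code: prompts are scanned for SSN, EIN, account-number and date-of-birth patterns, each hit is swapped for a stable per-session placeholder, the log records a keyed HMAC of the value instead of the value itself, and the gateway refuses to send anything upstream if a detector still fires after the pass. The patterns, the placeholder format, the HMAC-keyed audit entry and the sample prompt are all assumptions for the example.

```python
"""PII-redaction layer for an AI gateway: an added illustration, not Simply IT's
product code. Patterns, placeholder format and the audit-log shape are assumptions."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Tuple

# Detectors, applied in this order. The SSN rule rejects area 000/666/9xx,
# group 00 and serial 0000 (never issued), which trims false positives on
# dashed invoice or case numbers. The DOB rule fires on any MM/DD/YYYY date,
# so it over-redacts filing dates; that error is in the safe direction.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("EIN", re.compile(r"\b\d{2}-\d{7}\b")),
    ("ACCT", re.compile(r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{8,17})\b", re.I)),
    ("DOB", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
]
PLACEHOLDER_RE = re.compile(r"\[(?:SSN|EIN|ACCT|DOB)_\d+\]")


def remaining_pii(text: str) -> List[str]:
    """Kinds of PII still present; the gateway must not send upstream if non-empty."""
    return [kind for kind, pat in PATTERNS if pat.search(text)]


@dataclass
class RedactionSession:
    """One user's session. Placeholders are stable within the session so the
    model can refer to [SSN_1] consistently; the audit trail stores a keyed
    HMAC of each value, never the value, so the log is not itself a PII store."""
    user: str
    audit_key: bytes
    placeholders: Dict[str, str] = field(default_factory=dict)  # raw value -> [KIND_n]
    audit: List[dict] = field(default_factory=list)

    def _placeholder(self, kind: str, raw: str) -> str:
        if raw not in self.placeholders:
            n = sum(1 for p in self.placeholders.values() if p.startswith(f"[{kind}_")) + 1
            self.placeholders[raw] = f"[{kind}_{n}]"
        return self.placeholders[raw]

    def redact(self, prompt: str) -> str:
        """Return the prompt that may leave the firm; one audit event per hit."""
        text = prompt
        for kind, pat in PATTERNS:
            def replace(m: "re.Match[str]", kind: str = kind) -> str:
                raw = m.group(1) if m.lastindex else m.group(0)  # ACCT keeps its label text
                ph = self._placeholder(kind, raw)
                self.audit.append({
                    "user": self.user,
                    "kind": kind,
                    "placeholder": ph,
                    "value_hmac": hmac.new(self.audit_key, raw.encode(), hashlib.sha256).hexdigest()[:16],
                })
                return m.group(0).replace(raw, ph)
            text = pat.sub(replace, text)
        leftover = remaining_pii(text)
        if leftover:  # fail closed rather than trust the upstream provider
            raise ValueError(f"unredacted PII after pass: {leftover}")
        return text

    def rehydrate(self, response: str) -> str:
        """Restore real values into the model's answer, locally, for the CPA."""
        reverse = {ph: raw for raw, ph in self.placeholders.items()}
        return PLACEHOLDER_RE.sub(lambda m: reverse.get(m.group(0), m.group(0)), response)


# Constructed sample prompt; the name and every number in it are made up.
SAMPLE_PROMPT = (
    "Draft an IRS notice response for John Doe, SSN 123-45-6789, DOB 03/04/1951. "
    "The 1099-INT from Acme Bank (EIN 12-3456789, account number 000123456789) "
    "reported $2,400 that was omitted. Reference SSN 123-45-6789 in the header."
)


def demo() -> Tuple[str, int, str]:
    """Redact the sample, count audit events, and rehydrate a constructed reply."""
    session = RedactionSession(user="cpa1", audit_key=b"per-firm-secret")
    safe = session.redact(SAMPLE_PROMPT)
    reply = session.rehydrate("Re: taxpayer [SSN_1], account [ACCT_1]")
    return safe, len(session.audit), reply


if __name__ == "__main__":
    safe_text, events, hydrated = demo()
    print(safe_text)
    print(events, "redaction events logged")
    print(hydrated)
```

Two design points matter more than the regexes. First, the audit entry carries only a truncated HMAC of the value, keyed per firm, so a reviewer can tell that the same SSN appeared in three prompts without the log becoming a second copy of the client list. Second, the post-pass check in `redact` turns a detector gap into a refused request instead of a silent leak; regex detectors will always miss some formats (SSNs written without dashes, for instance), so the patterns need to be tuned against the firm's actual documents and reviewed as part of the WISP cycle.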
The Written Information Security Plan was updated with a one-page AI Policy Addendum covering acceptable use, vendor management, and the firm's annual review process. The designated Qualified Individual under the FTC Safeguards Rule formally signed off on the AI deployment as a covered processing system. A self-audit against IRS Publication 4557 was performed with documented findings — the firm passed every safeguard category in subsequent review.
22 hours per CPA per week recovered during peak tax season, FTC Safeguards alignment maintained, zero IRS Publication 4557 exceptions in the subsequent firm self-audit
The firm completed tax season with measurable productivity gains and zero compliance incidents. During the peak six weeks, the team averaged 22 hours of recovered time per CPA per week. Engagement letters that had been taking 35 minutes were drafted in 8. IRS notice responses that had taken 90 minutes were drafted in 22 and then revised by the CPA. Tax research questions were answered in minutes with cited Internal Revenue Code, Treasury Regulation, and Revenue Ruling references, each of which the CPA verified before relying on it.
FTC Safeguards Rule and IRS Publication 4557 alignment was documented and reviewed. A subsequent firm self-audit found zero exceptions across both frameworks. The Written Information Security Plan was updated with the AI Policy Addendum and signed off by the firm's designated Qualified Individual. The audit log captured an average of 39 PII redaction events per day during peak season: SSNs, EINs, and account numbers that would otherwise have been sent to a consumer AI service without the redaction layer in the path.
The managing partner commented that the firm's tax season was the smoothest in years, in significant part because AI had absorbed work that had historically driven late nights for the CPAs. Simply IT continues to manage the gateway and the firm's broader IT environment, with quarterly compliance reviews scheduled around the firm's Written Information Security Plan cadence.
Identifying details — including client name, exact location, and engagement dates — have been generalized to protect client confidentiality. The engagement, services delivered, and outcomes described are real and verifiable on request under NDA. Simply IT considers all client information confidential by default; we do not publish identifying details without explicit written consent.
Get a free technology assessment and find out exactly what Simply IT can do for your business.
