WASHINGTON – The Security Summit partners today unveiled a special new sample security plan designed to help tax professionals, especially those with smaller practices, protect their data and information.

The special plan, called a Written Information Security Plan or WISP, is outlined in a 29-page document that’s been worked on by members of the Security Summit, including tax professionals, software and industry partners, representatives from state tax groups and the IRS.

Federal law requires all professional tax preparers to create and implement a data security plan. The Security Summit group – a public-private partnership between the IRS, states and the nation’s tax industry – has noticed that some tax professionals continue to struggle with developing a written security plan.

In response to this need, the Summit – led by the Tax Professionals Working Group – has spent months developing a special sample document that allows tax professionals to quickly set their focus in developing their own written security plans.

“Tax professionals play a critical role in our nation’s tax system,” said Carol Campbell, director of the IRS Return Preparer Office and co-lead of the Summit tax professional group. “But for many tax professionals, it is difficult to know where to start when developing a security plan. The Summit members worked together on this guide to walk tax pros through the many considerations needed to create a Written Information Security Plan to protect their businesses and their clients, as well as comply with federal law.”

Each year, the Security Summit partners highlight a “Protect Your Clients; Protect Yourself” summer campaign aimed at tax professionals. This is the fourth in a series of five tips for this year’s effort. These are issued each Tuesday to coincide with the Nationwide Tax Forums, which help educate tax professionals on security and other important topics.

There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates and managing and training staff. One often overlooked but critical component is creating a WISP.

“There’s no way around it for anyone running a tax business. Having a written security plan is a sound business practice – and it’s required by law,” said Jared Ballew of Drake Software, co-lead for the Summit tax professional team and incoming chair of the Electronic Tax Administration Advisory Committee (ETAAC). “The sample provides a starting point for developing your plan, addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data losses and theft.”

Security issues for a tax professional can be daunting. The Summit team worked to make this document as easy to use as possible, including special sections to help tax professionals get to the information they need.

“We have tried to stay away from complex jargon and phrases so that the document can have meaning to a larger section of the tax professional community,” said Campbell. “It is not intended to be the final word in Written Information Security Plans, but it is intended to give tax professionals a place to start in understanding and attempting to draft a plan for their business.”
 
A security plan should be appropriate to the company’s size, scope of activities, complexity and the sensitivity of the customer data it handles. There is no one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the new sample WISP from the Security Summit group.

Once completed, tax professionals should keep their WISP in a format that others can easily read, such as PDF or Word. Making the WISP available to employees for training purposes is encouraged. Storing a copy offsite or in the cloud is a recommended best practice in the event of a natural disaster.

Additional resources
Tax professionals also can get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology. The IRS Identity Theft Central pages for tax pros, individuals and businesses have important details as well.

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and social media.

The IRS also recommends tax professionals create a data theft response plan, which includes contacting the IRS Stakeholder Liaisons to report a theft.

WASHINGTON — The Internal Revenue Service today is reminding those who have registered, or are required to register, large trucks and buses that it’s time to file Form 2290, Heavy Highway Vehicle Use Tax Return. The IRS strongly encourages using e-file and filing before the payment deadline of Aug. 31, 2022, for vehicles first used in July 2022.

Truckers that have a highway motor vehicle with a taxable gross weight of 55,000 pounds or more registered in their name must file Form 2290 and pay the tax. However, on vehicles they expect to use for 5,000 miles or less (7,500 for farm vehicles), they’re required to file a return, but pay no tax. If the vehicle exceeds the mileage use limit during the tax period, the tax becomes due.

The filing deadline is not tied to the vehicle registration date. Taxpayers must file Form 2290 by the last day of the month following the month in which the taxpayer first used the vehicle on a public highway during the taxable period, regardless of the vehicle’s registration renewal date.

Vehicles first used on a public highway during the month of July 2022 must file Form 2290 and pay the appropriate tax between July 1 and August 31. Any additional taxable vehicles placed on the road during any month other than July should be prorated for the months during which it was in service. IRS.gov has a table to help determine the filing deadline.

File and pay the easy way

Get the facts

Gather the required information

Filing options

Payment options

More information:

Today, the IRS published the latest executive column, “A Closer Look,” which features Doug O’Donnell, IRS Deputy Commissioner, Services & Enforcement, encouraging taxpayers not to wait to file their tax returns. “Every year, millions of people need more time to file their taxes and many focus their attention on the mid-October filing extension deadline,” said O’Donnell. “This year, there are special factors at play that make it even more important for people to make sure they don’t wait to file until the last minute before the Oct. 17 deadline and that, to the extent possible, they file electronically,” Read more here. Read the Spanish version here.

“A Closer Look” is a column from IRS executives that covers a variety of timely issues of interest to taxpayers and the tax community. It also provides a detailed look at key issues affecting everything from IRS operations and employees to issues involving taxpayers and tax professionals.

Check here for prior posts and new updates.

Notice 2022-33 extends the deadlines for amending a retirement plan or individual retirement arrangement to reflect certain provisions of Division O of the Further Consolidated Appropriations Act, 2020, Pub. L. 116-94, 133 Stat. 2534 (2019), known as the Setting Every Community Up for Retirement Enhancement Act of 2019 (SECURE Act), and section 104 of Division M of the Further Consolidated Appropriations Act, 2020, known as the Bipartisan American Miners Act of 2019 (Miners Act), by modifying Notice 2020-68, 2020-38 IRB 567, and Notice 2020-86, 2020-53 IRB 1786. In addition, this notice extends the deadline for amending a retirement plan to reflect the provisions of section 2203 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), Pub. L. 116-136, 134 Stat. 281 (2020).

Notice 2022-33 will be in IRB:  2022-34, dated August 22, 2022.

WASHINGTON — Storm victims in parts of Kentucky now have until Nov. 15, 2022, to file various individual and business tax returns and make tax payments, the Internal Revenue Service announced today.

The IRS is offering relief to any area designated by the Federal Emergency Management Agency (FEMA) as qualifying for individual or public assistance. Currently, individuals and households that reside or have a business in Breathitt, Clay, Floyd, Johnson, Knott, Leslie, Letcher, Magoffin, Martin, Owsley, Perry, Pike and Wolfe counties in Kentucky qualify for tax relief. The same relief will be available to any other locality added later by FEMA. The current list of eligible localities is always available on the disaster relief page on IRS.gov.

The tax relief postpones various tax filing and payment deadlines that occurred starting on July 26, 2022. As a result, affected individuals and businesses will have until Nov. 15, 2022, to file returns and pay any taxes that were originally due during this period.

This means individuals who had a valid extension to file their 2021 return due to run out on Oct. 17, 2022, will now have until Nov. 15, 2022, to file. The IRS noted, however, that because tax payments related to these 2021 returns were due on April 18, 2022, those payments are not eligible for this relief. 

The Nov. 15, 2022 deadline also applies to quarterly estimated income tax payments due on Sept. 15, 2022, and the quarterly payroll and excise tax returns normally due on Aug. 1 and Oct. 31, 2022. Businesses with an original or extended due date also have the additional time including, among others, calendar-year partnerships and S corporations whose 2021 extensions run out on Sept. 15, 2022 and calendar-year corporations whose 2021 extensions run out on Oct. 17, 2022.    

In addition, penalties on payroll and excise tax deposits due on or after July 26 and before Aug. 10, will be abated as long as the deposits are made by Aug. 10, 2022.

The IRS disaster relief page has details on other returns, payments and tax-related actions qualifying for the additional time.

The IRS automatically provides filing and penalty relief to any taxpayer with an IRS address of record located in the disaster area. Therefore, taxpayers do not need to contact the agency to get this relief. However, if an affected taxpayer receives a late filing or late payment penalty notice from the IRS that has an original or extended filing, payment or deposit due date falling within the postponement period, the taxpayer should call the number on the notice to have the penalty abated.

In addition, the IRS will work with any taxpayer who lives outside the disaster area but whose records necessary to meet a deadline occurring during the postponement period are located in the affected area. Taxpayers qualifying for relief who live outside the disaster area need to contact the IRS at 866-562-5227. This also includes workers assisting the relief activities who are affiliated with a recognized government or philanthropic organization.

Individuals and businesses in a federally declared disaster area who suffered uninsured or unreimbursed disaster-related losses can choose to claim them on either the return for the year the loss occurred (in this instance, the 2022 return normally filed next year), or the return for the prior year (2021). Be sure to write the FEMA declaration number – DR-4663-KY − on any return claiming a loss. See Publication 547 for details.

The tax relief is part of a coordinated federal response to the damage caused by these storms and is based on local damage assessments by FEMA. For information on disaster recovery, visit disasterassistance.gov.

WASHINGTON – With identity thieves continuing to target the tax community, Internal Revenue Service Security Summit partners today urged tax professionals to learn the signs of data theft so they can react quickly to protect clients.

The IRS, state tax agencies and the tax industry – working together as the Security Summit – reminded tax professionals that they should contact the IRS immediately when there’s an identity theft issue while also contacting insurance or cybersecurity experts to assist them with determining the cause and extent of the loss.
 
“Tax pros much be vigilant to protect their systems from identity thieves who continue to look for ways to steal data,” said IRS Commissioner Chuck Rettig. “Practitioners can take simple steps to remain on the lookout for signs of data and identity theft. It’s critical for tax pros to watch out for these details and to quickly take action when tell-tale signs emerge. This can be critical to protect their business as well as their clients against identity theft.”

This is the third in a summer series of five Security Summit news releases aimed at raising awareness among tax professionals about data security. The special Protect Your Client; Protect Yourself campaign is designed to help protect against tax-related identity theft by increasing attention on basic security steps that tax professionals and others should take to protect sensitive information.

One common concern the IRS hears from tax professionals is that they did not immediately recognize the signs of data theft.

Summit partners are urging tax professionals to watch out for these critical signs:

• Client e-filed returns rejected because client’s Social Security number was already used on another return.
• More e-file acknowledgements received than returns the tax pro filed.
• Clients responded to emails the tax pro didn’t send.
• Slow or unexpected computer or network responsiveness such as:
• • Software or actions take longer to process than usual,
  • Computer cursor moves or changes numbers without touching the mouse or keyboard,
  • Unexpectedly locked out of a network or computer.

Tax professionals should also watch for warning signs when clients report they’ve received:

• IRS Authentication letters (5071C, 6331C, 4883C, 5747C) even though they haven’t filed a return.
• A refund even though they haven’t filed a return.
• A tax transcript they didn’t request.
• Emails or calls from the tax pro that they didn’t initiate.
• A notice that someone created an IRS online account for the taxpayer without their consent.
• A notice the taxpayer wasn’t expecting that:
• • Someone accessed their IRS online account,
  • The IRS disabled their online account,
  • Balance due or other notices from the IRS that are not correct based on return filed or if a return had not been filed.

These are just a few examples. Tax pros should ensure they have the highest security possible and react quickly if they sense or see something amiss.

If the tax pro or their firm are the victim of data theft, immediately:

•  Report it to the local IRS Stakeholder Liaison

Liaisons will notify IRS Criminal Investigation and others within the agency on the practitioner’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in the clients’ names and will assist tax pros through the process.

•  Email the Federation of Tax Administrators at StateAlert@taxadmin.org

Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.

•  Be pro-active with clients that could have been impacted and suggest appropriate actions, such as obtaining an IP PIN or completing a Form 14039, Identity Theft Affidavit if applicable. See the early Security Summit reminder about the importance of IP PINs.

Find more information at Data Theft Information for Tax Professionals.

Additional resources

• Publication 5293, Data Security Resource Guide for Tax Professionals, provides an overview resources about how to avoid data theft.
• Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and the IRS Identity Theft Central pages for tax pros.
• Tax pros should also review Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology
• Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.
• For more information, see Boost Security Immunity: Fight Against Identity Theft.

Revenue Procedure 2022-29 modifies and supersedes Revenue Procedure 2006-36, 2006-38 I.R.B 498.  It sets forth the procedures for other Government agencies and members of the public to request the creation of special statistical studies and compilations involving return information pursuant to section 6108(b) of the Internal Revenue Code. It further sets forth the criteria for determining reasonable fees for costs associated with the creation of the special statistical studies and compilations.

Revenue Procedure 2022-34 provides indexing adjustments required by statute for certain provisions under section 36B.  Specifically, this revenue procedure updates the applicable percentage table used to calculate an individual’s premium tax credit for taxable years beginning in calendar year 2023 and updates the required contribution percentage for plan years beginning after calendar year 2022.

Revenue Procedure 2022-34 will be in IRB: 2022-33 dated 8/15/2022.

Today, the IRS published the latest executive column, “A Closer Look,” which features Nancy Sieger, IRS Chief Information Officer, discussing one of the most complex modernization programs in the federal government, Customer Account Data Engine 2 (CADE 2), and why it’s important to continue funding. “CADE 2 is a database and multi-faceted processing engine that enables faster refund processing, improved fraud detection and faster case resolution,” said Sieger. “We have completed important work over the last year to help our customers get the assistance they need, in addition to improving the agency’s underlying technology infrastructure. Our continued progress depends on Congressional appropriations that fund IRS operations and our continuing modernization and cybersecurity activities.” Read more here. Read the Spanish version here.

“A Closer Look” is a column from IRS executives that covers a variety of timely issues of interest to taxpayers and the tax community. It also provides a detailed look at key issues affecting everything from IRS operations and employees to issues involving taxpayers and tax professionals.

Check here for prior posts and new updates.

WASHINGTON – As part of a special Security Summit series, the Internal Revenue Service, state tax agencies and nation’s tax industry warn tax professionals to beware of evolving scams designed to steal client data.

The Security Summit partners continue to see instances where tax professionals have been vulnerable to identity theft phishing emails that pose as potential clients. The criminals then trick practitioners into opening email links or attachments that infect computer systems with the potential to steal client information.

The Summit also warns tax professionals using cloud-based systems to store and prepare tax returns and information to make sure they use multi-factor authentication in light of recent attacks. Specifically, the Summit partners urge people using cloud-based platforms to use multi-factor options like phone, text or tokens. This can avoid potential vulnerabilities with authentication done just through email, which is easier for identity thieves to access.

Avoiding these schemes is the second in a five-part series from the IRS, state tax agencies and the nation’s tax community – working together as the Security Summit that highlight critical steps tax professionals can take to protect client data. The focus of the Security Summit series – part of the Protect Your Clients, Protect Yourself campaign – is to urge tax professionals to work to strengthen their systems and protect client data.

“Identity theft scammers continually try new schemes to steal client personal and financial information from tax professionals. We continue to see a barrage of emails aimed at tax professionals trying to trick them into providing valuable access to identity thieves,” said IRS Commissioner Chuck Rettig. “And we continue to urge people to use multi-factor authentication, including those using cloud-based services. Constant vigilance is necessary, not just during tax season but year-round. We urge tax pros, both large operations and smaller ones, to consider these invaluable recommendations to help protect their clients and themselves.”

Phishing emails or SMS/texts (known as “smishing”) attempt to trick the recipient into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers. Tax pros are a common target.

Scams may differ in themes, but they generally have two traits:

A specific kind of phishing email is called spear phishing. Rather than the scattershot nature of general phishing emails, scammers take time to identify their victim and craft a more enticing phishing email known as a lure. Scammers often use spear phishing to target tax professionals.

In a reoccurring and very successful scam, criminals posed as potential clients, exchanging several emails with tax professionals before following up with an attachment that they claimed was their tax information. This scam gained energy as many tax professionals worked remotely and communicated with clients over email versus in-person or over the telephone because of the pandemic.

Once the tax pro clicks on the embedded URL and/or opens the attachment, malware secretly downloads onto their computers, giving thieves access to passwords to client accounts or remote access to the computers themselves.

Thieves then use this malware known as a remote access trojan (RAT) to take over the tax professional’s office computer systems, identify pending tax returns, complete them and e-file them, changing only the bank account information to steal the refund.

In the past, criminals have used ransomware attacks to shut down a variety of companies. Criminals can use similar, smaller scale tactics against tax pros. When the unsuspecting tax professional opens a link or attachment, malware attacks the tax pro’s computer system to encrypt files and the thieves hold the data for ransom.

Another emerging scheme the IRS has seen involves weak security from tax professionals using cloud-based systems to store client data. While many cloud-based systems are secure, tax professionals using these should ensure they’re using strong multi-factor authentication on these to avoid thieves accessing their sensitive information.

The IRS has observed multiple instances – frequently involving smaller tax professionals or businesses – where individual accounts on cloud-based platforms have been compromised. Identity thieves’ access these and then use existing data from taxpayer returns to file new tax returns seeking refunds, frequently by mail.

These cloud-based accounts are more vulnerable when tax pros do not use strong multi-factor authentication to validate who is using the platform. Summit partners urge using authentication methods besides email, which can be easier for thieves to access and allow entry into tax professional accounts. Using text, phone calls or tokens are safer options.

These scams highlight the importance of the basic security steps recommended by the Security Summit to protect data:

For tax professionals, securing their network to protect taxpayer data is their responsibility as a tax preparer.

To help tax professionals guard against phishing scams and better protect taxpayer information, the IRS Publication 4557, Safeguarding Taxpayer Data. This IRS publication contains some of the latest suggestions such as using the multi-factor authentication option offered by tax software products and helping clients get an Identity Protection Pin.

Additional resources
In addition to reviewing IRS Publication 4557, Safeguarding Taxpayer Data, tax professionals can also get help with security recommendations by reviewing Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology. The IRS Identity Theft Central pages for tax pros, individuals and businesses have important details as well.

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.

For more information, see IRS.gov.