Businessman with hand on chin looking at tablet PC held by colleague in office
Financial literacy

Observe best practices when dealing electronically with the CRA

As CPA Canada VP of taxation Bruce Ball explains, practitioners need to ensure their documentation is organized and their information is secure at all times

Businessman with hand on chin looking at tablet PC held by colleague in officeWhen working with portals and tax filings, you should be just as careful as you would when dealing with any sensitive information (Getty Images / Westend 61)

Electronic tax filing has long been the norm rather than the exception. As usage of cloud-based services and online portals continues to grow, it is always advisable that CPAs review best practices  for themselves and their clients for the tax filing season.

“Although CRA’s Represent a Client portal provides a wealth of information and services to CPAs and their clients, there are a number of areas where firms need to keep risk management in mind,” says Bruce Ball, FCPA, CPA Canada’s vice-president of taxation.

Here is a look at some of the areas where some accounting firms can brush up on their policies and practices for electronic tax filing.


Ensuring the utmost security when staff and clients are using CRA portals is critical.

Advise staff and clients to use unique usernames where possible for any tax-related access and bank accounts, as well as any other online services that contain sensitive personal information.

“A lot of people tend to use the same username and password for the CRA as they do on less sensitive sites where being hacked is not as significant a concern,” says Ball. “If a hacker figures out those credentials, they may try them on other sites such as a client’s bank or CRA.”

The Canadian Centre for Cybersecurity provides a practical list of tips on passwords (e.g., they should be unique, have a minimum character length, use special characters and numbers and be updated regularly).

“We live in a world where there are very few reasons not to use a password manager,” says Chad Davis, co-founder of LiveCA LLP and co-host of the AutomationTown Podcast. “Every app deserves its own unique password and two-factor authentication turned on if allowed. Otherwise, you're a sitting duck for malicious opportunists.”


CPA firms should establish policies around the different levels of access to Represent a Client (RAC) for different staff members. Since access for Level 2 or 3 allows users to view and change information, including fund transfers, it should be granted only to staff members who need it and fully understand how to use it.

Partners and former staff should be removed immediately from RAC on their departure.

It is also important to regularly review your list to ensure that all individuals who are no longer with the firm have in fact been deleted and that unauthorized persons have not been added by mistake.

Make sure your clients have authorized your firm through your business number or a RAC group identifier and not through individual firm members. Otherwise, you will lose online access to the client’s documents if that member leaves the firm.

In a situation where a client leaves your firm, it is important to have procedures in place to ensure your firm is no longer listed in RAC as the client’s authorized representative. This is for their safety as well as your own. If authorization has not been cancelled, someone at your firm could continue to view or make changes to the taxpayer’s information, and the CRA could continue to contact you concerning questions on their tax affairs. It is also advisable to periodically review the clients listed in Represent a Client to ensure that the list is current.


While the CRA’s online services have comprehensive documentation, firms should also download all key elements of a tax file (e.g., notices of assessment) for their own records.

Having properly documented files on hand is especially critical if you are removed as an authorized representative, as you will no longer have access to these key elements in the event of a client dispute, says Ball. “Remember, the CRA system is not an extension of your files and you may need access to key documents in future. Not having access to key information may make defending yourself more difficult.”

When returns are filed electronically, the T183 form is proof that your client has approved the tax return you are filing on their behalf. But there are other significant actions you can take for clients in RAC if you have level 2 access. So, a good additional practice is to make sure clients approve any significant account changes (e.g., larger transfers between accounts) to prevent any future misunderstandings.

Do not use email for highly sensitive information that may include social insurance numbers such as tax slips and returns. Not only is email insufficient in terms of security; you could risk sending an email to the wrong person inadvertently. Use secure client portals instead.

“IT professionals talk constantly about how unsecure email is,” says Ball. “It’s much better to load information on a secure portal as clients are getting much more used to the practice.”


If a My Account, My Business Account, or Represent a Client account is compromised, CRA will revoke access as a means to block unauthorized third parties attempting to gain access.

It is important to regularly monitor online accounts for suspicious activity, whether done by the taxpayer in My Business Account or in My Account or the advisor in Represent a Client. Flags to watch out for include changes to banking information, addresses, business or personal information, or benefit applications. “It’s very important to make sure nothing strange is going on,” says Ball.

Scams are another area where CPAs need to be vigilant on behalf of their clients, says Davis. “With the increasing popularity of CRA scams, it is more important than ever for tax professionals to stay up to date on the latest tactics used by scammers to gain access to sensitive client information.”

He advises accountants to regularly check credible sources such as the Canadian Anti-Fraud Centre, the Better Business Bureau, the Competition Bureau and the Office of the Privacy Commissioner of Canada. The CRA also maintains a list of phone, email, text and mail scams on their website.

“Accountants should regularly communicate and educate customers about potential CRA scams through as many mediums as possible, including social media and email,” adds Davis. “It can be crucial in preventing financial loss and identity theft.”


While many of the CRA’s recommended best practices should be second nature for CPAs, firms don’t always think critically about risk, says Ball. “When working with portals and tax filings, you should be just as careful as you would when dealing with any sensitive information. Make sure that your documentation is organized, your information is secure at all times, and you communicate with your clients as much as possible.”


Find out more about the CRA’s new self-serve digital filing services options for T3 trust returns, T1 adjustments and more. And make sure to review the most recent personal income tax changes for 2022 and beyond.

Plus, keep up to date on important tax issues, such as running a high-quality tax practice, with our tax blog.