How Indian tax professionals can protect their interests in 2026 through engagement letters, documentation, DPDP compliance and ethical practice.
Protecting Tax Professionals' Interests
Indian tax professionals — chartered accountants, advocates, tax practitioners and enrolled consultants — operate in FY 2026-27 under a materially higher risk load than five years ago. Faceless assessments under Section 144B record every position you take. The Digital Personal Data Protection Act (DPDP), 2023 makes you a Data Fiduciary for client information. Clients challenge fees when tax disputes go badly. The answer to all of it is the same: formalise what was once informal — in contracts, in documentation systems, in data practices and in billing discipline.
Why 2026 Has Raised the Stakes for Every Tax Advisor
Three regulatory shifts have converged to increase professional exposure simultaneously.
Faceless assessments (Section 144B, Income-tax Act, 1961) mean every submission to the National Faceless Assessment Centre (NFAC) is the full record. There is no scope to "clarify verbally later." The AO who reads your response is not the same person who issued the notice. If the submission is ambiguous, incomplete or internally inconsistent, it stands as it is.
The DPDP Act, 2023 classifies any person who determines the purpose and means of processing personal data as a "Data Fiduciary." When your practice receives a client's PAN, Aadhaar, salary slips, bank statements or financial records for the purpose of preparing returns or advising on tax, you are that fiduciary for that data. Penalties under the Act are graduated and go up to Rs. 250 crore for certain categories of breach, as prescribed by the Data Protection Board once operational. Even before those maximums are tested in practice, breach notification obligations and consent documentation requirements add real operational overhead.
Enhanced penalty and prosecution provisions under both the Income-tax Act and the CGST Act, 2017 can reach advisors. Section 122(1A) of the CGST Act — directed at persons who cause or abet the making of a false return — creates at least theoretical exposure for advisors who facilitate incorrect GST filings. Section 276C of the Income-tax Act, dealing with wilful attempts to evade tax, is directed at taxpayers, but summonses to advisors during investigations are not uncommon and carry reputational cost even when no charge follows.
The cumulative effect: a single engagement that turns adversarial can generate a disciplinary inquiry before ICAI (for chartered accountants), Bar Council proceedings (for advocates), a DPDP complaint, a civil suit for professional negligence, and reputational damage — all running simultaneously, all drawing on the same team's time.
The Engagement Letter: Your First and Strongest Defence
An engagement letter is a contract. It defines what you agreed to do, on what terms and for what fee. Without one, any dispute becomes a credibility contest between your recollection and the client's — and clients tend to develop creative memories when their tax bill is large.
ICAI's Guidance Note on Terms of Engagement recommends written engagement letters for all engagements. For statutory audit, SA 210 (Agreeing the Terms of Audit Engagements) makes it mandatory. For non-audit tax work, the practical necessity is identical even if there is no equivalent standard.
What Every Engagement Letter Must Contain
For AY 2027-28 compliance work, a properly drafted letter should address all of the following:
- Specific scope — name every return, every statement, every year: "Income-tax return (ITR-6) for FY 2026-27 for [Entity], PAN [XXXXXX]. TDS quarterly statements (Form 24Q, 26Q) for Q1–Q4 FY 2026-27." Not "general tax compliance."
- Explicit exclusions — state in plain terms what you are not doing: "This engagement does not include representation in scrutiny assessments, appeals before CIT(A) or ITAT, transfer pricing documentation, any matters relating to prior years, or any GST compliance unless separately engaged."
- Reliance clause — "We rely solely on information and records provided by you and your staff. We will not independently verify source documents unless separately engaged to conduct such verification. The accuracy, completeness and timeliness of information provided to us is entirely your responsibility."
- Client obligations and timelines — specify when data must be provided to you, with a clear statement that delays caused by the client shift the responsibility for any missed deadline or consequential interest and penalty.
- Fees and billing milestones — set out the fee structure (fixed, hourly or value-based), the invoicing schedule and payment terms. For an annual retainer of, say, Rs. 1,80,000, consider four quarterly invoices of Rs. 45,000 each — never a single year-end invoice.
- Liability cap — limit your aggregate liability to fees paid for the relevant engagement year, or a defined multiple, and expressly exclude consequential and indirect losses. Under Indian contract law, liability caps between commercial parties are enforceable provided they were brought to the other party's attention at signing.
- Termination and handover — specify notice periods and your obligation to return original documents within a stated number of days. Do not assert a lien over original records you did not create.
- Data-processing notice — state the categories of personal data you will receive, the purpose for which it will be processed, and that it will not be shared except as required by law or as authorised by the client.
Scope Addenda: When the Work Changes
Scope creep is a major source of fee disputes. When a client sends you a second entity, a previous assessment year not in the original letter, or a new matter entirely, do not commence work until a one-page written addendum is signed. The addendum should state: additional scope, additional fee, timeline, and that all other terms of the original letter apply.
Documentation Hygiene: Building an Evidence Trail That Holds Up
An engagement letter establishes the terms. Documentation hygiene creates the evidence base that allows you to defend your conduct if challenged — by a client, by ICAI, by the income-tax department or by a court — two years after the event.
The standard to aim for: if you are removed from the picture entirely, could your file explain what was agreed, what was advised, what the client confirmed, and why the position adopted was reasonable? If the answer is no, the file is incomplete.
Practical steps that work in practice:
- Summarise every verbal instruction within 24 hours. "As discussed this afternoon, we will adopt the following position on the rental income disclosure: [X], on the basis of CBDT Circular No. [Y] dated [date]. Please confirm if you have any objection by [date]." If the client does not object, the lack of response is itself confirmatory in most disputes.
- Export WhatsApp conversations to PDF at month-end and store in the client folder. Indian tribunals and courts have admitted WhatsApp messages as evidence. Your messages are only useful as evidence if they have been preserved systematically — not just sitting on a personal phone that could be lost, stolen or reset.
- Maintain a computation file for every return that maps source data → adjustments → final figures, with inline notes wherever professional judgment was applied: "Deduction under Section 35(1)(ii) restricted to X on the basis of [authority] because [reason]. Client confirmed acceptance by email dated [date]."
- Version-control every draft. "ITR_FY2627_Draft_v2_20260720.pdf" is a defensible record. "Final.pdf" is not. Store every version; disk space is negligible, litigation is not.
- Record your case-law basis. For every advised position that goes beyond a plain reading of the statute, note the authority — "CBDT Circular No. [X]"; "jurisdictional High Court in [Assessee] v. CIT, [Year] [citation]"; "ITAT Mumbai Bench in [matter], [citation]." This demonstrates professional competence and protects against a finding of negligence.
DPDP Act, 2023: What Tax Professionals Must Do Now
The Digital Personal Data Protection Act, 2023 is in force. The implementing rules (Digital Personal Data Protection Rules) are being notified in phases. The Act's core obligations — processing personal data only for documented purposes, with reasonable security safeguards, and notifying the Data Protection Board and affected individuals on a breach — already apply.
Five concrete actions your practice can complete in the next 30 days:
Step-by-Step DPDP Compliance for a Tax Practice
- Map your data inventory. Prepare a simple register: what personal data do you hold (PAN, Aadhaar, salary slips, balance sheets, health data from medical professionals' returns), where is it stored (email, shared drive, cloud software, physical files), who can access it, and how long you retain it.
- Document the processing purpose in every engagement letter. "We will process the personal data you provide — including financial records, PAN, Aadhaar and bank account details — for the purpose of preparing and filing your income-tax returns and advising on tax matters." This is your lawful basis under the Act.
- Implement role-based access. Not every team member needs to see every client file. Configure your document management system, email folders or cloud drive with access restricted to those who need it for the engagement. This is both a DPDP obligation and good practice management.
- Draft a breach-response checklist today. Under the DPDP Act, you must notify the Data Protection Board and affected individuals of a personal data breach without undue delay. Before a breach happens, designate who makes the call, what template notification you will use, and what forensic steps you will take to contain the breach. A one-page checklist is sufficient for a small practice.
- Bind your vendors contractually. If you use an outsourced bookkeeping team, a payroll processor, a cloud-based filing utility or a data entry service provider, they are "Data Processors" acting on your instructions. Your service agreement with them must require equivalent security standards and restrict use of client data to the stated purpose. Add a data-processing clause to every vendor agreement at the next renewal.
Minimum technical measures: encrypted storage, two-factor authentication on all portals and email accounts, and a log of who accessed client files. These are neither expensive nor complex.
Faceless Assessments and Appeals: A Protocol for Representation
The Faceless Assessment Scheme under Section 144B operates entirely through the income-tax e-filing portal (incometax.gov.in). The NFAC in Delhi coordinates; the assessment unit can be anywhere in India. The absence of a local relationship means process discipline is everything.
Before the engagement begins:
- Register as an Authorised Representative (AR) on the portal under the client's PAN. Upload a valid Power of Attorney. Verify that the client's registered email and mobile are ones you monitor — NFAC notices are sent to these, and a missed notice results in an ex parte order.
- Set up a dedicated inbox or folder rule for the client's PAN so that portal notifications do not get buried.
During the assessment:
- Acknowledge every notice on the day it is received. The response window under Section 144B is typically 15–30 days. Portal acknowledgement of receipt is separate from your substantive response — do both promptly.
- Submit responses as indexed PDFs. Name files systematically: AY2627_S143(3)_Notice2_Response_20261015.pdf. The portal preserves your submissions; maintain a parallel archive in your own document management system.
- Screenshot the portal acknowledgement for every submission and save it with the file. This is your proof of timely submission if the portal later has an error or if the department claims non-receipt.
- Cite authorities precisely in every submission. "Section 37(1) of the Income-tax Act, 1961; CBDT Circular No. [X] dated [date]; jurisdictional High Court in [Assessee] v. CIT [citation]." Vague positions invite additions; cited positions invite analysis.
- Maintain a deadline calendar with dual reminders — 10 days before and 3 days before each deadline. Assign a named file owner for each matter who is responsible for the calendar entry.
For Faceless Appeals under the Faceless Appeal Scheme, 2021 (Section 250(6B)), use the e-Appeal module. Preserve signed copies of Form 35 (Memorandum of Appeal), the Statement of Facts and all Grounds of Appeal, and every rejoinder — all timestamped and indexed.
Fee Protection, Billing Discipline and the ICAI Code of Ethics
The most predictable post-dispute client behaviour is to contest your fees after an unfavourable tax outcome. Three billing habits prevent this:
- Invoice in stages. For an annual compliance retainer of Rs. 2,40,000, raise four quarterly invoices of Rs. 60,000 each. Do not deliver a year's work and present a year's invoice.
- Advance retainers for representation work. Faceless scrutiny responses, appeals before CIT(A) and ITAT matters routinely run 12–24 months. A retainer covering three to six months of estimated time — paid upfront and drawn down against invoices — protects you if the client relationship deteriorates mid-engagement. This is not a contingent fee arrangement; it is a pre-payment against billed time, which is entirely permissible.
- Written addenda for every scope change. Before touching work outside the original letter, send a one-page addendum, get it countersigned, and invoice accordingly. This applies even for loyal long-standing clients.
On the ICAI Code of Ethics: The 2020 edition, aligned with the IESBA Code, rests on five fundamental principles: integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour. For tax work, the flashpoints in practice are:
- Advocacy vs. facilitation. You may present the strongest technically supportable case for a client. You may not prepare or assist in preparing a return you know contains false information. If a client insists on a position you believe is untenable and declines your contrary advice, document your advice in writing, and if the client persists, consider whether you must withdraw under the Code.
- Contingent fees. Charging a fee contingent on the outcome of a tax proceeding — "I will charge you 15% of the refund we obtain" — is prohibited for ICAI members in practice. Agree all fees, whether fixed, hourly or value-based, before commencing work.
- Conflicts of interest. If you act for two companies in the same group, or for a company and its directors individually, in a matter where their interests diverge, you must disclose the conflict and obtain informed consent from all affected parties — or decline one of the engagements.
For advocates, the applicable framework is Chapter II, Part VI of the Bar Council of India Rules, which governs professional conduct including restrictions on touting, contingent fees and advertising.
Common Mistakes That Leave Professionals Exposed
These are the gaps that appear most often when a tax professional's conduct is examined after a dispute:
- Using a generic engagement letter for all clients. A letter that does not specify the assessment year, the entity's PAN, and the exact scope of services has limited contractual value. Customise every letter — it takes 20 minutes and protects against months of litigation.
- Giving all substantive advice over phone with no written follow-up. "He told me to file it this way" is not a defence when there is no written record. The 24-hour email summary rule is non-negotiable.
- Failing to verify portal contact details at the start of each year. Check that the email and mobile registered on the income-tax e-filing portal, GST portal and MCA V3 match what you are monitoring. A notice sent to a deactivated email is still a served notice.
- Storing client data on personal devices or unmanaged messaging apps. This is simultaneously a DPDP Act exposure and a potential breach of ICAI's professional conduct requirements on confidentiality.
- Not updating professional indemnity (PI) insurance as the practice grows. A PI policy adequate for Rs. 30 lakh annual fee income becomes dangerously inadequate at Rs. 1.5 crore. Review coverage at the start of each financial year against your largest single-engagement liability.
- Retaining papers for less than the statute of limitations. Under Section 148A, the income-tax department can issue a notice to reassess up to 10 years back in certain cases. The CBDT expects contemporaneous documentation. For GST, Rule 56 of the CGST Rules requires records for 6 years from the due date of the annual return for the relevant year. Your retention policy must match the longest applicable period.
Worked Example: What a Documentation Gap Actually Costs
The engagement: A CA firm in Pune handles income-tax return filing and advisory for a private limited company, billing Rs. 1,50,000 per year. The terms were agreed verbally; no engagement letter was signed. No written addendum was raised when the firm began handling the director's personal return as well.
What went wrong: The company's director invested Rs. 50 lakh in a residential property during FY 2024-25 without informing the CA. The CA filed the company's ITR and the director's personal ITR for AY 2025-26 on the information provided. During a faceless assessment under Section 143(3) r/w 144B for AY 2025-26, the AO made an addition of Rs. 50 lakh to the director's personal income under Section 69 (unexplained investment). Penalty under Section 271(1)(c) was levied at 100% of tax — approximately Rs. 7,50,000 (at the applicable effective rate on Rs. 50 lakh of addition for an individual in the highest bracket).
The client's response: The director issued a legal notice to the CA claiming the firm "failed to advise on the disclosure requirement" and should bear the penalty. An ICAI complaint was lodged.
With proper documentation (what should have happened):
- Engagement letter for the director's personal return: explicit reliance clause; client's obligation to disclose all capital transactions above Rs. 2 lakh.
- Email from CA to director in June 2025: "For your personal ITR (AY 2025-26), please confirm all investments in immovable property, shares, securities, jewellery and other assets during FY 2024-25 for disclosure in Schedule AL."
- Director's email reply: listed only bank FDs; made no mention of property purchase.
Outcome: ICAI inquiry finds no professional misconduct — the CA asked the right question in writing; the client withheld the answer. Civil suit fails. Professional indemnity insurance covers legal costs of Rs. 1.8 lakh.
Without documentation: No engagement letter, no email trail. The director's version — that the CA should have identified the discrepancy from the capital account in the director's loan account — cannot be rebutted. ICAI inquiry runs 20 months, consuming approximately 70 hours of senior partner time (at a conservative opportunity cost of Rs. 5,000/hour = Rs. 3,50,000). Legal fees for defending the inquiry: Rs. 2.5–3 lakh. Two referred clients withdraw engagements on hearing of the inquiry.
The arithmetic: The documentation that would have prevented this — one customised engagement letter (2 hours of drafting time) and one structured email in June — had a cost of essentially zero. The undocumented gap cost the practice upward of Rs. 6–7 lakh in direct and opportunity costs, over and above the stress and reputational exposure.
Technology, Security and Practice Sustainability
A tax practice in 2026 that circulates client documents over personal Gmail, stores files on an unencrypted local hard drive, and tracks deadlines on a paper diary is exposed on two fronts simultaneously: operationally and under the DPDP Act.
The minimum credible technology stack, at any practice size:
- Practice-management software — products such as Taxbase, IRIS, SAG Infosystem or ProIntellect offer client onboarding, task assignment, deadline tracking and audit trails integrated with MCA V3 and the income-tax portal.
- Document management with version control and role-based access — configure permissions so each team member accesses only the client files they own. Cloud-based options with MFA (multi-factor authentication) are acceptable provided the vendor agreement includes a data-processing clause.
- Automated reconciliation — import 26AS, AIS/TIS data from the income-tax portal and GSTR-2B from the GST portal into your reconciliation tool to identify mismatches before filing rather than during scrutiny. The time saving across a portfolio of 200 clients is material; the error reduction is more so.
- Encrypted offsite backup, tested quarterly. Ransomware events are not hypothetical. A tested offsite backup is the difference between a bad week and a practice-ending event.
- Secure client portal for document exchange. Personal email is not appropriate for documents containing Aadhaar numbers, salary data or financial statements.
On continuing professional development: ICAI requires members in practice to complete a minimum number of structured CPD hours per year (check the current ICAI CPD pronouncement for the precise requirement). For FY 2026-27, priority topics include Finance Act 2026 amendments, GST Council changes, DPDP Rules once notified, and any revisions to the ICAI Code of Ethics. Block CPD into your Q1 calendar — not March.
Professional indemnity insurance: review coverage at the April start of each year. Group PI schemes through ICAI are worth comparing against standalone policies from public sector insurers (New India Assurance, United India) and private sector carriers. The review should reset the sum insured against your largest single-engagement liability, not your average engagement fee.
Key Takeaways
- Sign a bespoke written engagement letter before commencing every engagement — specify the exact entity, PAN, assessment year and scope; use explicit exclusions, a reliance clause and a liability cap. A generic template is better than nothing but provides limited protection.
- Document every consequential instruction, advice and agreed position in writing within 24 hours of the conversation. An email summary costs two minutes and is potentially worth years of litigation.
- Begin DPDP Act compliance now — map your data inventory, document your processing purpose in engagement letters, implement role-based access, draft a breach-response checklist and bind your vendors contractually.
- Use the e-filing portal's AR module for all faceless work — retain portal acknowledgement numbers, maintain a parallel timestamped archive, and set dual calendar reminders at 10 days and 3 days before every deadline.
- Invoice in stages and use written addenda for scope changes — never complete a year's work and present a year-end invoice; require a signed addendum before commencing out-of-scope work.
- Review professional indemnity cover annually against your largest engagement exposure, not your average fee; the ICAI group scheme is a practical starting point for benchmarking the premium.
- A conflicts check, a confidentiality protocol and a structured CPD plan are not administrative formalities — they are the three underpinnings of a practice that survives regulatory scrutiny, client disputes and the accelerating pace of Indian tax law change.





