CPA-Firm Readiness in the Mega Analyzer: Why a Generic SEO Scan Doesn't See AICPA Peer Review, Circular 230, or FTC Safeguards Rule Gaps

When I run a generic site audit against a CPA firm, the report tells me useful things about meta descriptions and HSTS headers and image alt text. It does not tell me whether the AICPA Peer Review status is referenced on the audit-services page, whether the partner bios would surface in ChatGPT when somebody asks for a private-equity-experienced CPA in Boise, or whether the contact page acknowledges the FTC Safeguards Rule that made every CPA firm in the country a "financial institution" under GLBA in June 2023. Those are the checks that matter to the firm. The generic SEO ones are scaffolding.

The Mega Analyzer's new CPA-Firm Readiness section runs only when a page looks like an accounting / CPA firm, and surfaces the checks a managing partner would actually want their web team to handle. Detection requires at least one strong signal (the word "certified public accountant" or "CPA" or "accounting firm" in the body, a title containing those terms, an AccountingService or Accountant schema type, a URL path like /our-people/ or /audit-and-assurance-services/) plus one or two supporting signals (AICPA mention, peer-review mention, tax-services language, business-valuation language, QuickBooks / Sage mention, the partner-with-PLLC pattern). False positives on an accounting-trade publication or a vendor product site are possible but rare and harmless.

What it catches

AICPA membership statement on the About / homepage. AICPA membership is the canonical authority anchor for a US CPA firm in both reader-visible and machine-readable terms. It is the CPA equivalent of bar-association membership for lawyers. The analyzer flags missing AICPA mention on About and firm-level pages, and recommends adding both visible text and a memberOf reference in the firm's AccountingService JSON-LD.

Peer Review status on the audit-services page. The AICPA Peer Review Program requires all firms performing attest services (audits, reviews, compilations) to undergo peer review every three years. Firms enrolled in PCPS, EBPAQC, or GAQC have their reports searchable in the public file. Adding the review status (and a link to the public file if applicable) is the CPA equivalent of "verified by an independent reviewer" — and prospective employee-benefit-plan auditees and not-for-profit boards selecting auditors increasingly ask to see it.

IRS Circular 230 §10.30 acknowledgment on tax pages. Circular 230 §10.30 governs how tax practitioners advertise: no false / fraudulent / misleading / deceptive / coercive / unfair statements. Permitted content includes professional credentials, experience, services, and fees. The analyzer flags tax pages that do not acknowledge practice before the IRS under Circular 230 with a footer line; the analog of attorney-advertising notice on a law firm site. The text of the regulation lives in Treasury Dept Circular 230; enforcement is the IRS Office of Professional Responsibility.

Tax-outcomes disclaimer on tax pages. The CPA equivalent of "Prior results do not guarantee a similar outcome." Recommended language: "Tax outcomes depend on the specific facts of each engagement; no representations as to results are made in this material."

FTC Safeguards Rule / GLBA acknowledgment on the Privacy or About page. As of June 9, 2023, the FTC Safeguards Rule at 16 CFR Part 314 classifies CPA firms as "financial institutions" under the Gramm-Leach-Bliley Act and requires them to maintain a written information security program (WISP) with nine specific elements per §314.4, a designated Qualified Individual to supervise it, and breach notification to the FTC within 30 days of any breach affecting 500 or more customers (2023 amendment). IRS Pub 4557 is the practical compliance guide. The analyzer flags missing public reference to this on Privacy / About / Security pages, where prospective audit and tax clients increasingly look during procurement.

Independence statement on the audit / assurance page. AICPA Code of Professional Conduct independence rules apply to all attest engagements. A one-line statement of independence (Yellow Book where applicable) is standard for firms bidding on employee-benefit-plan audits, single-audits, and governmental work.

Person + Accountant schema on CPA bios. schema.org/Accountant is a subtype of Person. AI search engines and Google Knowledge Graph rely on it to identify CPAs as entities. Without it, when somebody asks ChatGPT "who handles agriculture accounting in southern Idaho," the AI cannot reliably name CPAs from firms that have not emitted the markup. The analyzer flags missing ["Person","Accountant"] schema on any URL path matching CPA-bio conventions (/our-people/, /our-team/, /partners/, /principals/, /professionals/, /leadership/, /advisors/) — and also on pages whose title matches "<First> <Last>, CPA".

hasCredential with state-board recognition + alumniOf accounting school on bios. Two fields on the Person + Accountant schema that materially improve AI-citation quality. hasCredential with credentialCategory: "license", recognizedBy.name: "<State> Board of Accountancy", and the state board's URL gives AI search a verifiable hook. alumniOf (the school where the accounting degree was earned) is the authority signal — Brigham Young, Idaho State, BYU-Idaho, University of Idaho, College of Western Idaho, and Boise State have meaningfully different signature in AI answers for an Idaho CPA, fairly or not.

memberOf for AICPA + state society on bios. Two additional attributes on the bio: AICPA membership and state-society membership (Idaho Society of CPAs, California Society of CPAs, etc.). Sectoral bodies like NACVA (Certified Valuation Analyst), AGA (Association of Government Accountants), and IIA (Institute of Internal Auditors) add depth.

AccountingService schema on service pages. schema.org/AccountingService is a subtype of LocalBusiness. Service pages and capability pages should carry it so AI search has a machine-readable hook into the firm's service taxonomy. The check fires on URLs matching /services/, /tax/, /audit-and-assurance/, /business-valuation/, /client-accounting/, /cas/, /advisory/, /expertise/, /industries/.

PostalAddress + openingHours on office pages. LocalBusiness (or AccountingService as its subtype) with branch-office data, PostalAddress, telephone, and openingHoursSpecification is the schema pattern for "open now" tax-season queries and Maps local-pack eligibility. The analyzer flags missing data on URL paths matching /offices/, /locations/, /contact/.

Invalid @type: ["Person","Organization"] on the global firm node. Specific sitewide anti-pattern. A CPA firm is an Organization (specifically AccountingService, a LocalBusiness subtype, which is itself an Organization subtype) — not a Person. The combined typing is not schema.org-valid and creates an ambiguous entity that Google's Knowledge Graph reconciler can ignore or merge incorrectly. Rank Math, Yoast, and several other WordPress SEO plugins emit this when "Person or Company" is set to Person but a logo and a firm name are also configured. Fix is a single CMS setting change — the @id cascades from #person to #org automatically.

What the check ships with

When the section finds issues, the user gets three pills and one inline button:

• 📖 Learn (blog) points to this post.
• 🔍 Audit on E-E-A-T tool opens /tools/eeat-analyzer/?url=…&autorun=1 so the user can drill into the broader authority profile.
• ⚙ Fix on Schema Bundle opens /tools/schema-fix-bundle/?url=…&autorun=1 which emits the missing Person, Accountant, AccountingService, and Organization blocks ready to paste.
• ⚖ Copy CPA-readiness fix prompt is the inline ai-prompt-ready-btn that copies a structured prompt with the actual findings, ready to paste into Claude or ChatGPT for one-shot remediation.

The prompt is structured the way the rest of the analyzer's fix prompts are: the page context (firm-level vs CPA bio vs service vs office vs tax vs audit), the specific findings, a numbered list of remediation tasks with example schema blocks inline, and constraints (do not invent license numbers or peer-review ratings, do not hallucinate school names or AICPA section memberships, validate against rich-results-test before deploy).

Accessibility overlay detection rides alongside

In the same release the analyzer ships a sitewide sub-check that fires on any vertical: if the page has installed an accessibility-overlay widget (accessiBe, UserWay, AudioEye, EqualWeb, or Recite Me), the report surfaces a hard-fail card explaining that overlays do not constitute WCAG 2.1 / 2.2 AA conformance and do not protect against ADA Title III lawsuits. Three lines of evidence:

1. FTC v. accessiBe — consent order finalized April 2025 imposed a $1M penalty on accessiBe for false claims that its overlay achieved WCAG compliance. The order prohibits future misrepresentations.
2. UsableNet 2024 ADA Title III tracker — 1,023 of approximately 4,000 ADA website lawsuits in 2024 explicitly cited the overlay widget as a barrier rather than a remedy. Defendant sites using overlays were sued at the same rate as sites without them — sometimes higher, because the overlay creates new keyboard-navigation bugs.
3. DOJ March 2022 web-accessibility guidance reaffirms that ADA Title III applies to commercial websites and that compliance is measured against the WCAG conformance of the underlying HTML / CSS / ARIA — not against the presence of a widget. Robles v. Domino's Pizza, 913 F.3d 898 (9th Cir. 2019) established that the ADA applies to commercial websites tied to physical places of public accommodation; a CPA firm with offices qualifies.

The correct remediation path is to fix the page source. Run the full WCAG 2.1 + 2.2 AA audit at /tools/wcag-accessibility-audit/ to identify the actual barriers — focus order, ARIA roles, contrast ratios, focus indicators, target size on mobile, the new WCAG 2.2 SC 2.4.11 "Focus Not Obscured" and 3.3.8 "Accessible Authentication." Then remediate the underlying code so the page is genuinely accessible. The overlay does not buy time — it buys litigation exposure.

Where it draws the line

The check does not try to be peer-review counsel. It does not encode the AICPA Code of Professional Conduct in detail, the state-board rules for the 55 U.S. and territorial accountancy boards (each with its own advertising and continuing-education rules), the Yellow Book independence requirements for governmental audits, or the SOC 1 / SOC 2 attestation standards. The firm's peer reviewer and the firm's designated Qualified Individual under the FTC Safeguards Rule should be the final reviewers on policy language; the analyzer surfaces the gap and provides the lookup so they can ship correctly.

The check also does not encode multi-state mobility rules. Most CPA firms are licensed in one or two state boards but practice across state lines under substantial-equivalency mobility. The analyzer flags missing Person+Accountant schema and missing recognizedBy: <State Board> on a bio as an AI-visibility issue; it does not opine on whether a single-state-licensed CPA's bio needs a jurisdictional disclaimer for the practice they do in other states. That is a peer-reviewer and Board-of-Accountancy conversation.

And the check is, by intent, vertical-gated. A page that is not detected as a CPA / accounting firm gets none of these red cards. A vendor selling cloud accounting software to CPAs, an accounting-trade publication, and a college accounting department all share vocabulary with CPA firms but have different schema expectations. The detector requires multiple signals before the section appears at all.

Why these checks exist

The audits that surfaced this section were two regional accounting firms' public sites — both well-ranked in the INSIDE Public Accounting Top 500. Strong sitewide JSON-LD coverage. Every location page with LocalBusiness + AccountingService + GeoCoordinates + OpeningHoursSpecification + FAQPage. Mobile presentation clean on six viewport sizes. Accessibility statements linked sitewide and no overlay widget installed (correct).

But across 200+ pages on the larger of the two: no AICPA membership statement, no Peer Review reference, no Circular 230 acknowledgment on the tax page, no FTC Safeguards / GLBA reference on the Privacy page, no hasCredential or alumniOf or memberOf on any of 23 partner bios, and the partner-bio Person markup pointed to the WordPress admin user account ("CMSAdmin") rather than the partner. A generic SEO scan does not surface those as critical findings; it cares that meta descriptions are present and that the canonical is set. Both were fine on this site.

What is the actual cost of those gaps? When somebody asks ChatGPT "who handles agriculture business valuation in southeast Idaho," the AI does have an indexed corpus and can produce an answer. The answer is reconstructed from the markup it can read. If the firm's partners do not appear as ["Person","Accountant"] entities with state-board credentials and AICPA membership, the AI cites whoever does. The firm becomes invisible on the queries that decide its $300-an-hour valuation-services inquiries.

That is the specific gap the CPA-Firm Readiness section closes. The generic checks tell you the markup is missing; the CPA section tells you what to put there and why, and the WCAG-overlay sub-check tells you the widget you installed is not a defense.

Related reading

• The Mega Analyzer — one URL, every audit in one pass — the umbrella post.
• Legal-Site Readiness in the Mega Analyzer — the sibling vertical from the previous round. CPA-Firm Readiness reuses the same detection → checks → fix-prompt pattern.
• WCAG 2.1 / 2.2 AA Accessibility Audit — the dedicated audit tool for the underlying-code remediation path.
• Schema Validator + Schema Fix Bundle — emits the JSON-LD blocks ready to paste into the firm's CMS.
• AI Bot Allowlist Validator — companion check; verifies the 30 AI / search bots can actually read the firm's pages.
• Mobile Presentation Parameters — the audit surface that catches viewport bugs the desktop audit misses.

Fact-check notes and sources

Regulatory + standards

• Treasury Department Circular 230 — Regulations Governing Practice Before the IRS — §10.30 governs solicitation; prohibits false / fraudulent / misleading / deceptive / unfair statements. Permits credentials, experience, services, fees.
• FTC Safeguards Rule — overview — 16 CFR Part 314; effective June 9, 2023; applies to CPA firms as financial institutions.
• FTC Safeguards Rule § 314.4 — required elements — nine elements of the required written information security program.
• IRS Publication 4557 — Safeguarding Taxpayer Data — the practical compliance guide for tax preparers.
• AICPA on FTC Safeguards Rule — AICPA / CPAI guidance for firms.
• AICPA Code of Professional Conduct — Section 1.600 (advertising), Section 1.200 (independence).
• AICPA Peer Review Program public file search — enrolled firms' review reports.
• NASBA Mobility — Substantial Equivalency — CPA multi-state practice mobility.
• INSIDE Public Accounting Top 500 firms — annual industry rankings.

Web accessibility law

• DOJ March 2022 web accessibility guidance — reaffirmed ADA Title III applies to commercial websites.
• Robles v. Domino's Pizza, 913 F.3d 898 (9th Cir. 2019) — established ADA Title III applies to commercial websites tied to physical places of public accommodation.
• FTC v. accessiBe — consent order — $1M penalty, finalized April 2025, for false WCAG-compliance claims.
• Law Office of Lainey Feingold — UserWay 2025 class-action lawsuit — defendant-side fraud / misrepresentation claims against overlay vendor.
• UsableNet 2024 ADA web + app accessibility report — 1,023 of ~4,000 lawsuits in 2024 cited the overlay widget as a barrier.
• WCAG 2.2 — W3C Recommendation, 5 October 2023 — new SC 2.4.11, 2.5.7, 2.5.8, 3.2.6, 3.3.7, 3.3.8.
• WCAG 2.1 — W3C Recommendation, 5 June 2018 — baseline.

Schema standards

• schema.org/AccountingService — subtype of LocalBusiness.
• schema.org/Accountant — subtype of Person.
• schema.org/ProfilePage — 2023 type for person + organization profile pages; supported by Google Rich Results Test.
• schema.org/EducationalOccupationalCredential — for hasCredential.
• Google: structured-data guidelines for local businesses — Google's documentation for LocalBusiness and subtypes.

---

This post documents an analyzer check, not legal, accounting, or tax advice. AICPA, IRS, FTC, and state-board citations are pointers to authoritative texts. The firm's peer reviewer, designated Qualified Individual under the FTC Safeguards Rule, and (where applicable) audit-quality counsel should sign off on visible disclaimer and compliance language before production deploy. Schema.org recommendations follow Google's structured-data guidance; validate every emitted JSON-LD block against Google's Rich Results Test and the Schema.org validator before deploy.

If you build sites for the accounting industry, The $20 Dollar Agency ($9.99 on Kindle) is the playbook I wrote for the boutique that ships pages a managing partner can actually approve — AEO + GEO + SEO for a small firm budget, without an outside agency retainer.