CAMICO has collected valuable insights and information from the experience of more than 8,000 CPA firms across the country and from our own jury experience, research and consultations with defense attorneys. Here are 30 valuable lessons we have learned from the past 30 years to help CPAs and their firms better manage professional liability risk exposures. To learn more about each of these tips, click the ‘Read More’ link at the end of this list.
- What is your job? At the core of risk management insight is how the general public and juries view the CPA’s job. Our experience tells us that the CPA’s job is to advise and warn, to advise of opportunity and warn of risk. And not just the client, but third parties, especially when financial statements are being issued.
- ‘Limited services’ does not mean ‘limited responsibility.’ The CPA’s responsibility is defined by: 1) the nature of the service, and 2) the length of time the CPA has provided the service. Five years of servicing a small business is enough for a jury to expect the CPA to have a profound understanding of the business, even if only tax returns and compilations were involved.
- Embezzlements — don’t miss the low hanging fruit. Embezzlement claims against CPAs are often the easiest to avoid, yet CPAs often miss red flags because they don’t see embezzlement prevention as their job. Upon accepting the client and biannually, send a short letter to all small business clients, explaining embezzlement risks and how to minimize them.
- Hindsight is perfect. When everything and everybody is judged in hindsight, the embezzlement is always easier to spot. CPAs should: a) understand the extent of their duty, b) educate the client about embezzlement risk, c) emphasize the need for bank reconciliations, and d) instruct the owner to open all bank statements.
- Respect the ‘rec.’ Many clients do not timely reconcile their bank statements. In hindsight, if an embezzlement occurs, this tardiness becomes a red flag of fraud that should have put the CPA on alert. Train staff to pay attention to bank reconciliation tardiness and defects, and to communicate these issues to the client.
- Never swallow anything bigger than your head. CPAs often attempt to deliver services that stretch their knowledge and skills — sometimes to the breaking point. Be honest — if the engagement is not a good fit for the firm’s expertise or staffing, acknowledge it. Obtain the necessary expertise, or serve the client by referring them elsewhere.
- Is this the kind of client you want? Communicate with predecessor accountants and third parties to obtain as much information as possible about the client. For some engagements, CPAs will need to consider potential or actual conflicts of interest, and whether independence and objectivity are impaired in appearance or in fact.
- Trust but verify. Background checks should be considered for all significant engagements. Credit checks and public record checks are critical, but background checks are about more than the financial condition of the client; they also cover the source of referral, conflicts of interest, client staff turnover, and several other factors.
- Bridge the gap. Use an engagement letter for every engagement: new engagements, repeat engagements, routine engagements, and especially with changed engagements. By clearly defining an engagement’s purpose, scope, services and limits (specifically what you will and won’t do), you can avoid "the expectation gap."
- Proactively manage fee issues. Disclose clearly to clients in the engagement letter how the firm is paid and what its arrangements are with third-party providers. Include billing and collection policies as well as stop-work provisions that can be enforced if payments are not received in accordance with the policies. Consider requiring a retainer.
- Be the pig, not the sausage. When used correctly in the right situations, mediation and arbitration are cost-effective and efficient alternatives to litigation, though they are not always recommended. Confirm with your legal counsel and liability insurer the applicability of Alternative Dispute Resolution agreements in your state.
- Knowing is better than suspecting. Note any red flags in clients’ background, wealth status and other information indicating they may have financial interests located in other countries. Be sure to include a question pertaining to FBAR and FATCA in the tax organizer, and make inquiries about information regarding other sources of income.
- Be wary of any wire transfer requests. In the era of cybercrime and email address spoofing, be wary of any wire transfer requests made via email (either for the firm’s or the client’s accounts), and proceed only after verbally confirming with the client that they want the wire to proceed, and to proceed in accordance with the directions in the email.
- Don’t fall on the sword. Avoid admitting liability or assuming damages under the contract/engagement with the client or other parties. Doing so could exclude the claim from coverage under the professional liability policy, and it increases risk. Avoid agreements that include Hold Harmless or Indemnification provisions.
- When fraud is suspected, punt. If fraud or misappropriation of assets is suspected, recommend in writing to the client that a fraud exam or forensic investigation under a separate engagement be conducted by a qualified professional. If the client declines, obtain the declination in writing.
- Don’t go from “hero to zero.” Do not open attachments or hyperlinks if they were not requested or the e-mail is suspicious or questionable. Do not follow instructions to “enable macros” or “enable content” even if it’s to “install security scan features” (which could be malware)—even if it appears to come from a trusted source.
- Lock the doors to the castle. Encrypt hard drives, electronic data, electronic files, and e-mail. This will help protect data in the event a computer or drive is lost or stolen, personally identifiable information, files and email attachments, and entire email messages, including the body of the message.
- Protect your crown jewels. A remote mobile device security service is an effective way to provide safeguards capable of activating a “kill switch” if security has been compromised. Remote security enables a user to prevent access to protected files, or to execute complete data wiping in the event a device has been lost or stolen.
- Beware of high-risk clients and engagements. Real estate, construction, financial industries, limited partnerships, public offerings, buy/sell transactions, and any deals that look too good to be true are often risky. The clients involved may require more detailed scrutiny and attention. Offer and document internal control warnings.
- CPA-to-lender letters: Don’t put yourself at risk. Before responding to third-party requests from lenders, receive written consent from the client before disclosing tax return information. Document only facts. Refrain from speculation, conclusions that were not part of the services rendered, and any form of assurance regarding matters of solvency.
- Report potential claims, errors and omissions. Early notification of a potential error will help claims specialists assist in mitigating the impact of the error. Early notification may also comply with the reporting requirements of the policy, helping preserve coverage if a claim is later asserted. Policyholders may benefit in a variety of ways from early reporting.
- A social media policy is a ‘must have’. Be sure the firm has a policy that includes a code of conduct, sets forth acceptable and unacceptable communications, and requires certain disclosures and disclaimers, including social media. Have a human resources professional review employee policies to consider whether they inhibit employees’ rights.
- Don’t treat employees like family. If the bond in the office between management and employees is akin to family, the firm can be at risk. Partners and managers sharing personal experiences and feelings, using inappropriate language, and speaking about other employees can create an atmosphere of dysfunction. Friendly is fine; family is not.
- Have you got what it takes? If the firm is controlling client funds and writing checks to pay client bills, take appropriate steps to safeguard the funds. Find out whether procedures are in place for accepting such engagements. Gain a detailed understanding and establish controls that will prevent the misuse of client funds.
- Do I have a conflict of interest? While “conflict of interest” issues often arise because of “break-ups” between spouses in a family law matter, many other types of “splits” can entail a “divorce” or dispute among shareholders, LLC members, partners and beneficiaries. Some situations may require professional guidance and advice.
- Consult an attorney before accepting a trusteeship. Consult with an attorney or risk adviser who specializes in trusts before accepting a trustee or executor engagement, particularly if the firm does not frequently perform this service. Trustee and executor engagements are often high risk, and CPAs should become informed before accepting them.
- Address client-induced “heartburn.” Difficult client behavior such as slow payments, withheld information or documents, and unresponsiveness should be remedied, or the CPA may need to disengage. A red flag: when information appears to be deliberately withheld, and the CPA is urged by the client to proceed without it.
- How to … get professional help. Because of client confidentiality and other rules and regulations, a CPA in receipt of a subpoena should consider the information in the client file and the recent communications with the client or any parties involved, and contact a professional liability risk adviser or attorney before responding.
- Get off of my cloud. Cloud services are a form of outsourcing, and CPAs are responsible for the steps necessary to ensure that client information is protected, including security and controls over the users’ confidential and private information. Disclose to clients the use of third-party service providers, including cloud services.
- Be prepared for kryptonite. Develop and implement a firm succession or continuation plan in the event of a long-term disability, emergency, or retirement. A continuation plan may help avoid risk exposures such as future lawsuits against the CPA, or his or her estate, and it will help spouses, families and heirs figure out what to do.
Bonus Tip: When in doubt, give us a shout!
Contact a specialist at your professional liability and employment practices liability insurance carrier whenever a question or concern arises about an engagement or a client. Claims experience comes from CPAs taking action before consulting a risk adviser, often with dire consequences. Better safe than sorry.