Disappearing Client Funds

If your firm is responsible for controlling client funds, then your internal controls should be robust enough to prevent the misuse of funds. The types of engagements providing this service range from basic bookkeeping and bill-paying on behalf of clients to business management engagements in which the firm controls the client’s day-to-day financial affairs. Other high-risk engagements prone to misappropriation include executor and trustee engagements.

Establish a combination of internal financial and security controls; utilize screening processes and background checks for employees and partners with signatory authority over client funds. An engagement letter describing the services being provided and their limitations should be signed by the client.

Firms with authority over client funds to provide business management or bill-paying services, including wire transfers for high net worth clients, can be susceptible to fraudulent wire transfer schemes.

These schemes may occur when email requests for wire transfers are fraudulently initiated to resemble prior legitimate transfer requests. Often, the email accounts of a CPA firm and its clients are commandeered by hackers who alter the communications between the two parties (known as a "man-in-the-middle attack"). The firm and the client believe they are communicating with each other but are being tricked into initiating the fraudulent transfer. The transfers are often made to banks in foreign countries or through a U.S. bank to a foreign bank. Funds are usually not recoverable once the transfers are made.

Alternatively, hackers may trick email recipients into clicking a link or opening a document with enabled macros ("phishing"), allowing malware to be installed and giving the hacker the ability to access and control the recipient's email or enter their network.

Loss Prevention Tips
Use your professional skepticism to avoid becoming lulled into a sense of comfort regarding email and other communications from clients and third parties. Any request for money to be transferred to a bank account unfamiliar to you is often a red flag, especially if the new account is in another country.

If the firm's protocol is to permit requests for wire transfers to be made via email, then have a procedure in place to confirm requests by a means other than email, and proceed with the wire only after confirming with the client that the request is legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. To verify the authenticity of the request, confirm information only known to the client (ask questions to which hackers would not know the answers).

Educate all employees about good cyber-hygiene and how to avoid phishing attempts that target them with social engineering techniques designed to install malware or to deceive and elicit confidential information.
