If your firm is responsible for controlling client funds, then your internal controls should be robust enough to prevent the misuse of funds. The types of engagements providing this service range from basic bookkeeping and bill-paying on behalf of clients to business management engagements in which the firm controls the client’s day-to-day financial affairs. Other high-risk engagements prone to misappropriation include executor and trustee engagements.
Establish a combination of internal financial and security controls; utilize screening processes and background checks for employees and partners with signatory authority over client funds. An engagement letter describing the services being provided and their limitations should be signed by the client.
Firms with authority over client funds to provide business management or bill-paying services, including wire transfers for high net worth clients, can be susceptible to fraudulent wire transfer schemes.
These schemes typically begin with an email request for a wire transfer that is crafted to resemble earlier, legitimate requests. Often the email account of the CPA firm or of the client has been taken over by an attacker who reads and alters the messages passing between the two parties; the article’s term for this is a “man-in-the-middle attack,” though it is more precisely an email account takeover, commonly called business email compromise. The firm and the client each believe they are communicating with the other, while in fact one side is being steered into initiating a fraudulent transfer. The money is usually sent to a bank in a foreign country, sometimes routed through a U.S. bank first, and is rarely recoverable once the wire has settled.
Attackers also use phishing: an email that tricks the recipient into clicking a link or opening a document with macros enabled. Either action can install malware, which gives the attacker access to the recipient’s mailbox or a foothold on the firm’s network, and from there the position needed to run the scheme described above.
Loss Prevention Tips
Use your professional skepticism and do not let routine lull you into trusting email and other communications from clients and third parties. Any request to send money to a bank account you have not used for that client before is a red flag, and more so when the new account is in another country or the request arrives with unusual urgency.
If the firm’s protocol permits wire transfer requests to be made via email, have a procedure in place to confirm every request through a channel other than email, and release the wire only after confirming with the client that the request is legitimate. The confirmation should cover, at a minimum, the dollar amount, the name of the financial institution and the actual bank account number. Make the confirming call to a telephone number already on file for the client from the start of the engagement, never to a number supplied in the email itself, since an attacker who wrote the email can also supply a number that reaches them. Verify the caller’s identity with information known only to the client and not found in prior correspondence, because an attacker who controls the client’s mailbox can read that correspondence and answer questions drawn from it.
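The following is an added example, written for this page and not a workflow from any firm, that encodes the red-flag checks and the out-of-band confirmation rule above as fail-closed logic. The client record, beneficiary list, request fields and telephone numbers are constructed sample data, and the field names are assumptions; the point it shows is that the callback number comes from the client file rather than from the email, and that the wire is released only when a recorded voice confirmation matches every field of the request.

```python
"""Added example for this article: screening an emailed wire request and
requiring an out-of-band confirmation before release.

All records below are constructed sample data (assumed field names and
numbers); nothing here is a real client, bank or account.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    """Assumed client file, populated at onboarding, never from email traffic."""
    name: str
    callback_phone: str                         # verified at engagement start
    known_beneficiaries: FrozenSet[Tuple[str, str]]  # (bank, account) pairs used before
    home_country: str = "US"


@dataclass(frozen=True)
class WireRequest:
    """Fields extracted from the emailed request."""
    client: str
    amount: float
    bank: str
    account: str
    country: str
    phone_in_email: Optional[str] = None      # "call me on ..." supplied inside the email


@dataclass(frozen=True)
class Confirmation:
    """What a staff member recorded after the voice call."""
    phone_dialed: str
    amount: float
    bank: str
    account: str


def red_flags(req: WireRequest, client: ClientRecord) -> List[str]:
    """Return the warning signs the article lists; an empty list is not approval."""
    flags = []
    if (req.bank, req.account) not in client.known_beneficiaries:
        flags.append("beneficiary account not previously used by this client")
    if req.country != client.home_country:
        flags.append("destination bank is outside %s" % client.home_country)
    if req.phone_in_email and req.phone_in_email != client.callback_phone:
        flags.append("email supplies a callback number that differs from the number on file")
    return flags


def may_release(req: WireRequest, client: ClientRecord,
                conf: Optional[Confirmation]) -> Tuple[bool, str]:
    """Fail closed: release only if a voice confirmation exists, was made to the
    number on file (not one from the email), and matches every field."""
    if conf is None:
        return False, "no out-of-band confirmation recorded"
    if conf.phone_dialed != client.callback_phone:
        return False, "confirmation call was not made to the number on file"
    mismatches = [name for name, confirmed, requested in (
        ("amount", conf.amount, req.amount),
        ("bank", conf.bank, req.bank),
        ("account", conf.account, req.account),
    ) if confirmed != requested]
    if mismatches:
        return False, "confirmation does not match request: " + ", ".join(mismatches)
    return True, "confirmed out of band"


# Constructed sample data (assumed names and numbers).
EXAMPLE_CLIENT = ClientRecord(
    name="ACME Holdings LLC",
    callback_phone="+1-212-555-0100",
    known_beneficiaries=frozenset({("First National", "1234567")}),
)
EXAMPLE_REQUEST = WireRequest(
    client="ACME Holdings LLC", amount=48500.0, bank="Banco Exemplo",
    account="9988776", country="PT", phone_in_email="+1-646-555-0199",
)

if __name__ == "__main__":
    for flag in red_flags(EXAMPLE_REQUEST, EXAMPLE_CLIENT):
        print("red flag:", flag)
    # Calling the number from the email is exactly the mistake the scheme relies on.
    bad = Confirmation("+1-646-555-0199", 48500.0, "Banco Exemplo", "9988776")
    print(may_release(EXAMPLE_REQUEST, EXAMPLE_CLIENT, bad))
    good = Confirmation("+1-212-555-0100", 48500.0, "Banco Exemplo", "9988776")
    print(may_release(EXAMPLE_REQUEST, EXAMPLE_CLIENT, good))
```

The decision is deliberately two-step: red_flags only raises attention, and may_release refuses by default, so a request with no flags still cannot move money without a confirmation recorded against the number on file.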
Educate all employees about good cyber-hygiene and how to avoid phishing attempts that target them with social engineering techniques designed to install malware or to deceive and elicit confidential information.