Public Perception
Jury research shows that the public, including clients, perceive that the CPA's fundamental job is to "advise and warn" — to advise clients of opportunities and to warn them about risks. Juries believe the CPA's "advising and warning" antennae should be hyper-sensitive during economic downturns. Some even believe "anyone can do a CPA's job when times are good, but during difficult times — that's when the CPA really needs to bear down." In other words, expectations are elevated when economic times are challenging.
For example, when something goes wrong with a business during difficult economic times, behaviors begin to change, sometimes to the point where clients will perceive the CPA as having failed to advise and warn. Clients may deflect blame and rationalize, "What occurred isn't necessarily my fault … Is it possible someone else allowed this to happen? … Maybe I can blame someone else, and possibly recover our loss … Yeah, I think it was their fault."
Also, looking at events in hindsight means history can be rewritten to benefit the client: "Why didn't my CPA warn me about what was going to happen? I was relying on my CPA's expertise for financial help."
When economic times are challenging, professional skepticism must increase, not just to protect yourself and your client, but to protect other key stakeholders (e.g., the readers of the financial statements, lenders). History has proven that desperate times will cause some clients to take desperate measures, leading to deceit.
Loss prevention tip: Do NOT carry the burden of your client's problems and permit yourself to become a victim for your clients. Loyalty to a client doesn't take precedence over maintaining your professional standards of integrity, independence and objectivity. It is not worth jeopardizing your reputation or your own financial security in an attempt to mitigate or minimize client dilemmas.
Risk of Fraud
The struggling economy in the aftermath of the COVID-19 pandemic has placed many entities and individuals under financial strain. Increased financial need increases pressure and rationalization (two components of Donald Cressey's fraud triangle) for fraudulent behavior (e.g., "My line of credit has been canceled." "My retirement funds shrank." "I need this money.") Understanding the gravity of these pressures is crucial to effective fraud prevention and detection.
For example, organizations in nearly every sector are cutting expenses and laying off workers. Furloughs and reduced expenditures can compromise existing internal controls and lead to fewer fraud prevention measures. CAMICO's claims experience has shown that when people perceive an opportunity to commit fraud (the third side of Cressey's fraud triangle) and get away with it, they are more inclined to defraud. (More information about the fraud triangle is available from the Association of Certified Fraud Examiners at: https://www.acfe.com/fraud-triangle.aspx.)
Fraud can have a devastating impact on CPAs as well if firms don't embrace due professional care (a foundation of our profession's general standards) in defining the scope of their services and properly responding when fraud is identified or suspected. Public perception is that CPAs are expected to have a "nose for fraud," regardless of the limitations of the engagement. The expectation that CPAs will detect fraud is extremely difficult to meet, but the expectation to advise and warn is much less difficult. By advising and warning clients of their fraud/defalcation exposures and responsibilities, CPAs can minimize liability stemming from the expectation CPAs will detect fraud.
Exercising professional skepticism goes hand-in-hand with the expectation that CPAs have a duty to advise and warn. Regardless of the services performed, CPAs cannot provide absolute assurance that fraud has not been committed.
Practical loss prevention tips to minimize exposure to fraud-related claims include:
- Periodically warn clients of embezzlement risk.
- Encourage clients to require vacations as well as job and task rotation (fraudsters can’t take the chance that the evidence of their fraud will surface on someone else’s watch).
- Offer clients additional services, such as:
  - Internal control assistance.
  - Two-tiered bank reconciliation services, one that performs additional procedures which might detect fraudulent transactions, and another that does not.
- Encourage clients to perform fraud risk assessments (and consider serving as the discussion leader).
- Suggest clients establish fraud/ethics hotlines.
- Recognize potential independence and objectivity impairment; ask yourself whether you can be objective when evaluating potential fraud that you did not discover when performing your previous services, and then document that assessment.
- Retain contemporaneous defensive documentation for having performed or suggested each of the above steps.
For additional CAMICO guidance, policyholders are encouraged to access the Fraud Resource Center on the CAMICO Members-Only Site (https://www.camico.com).
Social Engineering Scams/Fraudulent Wire Transfers
CPAs continue to be at high risk of social engineering attempts due to the type of information firms gather and store, and CAMICO has observed an uptick in the frequency of these attempts.
"Phishing" is one of the more common social engineering scams. The goals of the hacker/thief in this type of scam are to:
- procure even a small bit of information that may be leveraged to hack the system while appearing to be a legitimate user,
- send phishing emails that appear to be from a client to convince an organization to authorize payments,
- commit some other fraudulent act under the guise of legitimacy, or
- download malware such as ransomware.
CAMICO policyholders have experienced a rise in fraudulent email requests for wire transfers. Fraudulent wire transfers frequently cause large dollar losses. If the fraudster controls the client's and the firm's email, commonly referred to as a "man in the middle" attack, and the fraudulent request mimics previous legitimate requests, it is very difficult for the firm to identify the request as illegitimate. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are often not helpful in preventing fraudulent transfers, as laws tend to limit their risk exposure and enable them to deny responsibility.
Use your professional skepticism to avoid being lulled into a false sense of security. Any requests for money to be transferred to a bank account unfamiliar to you should be a red flag, especially if the new account is in another country. If the firm's protocol with clients is to permit requests for wire transfers to be made via email, then establish and follow procedures to confirm requests using a mechanism other than email and proceed with the transfer only after confirming with the client (ideally by phone or in person) that the request is legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the bank account number. To validate the authenticity of the request, confirm information only known to the client (ask questions to which hackers would not know the answers).
Practical loss prevention tips to minimize fraudulent wire transfer exposure:
- Slow down. Whether working in the office or remotely, take the time necessary to validate suspicious or unexpected email.
- Establish written protocols. The firm should establish written protocols with clients for handling client funds, especially as it relates to handling wire transfer requests. Consider establishing dollar thresholds above which verbal consent would be required if clients do not want to be "bothered" to approve each request. In addition, document who the authorized client representative(s) would be for providing such consent if/when the client is not available. Please see "Addendum to Engagement Letter - Protocols for Executing Wire Transfers" at the link included in the IMPACT 119 email.
- Proceed with caution. With the increased number of claims related to fraudulent wire transfers, best practice in the absence of any written protocols to the contrary would be to verbally confirm ALL wire transfer requests with these clients to minimize risk.
- Strongly consider incorporating a limitation of liability clause into your engagement letters when handling client funds. This language will better align the risk associated with these types of engagements with your reward (fees). This language should be clear and conspicuous, to articulate that the client is making an informed decision in accepting such terms.
The following is an example of such a limitation of liability clause limiting exposure to a multiple of fees collected (CAMICO's rule of thumb is typically three times fees collected). Consult with your legal advisor to validate the appropriateness of using this type of language, as state and/or regulatory requirements may warrant further consideration regarding the efficacy and enforceability of such a clause.
In recognition of the relative risks and benefits of this agreement to both the client and the accounting firm, the client and the accounting firm have discussed and have agreed on the fair allocation of risk between them. As such, the client agrees, to the fullest extent permitted by law, to limit the liability of the accounting firm to the client for any and all claims, losses, costs, and damages of any nature whatsoever, so that the total aggregate liability of the accounting firm to the client shall not exceed [agreed factor] times the total fees collected by the accounting firm for services rendered under this agreement. The client and the accounting firm intend and agree that this limitation apply to any and all liability or cause of action against the accounting firm, however alleged or arising, unless otherwise prohibited by law.
For additional CAMICO guidance, policyholders are encouraged to access the Cyber/Data Resource Center on the CAMICO Members-Only Site (https://www.camico.com).
Other Important Risk Management Steps for CPA Firms During Difficult Economic Times
- Identify clients that may pose higher risk. If your practice specializes in certain industries, or you have a significant client in a certain industry, brainstorm with another partner or someone else servicing the account to extrapolate regarding the perceived risks. Play the “what if” game: What if the economic downturn causes the loss of a client’s customers or a line of credit? What kind of services are we rendering? What will happen if …?
This process helps you recognize risk stress points. If the firm is performing financial statement services, for example, the likely areas of higher risk exposure are inventory, accounts receivable, intangible assets, revenue recognition or bad debts. There may be valuation or other estimate issues when it comes to certain assets, and the valuation standards may exacerbate the risks and increase the need to explore the possibility these areas could be materially misstated.
- Increase the level of professional skepticism. Professional skepticism is a mindset that includes maintaining a questioning mind and being alert for red flags and/or inconsistencies. Although the profession tends to focus on the importance of professional skepticism for auditors, the reality is that the public expects CPAs to maintain an appropriate level of professional skepticism in all client interactions and services. To that end, the CPA should not assume that management is dishonest nor assume unquestioned honesty. In exercising professional skepticism, the CPA should not ignore red flags and/or inconsistencies because of a belief that management is honest. It is worth noting that the Association of Certified Fraud Examiners 2020 Report to the Nations (their most recent biannual survey) indicated perpetrators in executive/upper management and the accounting department committed frauds averaging $596,000 and $200,000, respectively, and represented 11.9% and 14.0% of the frauds in the survey, respectively.
- Prioritize defensive documentation. Defensive documentation, or the lack thereof, is always a critical issue in any claim scenario. When there is no accurate written description of the engagement, claimants can more easily assert the CPA was responsible for: 1) providing services the CPA did not consider part of the engagement, and 2) guaranteeing the results of whatever transaction the claimants initiated while the CPA’s services were engaged. By documenting the understanding between you and the client, you minimize your chances of facing litigation, because the engagement letter will leave little or no room for misunderstanding — a common foundation for lawsuits. If you find yourself in the middle of a lawsuit, your engagement letter will serve as documented evidence of the duties your firm agreed to perform. So, a well-defined/clearly drafted engagement letter is of utmost importance in today’s economic climate.
Follow up significant client meetings with a written memorialization of who was present, what was discussed, action items agreed upon, and who was responsible for each. When a client asks you to attend a meeting, it would be safe to assume that the client is effectively asking you to "bless" whatever action is discussed at the meeting. That assumption is probably applicable in virtually all preliminary "what if" type meetings. How can you clarify the client’s expectations, serve the client, and protect yourself?
A written memorialization of the meeting is probably the most important tool you can use to communicate with your client and to ensure that both you and the client are proceeding with the same expectations and assumptions.
CAMICO policyholders with questions regarding this article or other risk management questions should contact the Loss Prevention department at firstname.lastname@example.org, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.