Top Loss Prevention Trends
Q: More and more of our clients are requesting some form of comfort and/or verification type letters from our firm. Are we putting the firm at risk by complying with such requests?
A: Over the years, CPAs have shared their frustrations and concerns with CAMICO regarding veiled threats they’ve received from aggressive brokers, lenders, and other third parties (investment funds, USDA-FSA, etc.) alleging clients would be harmed in some way if letters are not provided that confirm their clients meet specific financial qualifications. Some have gone as far as to suggest that the client should seek "a more cooperative" CPA.
Carefully evaluate the risks associated with accommodating such requests. This requires a great deal of professional judgment as you attempt to achieve the delicate balance of minimizing your risks while managing client and third-party expectations. For example, since professional standards do not require CPAs to provide any letters to third parties, what are the risks of saying "no" (e.g., losing the client or being sued by the client should the loan fall through) versus the risks of saying "yes" (e.g., falling below the professional standard of care, becoming a "deep pocket" target for the lending institution were the client to default).
CAMICO has noted an uptick of clients asking their CPA to certify in writing to an investment fund that the client meets "accredited investor" qualifications. Under SEC rule 506(c), anyone selling investments that require "accredited investor" status must take appropriate due diligence steps to verify the individual’s accredited investor status. Individuals who base their qualifications on annual income will need to submit tax and financial documents and will likely also be asked by the investment fund to provide an accredited investor verification letter from either a CPA, attorney, investment broker or other professional advisor. Evaluating whether your firm should comply with a client’s request for such a letter requires the exercise of professional judgment (risks of saying "no" versus risks of saying "yes") noted above.
If you choose to accommodate a request, document only the facts, and clearly detail the scope and limits of the services the firm performed for the client. Refrain from speculation or comments regarding future events and don't provide opinions or conclusions not supported by the services performed. And never make assurances regarding the accuracy or completeness of the information provided unless the scope of your services enables you to provide such assurances, as doing so would also violate AT Section 9101 Interpretation 2, Responding to Requests for Reports on Matters Relating to Solvency (AT §9101.23-.25).
CAMICO letter templates address a variety of scenarios, including ones suitable for responding to accredited investor requests, and we can help you tailor a response if necessary. For more information on this topic or to access letter templates, refer to CAMICO's Members-Only Site (www.camico.com) on the Engagement Letter Resource Center. The accredited investor request response letter is in the "Other Services Letters" section.
—Katherine Pangelina, CPA
Q: What should I do when my clients want me to contractually agree to broad indemnification and/or hold harmless terms? Am I putting my firm at risk?
A: CPA firms are continuing to experience an uptick in clients trying to embed indemnification and/or hold harmless clauses in various agreements with the firm. Many of the indemnity and/or hold harmless clauses embedded in such agreements attempt to shift all liability from the client to the CPA firm, and have broad language that extends the CPA firm’s responsibilities to more than just the professional services being performed.
Given the nature and scope of the CPA/client relationship, there may be many contributory components to the underlying facts and circumstances that should go into the assessment of determining actual "fault." For example, did the CPA solely contribute to the cause of the damage as a result of their negligence, or did the client or one of its representatives contribute, in part, to the underlying cause of the mistake? Most people would support and agree with the concept that if a mistake is made that results in damage to someone else, the party that made the mistake should be held responsible to "make it right." However, a broad blanket indemnification and/or hold harmless clause may contain legal conditions and caveats that are not necessarily appropriate with respect to the professional services being provided by the accounting firm and would be problematic for any CPA firm who agrees to such terms and conditions.
Therefore, it’s important that before you contractually bind your firm to an arrangement of this significance, you take the time to understand all the implications of the legalese in the agreement in order to make an informed decision on terms and conditions that may pose a higher standard and/or greater liability to the firm than what would normally be anticipated. Make sure you are comfortable with the agreement and the expectations that will fall on your firm. Be prepared to reject the client opportunity if you cannot negotiate the terms to your satisfaction. Consult with CAMICO to review the agreement if you are unsure as to the exposure related to the indemnity and/or hold harmless language that may be included in an agreement.
For a more detailed discussion of this topic, see the article “Indemnification … Understand Your Risks” in IMPACT 112 (October 2018), available on CAMICO’s Members-Only Site (www.camico.com) under Knowledge Tree, CAMICO Publications, IMPACT, 2018, IMPACT 112.
—Suzanne M. Holl, CPA
Q: As a CPA firm, we understand that we may be at high risk from social engineering scams. What cybersecurity measures does CAMICO recommend to minimize our exposure to becoming a victim of one of these scams?
A: Social engineering is one of the most dangerous types of cybersecurity threats to all types of businesses. CPAs are at high risk of such attempts due to the type of information that firms gather and store. The definition of social engineering in the context of data security is the use of techniques such as sending links to deceive and lure individuals into divulging confidential or personal information. That information may then be used for fraudulent purposes or encouraging the opening of attachments that download malware in order to gain access to a computer or network.
"Phishing" is one type of social engineering whereby the information in an email attempts to convince a user that the email is from a legitimate source and the user needs to respond to the request by clicking a link. Possible goals of the hacker/thief in this instance are:
- to procure even a small bit of information about the individual or the firm that may be used to hack the system, but also to appear to be a legitimate user;
- to send phishing emails to others in the firm to appear as if they are a client in order to convince a firm to authorize payment of funds;
- to commit some other fraudulent act under the guise of legitimacy; or
- to simply download malware such as ransomware.
Other types of phishing emails may contain virus-filled attachments which, when opened, will also download malware. These types of emails are also purportedly from trusted sources or offer media content that seems perfectly innocent, such as cute cat videos.
As employees are the most common entry point for phishing attacks, a firm's best protection against social engineering attempts is to make continuous efforts to raise staff awareness of the importance of ongoing vigilance and enhanced skepticism with each and every email and online interaction. Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm's potential exposure. For example, all users must be educated and trained to recognize social engineering attempts and taught to always guard their login/authentication credentials both in the office and at home. Education can come in many different forms, both formal and informal. Consider sharing some of the "real-life" examples with staff of the potential scam emails received by members of your firm. Such examples can help to heighten awareness of the nature and types of scams that are of threat to your firm.
In multiple studies completed by big players in the data security industry, user education and training have proven to be an organization's best defense for very little cost, especially in comparison to all the other technological solutions. In fact, effective education and training can reduce a firm's risk of a breach by as much as 91%.
The purpose behind cybersecurity awareness education and training is to alter risky behaviors and, hopefully, create a sense of shared accountability. Although it may not seem obvious, employees want to know what to do to assist in data security but often lack the necessary knowledge and skills. Additional risk management guidance and information on this topic is available on the CAMICO Members-Only Site (www.camico.com) in the Cyber/Data Security Resource Center.
—Randy R. Werner, J.D., LL.M./Tax, CPA
Q: Many baby boomer–owned businesses seek assistance from their CPAs regarding the sale and pricing of their businesses. CPAs must consider and navigate professional standards when choosing whether to assist. You want to help, but can you?
A: There has been an uptick in requests by clients asking CPAs to assist with the pricing and sale of their closely held businesses.
CPAs are trusted advisors, but we don't always possess the requisite skills necessary for the services we are asked to perform, and occasionally the services asked of us may impair our objectivity or independence.
CPAs valuing businesses needn't have a business valuation credential but must comply with Statement on Standards for Valuation Services (SSVS1), which has been effective since 2008. The standard applies to CPAs performing engagements to estimate the value of a business or a business interest. And as with everything else CPAs do, CPAs must possess the professional competence to perform the services they undertake. The AICPA code of conduct’s "General Standards Rule" [1] indicates CPAs can "undertake only those professional services that [they] can reasonably expect to [complete] with professional competence." Performing a valuation engagement with professional competence involves special knowledge and skill. CPAs performing valuation services need the requisite knowledge of valuation principles and theory and the necessary skill in the application of such principles that enable them to apply appropriate valuation approaches and methods, obtain and analyze appropriate data, and use their professional judgment in developing estimates of value. Rules of thumb can be helpful in assessing the reasonableness of a price, but they are no substitute for an estimate of value performed under SSVS1.
Many clients trying to get a "quick and dirty" estimate will want their CPA to perform a calculation using a rule of thumb they believe to be reasonable for their industry and/or to allow the potential buyer to rely on the CPA’s valuation. Rule of thumb estimates are not acceptable substitutes for a valuation performed under SSVS1. In addition, if the CPA is engaged by both sellers and potential buyers, this poses a conflict of interest that can’t be overcome by the parties acknowledging and waiving the conflict.
As always, CAMICO policyholders can call the Loss Prevention department at 1.800.652.1772 for guidance if presented with a similar situation. We can assist you with navigating the potential issues with your actual fact pattern. Additional risk management resources, as well as sample valuation engagement letters, are available on CAMICO’s Members-Only Site (www.camico.com).
—Duncan B. Will, CPA/ABV/CFF, CFE
Q: I prepare a federal and a few state income tax returns for my business client. The business sells merchandise to out-of-state customers throughout the United States. Given the Supreme Court ruling involving sales tax and remote sellers (Wayfair), what are my responsibilities regarding advising my client on potential sales tax filing requirements in the various states?
A: The 2018 Supreme Court's decision in South Dakota v. Wayfair, Inc. ("Wayfair") gives rise to enhanced complexities with respect to sales tax compliance. To minimize any potential allegation from a client that you somehow fell short of your professional responsibilities, even if you are not engaged to render any sales tax compliance services, CAMICO recommends that if you have not already done so, you send a notification letter to business clients that may be impacted by the Wayfair case to “warn and advise” of potential sales tax collection and remittance requirements.
In addition, CAMICO recommends that your tax engagement letters specifically detail the scope and limits of the engagement, which should include language confirming that the client is responsible to furnish you with all the information necessary to identify all states in which the client does business or derives income and the extent of business operations in each relevant state. Given the significance of the Wayfair decision to some of your clients, it may also be prudent to include a disclaimer clause in your income tax engagement letters that specifically identifies that your engagement is limited to preparing the identified federal and state(s) income tax returns and that your firm is not rendering any services designed to assess the client’s sales and use tax risks and potential exposure to substantial (“economic”) nexus.
For a more detailed discussion of Wayfair, see the article “The Wayfair Decision—Additional Sales Tax Collection and Reporting for Out-of-State Sales May Be Required” as well as the referenced sample client notification letter in IMPACT 113, issued December 2018. This can be found on the CAMICO Members-Only Site (www.camico.com) under Knowledge Tree, CAMICO Publications, IMPACT, 2018, IMPACT 113.
Q: I’ve recently read something about the IRS and syndicated conservation easement transactions. A couple of my individual tax clients have a K-1 reporting a charitable deduction from a syndicated conservation easement. What are my responsibilities when preparing the individual return?
A: Your responsibilities to your client from a risk management perspective should include the following three-step process: inform, advise, and document.
As you may know, on November 12, 2019, the IRS in IR-2019-182 announced an increase in enforcement activity of syndicated conservation easement transactions. The IRS information release, however, does not change the underlying rules or treatment of this type of reportable transaction, which was addressed by the IRS in Notice 2017-10. In the 2017 notice, the IRS identified certain syndicated conservation easements as listed transactions and required taxpayers as well as material advisors to report information about such transactions. Syndicated conservation easement transactions that are required to be reported are those that involve one or more investors that receive promotional materials offering prospective investors in a pass-through entity the possibility of a charitable contribution deduction that equals or exceeds an amount that is two and one-half (2.5) times the amount of the investor’s investment. Most tax practitioners who are engaged merely to prepare tax returns do not fall into the category of "material advisor," although tax practitioners do have some potential exposure.
Individuals participating in such transactions must file Form 8886 with their tax returns and material advisors must file Form 8918. From a risk management perspective, CAMICO recommends that you should inform your client of the newly announced increased enforcement activity; advise the client to contact your firm if they believe they have engaged in any questionable syndicated conservation easement transactions; and lastly, document your communications with the client. CAMICO has developed a client communication template for your reference.
For additional information on syndicated conservation easements, refer to the CAMICO Alert on “Newly Added Reportable Transactions” issued March 2017, available on CAMICO’s Members-Only Site (www.camico.com) under the “eAlerts” section, for additional information.
—Anthony Cooper, J.D., MBT
Q: We are struggling to manage an employee who is calling in sick frequently, sometimes hours after he is expected in the office. His job responsibilities include interfacing with firm clients, and we are concerned because he has indicated that he suffers from acute depression. How do we deal with the absenteeism due to his depression, and what will happen when our busy season begins and the stress increases?
A: Mental health disorders have become an epidemic. Research now shows that one in five adults suffers from mental health problems, which include symptoms such as depression, mood fluctuations, anxiety, suicidal thoughts, and so on. Mental health disorders can also manifest as physical ailments such as heart disease, muscle and joint pain, migraine headaches, and extreme fatigue, to name a few. Absenteeism due to mental health disorders can result in a loss of productivity and poor workplace morale for those employees left to pick up the extra work.
For employers it can be difficult to balance the needs of the firm with the needs of the employee while navigating the various employment laws that could influence the situation.
First and foremost, the firm should focus on the impact caused by the frequent absenteeism on productivity and client service. Work with the employee in considering any request(s) for accommodation suggested by the employee's healthcare provider. Depending on the size of the firm, the level of accommodation required may vary. Accommodations could include a reduced work schedule, temporary leave of absence, or simply time off for medical appointments.
As with any illness/injury, details surrounding the employee's absenteeism should not be discussed with staff. Management is often in the difficult position of protecting the employee and responding to frustrated co-workers. While employees may speculate, it is important that management provide an open door for hearing frustrations but not divulge confidential information.
Co-workers may want to lend an ear to provide support, but under no circumstances should a co-worker or manager step into the shoes of a therapist. Instead, they should encourage the employee to seek professional help.
Benefit plans that include mental health treatment and/or access to a firm-sponsored Employee Assistance Program may provide the much-needed support for an employee struggling with mental health issues. Firms should provide resources if possible and include policies in their employee handbook addressing medical and personal leaves of absence.
Each situation is different, and unfortunately there isn’t a standard procedure to follow. Therefore, to ensure compliance with any applicable employment laws and to mitigate potential risks, CAMICO recommends that the firm reach out to their employment practices risk advisor and/or legal counsel to discuss options.
Top Claims Trends
Q: I am engaged to provide business management or accounting services that include bill pay services through wire transfer or check. How important is it that I confirm each payment request verbally?
A: If the request is not one that occurs regularly, is not expected, or is not familiar to the firm (including the payee/bank information), then verbal confirmation is imperative! Because of their busy schedules, clients may not want to be contacted regarding each bill pay request and may advise that confirmations should be done via email. However, hacking is becoming more and more commonplace in today's society. If the client's email has been hacked, or if your email has been hacked, or both, any wire transfer request could have come from a fraudster/hacker.
Hackers may start by requesting small amounts in order to avoid alerting the payer, or they may review the inbox and insert themselves into a scheduled wire transfer by changing the recipient bank instructions. When hackers finally start requesting payment amounts that cause the firm or the payer to question the requests, it is usually after thousands of dollars have already been transferred to the fraudster.
Since your client will view you as the last line of defense in protecting their funds, it is much harder to defend a claim where it is alleged that you are the reason for the loss, especially if you could have prevented the fraudulent transfer by simply making a phone call to the client to confirm that the request was legitimate. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number as well as any other relevant information to effect the transfer. As a further example, almost all banking institutions require verbal confirmations for wire transfers, and if they receive a verbal confirmation from you, the bank will wash its hands of the situation and put the onus for the losses back on you.
Be aware of one further risk: In today's technological era, a lot of people have visual voicemail — i.e., if you leave your client a voicemail asking them to confirm the wire transfer, then the voicemail is converted into text in an email and sent to the possibly compromised email address. The hacker may then respond using the compromised email to confirm the wire transfer since they are sitting in the client’s inbox (or having the emails redirected to them). This is called a "man-in-the-middle" attack. Therefore, the verbal confirmation needs to be actual verbal contact with the client, not an exchange of text-converted voicemails.
—Sandra Schneider, J.D.
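The confirmation rule from the answer above, written as a release gate for bill-pay requests; this is an added example, not CAMICO's procedure or code. The payee, bank and phone values are constructed, and the three-day and 10% thresholds and the requirement that the call go to the phone number already on file are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class KnownPayee:            # what the firm already holds for a recurring payee
    bank_name: str
    account_number: str
    typical_cents: int
    next_due: date

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    bank_name: str
    account_number: str
    amount_cents: int
    requested_on: date

@dataclass(frozen=True)
class Confirmation:
    channel: str             # "live_call", "email", "voicemail", ...
    number_dialed: str
    amount_cents: int
    bank_name: str
    account_number: str

def digits(phone):
    return re.sub(r"\D", "", phone)

def callback_reasons(req, on_file, day_window=3):
    """Why this request is not regular, expected and familiar (empty list = routine).
    No amount floor: a small request to an unfamiliar payee still needs a call."""
    known = on_file.get(req.payee)
    if known is None:
        return ["payee is not on file"]
    reasons = []
    if (req.bank_name, req.account_number) != (known.bank_name, known.account_number):
        reasons.append("bank instructions differ from those on file")
    if abs((req.requested_on - known.next_due).days) > day_window:   # assumed window
        reasons.append("request is outside the expected payment date")
    if abs(req.amount_cents - known.typical_cents) * 10 > known.typical_cents:  # assumed 10%
        reasons.append("amount differs from the usual amount")
    return reasons

def confirmation_problems(req, conf, phone_on_file):
    """Accept only live verbal contact that covered amount, bank and account."""
    if conf is None:
        return ["no confirmation recorded"]
    problems = []
    if conf.channel != "live_call":   # email replies and transcribed voicemail do not count
        problems.append(conf.channel + " is not live verbal contact")
    if digits(conf.number_dialed) != digits(phone_on_file):   # assumption: number on file only
        problems.append("number dialed is not the number on file")
    confirmed = (conf.amount_cents, conf.bank_name, conf.account_number)
    if confirmed != (req.amount_cents, req.bank_name, req.account_number):
        problems.append("amount, bank or account was not confirmed as requested")
    return problems

def decide(req, on_file, phone_on_file, conf=None):
    reasons = callback_reasons(req, on_file)
    if not reasons:
        return "release", []
    problems = confirmation_problems(req, conf, phone_on_file)
    return ("hold", reasons + problems) if problems else ("release", reasons)

# Constructed sample data.
ON_FILE = {"Acme Supply": KnownPayee("First Example Bank", "000111222",
                                     125000, date(2020, 3, 1))}
PHONE_ON_FILE = "(555) 555-0100"

def demo():
    routine = PaymentRequest("Acme Supply", "First Example Bank", "000111222",
                             125000, date(2020, 3, 2))
    rerouted = PaymentRequest("Acme Supply", "Other Example Bank", "999888777",
                              125000, date(2020, 3, 2))
    small_new = PaymentRequest("Unfamiliar Vendor", "Other Example Bank", "999888777",
                               5000, date(2020, 3, 2))

    def conf(channel, number):
        return Confirmation(channel, number, rerouted.amount_cents,
                            rerouted.bank_name, rerouted.account_number)

    return {
        "routine": decide(routine, ON_FILE, PHONE_ON_FILE),
        "small_new": decide(small_new, ON_FILE, PHONE_ON_FILE),
        "email_reply": decide(rerouted, ON_FILE, PHONE_ON_FILE, conf("email", "")),
        "voicemail": decide(rerouted, ON_FILE, PHONE_ON_FILE,
                            conf("voicemail", PHONE_ON_FILE)),
        "call_to_emailed_number": decide(rerouted, ON_FILE, PHONE_ON_FILE,
                                         conf("live_call", "555-555-0199")),
        "live_call": decide(rerouted, ON_FILE, PHONE_ON_FILE,
                            conf("live_call", "555 555 0100")),
    }

if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:24} {decision:8} {'; '.join(why)}")
```
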
Q: What is the best practice to minimize the risk of a claim alleging negligence for not having detected fraud?
A: That’s a great question. Cases involving alleged failure to detect fraud or defalcation are a large fraction of CAMICO’s Claims files. Fraud committed against your clients creates problems for them and risk for you, and the longer you have provided services to the client, the more likely parties will allege you're to blame.
The risk isn't isolated to attest services such as audit or review engagements. Accountants impacted may have only been engaged to prepare tax returns. In some cases, accountants helped vet and hire the fraudster, reconciled the client's bank accounts, and had informal discussions with the owner or principal about the organization's internal controls. These are all actions that, it may be argued, increase the potential exposure in cases where the accountant is alleged to have been negligent in not having detected wrongdoing. The additional risk shouldn't preclude you from providing this guidance but shouldn’t be ignored, either.
Regardless of the services being performed, when accountants identify something that does not make sense, they cannot ignore the issue. Accountants must maintain professional skepticism in every engagement—regardless of the relationships they may have with the client or the client’s representatives. Don’t let the natural reluctance to address conflicts with people you know and like keep you from asking the hard, often uncomfortable questions that need to be answered to resolve these matters.
Many fraud exposures can be avoided or reduced by accountants asking follow-up questions. This includes less-experienced accountants with significant client contact. When you come across something that doesn’t make sense, keep asking questions until you're satisfied. Don't hesitate to request documentation and to look skeptically at documentation provided. Fraudsters frequently use technological advances to produce fraudulent support. Trust your gut. Question the authenticity of the support provided to you if it doesn’t pass your “smell test.”
—Mark Rooks, J.D.
Q: What is the difference between an informal request for records and a subpoena?
A: An informal request for records could come as an email, fax, call or letter from former clients, shareholders or an attorney requesting client information, but the request is not in the form of a subpoena. In civil matters, absent a subpoena, CAMICO suggests that an insured first obtain written consent from the client to produce any documents to the requesting party. However, situations may vary. Therefore, it is best to consult with the CAMICO Claims department prior to providing any documents.
A subpoena is usually a formal request for documents and/or appearance, typically requested by an attorney in the course of litigation, or by a government agency in the course of a criminal or civil investigation. An attorney or other party may issue a subpoena because he or she believes you are in possession of information that will establish facts relevant to the underlying case. However, sometimes a subpoena may indicate you are a target in the underlying case by seeking information that could implicate you as possibly liable for the matter being investigated or litigated.
A person, attorney or firm will send a subpoena to formally request documents, a court hearing, or deposition. Subpoenas may contain different types of requests. A subpoena may request that an individual or group testify in a deposition, at a court hearing, or at trial surrounding subjects related to the pending lawsuit.
A subpoena also may request that the individual or group produce documents or other physical things relating to the lawsuit. In criminal matters, CAMICO generally recommends requesting issuance of a subpoena prior to producing any documents or disclosing any confidential client information. Providing documents to a governmental agency (e.g., the IRS), absent a subpoena, could potentially take place "as a one-time courtesy," depending on the nature of the request. Again, as situations may vary, it is best to consult CAMICO prior to taking any action.
What to do if you are served with a subpoena:
- Seek experienced assistance — contact CAMICO immediately.
- Make sure your client knows about the subpoena.
- Obtain client consent to produce confidential records.
- Provide the client an opportunity to object.
- Produce records/provide testimony after obtaining client consent.
- Respond prior to the Date of Action Required.
- Comply with any legitimate court order compelling compliance.
What does the CPA have to do prior to producing records?
- Obtain client consent. Although technically only tax documents are considered privileged under 7216, we recommend you obtain client consent for any document production.
- Get the client to make a formal objection if client refuses to consent.
- Notify subpoenaing party of no consent, thus no compliance, if client refuses consent.
- Comply with any legitimate court order compelling compliance.
There are many considerations when there is a request or subpoena for client records. They include:
- Is there risk of a claim?
- Possible third-party claims: Is there a potential for a third party not involved with the litigation making a claim?
- Threat/demand letter from litigant’s attorney: Has there been a specific request for compensation or services?
- Significant engagement scope changes.
- Investigation of financial fraud/tax fraud: Most government subpoenas do not require client consent.
- Conflicts of interest.
- Consumer notice requirements: There are specific requirements to which a subpoena must adhere to be considered valid.
- Protection of workpapers (proprietary? e.g., Business & Professions Code, Calif. BPC Sec. 5037).
- IRC Section 7216 Confidentiality objections: Section 7216 prohibits an accountant who provides services in connection with the preparation of federal income tax returns from disclosing information “furnished to him for, in connection with, the preparation of any such return” except pursuant to an order of a court or certain other specified exceptions, including written consent of the taxpayer.
- Impact of objections by client.
Scope and status of engagement will also impact assessment of risk in all of these areas. For safe measures, it is advised to inform CAMICO immediately upon receipt or notice of a subpoena. More information is available on the CAMICO Members-Only Site (www.camico.com) in the Subpoena Services Resource Center.
Q: If a non-managing client member requests information or changes on a tax return, how do I respond, and what are my obligations?
A: As the tax professional and pursuant to the engagement, generally, your obligation is to the entity, not the individual partners, members or shareholders. Therefore, you should take direction from the individual designated to handle tax matters (e.g., tax matters partner). Any issues that individual owners may have with the preparation of the return or any professional services rendered should be redirected to the individual designated to handle tax matters.
The individual authorized to sign the engagement letter on behalf of the entity will often be the designated tax matters person. However, in the case of partnership or LLC treated as a partnership, be mindful of the IRS's partnership audit rules effective for partnership tax years beginning in 2018. Under the new partnership audit rules, each partnership shall have a designated "partnership representative." This representative has the sole authority to act on behalf of the partnership, and both the partnership and the partners will be bound by those actions. In other words, partners who are not the "partnership representative" no longer have a legal right to receive notices or participate in a tax audit, appeals or any associated judicial review. These issues must be addressed on an annual basis. For additional information on the new partnership audit rules, refer to the CAMICO Alert on "New IRS Tax Audit Rules for Partnerships" issued March 2018, available on CAMICO’s Members-Only Site (www.camico.com) under the "eAlerts" section. See also the Addendum to the sample engagement letter for Partnership Income Tax Preparation – Expanded version, available on the CAMICO Members-Only Site in the Engagement Letter Resource Center.
It is important to determine who has been designated the partnership representative for the tax year the request for information or course of action is being made. It is also important to note that partnership representatives can be and typically are substituted with a receiver, bankruptcy trustee, or the like, in the event of receivership or bankruptcy of the entity.
[1] ET Section 1.300.001