The general principles behind protecting your firm from liability may remain the same over time, but it still requires constant vigilance.
"There are new trends all the time," said Suzanne Holl, senior vice president for loss prevention at liability insurer Camico. "You have to be aware of them, and stay alert on how you will manage the process to minimize your exposure."
A very recent concern is the exposure generated by business associate agreements, she noted. "There's been a resurgence of business associate agreements," she said. "For CPAs who have health care clients, this can create issues."
Last year, the Department of Health and Human Services released omnibus regulations under the Health Insurance Portability and Accountability Act, including changes made by the Health Information Technology for Economic and Clinical Health Act. "Some of the sweeping changes directly affect business associates," said Holl. "CPAs who have access to protected health information are considered to be 'business associates,' regardless of whether that access comes directly from a covered entity, which may be your client, or through another third-party business associate of the covered entity."
As a result, Holl said, "If you have health care clients that fall under the definition of 'covered entities' under HIPAA, and you have access to [personal health information] when performing your duties and responsibilities, regardless of whether you actually exercise this access, you are considered a business associate."
"CPAs should not accept more duties and responsibilities than they already have," said Holl. "Once you contractually accept more responsibility, you're held to that higher standard. In the CPA world, where you're reviewing financial statements, you may have access to confidential client information. There need to be reasonable safeguards for the confidentiality of that information. This would include the 'need to know' rule. You don't want to have everyone, even within your own firm, have access to confidential information."
Part of the "need to know" safeguard is to make sure that clients do not give you more confidential information than what you absolutely need, she indicated.
"Business associate agreements are being executed for covered entities to obtain from their business associates satisfactory assurances that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity," Holl said. "Many of the business associate agreements we have reviewed contractually shift liability and obligations from the covered entity to the CPA firm. We recommend that before you contractually bind your firm to the terms and conditions of a BAA, you should take the time to understand all the implications of the agreement and determine that you don't contractually expose you or your firm to standards higher than what you are already obligated to comply with. Accept only the terms required by HIPAA, and do not agree to terms that expand exposure to the firm."
CPAs are also increasingly being asked to sign nondisclosure agreements, said Holl. "They try to broaden the definition of what should be confidential to the point where they seek to make CPA work papers part of the confidential information, and try to maintain or gain ownership of the CPA's work product and work papers. If the client is allowed to broaden the definition of what is confidential client information to include CPA work papers, then conceivably the CPA may be in breach by responding to a valid subpoena or to a peer review. Once again, these agreements have to be modified so that you don't take on more responsibility and obligation over and above what you're already required to by professional standards."
MORE RISKS
"There is growing concern over data security within the CPA firm," explained Tom Henell, chief operating officer of NAPLIA, the North American Professional Liability Agency. "In particular this happens because we've become such a mobile society. Everything is done in the cloud. E-mail sent from smart phones goes back and forth over different platforms, so there's the issue about maintaining data security across the multiple platforms that are coming out."
"The thing to do, from the risk management standpoint, is spell it out within the engagement letter," he advised. "Acknowledge to your clients what platforms are used to transfer data back and forth, and get agreement that when they communicate, there is the potential for the communication being not secure."
And of course, if one phone is lost or stolen, there is the potential for data from the entire office to be compromised, Henell cautioned: "Our office uses an app that allows us to remotely wipe clean a phone, laptop or any mobile device in the event it is lost or stolen."
Holl noted an increase in firms' sensitivity regarding background checks for new hires. "We love to see growth in accounting work, but we're getting a lot of calls on this," she said. "When the background information comes back, firms aren't sure what they can do with it. For example, is declaring bankruptcy or having a foreclosure enough to cause the firm to rescind a job offer? Our answer is that if you did not indicate the offer was contingent on a background check, rescinding is probably not a good thing. Also, if it's not related to the applicant's prospective job duties and there is no exposure to client funds, there's no reason not to hire the individual. It's a good idea to issue the offer letter while reserving the right to rescind the offer in the event that detrimental information comes in the background check."
PROTECTING YOUR REPUTATION
Any lawsuit, whether the allegations are true or not, can harm an accounting firm's reputation, observed David Lo Verso, vice president of underwriting for accountants and wealth advisors' professional liability insurance at Jorgensen & Co.
"In our increasingly litigious environment, it's helpful to get a head start in understanding what areas in the accounting world present the greatest liability," he said. "Implementing sound risk management procedures will greatly increase your chances of reducing your firm's liability."
Lo Verso summarized his suggestions on protecting your firm from liability in the following things to do -- and to avoid doing.
- Bill frequently to avoid suing for delinquent fees. "No one wants to collect unpaid fees, but if you do need to, go about it in a professional way," he said. "Billing more often will allow your clients to understand the process of the professional engagement, and allow them to budget small payments."
- Do make sure you are qualified for the services the client demands. "Your clients expect you to be the most knowledgeable and up-to-date trained professional. After all, it's their money you are handling," he said. "So stay on top of licensing requirements and the ever-changing revisions to state laws and statutes."
- Do update your engagement letters as the engagement changes. "Over the years, the use of engagement letters has become more common and more of a requirement, rather than an option," he said. "By making sure each engagement is always documented with the proper services being provided, you can mitigate damage claims brought by disgruntled clients."
- Do exercise due diligence when it comes to prospective new clients before taking on the engagement. "There is a high percentage of 'failure to discover embezzlement or fraud' claims," Lo Verso noted. "These go across all scopes of engagements, but the largest exposure matters tend to arise from audit engagements for investment entities that turn out to be a Ponzi scheme or the like. It's easy to take on as many clients as you want; it is a business, after all."
- Don't let your judgment get clouded when performing services. "If you take on clients that happen to be friends outside of your professional relationship, do not allow yourself to succumb to the problems that come along with this," he explained. "Having a healthy separation of church and state will help you avoid actions that might suggest you are anything but independent from your client."
- Don't give out spontaneous accounting advice. "It's easy to get wrapped up in a busy tax season and rush through a client's question. To avoid any misrepresentation, examine each question as if they were sophisticated enough to be a new engagement," he suggested. "If you find yourself giving quick information, document it after the fact, of what you conveyed to the client to avoid any confusion between the client and yourself."
- Don't rush into new areas of practice. "Audits of financial institutions and publicly traded companies are the standard for high-risk activities. Business consulting and managerial advisory services are the new norms for high exposure and liability. Declaring yourself an expert in a particular field of practice is risky, so always make sure you are qualified in what you are doing."