Lawsuits against accounting firms can range from petty annoyances to major financial hits — and they’re not diminishing in size or frequency. Traditionally, the most frequent claims against a firm are for tax engagements, while the most severe claims in terms of monetary damages are in audit. However, spanning all categories of practice is the failure to detect fraud.
“Three out of 10 audit claims against small to midsized firms include an allegation of failure to detect fraud,” said Ken Mackunis, executive vice president of Aon Affinity, the program administrator of the American Institute of CPAs’ professional liability program. “With the deteriorating economy in 2008, more fraud schemes emerged, generating claims against accountants for failure to detect fraud. Normally, this would fluctuate with economic conditions, but we’re not seeing the numbers diminish currently with the improving economy.”
And it’s not just in the audit area, according to Mackunis. “Over the past five years, one in 10 of all claims includes the failure to detect fraud,” he said. “This is regardless of service, and includes tax, bookkeeping, and other services.”
“The public perceives the CPA as a person who should be finding fraud,” agreed John Raspante, senior vice president for risk management at North American Professional Liability Insurance Agency. “The CPA’s antennae should go up in any engagement, not just in attest work. The more material and frequent claims are where the CPA didn’t catch fraud — that will never change.”
In addition to training staff to detect fraud, firms should develop a professional skepticism about fraud, Raspante indicated. “They should develop fraud awareness,” he said. “They should go into an engagement with the assumption that there is fraud present.”
Ron Parisi, CPA, Esq., of Fremont, Ohio-based Reardon, Kolbe & Parisi Inc., recommends that firms have a mentor program that encourages young associates to trust their instincts in investigating abnormal situations for possible fraud. “It’s a firm-by-firm decision as to how formal to make the program,” he said. “It’s good to bring in someone to facilitate a mentor program, probably once a quarter or twice a year.”
LINES OF DEFENSE
The understanding of what the engagement involves is critical to liability exposure, since these claims are generated by a misunderstanding of the scope of services to be provided by the accountant. “That’s why having a clear engagement letter is such an important risk control tool,” Mackunis said. “The first line of defense is the engagement letter. The second is documenting any changes to the engagement document, and the third is documenting any off-the-cuff guidance you give to the client.”
“Get a signed, living engagement letter,” recommended Parisi. “It lives and is subject to change as the engagement grows.”
“It’s traditional advice, but it’s true,” agreed Raspante. “Tighten up your engagement letters. Make them as close to bullet-proof as possible. Use your insurance carrier’s samples, or an attorney’s. They’re contracts, and if they are created properly, they are a huge line of defense.”
Blinded by the desire to expand their business, firms can get into trouble when they practice outside of their area of competence.
“Know your business and your industry,” said Mackunis. “We’ve seen a disproportionate amount of claims where firms practice in an area that is not their specialty.”
Bill Thompson, a CPA and president of CPA Mutual RRG, agreed. “Don’t take on any engagement that you are not qualified to do,” he said. “Some troublesome areas are not only financial statement preparation, but also tax issues such as like-kind exchanges, estate planning, and anything that has to do with wills and trusts. These are better left to people with expertise in those areas.”
For example, an accountant who handles small businesses and does personal tax returns may get a client who is an Internet-based sales company, observed Raspante. “This is seemingly a non-risk engagement, but one of the problems is all the different sales tax rules regarding Internet sales. You have to match the client’s industry with the accountant’s knowledge and skillset. The two should dovetail, and when they don’t there is the added risk of liability.”
“We had a claim last year where the accountant took on a new client who was in the flower industry,” he added. “He didn’t realize that when you sell through wire services, it’s where the order is taken, not where the delivery takes place, that counts. Because he did not know the rules, the vendor was selected for examination, and was assessed $5,000. If you take on an assignment in a particular industry, there are industry guides and seminars. You can get the skills, but you should do so before you do the work.”
Randy Werner, loss prevention executive at Camico, has observed an increase in competency issues. “It’s what I call ‘You don’t know what you don’t know’ issues,” she said. “If a CPA has certain types of clients that only comprise a very small part of their revenue base (15 percent or less) and has not kept up with standards or the client’s needs changed and the CPA was unaware of the available types of tax savings due to a lack of knowledge, it can create problems. For example, the CPA might have been unaware of an S corporation that could have saved on taxes by electing QSub status.”
LONG PRE-ENGAGEMENTS
Ralph Picardi, of Lapping & Picardi LLP, said that firms should focus on engagement risk assessment before beginning an assignment. “That’s my terminology to describe the process by which a firm would screen incoming clients to decide which to take and which not to take, and also to screen existing ones,” he said.
Picardi, an attorney and former CPA who specializes in defending malpractice claims against CPAs, also emphasized engagement letter drafting, more effective communications with clients, and staff development.
“Firms should not only emphasize recruiting qualified people, they must ensure that they maintain an appropriate level of staffing within the firm and on engagements, and training those people correctly,” he said. “And then there’s engagement review. A firm should have an effective system for reviewing the work the firm is doing, both at the moment as engagements are going on, but also after the fact. There should be an internal inspection process that randomly selects an engagement after the work is done to see how well the firm did. It’s important for the firm to have not only a review being performed by the engagement team members themselves, but a second level of review by someone not a member of the engagement team.”
“It’s harder for small firms because some just don’t have enough staff to do it,” Picardi said. “But it’s when you get lone wolves and no one reviewing their work that you get into trouble, which is the whole logic behind the peer review program.”
“Of course,” said Picardi, “we can discuss as much risk management as you want, but at the end of the day you’ve got to do a good job, otherwise there will be claims. Risk management only takes you so far.”
GET IT IN WRITING
“Be vigilant about client acceptance, client retention, and documentation,” advised Mackunis. “Everyone says that engagement letters are a key line of defense. They should be considered in every engagement. All conversations, advice and guidance provided the client should be documented.”
“CPAs often fail to document the advice they give, and memories become faded,” said Raspante. “The client misinterprets, and years later a claim might arise with very little documentation to protect the accountant.”
For example, Raspante described a situation where a CPA’s client was a restaurant owner who hired veterans and unemployed individuals. The CPA told the client that these individuals potentially qualified for the targeted jobs credit, and he could file refund claims, but that he needed information on the veterans and also on the unemployed individuals. The client never supplied that information to the CPA, and later hired a new accountant. The statute of limitations ran out and the former client was precluded from the claim. The first CPA got the blame and had no documentation of his request to the client to supply the information. “It became a ‘he said, she said’ battle in court, and the jury took the side of the client,” he explained.
“With e-mails, it’s much easier to provide documentation,” Raspante noted. “It’s an effective way to establish both understanding and proof of understanding with your client. E-mail should be used more frequently and firms should train their staff on the advantages of using e-mail.”
In the end, he said, “If it’s not written down, the consensus is that the advice was never provided, and the client inevitably wins.”
It pays to have a risk-averse way of thinking as part of the firm culture, advises Mackunis. “Think about risk every day, because that will start to influence your culture and factor into other decisions,” he said. “Make risk management part of your staff education and training program so it becomes part of the culture of the firm.”
“Firms need to focus on training and continuing education,” agreed Raspante. “It’s an investment in protecting the firm. Everyone in the firm should be trained, including secretaries and administrative people. They need to have some knowledge of issues in the profession. Happy clients are not litigants, while unhappy clients start looking for a new CPA, and it becomes the basis for claims.”
As part of the process of client acceptance and re-acceptance, Parisi recommends “honest partner conversations” to ferret out bad clients. “These can take place at partner-level meetings and at retreats,” he said. “This is the biggest problem when you have large claims — there’s a partner with one client that no one ever asked about. It can get out of control and become a mess.”
DIGITAL THREATS
Mackunis, Thompson and Parisi all noted the rapidly increasing importance of cyber-security. “I think that’s going to be a huge exposure for CPAs moving forward,” said Thompson.
Parisi recommended that the small and midsized firm consider hiring an outside consultant. “We have an IT professional, but we also hired a consultant who specializes in the area,” he said. “CPA firms are a treasure trove of information for cyber-thieves. As a small practitioner, we are very open to cyber-attacks. In all my years in the professional liability space, this is the No. 1 threat for small CPA firms.”
Every firm could probably generate a list of business practices that it would like changed to reduce cyber-security lapses, observed Camico’s Werner. “However, our suggestion would be to make small changes that do not increase the complexity or the cost, thereby reducing a firm’s risk. For instance, most firms have employees who travel with mobile devices, and often these devices contain confidential client information. This raises the firm’s risk profile immensely because these devices can be easily lost or stolen. However, if a firm modifies its data access policy and does not allow an employee to store confidential data on the device, but rather requires them to access the data through a virtual private network such as Citrix or Microsoft Remote Desktop, then in the event of a loss, the firm’s compliance issues and security issues can be mitigated — data never leaves the server and the need for backup and recovery is nearly, if not completely, negated.”
“Keep your virus protection up to date,” advised Rickard Jorgensen, president of Jorgensen & Co., the managing general underwriter of the CPA Gold program. “In the past few months, there has been a significant increase in the frequency of wire transfer scam attacks against accounting firms. What we’ve seen recently are groups overseas targeting CPA firms and hacking their systems and stealing their information, and most recently we saw an elaborate fraud where they actually filed tax returns as if they were filed by the CPA firms.”
“On a recent occasion, one of our clients arrived at his office to be greeted by three FBI agents who thought he was the scammer, not the victim,” Jorgensen said. “It could take 12 months to get sorted out, and in the interim the client is losing money on interest and use of the funds.”
Not every professional liability policy covers the situation, according to Jorgensen. “The CPA has not made an error,” he explained. “There has to be some proof of wrongdoing by the CPA for coverage to apply and the CPA has not made an error, but has been hacked. We apply a rider to cover these situations, but it’s important for the CPA firm to ensure they have this type of coverage.”
Jorgensen recommends the following steps to strengthen cyber-security:
- Remove spyware. At a minimum, run a monthly full scan with anti-virus software on all computers on your network.
- Establish controls on shared drives and folders. If sharing of directories and files over your network is not essential, file sharing should be disabled.
- Check for security patches to your systems at least weekly and implement within 30 days.
- Change factory default settings to ensure that your information security systems are securely configured.
- Have a way to detect access or attempts to access sensitive information.
- Become aware of what sensitive or private data is in your custody, along with whose data it is, where it is, and how to contact individuals if their data is breached.
- Authenticate and encrypt all remote access to your network and require such access to be from systems that are at least as secure as your own.
- Have a company policy governing security and acceptable use of company property. The policy should address network access by employees, contractors or any other person with access to the company’s network.
- Limit access to data on a need-to-know basis.
- Consider outsourcing your data security to a specialist firm or have staff responsible for maintaining and training in data security.
- Have a prominently disclosed privacy policy and honor it.
- At least once a year, provide security awareness training for everyone who accesses your network.