Don’t expose yourself: Liability risks for accountants change daily

Client selection, dabbling, and use of engagement letters are issues that can add to or mitigate a CPA’s potential professional liability, according to insurance executives and professional liability lawyers. Cyber-liability is a burgeoning threat that will continue to target practitioners, they warn.

Celebrity clients should have one strike against them in the client selection process, according to Sarah Ference, risk control director at CNA, and Dave Sukert, senior vice president at Aon Affinity. (Aon is the program manager, and CNA is the underwriter, of the American Institute of CPAs’ Professional Liability Insurance Program.)

“Liability issues with high-net-worth clients and celebrity clients have been increasing in terms of severity of the claim. They have a lot of money at stake, and an attitude,” said Ference. “Claims for services delivered to these clients are larger than typical claims. They often include consequential and overinflated damages — they feel wronged, and want to make the CPA feel their pain. They’re not all bad, but they do bring an element of risk that’s not typically presented by other clients, so handle with care.”

“There’s also the element of ego involved,” said Sukert. “They’re used to getting what they want, and the CPA sees prestige in having a celebrity client. Our advice is to step back, slow down, and look at the risks and rewards. Take all the factors together, including the mindset of celebrities — they have the means to fuel litigation.”

“Wealthy clients are much more prone to litigation if mistakes are made,” agreed Bill Thompson, president of CPA Mutual Insurance of America RRG. “My antennae would go up if any of my clients became a little more prosperous. They have a hard time dealing with failure, so they look for someone else to blame. Many times it’s the CPA who bears the brunt of the blame.”


KNOW WHAT YOU’RE DOING

Dabbling is a growing risk factor due to the increasing complexity of tax regulations, Sukert observed. “It’s difficult for practitioners, especially in the smaller firms, to stay knowledgeable. As the landscape becomes more complex, what the client expects of the practitioner becomes cloudy, and CPAs tend to delve into areas in which they’re not experts. This can result in liability for practitioners who get in over their heads. They think, ‘It’s not that hard — I can figure this out.’ It’s human nature to run toward revenue, and toward helping people, but they should sit back and decide the best way to help.”

Ference agreed: “Sometimes, being the most trusted advisor means you might have to decide that you’re not the best one to serve your client in this area,” she said. “No one likes to steer a client to another firm because they feel the other firm will take away their business. The point is to know what you’re good at, and make sure your client is well served by the right person.”

Firms that dabble are more likely to be on the receiving end of a liability lawsuit than those that don’t, Ference noted. “If they have a culture of taking on engagements that aren’t in their wheelhouse, they don’t perform as well,” she said. “Our actuaries found that the more areas in which they dabble, the worse their loss experience.”

AT-082717-Lawsuit Types against accountants

WRITE IT DOWN

Liability insurers have been preaching the use of engagement letters for years as a means to avoid or mitigate claims. And the use of engagement letters, while good, should be better, Sukert noted. “Having an engagement letter or a written memorandum of a conversation with a client can prevent a claim from happening in the first place, and can mitigate damages when a claim arises. If you don’t have one, it makes it more difficult to defend.”

“Payment on claims in which there was an engagement letter are less than on claims for which there was no engagement letter,” he said. “Damages are up to 70 percent higher on claims for which there was no engagement letter.”

“And watch out for engagement letter creep,” he cautioned. “If the scope of the engagement changes, you need a new engagement letter.”

“Some practitioners are reticent about discussing a new letter with long-term clients. They think they have an understanding, but the understanding that exists until things go bad. When people are aggrieved, they look for someone to blame,” Sukert said. “The letter should spell out what you’re doing and what you’re not doing. Otherwise, the pleading will say that they expected you to take care of everything for them. The engagement letter needs to be tailored for a particular engagement. If you don’t have a new letter when the engagement changes, you open yourself up to potential liability.”


VIRTUAL RISKS

Cyber-liability is increasing year over year, according to Ference. “When it first became prevalent, it would take the form of a lost thumb drive or a stolen laptop,” she said. “We would educate firms on what their obligations were under state breach laws. We’re beyond that today. Now, we see more awareness and caution on the part of firms.”

“Like lawyers, title agents, investment advisors and any professionals that have a custodial duty to protect client funds, accountants are on the front lines of the current cyber war,” said Rickard Jorgensen, president and chief underwriting officer at Jorgensen & Co., a professional liability and risk management consulting firm. “In recent months we have seen the number of attacks against firms increase exponentially. Even our organization was the subject of a ransomware attack, which we were only able to thwart with solid backup systems and good tech people.”

“There is a battle going on for your clients’ money,” he said. “The next expanding cyber-exposure is fraudulent wire transfers. In the past few years, we have paid a number of these claims, some in the six figures. The essence is that an accountant is duped into sending funds to a client, which later turns out to be a criminal pretending to be that client.”

The trend is growing, and is not going away, noted Ken Wigboldy, vice president of claims at Camico. “E-mail communications have been manipulated and controlled by hackers, who will commandeer both the client’s and the CPA firm’s e-mail to make fraudulent requests for fund transfers. This is called a ‘man in the middle’ attack, and it can be difficult to figure out that communications are being manipulated by a third party, because the requests look like they are coming from the client. This can even involve voicemail messages being delivered to an e-mail account, which a hacker can use to view voice messages as well as e-mail messages.”

“It’s essential for firms to avoid getting lulled into a sense of comfort with e-mail and other communications,” Wigboldy said. “Any wire transfer requests made via e-mail should be confirmed verbally over the phone with the client. This includes confirming the dollar amounts, the name of the financial institution, and the actual bank account number. It never hurts to call senders to verify e-mail or attachments and links before you open them.”

“Cyber is creating new avenues for claims against accountants,” said Matthew Tornincasa, a partner in Shendell & Pollock PL. “And the risk is not always on the accountant’s side. It’s often on the client’s side.”

“In one case, our insured had excellent Internet security and was fully updated. But the client had been hacked. Our insured was receiving false instructions, and the case, still in the pleading stage, is predicated on whether our insured should have had red flags to indicate that their client’s system had been compromised, and taken steps to verify that the instructions they had received were genuine,” he explained.

CPA Mutual’s Thompson underscored the importance of coverage. “I can’t stress enough that if you don’t already have cyber-insurance, buy it,” he said. “If I were practicing today, there’s no way that I would do it without cyber-coverage. And it’s very affordable. Most insurers don’t understand what their exposure is — once these claims start rolling in, we’ll see an uptick in the premiums.”

DISCIPLINARY ISSUES

Thompson cautioned practitioners to be aware of the dangers lurking behind disciplinary proceedings. “There are incidents where a firm provided services for next to nothing that it could lose its license over,” he said. “It can become a reciprocal disciplinary proceeding. For example, the [Department of Labor] comes in and reviews the audit of a 401(k) plan, and finds errors in the audit. Then the AICPA and the state boards sweep in behind the DOL and the problems multiply.”

In fact, disciplinary proceedings can be brought on by lawyers in hopes that the state board will investigate, according to Tornincasa. “When we see a civil complaint, it often repeats findings of the state investigator,” he said. “It’s a good reason to take any licensing inquiries very seriously and get counsel involved early. In many instances, if there had been a more thorough response provided initially to explain why there was no basis to go forward, the investigation might have ended there. But once an expert has been appointed, they are not limited to the allegations in the complaint.”

The change in filing deadlines for partnerships and C corporations, and the failure of some practice management software to get it right, has created potential liability for accountants filing extensions, according to Ron Parisi, a partner in Orchard Accounting and an attorney and former insurance company executive. “It’s definitely a struggle to watch on fiscal-year returns,” he said. “My own practice management software didn’t get it right. A lot of CPAs missed those deadlines.”

“There is a big stress on management of accounting firms to utilize technology and not be left behind,” he continued. “But the risk assessment piece is often overlooked, particularly with regard to client confidentiality. For example, using an application on a mobile device to share information can put client confidentiality at risk.”

Despite the issues generated by changes in the rules and in technology, client selection and engagement letters are the necessary basics, according to Ference and Sukert.

“No matter how complex the world gets, basic blocking and tackling for CPA firms — client selection and engagement letters — will take care of the vast majority of issues,” said Sukert.

For reprint and licensing requests for this article, click here.
Cyber attacks Cyber security Fraud liability
MORE FROM ACCOUNTING TODAY