While accountants are among the unsung heroes of the ongoing pandemic recovery, the changing landscape of practice has made them vulnerable to risk.
“Practitioners were faced with so many different issues,” observed Ken Mackunis, executive vice president of Aon Professional Firms, the broker and administrator of the AICPA Professional Liability Program. “When the pandemic hit, people needed help in all different ways, from their personal well-being to helping us as a society by advising on government relief programs and regulatory requirements. At the same time, they broadened somewhat their exposure to risk.”
“CPAs have always had a role as a trusted advisor, but during the past year this role expanded and intensified,” he continued. “They provided guidance on the many government programs, and dealt with federal, state and local requirements. This pulled many CPAs into a whole other arena with respect to risk being taken on. At the same time, court operations were halted or interrupted, which affected the approach to handling claims or potential claims.”
The cybersecurity landscape changed markedly during the pandemic, Mackunis noted. “The right systems had to be in place for people to cooperate remotely through cellphones, computers and other electronic devices. Hackers were aware of this change, so the dark side got more aggressive. We saw the rise of ransomware attacks increased 400% year over year, on top of a 197% increase the year before. Hackers using ransomware even sold tools on the dark web to enable other hackers to do the same.”
Mackunis cited four areas that have unique issues of concern:
1. Special purpose acquisition companies. “These are getting our attention, and a lot of regulators’ attention,” said Mackunis. “They can be involved in all different kinds of services. There is tons of speculation in SPACs, and where there’s speculation, there’s the risk of fraud and potential conflicts of interest. The CPA should be very risk conscious as they step into supporting these transactions.”
2. Conservation easements. “These have been on the radar for awhile,” said Mackunis. “They have led to higher severity of claims, so we caution CPAs to be specially aware of the potential for risk.”
3. Microcap insurance companies. “These are being scrutinized more by the IRS. When a larger business uses its own money to fund its insurance risks, CPAs should take care in providing advice to ensure that the structure is handled the right way and the tax considerations are addressed the right way,” he said.
4. High-net-worth individuals. “There is a broad expectation on advisors. Sometimes, accountants are not as clear as they should be. As the situation changes, there should be documentation to reflect this,” he added.
“All four of these issues are important, not so much for frequency of claims, but they’ve generated a higher level of severity of claims over the last few years,” he said.
With so many old and new risks intensifying over the course of the pandemic, common elements of risk hygiene are even more important than ever.
For instance, risk advisors have been pushing for the use of engagement letters for years, Mackunis observed. “Outside of attestation services, where their use is required, when we look at claims, roughly 60% to 65% of recent claims did use engagement letters. That’s more than half, but over the last decade that hasn’t changed. We would love to see the use of engagement letters increase in tax services and advisory services. They are critical to an understanding between the CPA firm and the client. When there’s a dispute, the engagement letter is there to help the firm right out of the gate. It leads to better settlements. As the role of the CPA continues to move more toward advisory services, that documentation of advice and having a common understanding of what advice was provided is important.”
An eye on cyber
The risk landscape has changed, agreed Stephen Vono, senior vice president at professional liability insurer McGowanPro. “Information security and cyber liability issues have amped up in the last year just because there are a lot more claims. As a result, every liability insurance policy is going up in premiums,” he said. “Ransomware is a huge issue; a lot of insurance carriers are requiring that internal controls on technology are tightened up. It’s a big issue. Some cyber liability carriers are nonrenewing policyholders where they fail to implement recommended internal controls. Policyholders find it harder to get quotes, and find a lot of hoops to jump through, basically because cyber liability guidelines are being tightened.”
“If you filled out an application for cyber liability insurance in the past without checking the box as to certain internal controls, the carrier might have insured you but not covered that particular issue,” he explained. “Now they won’t even write the policy.”
In addition to accounting firms and their clients, insurance companies themselves are the target of hackers, according to both Mackunis and Vono. “It’s the nature of the type of data that is collected and then put out and sold on the dark web,” observed Mackunis. “I don’t think we’re going to see the types of targets change as we go forward.”
In fact, published reports noted that CNA Financial recently paid $40 million to unlock its software after a ransomware attack.
‘Hypersensitive antennae’
In light of the current economic challenges, accountants will need to be prepared and vigilant to minimize professional liability claims, observed Suzanne Holl, senior vice president of loss prevention services at Camico. “The public, including clients and jurors, perceive that the CPA’s fundamental job is to ‘advise and warn’ — to advise clients of opportunities and to warn them about risks.”
“The CPA’s ‘advising and warning’ antennae should therefore be hypersensitive now,” she said. “Expectations are elevated, and when something goes wrong, behaviors begin to change, sometimes to the point where clients will perceive the CPA as having failed to advise and warn. Professional skepticism should also increase, not just to protect the accountants themselves and their clients, but to protect other key stakeholders — for example, the readers of the financial statements and lenders. History has proven that desperate times will cause some clients to take desperate measures, leading to deceit.”
While accountants empathize with their clients and have been more than willing to help where they can, they must guard against becoming a victim for their clients, Holl indicated. “Loyalty to a client doesn’t take precedence over maintaining professional standards of integrity, independence and objectivity,” she cautioned. “It is not worth jeopardizing one’s reputation or financial security in an attempt to mitigate or minimize client dilemmas.”
The struggling economy and financial strain will also increase the pressure and rationalization for fraud, according to Holl: “For example, organizations in nearly every sector are cutting expenses and laying off workers. Furloughs and reduced expenditures can compromise existing internal controls and lead to fewer fraud prevention measures. Our claim experience has shown that when people perceive an opportunity to commit fraud and get away with it, they are more inclined to do so.”
The public expects accountants to have a “nose for fraud,” regardless of the limitations of the engagement, Holl observed. “The expectation that CPAs will detect fraud is extremely difficult to meet, but the expectation to advise and warn is much less difficult,” she said. “By advising and warning clients of their fraud and defalcation exposures and responsibilities, CPAs can minimize their liability stemming from the expectation that they will detect fraud. Regardless of the services performed, CPAs cannot provide absolute assurance that fraud has not been committed.”
Holl recommends that accounting firms work to address difficult economic times by identifying clients that may pose a higher level of risk, increasing their level of professional skepticism, and prioritizing defensive documentation, including engagement letters.
“Significant client meetings should be followed up with a written memorialization of who was present, what was discussed, action items agreed upon, and who was responsible for each,” she said. “A written memorialization is probably the most important tool you can use to communicate with your client and to ensure that both you and the client are proceeding with the same expectations and assumptions.”
Remote risks
Holl noted an uptick in the frequency of social engineering scams, phishing and fraudulent wire transfers.
“Fraudulent email requests for wire transfers cause large dollar losses,” she remarked. “If the fraudster controls the client’s and the firm’s email, commonly referred to as a ‘man in the middle’ attack, and the fraudulent request mimics previous legitimate requests, it is very difficult for the firm to identify the request as illegitimate.”
“Any request for money to be transferred to a bank account unfamiliar to the CPA is a red flag, especially if the new account is in another country,” Holl advised. “If the firm’s protocol with clients is to permit requests for wire transfers to be made via email, then the firm should establish — and follow — procedures to confirm requests using a mechanism other than email.”
For the most part, accountants have not suffered financially during the past year, and many have seen an uptick in revenue derived from assisting their clients in applying for various government programs, observed Rickard Jorgensen, president of specialty insurance broker Jorgensen & Co.
“Many firms were nimble enough to relocate key staff members to home offices or remote locations,” Jorgensen said. “Although there have been some IT and cybersecurity challenges, much of this transfer of professional services has been successful. Clients have been understanding, as they have shared many common obstacles.”
“The return to the office has been much more cautious, and with the increasing number of Delta variant outbreaks, the momentum for a full office operation has been curtailed,” he noted. “Because of the reluctance to get vaccinated and use face masks in certain states and segments of the population, the smart money is predicting another major outbreak in the fall, which could lead to another lockdown. Most firms are aware of this and are planning accordingly.”
“So far, the insurance industry has not devised a solution to transfer or mitigate pandemic risk, and is preoccupied with litigation to avoid paying consequential business interruption claims,” Jorgensen said. “There are some insurance products in development, but so far nothing available to CPA firms. A new product to transfer pandemic risk would be a boon to the profession, as it would allow firms to plan for the next outbreak and smooth some of the consequent expenses.”
The question foremost on the minds of many accountants faced with a cyber claim is whether or not they have coverage, according to John Raspante, the director of risk management for McGowanPro.
“There are a lot more breaches, and criminals take advantage of of all types of entities. It creates an opportunity in the criminal mind to attack the vulnerable, and a lot of time it’s the CPA firm client,” he said. “We get calls weekly regarding a ransom request. It’s a huge embarrassment — they have to notify the attorney general and their clients, then find out what exclusions are in the policy. Usually their coverage is put in through an endorsement to the policy. It can be misleading because firms may think they have coverage up to the policy limit, whereas the endorsement could be limited to $50,000 or $100,000 on a $1 million policy.”
Finally, firms need to be aware that part of the changing landscape is “social inflation,” according to Mackunis: “We see this creeping into juries as well as the plaintiffs bar. They’re demanding higher settlements because they know that juries have a greater sensitivity to the alleged injured party than to a large organization. We feel that it’s a societal shift that’s creeping back into disputes.”
