The old adage of "Put it in writing" remains as valid today as ever as a hedge against firm malpractice claims.
"A properly worded engagement letter that includes a clear statement of the professional services provided, that is updated frequently for changes in activities, and contains reasonable limitation and mediation language is the best shield to a malpractice claim," said Rick Jorgensen, president and chief underwriting officer at Jorgensen & Co., a professional liability and risk management consulting firm. "We have seen many instances where a CPA firm gets dragged into costly litigation because of the professional relationship with a client that was not clearly described."
For example, Jorgensen recently reviewed a file where a CPA became involved with litigation concerning a complex investment strategy promoted by the client's law firm. "The CPA firm merely provided limited tax preparation services and was not involved in promoting or evaluating the investment strategy," said Jorgensen. "The IRS ultimately denied the validity of the strategy and the client was faced with fines and penalties. The client sued the CPA and contended that he should have known that the strategy was flawed. Due to the fact that no engagement letter existed evidencing the limited services provided by the CPA, the CPA could not develop an adequate defense and the insurer settled for over $100,000."
SPELLED OUT
"Quite simply, the key to a successful defense is ensuring that the client knows what the CPA is not doing, as much as what the CPA is doing," he said.
Suzanne Holl, vice president of loss prevention at Camico, agreed, noting that the engagement letter book Camico issued years ago is still a top seller. "So much of mitigating risk in an accounting firm is about having really good client communication, establishing the expectation between your firm and the client," she said. "It's important to establish the scope of your services and make sure the client understands the limitation of those services, as well as what their responsibilities are to provide you with information."
One of the things that has changed, she noted, is the importance of defensive documentation. "In addition to the engagement letter, we encourage CPAs to remind their clients by periodically sending letters to them highlighting the importance of steps they should take in monitoring activities in different areas. For example, one of the most frequent calls we receive today is on things like fraud - what is the exposure of the CPA, and how can they help their client without putting themselves at risk. Either they uncover the fraud, or the client has brought it to their attention. Defensive documentation helps mitigate potential exposure to risk by helping the client think through the potential threats and implement specific safeguards."
WATCH WHAT YOU TWEET
Another emerging issue is social networking. "We get a lot of calls on this," said Holl. "Social networking can be a wonderful resource for a firm, but it's also a source of potential exposure. The rule of thumb when dealing in this environment is to make sure that everything you put down is something you would want everyone and their mother to see. Once it's out there, you can't retrieve it. So we encourage firms to educate their employees to consider, before they type in Facebook or Twitter, whether they would feel comfortable seeing their words in a statement to the jury."
Fee suits, especially when trying to collect from financially troubled entities, can often lead to professional liability counterclaims from the client, noted Holl. "This is not new," she observed. "The first newsletter Camico published in 1987 featured when it is appropriate to sue for fees. We stress the importance of retainers and staying in communication with potentially troubled clients."
Data security is an increasingly important issue, Holl said. "The potential for identity theft has grown, along with a barrage of state and federal regulations on safeguarding client information," she said. "Secure client portals are one way to avoid sending data back and forth in e-mails. However, the CPA firm should make sure they have defensive documentation that addresses that they have done their due diligence in evaluating the firm that implements the portal."
Tom Hennell, chief marketing officer at NAPLIA (North American Professional Liability Insurance Agency), likewise believes that CPA firms are increasingly vulnerable to data security issues. "Information security is the largest trend we see in terms of protecting firms," he said. "CPAs need to be educated on their state data security laws, and start protecting themselves."
In one cautionary case, a CPA firm hired an outside IT consultant to provide service for the safeguarding of confidential information, including the latest firewalls, virus protection and computer security, Hennell said.
Laptops containing sensitive information were not allowed to be removed from the office, the server room was locked down, and the office had a 24-hour security system tied directly to the local police station. System backups were performed nightly and tested twice a year. Employees were required to be bonded and the firm used an outside HR firm to conduct employee screenings.
"The firm took their clients' personal information seriously and had established a clear paper trail for security breaches except one," Henell said. "Backup tapes were removed each night by a partner and stored at his home. The next morning the tapes were returned and the process repeated each day. The partner stopped to have dinner with his wife on his way home, leaving the backup tapes in the car. After dinner, he saw broken glass on the driver's-side door - someone had broken into his car, taking his laptop and briefcase, including his firm's backup tapes."
"Police were notified and reports were filed," Henell said. "The briefcase and laptop could be replaced, and the backup tapes redone the next day. However, due to state regulations the firm was required to notify all current clients and explain the possibility that they could be victims of identity theft because the tapes included tax information with Social Security numbers, and banking information. The hard costs were small at about $10,000, but the long-term costs are unknown, because the firm doesn't know how many clients it will lose due to the security breach."
AN E&O POLICY ANALYSIS
"The most important thing for accountants to do is analyze their E&O [errors and omissions, or malpractice] policy to make sure it covers all the services they render to clients," said Lilia Rocha, vice president at Momentous Insurance Brokerage. "If a CPA policy says it covers accounting services, are there other services the firm provides? Some might fall outside that definition. In that case, the firm should have the policy wording modified so it protects them."
Rocha said that she normally writes a policy covering "business management services," as opposed to just "accounting services."
As the economy declined over the past several years, fraud and embezzlement claims rose, noted Melissa Thomas, assistant vice president of claims at CNA, underwriter of the AICPA Professional Liability Program. "As the economy gets worse, there are more opportunities for people to steal from their employers and more reasons to commit fraud," she said. "CPAs need to be aware that claims for failure to detect fraud are sometimes brought by clients who received non-audit services, such as tax, accounting and financial statement services."
"The first thing to consider is client acceptance and continuance," added Ellen VanDeLaarschot, risk control director at CNA. "A client with poor internal controls creates an opportunity for someone to steal. There can be a fine line as to how to communicate such weaknesses to the client. For example, even if you're only providing tax compliance services, if it's obvious that the client has poor internal controls, you should bring it to the attention of the client but emphasize that advice on internal control is not part of the tax compliance engagement."
""You also have to be careful of engagement creep," she noted. "For example, a firm that originally was hired to do tax compliance services might end up doing additional work outside the scope of the original engagement agreement. If that happens, you should issue an additional engagement letter. CPAs tend to be very helpful, but we've seen good intentions result in claims against the CPA."
