In their preparation for the filing season ahead, most tax professionals are aware of the risks inherent in their profession. However, their list of things to do rarely includes the full attention to risk avoidance that is desirable, according to Alvin Fennell, vice president, senior risk advisor and underwriter at Aon, the national program manager for the American Institute of CPAs professional liability program.
"The top issue right now, and one of the things we're most concerned about, is protecting them from cyber attacks and the liability that arises from them," he said. "Many don't have a clear understanding of how to protect themselves from cyber attacks. They may not carry enough protection because they see the risk more as a large-entity risk. But from the personal information standpoint, they are high targets."
The industry is becoming more conscious of the risk, requiring CPAs to have internal controls for data protection. "The task is getting accountants to understand things like virus protection, firewalls, software updates and so forth." he said. "They must understand the necessity of staying on top of these. Do they replace default settings and make sure that security configurations are updated? Do they have control over access to information on mobile devices, including updating passwords to maintain password credibility?"
Fennell noted that the training of staff is a routine task for accountants that is often overlooked or given short shrift, since it takes away from the time available to accomplish substantive tasks.
"It's one more thing that needs to be emphasized in the training of staff," he said. "They need to be sensitized to the importance of data protection. It's not if, but when, cyber attacks will assault the accounting firm. They should be educated in the firm's data recovery plan, which would be in place for when there is a breach. There are resources where professionals — 'white hat' hackers — will come in and test the security or firewalls for the firm."
"Once filing season begins, it's a 'mental beatdown,'" he remarked. "That's why it's best to have the full staff, including temps and contract workers, in place and in the right frame of mind at the start."
The talent shortage is causing many firms to look for additional resources outside the firm, including outsourcing, according to Fennell: "They need to make sure they can provide the right services and relationships for their clients based on the talent they have."
Engagement letters are often an uncomfortable, but necessary, part of the practice. Accountants especially need to ensure that they evolve along with the relationship, Fennell emphasized.
"The CPA may make a statement based on a casual question or conversation without realizing that the client will take it as part of the engagement," he explained. "Make sure the engagement letter evolves along with the relationship to match current services they are providing."
"Accountants that are shy about updating engagement letters often protest that the client has been with them for years and has never had a problem. In that case, blame it on the underwriter," Fennell added. "Tell them the underwriters are requesting it."
Lawsuits involving CPA firms are rising, and they need to see themselves as attractive, high-risk targets, according to Fennell.
"Hackers are out there, constantly trying to find ways to breach security," he warned. "The firm may get an email that looks and feels right, and asks for a transfer of funds. Make it a procedure to have several layers of security — always follow up with a phone call to confirm as an additional step. Create layers of due diligence when handling funds."
Where firms are hiring entities to provide back-office services, it may be wise to notify the client who is providing those services.
"Don't assume responsibility that should be held by the client," Fennell noted. "Make sure that you are not expected to perform duties that would be the client's responsibility. For example, in hiring staff, you might provide information and options, but it is the client that makes the decision."
