The latest in liability
Nobody likes to be placed on the defensive, but that’s the position in which CPAs in a malpractice suit find themselves. And it’s worse than most would imagine, according to Bill Thompson, president of CPA Mutual.
“Most people don’t realize the time it takes to settle a large suit,” he said. “It typically takes four to five years to settle a claim of $500,000 to $1 million. And even though you may be over the deductible, I remind people that just the amount of time getting ready for depositions, for a trial, to attend a mediation or an arbitration only to have it canceled, takes a large chunk out of your life. And it’s not a pleasant experience. I’ve seen it take a mental toll on people.”
For example, in a large claim, the plaintiff’s attorneys walked into a mediation meeting and said that they weren’t there to talk about the claim per se, but to find out about the personal assets of the CPA, Thompson said. “They wanted to intimidate our members by putting them on notice that the policy limits wouldn’t be enough to settle the claim,” he said. “That gets your attention when you’re looking at a claim for a multiple of the policy.”
“One of the things that you’re trying to protect is your time,” Thompson said. “You can never recover the amount of time you lose when you’re involved in a claim. Not only money but the reputation of the firm is at stake. And of course, tied in with money is the ability to buy insurance.”
“A CPA whose firm becomes uninsurable will find it difficult to sell the practice,” he said. “And if you’re a mid-market firm that wants to grow your business by hiring a hotshot rainmaker, will they want to work for you when they find out you’re uninsurable? Ability to insure, and the price to insure, are factors that not many consider.”
Perils for practitioners don’t go away, but more issues get added to the list of concerns, according to insurance experts.
Client selection, dabbling, and failure to use engagement letters remain high on the list, while cyberthreats, sexual harassment and tax reform are surfacing as potential pitfalls.
“Foundational items like engagement letters are still items for discussion,” said Dave Sukert, senior vice president at Aon Affinity. “There’s no way you can manage expectations until you set them, and setting of expectations should be encompassed within the engagement letter. Sometimes CPAs are hesitant to ask clients to sign an engagement letter, particularly if they’re long-term clients. But if something goes wrong, an engagement letter gives you a fighting chance.”
Engagement letters should not only be updated annually but also during the course of the year when the client asks for additional work, cautioned Sukert.
“Make sure you document any conversation related to the request for additional work,” he advised. “If it’s not memorialized, you and the client may have different takes on what was agreed upon. Sometimes practitioners are reticent to have this discussion, but it’s for their own protection and also for the protection of the client.”
More accounting firms are providing consulting services, Sukert noted: “As opportunities arise, accountants can get to a place where they’re practicing outside their expertise. They want to help their clients — this is a virtue, but they have to have the realization about what they know and what they’re good at. We see an increasing number of claims where the practitioner was clearly out of their depth.”
“We see a huge increase in firms providing ‘CFO to go’ services,” he added. “Payroll, employee benefits — anything an internal comptroller would do. It’s a great opportunity to do more for the client and drive revenue, but you also put yourself in the crosshairs if something goes wrong. You don’t want to hear, ‘I thought you were going to take care of paying this tax for me.’”
“‘Most trusted advisor’ is a great moniker, but it can be a two-edged sword,” said Sukert. “CPAs truly feel they want to help, but when a claim comes around the client can say, ‘I trusted you to find that fraud.’”
“The #MeToo movement has shed a spotlight on sexual harassment, so professional firms should be looking at that,” said Sukert. “Accounting firms have been slow in responding to this. Their mindset is that, ‘We’re a small firm and we’re all one family.’ But they’re becoming aware of the risk.”
From reform to reefer
The breadth and scope of tax reform poses risks to CPA firms, according to Suzanne Holl, a CPA and senior vice president of loss prevention services at Camico.
“The Tax Cuts and Jobs Act has brought about uncertainties and new concepts that are further complicated by the extent to which individual states will conform to the law,” she said. “Our claims experience shows that CPAs who successfully manage client expectations are more likely to ‘get it right’ and avoid becoming victims of potential liability exposures.”
“We recommend that CPA firms send notification letters regarding some of the significant highlights of the TCJA to both individual and business clients, encouraging them to contact the firm if they feel that they may benefit from tax planning assistance. The important point is to adequately communicate and document the significant tax act implications to clients that might be impacted. The firm should maintain and retain a list detailing to whom the letter was sent.”
Firms should be wary of clients who choose not to engage the firm to provide tax planning services but who have a “quick question” on some aspect of the law, Holl observed.
“These situations can pose risk to the firm if not adequately documented and disclaimed,” she said. “Firms may want to consider having language in their engagement letters that specifies that it is the firm’s policy to put all advice upon which a client intends to rely in writing. The language should state that the firm believes this is necessary to avoid any confusion and make clear the specific nature of the firm’s advice, and the client should not rely on any unwritten advice from the firm.”
The stock market has done well in the last two years, and consequently the number of claims arising from personal financial planning has reduced considerably, according to Ricard Jorgensen, president and chief underwriting officer of CPAGold.
“However, the smart money is saying that this is not going to continue and a correction is imminent, probably in 15 to 18 months. If this happens, there will be a consequent increase in applicability claims, where clients allege that a portfolio was inappropriate for their risk profile. So it may be timely for CPAs that provide investment advisory services to review client investment portfolios and gradually move to a more conservative balance, regardless of client risk appetite. This will go some way to reduce the likelihood of malpractice claims,” he said.
“Some CPA firms are expanding their practice to provide services to the cannabis growing and distribution industry,” Jorgensen noted. “The guidance provided by various state boards of accounting give a certain level of comfort, and the ‘demon weed’ is legal in a number of states. However, it is still illegal federally and all insurers’ policies contain a fraud and criminal acts exclusion. In the best case, a malpractice policy provides defense coverage until a CPA is found guilty, and covers non-guilty parties 100 percent. In the worst cases, the policy states: ‘We are not obligated to defend any criminal investigation, criminal proceeding or prosecution against you.’”
Jorgensen urges caution on the part of firms considering engaging in providing such services.
“Our advice to clients is to stay clear of this activity, even if the local state board of accountancy says it’s OK. They’re not going to pay the legal bills if the feds turn the spotlight on the CPA,” he said.
In fact, he notes, insurers themselves, in accepting premiums from a firm providing services to a “criminal enterprise” might be deemed subject to RICO (Racketeer Influenced and Corrupt Organizations) statutes or the Bank Secrecy Act.
Cyber-risk, which seemed an exotic topic just a few years ago, is now mainstream and on everyone’s mind, according to Stephen Vono, president of McGowanPro.
“Yet we still see CPAs falling prey to phishing scams,” he said. “The CPA who controls funds for a client gets an email from the client requesting a transfer to a certain account. The email might say that the client is traveling, and give an alternate phone number to confirm. The CPA wants to do good service, so goes ahead and makes the transfer. Of course, the email was fraudulent and the money is gone.”
A related issue involves client information security, Vono said. “There have been claims in this area. The CPA can be in violation not only of state laws, but professional ethics rules.”
“Most professionals think the way to attack this is on the technical side — passwords, firewalls and backup servers,” he said. “But the No. 1 reason for lost information is human error.”
The solution to both issues — phishing scams and information security — is training, Vono suggested.
“Ask yourself, what can I do today to protect my client information? The term ‘mindfulness’ is used in this area,” he said. “Be aware of the environment in which you’re operating, and be aware of the risks of phishing and lost information. The administrative staff should also be trained in this area, as well. There have to be policies and procedures in place, and they have to be followed.”
“The IT people may not be completely suited for the security aspect of their role,” Vono noted. “The larger firms have the resources, but the smaller ones may not. For example, if someone’s workstation is infected by a virus, the IT response may be to come in and scrub. Instead, they should unplug it from the network, because the machine has been breached and has malware installed on it.”
A state law may require training, and a contact person to maintain an information security program.
Vono cited Massachusetts’ CMR 17, which sets standards for protecting personal information contained in both paper and electronic records. The law states that every comprehensive information security program should include one or more employees to maintain that program.
“We recommend that, when possible, at least three people in a professional service firm be on the designated security committee,” said Vono. “They should include a partner with a global perspective of the firm, the firm administrator or chief operating officer with a nuts-and-bolts knowledge of the daily operations of the firm, and an IT or security specialist.”