The COVID-19 pandemic affected nearly all areas of the risk landscape. CPAs were asked to give advice and guidance on the many government programs created to help businesses survive, many clients and their accountants worked remotely, new forms were issued, and cybersecurity continues to pose greater challenges.
“We’re still seeing a rise in cyber claims,” said Stephen Vono, senior vice president at liability insurance agency McGowanPro. “Fraudulent wire transfers are increasing. Anything to do with email or sending money poses a risk.”
Hackers are very adaptable, and are adept at turning a situation to their advantage. For example, a CPA sent their client an invoice for $30,000 that was intercepted by a hacker, Vono remarked: “The hacker was lurking in the email. The client asked how they should pay the invoice, and the hacker, pretending to be the CPA, told him to pay via ACH. So the client paid the invoice and gave the hacker $30,000. This is a good example of another exposure that people don’t think about. Luckily for the CPA, he had commercial criminal insurance that would cover the loss. The larger firms usually have this type of coverage, but the smaller ones don’t — and they should.”
Accountants need to train their employees on responses to email, he suggested: “A lot of people will say that the email looked authentic, but that’s the point of what hackers do. You need to get on the phone and confirm any transactions that involve money. There are many ways to confirm, but it’s vital that staff know what to do to verify that the ‘client’ they’re dealing with is really the client.”
Vono recommended that all accounting firms use the services of an information security specialist.
There has also been a rise in tax claims against accountants regarding the estate tax, he noted. “The problem with estate tax filings is that it can’t be rectified. They’re usually in the higher dollar amounts. And we’ve seen a rise in claims on improper tax elections. Part of the problem is that the IRS is less inclined to grant waivers for first-time penalties.”
The first-time penalty abatement is an administrative waiver that the IRS may grant for failure-to-file, failure-to-pay, and failure-to-deposit penalties as an encouragement to have a clean compliance history. “There was a time when the CPA could argue on behalf of a client and get the penalty waived, but not any more,” Vono said.
John Raspante, director of risk management at McGowanPro, pointed to a rise in claims regarding the Employee Retention Credit as an outgrowth of the pandemic. “IRS guidelines said there had to be a reduction in sales due to a partial or complete government shutdown,” Raspante noted. “There’s also a provision that says even if sales went up but there was a supply chain interruption, it’s the equivalent of a government shutdown. For example, a FedEx truck broke down and couldn’t get the parts needed for repair. As a result, they had to lease additional trucks. This was considered at IRS Appeals as the equivalent of a government shutdown.”
The result has been that there are already some claims against accountants for not taking the position that the guidance allows.
Another big area that has increased claims is residency audits, he indicated: “Many people have left large metropolitan areas and moved. But just by virtue of moving it doesn’t mean that a taxpayer has changed their residence. A person may move from Rockland County in New York to North Carolina and claim they’re now a resident of North Carolina. New York will say they haven’t satisfied the domiciliary rules, and will still impose tax as a resident. Residency audits have always been an area of exposure for CPAs, but they’re magnified now by the sheer number of taxpayers taking the opportunity to work remotely. If the CPA doesn’t get it right, they open themselves up to risk.”
“Derek Jeter maintained a condo in New York City while he was with the Yankees,” Raspante said. “He established that he was a Florida resident, and was outside New York the required number of days. New York agreed he was a Florida resident, but had not succeeded in changing his domicile.”
New York domicile does not change until the taxpayer can demonstrate with clear and convincing evidence that they have abandoned their New York domicile and established a new domicile outside the Empire State. It is not enough simply to file a certificate of domicile or register to vote in a new location.
“It’s a tricky area and there’s no uniformity among states,” Raspante observed. “It’s up to the CPA to advise their clients correctly.”
Failure to file Form 5472, an information return required when a 25% foreign-owned corporation is doing business in the U.S., can result in a $25,000 penalty on the shareholder responsible for notifying the IRS, Raspante added: “We’re just starting to see a lot of suits against CPAs who did not advise their clients about the form, or who did advise them but the clients ignored the advice.”
“We’re seeing an increase in the number of cyber-related claims impacting CPA firms and, unfortunately, the severity of these cyber crimes and ransomware attacks has grown,” said Suzanne Holl, senior vice president of loss prevention services at insurer Camico. “Cyber criminals naturally target CPA firms and tax professionals because of the abundance of client data on the firms’ computers. As CPAs, we always take client confidentiality very seriously, and firms have been doing a good job. But there’s been an uptick in third-party liability, where the clients themselves are attacked.”
“These situations often arise when a client has been hacked and the hacker has penetrated the client’s computer system,” she said. “Once inside, the hacker can cause all manner of losses for which the CPA firm may be blamed, in whole or in part. Many of these tend to be high-dollar claims against the CPA firm. The claims typically include allegations such as failure to detect the red flags associated with communications that were executed by the hacker, falling below the standard of care by initiating wire transfers, later determined to be fraudulent, without proper client authorization, failure to ‘warn and advise’ clients of the potential risks involved — and the list goes on.”
“Most cyberattacks that take place with accounting firms today take advantage of two common cybersecurity risks — social engineering attacks that trick users into inadvertently providing access, and security misconfigurations that are often just human error.”
“A firm’s best protection against social engineering attempts is to continuously raise awareness of the importance of vigilance and enhanced skepticism with every email and online interaction,” Holl said. “Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize a firm’s potential exposure, as employees will be better able to recognize social engineering attempts. To be of ultimate value, it is important for firms to commit to the principle of continuous education, because the threat landscape doesn’t just stop evolving when your employees’ cybersecurity training is done.”
Most accountants are familiar with engagement letters as a defensive mechanism, according to Dave Sukert, senior vice president at Aon, the broker and administrator of the AICPA professional liability program.
“But they don’t use them when they should, which is all the time,” he said. “The reasons are they don’t want to bother the client — they ask for so many other things that they don’t want to ask for engagement letters.”
They should look at an engagement letter as an opportunity to communicate with the client, Sukert believes: “Given the last two years when we haven’t engaged as much as we would like, the engagement letter provides a great opportunity to reach out to the client.”
Engagement letters help set expectations for both parties as to what the practitioner will provide for the client, and what the practitioner expects from the client.
“The biggest part is that if something goes wrong later, you have documentation, and it provides a basis for a defense against a claim,” Sukert said. “It’s not perfect, but if you don’t have it, you’re in worse shape than if you did.”
A common mistake is the failure to update an engagement letter. “People use a generic ‘evergreen’ letter,” he said. “It’s OK to have one, but it should be updated and specifically tailored whenever there’s a new engagement. And it should make reference to things the practitioner will not provide, as well as what will be provided.”
If the client will agree to it, include a limitation-of-liability clause, such as two times the fee, Sukert advised.
“Practitioners have to think if what they’re asking the client is reasonable,” he said. “Setting the ground rules and expectations for both sides is very reasonable.”
And if the firm pulls out of an engagement, they should make note of it in a disengagement letter, he added: “There’s a chance that the client might think the firm is still advising them on a particular matter.”