ssAdmin, Author at CAMICO

Engagement Letter Do’s and Don’ts

ssAdmin — Wed, 14 Jan 2026 00:16:38 +0000

Signed engagement letters help CPA firms improve communication with clients and protect the firm from litigation as “the first line of defense.” Use the following tips to help you write more effective engagement letters.

Engagement letters should…
• State the purpose of the engagement.
• Define the scope and limits of the engagement.
• Specify known negative conditions or adverse situations.
• Include client instructions, responsibilities, deliverables and dates.
• Note reliance on facts provided by the client.
• Outline terms of fee collections and the consequences of late payment.
• Include a stop-work clause.
• Indicate the firm’s record retention policy.
• Include third-party service provider language, if applicable.
• Include alternative dispute resolution language (i.e., mediation for all disputes and an arbitration clause for fee disputes only).
• Confirm client’s acknowledgment to the terms of the agreement and request client’s signature.

Additional considerations
• Include protective language in traditional tax and financial statement engagement letters that specifically disclaims the firm’s responsibility related to advising on any legal, regulatory, or employment-related matters.
• Specify the client’s responsibility for the adequacy of a system of internal control.
• If applicable, explain limitations regarding financial statement distribution.
• Evaluate the appropriateness and efficacy of including limitation of liability clauses.

Engagement letters should not include…
• Marketing information. The engagement letter should be viewed and composed as a contract.
• All-encompassing language. Limit the scope of your firm’s work by avoiding superlatives and absolutes such as all, every, any, complete, confirm, totally, validate and verify.
• Legal jargon or ambiguity. Don’t use abbreviations or words only a CPA would understand. Any ambiguity will most likely be decided in the client’s favor in a court of law.

Additional tips
• Avoid evergreen letters — update letters annually to reflect changes in the scope of the engagement.
• Update engagement letters whenever engagements change.
• Avoid usurious interest charges. Instead, assess a “late fee” for unpaid balances.
• For tax engagements, include the full or exact name of the client, entity type, specific state name(s) and tax year(s), and purpose of the engagement.

Save yourself time and energy by using the letters specially crafted for CPA firms by CAMICO experts.
As seen above, a clear, comprehensive engagement letter is one of your best safeguards against future disputes. CAMICO offers policyholders with Professional Liability Insurance access to engagement letter review services. CAMICO’s internal Loss Prevention Specialists are happy to review and comment on your drafted engagement letters – at no cost. Furthermore, CAMICO has 150+ sample engagement and disengagement letter templates available on its Members-Only Site. CAMICO experts designed these sample letters to be clear and understandable for clients, provide appropriate documentation for you, and effectively outline the scope of your work.

The post Engagement Letter Do’s and Don’ts appeared first on CAMICO.

How Your Story Will Be Told to a Jury

ssAdmin — Wed, 05 Nov 2025 20:16:18 +0000

By Ron Klein, J.D.

Among its many roles, CAMICO acts as a gathering and disseminating agent for CPA liability experiences across the nation. For nearly 40 years, we have gathered hundreds of thousands of CPA experiences and distilled the learnings those experiences provided so that we could tell CPAs about the real-world risk implications to their firms.

A perspective that is important for CPAs to reflect on is how their actions – for which they are getting sued – will be portrayed to the jury. The gap between the experienced reality and the story told at trial can be significant and is illustrative of what CPAs need to do today to minimize risk tomorrow.

When looking at a situation in hindsight, it is important to note that history can sometimes be “rewritten” to benefit the client: “Why didn’t my CPA warn me about what was going to happen? I was relying on my CPA’s expertise for financial help.” The good news, however, is that CAMICO’s vast experience and research help to inform us as to what factors and preconceived notions sway jurors. As such, the advice and guidance you will find in this article are designed to raise your awareness and help you to recognize (before the “milk is spilled” and a claim occurs) what the triggers are that may sway jurors, as well as proactive risk management steps you can take to improve your chances of having history favorably rewritten with a jury to your benefit.

For example, let’s take a “garden variety” embezzlement claim. As the CPA experiences it, it goes something like this:

For the past six years, the CPA has been providing tax preparation services as well as occasional assistance to the sole accounting employee, including closing the books at the end of the year. During this period, the CPA meets face-to-face with the client/owner less than a dozen times, visits the client’s office another dozen times, and communicates by email and phone several times a month, usually with accounting. While helping to close the books at the end of year six, the CPA finds a number of vendor payments in a suspense account. When the CPA asks the owner about the payments, the owner does not recognize any of the vendors. And the embezzlement quickly unravels. It turns out that the accounting employee had embezzled over $275,000 over the past ten years, having begun four years before the CPA even obtained the client.

After a few years of litigation, including over 700 written interrogatories, 80 hours of depositions and 90,000 documents, the attorneys on both sides now have a better understanding of what occurred than any of the participants, including the CPA. What does the jury hear? Given the necessary compaction of time, each attorney, for the plaintiff and the defendant, will focus their cases. Each of them will select four or five key documents and some testimony each feel is particularly impactful (usually from an expert and one or two eyewitnesses). The jury will have no sense of the actual expectations of the client/plaintiff before the discovery of the embezzlement. Juries most often place little weight on the professional standards that guided the CPA.

From the testimony, evidence and argument, each juror will decide. From jury research and many previous embezzlement claims, CAMICO knows that juries will likely decide based upon:

Whether the jury believes the CPA “warned the client of risk and advised the client of opportunity” in financial and tax matters. In embezzlement cases, this burden is increased because juries believe CPAs are the fraud police and embezzlements are common. Most juries believe that the CPA’s “advising and warning” antennae should be hyper-sensitive during difficult economic periods. Some even believe “anyone can do a CPA’s job when times are good, but when we really need the CPA — that’s when the CPA should really be tuned in.” In other words, expectations are elevated when economic times are challenging.
Written documentation (“in plain English and not legalese-speak”) to support the scope and limits of the services the client engaged the CPA to render. It is ideal to have a signed engagement letter that is current and specifically mentions that the services contracted for are not designed to detect fraud. Second, a written communication informing the small business client of embezzlement risk, which needs to include ways the client can manage embezzlement risk, including the importance of timely bank reconciliations, requiring substantiation for each check, and monthly review of the bank statement by the owner. This written communication allows the CPA’s attorney to make the argument that the CPA warned the client of the risk of embezzlement and advised the client of actions to take that will reduce the risk to client. With the good evidence described above, the CPA attorney will be able to turn the tables on the client, forcing the jury to consider whether the client met his obligations to protect himself. The best offense is a good defense.

Is it necessary to have the engagement letter signed and current, and the communications in writing? Absolutely. Jurors do not like to rely upon verbal communications. Verbal communications are always disputed. Further, the jury expects the party with the power and knowledge (CPA) to have the burden of documentation. This is especially true of CPAs because juries view CPAs’ job as documenting everything significant.

What happens at trial if the CPA did not fully meet the expectations of the jury to warn and advise? Without a good written warning communication about small business risks of embezzlement, instead of the CPA’s attorney arguing that the CPA warned about embezzlement risk and that the client failed to do what was necessary, the client’s attorney will argue that the CPA left the financially unsophisticated client unaware of the risk and unprepared to deal with it. It is not unusual for clients who signed blank checks (for convenience) to argue that their CPA never advised them not to sign blank checks. Thus, rather than the jury’s focus being on how well the CPA warned the client and whether the client took appropriate defensive action, their attention is turned to how and how often the CPA had a chance to catch the embezzlement but failed.

Did the CPA know that bank reconciliations were months behind, or how vendor payments were processed at the client’s office? A jury’s expectations are that the CPA, after six years of service to the client, will have a profound knowledge of how the business works, even with limited services. The CPA’s duty expands with time, in the jury’s mind.

Just as it is the CPA’s job to inform the client of embezzlement risk, it is CAMICO’s job to inform the CPA of embezzlement risk as well. So, it is highly recommended that you consider our guidance, especially for small businesses:

Have a signed and current engagement letter that specifically addresses embezzlement and fraud, and warns that the services requested are not designed to detect them.
Send an initial written warning letter informing the client about embezzlement risk, the appropriate way to process payments, bank reconciliations, and monthly review of the bank statements and checks by the owner.
Be aware of the importance of timely bank reconciliations. If the client is more than two months behind with bank recs, that is an embezzlement alert, likely requiring at least a written communication with the client.

A struggling economy exacerbates the potential for embezzlement claims, as many businesses and individuals are under growing financial strain. Increased financial need will likely increase pressure and rationalization for fraudulent behavior (e.g., “My line of credit has been canceled.” “My retirement funds shrank.” “I need this money.”) Understanding the gravity of these pressures is crucial to effective fraud prevention and detection. Public perception is that CPAs are expected to have a “nose for fraud,” regardless of the limitations of the engagement. The expectation that CPAs will detect fraud is extremely difficult to meet, but the expectation to advise and warn is much less difficult. By advising and warning clients of their fraud/defalcation exposures and responsibilities, CPAs can minimize liability stemming from the expectation CPAs will detect fraud.

The best thing about our recommendations above is that, if followed, not only will they provide you with the best defense should you get sued, but there is also a very good chance that they will prevent or discover embezzlements. In which case, that will make the CPA a hero to the client rather than a target – the best win-win of all.

Ron Klein, J.D., is Risk Management Counsel with CAMICO. He has been with CAMICO since its inception in 1986 and managed the claims department for 25 years.

The post How Your Story Will Be Told to a Jury appeared first on CAMICO.

How to Respond to Subpoenas

ssAdmin — Tue, 10 Jun 2025 21:13:45 +0000

CPA firms are often uncertain about whether or how to respond to a subpoena, as they also need to comply with a number of rules and regulations that are intended to protect client confidentiality. The following Q&A focuses on understanding the nature of subpoenas and how CPA firms can minimize their professional liability exposures when responding to them.

What is a subpoena?

A subpoena is usually a formal request for documents and/or appearance, typically requested by an attorney in the course of litigation, or by a government agency in the course of a criminal or civil investigation.

What should CPAs do when they receive a subpoena?

CPAs in receipt of a subpoena should consider the information in their client files, along with any recent communications with the client or any parties involved, and then contact the CPA’s professional liability risk adviser or attorney before responding to the subpoena. In evaluating the appropriate course of action for CPAs to take, their adviser may consider the following information:

What is the underlying litigation about? Does the CPA have direct or other knowledge about what the issues are in the litigation?
What is the subpoena asking the CPA to do? Is it requesting that the CPA provide testimony, documents or both? Does the subpoena excuse the CPA from testifying if the CPA provides the documents in advance?
Is the CPA in possession of the information listed? The CPA should review the subpoena and consider whether the firm is in possession of the information. If the information is confidential, such as tax documents, it may be subject to claims of privilege by the client and/or an accountant-client privilege.
Does the subpoena provide a deadline for complying? If the deadline is quickly approaching, or if the subpoenaing party did not provide sufficient time to comply, has the CPA received any communications to suggest the opposing party will grant an extension of time?
What communications has the CPA had with the client? Has the CPA had any contact with the client, the attorneys on the case or the governmental agency? Does that contact suggest whether the CPA is a target or merely a person in possession of information? Is the client taking specific measures to formally object to the subpoena?

Why is the CPA receiving a subpoena?

Typically, an attorney or other party will issue a subpoena because he or she believes that the CPA is in possession of information and documents that will establish facts that are relevant to the underlying case. However, sometimes a subpoena may indicate that the CPA is a target in the underlying case by seeking information that could implicate the CPA as possibly liable for the matter being investigated or litigated.

Is the CPA required to comply with a subpoena? Is a subpoena a court order?

If the CPA has received an order signed by a judge, or a subpoena from a government agency, in most cases the CPA must comply. Government subpoenas generally require compliance, even without client consent or a court order.

However, most subpoenas are preprinted forms that attorneys or other parties fill out to request information. In these cases, accountants are bound by a number of rules and regulations that are intended to protect clients, including Internal Revenue Code section 7216. Under most circumstances, these rules and regulations prohibit the accountant from complying with the subpoena, unless the accountant has undertaken specific measures to protect client confidentiality, including obtaining the client’s consent.

Again, CPAs should contact their risk adviser regarding all subpoenas to evaluate the underlying litigation and the obligation to comply.

Should the CPA report a subpoena to the CPA’s professional liability agent or carrier?

Yes. Regardless of how much or how little information a CPA may have pertaining to the client or former client, it is always important to promptly report the matter.

CAMICO offers policyholders with Professional Liability Insurance comprehensive subpoena and consultation services. These services are designed to assist CPAs in reducing the risk of claims or future litigation. Regarding subpoena expenses that are not related to a reported claim, CAMICO will provide counsel to policyholders to assist in responding to a subpoena seeking documents or testimony. This coverage is treated as a potential claim and offers policyholders a 50% deductible reduction (up to 50K) and locks in coverage during the policy period.

The post How to Respond to Subpoenas appeared first on CAMICO.

The Dos and Don’ts of Disengaging

ssAdmin — Fri, 18 Apr 2025 17:00:10 +0000

By Duncan B. Will, CPA/ABV/CFF, CFE

Whether due to the “great resignation,” the “great reassessment,” or the “baby boomer departure,” the CPA profession is experiencing a diminishing workforce while facing “standards overload,” handling a variety of relief programs, coping with innumerable IRS issues, and dealing with the constant stress of limited resources and elevated client demands.

What can you do?

If you are like many CPAs, you are reflecting on the busy season you just traversed. You are reassessing your quality-of-life chart and have identified issues or clients you wish were no longer accompanying you.

Don’t let the passage of time curb this planning. Yes, now is the time to explore disengagement.

Too many CPAs prioritize the “client acceptance” process and don’t equally follow the important “continuance” component of the client acceptance and continuance process.

Undesirable individuals aren’t the only reason to terminate clients. You should also consider disengaging when:

Clients fail to pay or are slow to pay.
Relationships deteriorate or you no longer possess the competence or capacity to perform the services sought.
The risks outweigh rewards or when there is a conflict of interest.
Your independence (on attest services) is threatened or impaired.

Once you realize the client relationship should end, take a moment to do it right. Disengage in writing, but only after you have laid the groundwork.

Start with verbal communication

Don’t surprise clients you terminate with a letter informing them of your decision. Get personal and talk to them. Recognize that it may be painful and difficult, but the good-natured touch will typically smooth the transition.

Explain your reasoning, listen, and be empathetic.

You do excellent work, you have been a constant in their lives, and the change will likely not be welcomed as they won’t want to lose you. So, expect an emotional appeal. Know it is coming and stick to your guns.

Disengage in writing

Shortly after your disengagement conversation, memorialize your conversation with a “tweaked version” of the hybrid disengagement letter you crafted — in collaboration with a CAMICO Loss Prevention Specialist — using language harvested from illustrative disengagement letters. Yes, you’ve already had the difficult discussion, but your job is not complete until you finish the paperwork. It’s best to expeditiously communicate your decision, but you need defensive documentation of your client receiving your disengagement communique.

Email can be the solution if your client promptly replies to your email. A client’s email response acknowledging receipt eliminates the need to obtain proof of delivery from a delivery service. Use your understanding of the client to best gauge how to obtain that defensive documentation. While email is the fastest alternative, clients may find email too informal and not reply. If not, send a disengagement notification to your client via a mechanism that provides a return receipt or other proof of delivery. Certified mail has historically been the preferred mechanism, but some parties (expecting news they don’t wish to accept) decline to sign an acknowledging receipt. If you opt to send the communique via email, and your client does not reply via email, follow up with a mechanism that provides proof of delivery.

Include your last date of service

Don’t be ambiguous. State the last date of service. Nine times out of 10 it is best to disengage and have no further client expectations. Ideally, you collect on the last item you agreed to deliver and promptly disengage. Often, you are peppered with requests, your client is slow to pay, and you must disengage with work in process or on the horizon. So, state that the most recent deliverable was your last or the penultimate.

Work status/pending due dates

You will want to “exit stage left,” but will be dragged back in if you don’t take the time to state the status of services you were performing and detail the due dates of items on the horizon, regardless of whether you had formally been engaged to perform those services.

Why? Because if you don’t and your client or your successor makes a mistake, you may be blamed for their oversight. Smoothing the transition reduces the likelihood of ruffled feathers that might result in allegations you were negligent.

Account balance status

Outstanding invoices and work in progress are commonplace when accountants disengage. Collecting these fees may prove problematic, but detail amounts they owed you in your disengagement letter, attach copies of the invoices, and state “your prompt payment will be appreciated” to significantly increase the likelihood you get paid. Pointing out the amounts owed also provides psychological leverage against clients’ unreasonable demands and expectations.

Encourage retaining a new CPA ASAP

Be sure to encourage clients you terminate to secure the services of another qualified professional. Doing so is great advice, an act of courtesy, and an excellent defensive measure. The sooner former clients establish a relationship with your successor, the greater the likelihood that clients’ ill will dissipates, and their accounting and other professional needs are timely met.

Occasionally, CPAs are tempted to provide those terminated with someone to consider as their successor. Do not. Instead, when wishing to offer referrals, offer at least two names and encourage former clients to perform their own due diligence. Suggesting one and only one person exposes you to liability should the former client later allege your successor didn’t meet the standard of care.

Cooperation with successor

The sooner and smoother the transition to your successor, the better it is for you and your former client. As such, it’s typically best to make an offer in your disengagement letter to “cooperate as necessary” with your successor.

Your offer to cooperate doesn’t indicate you will bend over backwards or donate your time. Rather, your cooperation will be contingent on factors that need not (and should not) be specified in your disengagement letter.

If your transition assistance is sought, first obtain written authorization from your client to speak openly and share information with the specified professional(s). Second, secure the successor(s)’ signed agreement to the terms of your cooperation (the CAMICO Members-Only Site offers illustrative versions based upon the nature of the services provided), and lastly, consider leveraging your cooperation pending payment of your outstanding fees and possibly a retainer to cover the anticipated cost of your cooperation. However, keep in mind that the AICPA prohibits its members from withholding client-provided records,¹and your state board of accountancy may prohibit withholding records, even though fees are owed for work you have performed.

Disposition of all client records

CPAs are often tempted to enclose client records in the same envelope they send their disengagement letter. Do not. Clients have been known to allege they did not receive the CPA’s disengagement letter. Problems compound if client records are lost.

Instead, ask the client when you converse (or in the disengagement letter) how they wish for you to provide them with the records they desire. And just to be safe, retain copies for your records of any records returned.

Consider sending your letter to multiple parties

If concerned that certain owners or those charged with governance will not hear of your disengagement or your reasons for disengaging, consider the “noisy disengagement” option. Noisy disengagement letters are identical to traditional disengagement letters but are addressed to the parties you are concerned might not promptly learn of your disengagement or your reasoning. Be cognizant of the AICPA’s Confidential Client Information Rule²which prohibits accountants in public practice from disclosing confidential client information without client consent. Sharing the disengagement letter with owners and those charged with governance typically would not violate the Rule but be careful not to inadvertently violate it when wishing to alert others you terminated the relationship.

Be professional, not emotional

It can be cathartic to colorfully detail your reasons for disengaging but be mindful that your openness can have consequences. Experience has shown that letting clients down easy typically results in the quickest and least eventful parting of ways. Having a right to do something doesn’t make it the right thing to do.

CAMICO encourages policyholders to craft their letters using one of the illustrative letters available on the Members-Only Site as a foundation and to share Microsoft Word versions of their hybrid letters with CAMICO. CAMICO Loss Prevention Specialists have helped draft tens of thousands of disengagement letters. Specialists provide policyholders feedback by using the software’s Track Changes feature. Policyholders should use their professional judgment, understanding of their clients, and personal writing style when deciding whether to accept or reject specialists’ suggestions.

Duncan B. Will, CPA/ ABV/ CFF, CFE, is a loss prevention manager and accounting and auditing specialist with CAMICO. He can be reached at dwill@camico.com.

________________________________________

ET 1.400.200, Record Requests

ET 1.700.001

The post The Dos and Don’ts of Disengaging appeared first on CAMICO.

Understanding First-Party and Third-Party Cyber Coverages

ssAdmin — Tue, 22 Oct 2024 17:34:50 +0000

With cybersecurity threats coming from all directions, it’s crucial for CPA firms and their staff to be aware of how the risk exposures impact the firm as well as the client. When there is a claim, it is important to understand how cyber insurance coverages respond and it’s vital to engage with qualified legal and technical experts to produce the best possible outcomes for your firm.

Cyber coverages are therefore divided along two lines:

First party, which refers to losses directly suffered by the policyholder (or insured) firm.
Third party, which refers to damages alleged by clients or other third parties for which the policyholder firm may be liable.

A single incident may give rise to both damages suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The insurance coverages will respond according to which party is bearing losses or alleging damages.

First-party exposures have become increasingly problematic for CPA firms. Here are a few major reasons why:

Cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on the firms’ computers. If they are successful in gaining access to the firm’s information there can be costly measures that need to be taken by the firm.
By inducing a recipient to click an innocent-looking link or attachment, hackers penetrate a firm’s computer system to access client data, read email messages, and commandeer email and other programs. A common scam is to change bank account and routing numbers on client tax returns so that refunds are deposited into the scammers’ bank accounts instead of the clients’ accounts. The costs to complete the forensic analysis, fix the problems, and notify all possible clients would be first-party exposures to the firm. Hackers also use a firm’s tax software programs to falsify and submit tax returns that generate large tax refunds routed to the hackers’ own bank accounts, a third-party exposure to the same hack.
Ransomware attacks and demands against a CPA firm also generate losses borne by the CPA firm. Ransom demands can be expensive, and paying them does not guarantee that files encrypted by the malware will be restored. Rebuilding the firm’s previous work takes time, as information and data need to be gathered, reentered and reconstructed. Such activity is in addition to other data breach expenses if an investigation determines that client data has been compromised.
If a firm’s client data has been compromised, there can be a significant cost to the firm associated with complying with the notification requirements to each potential party whose information may have been compromised.

Third-party exposures often arise when a hacker has penetrated the firm’s or client’s computer system and once inside can cause all manner of losses for which the firm may be blamed. For example:

By using client information, or by commandeering the client’s email accounts, scammers can make purported client email look legitimate and trustworthy, tricking someone at the firm into clicking an attachment or link, which then downloads a virus or malware. Once malware is downloaded, it can enable a hacker to gain remote access to the firm’s computer network, read email messages, and obtain information about other clients and use the information to steal funds.
“Spear phishing” targets a specific firm, or person within a firm, by using client information or a client email account to make fraudulent messages look legitimate. If the hacker squats in both the client’s and the firm’s email accounts, messages going back and forth between the client and the firm can be manipulated on both ends, making it extremely difficult to determine that a “man-in-the-middle” attack is in progress.
Client data can also be mined by hackers to perpetrate large-dollar thefts. A common technique is to identify high-end clients who have given bill-paying or wire authority to firms providing business management services. A hacker posing as a client will email a request from the client’s email account for a wire transfer of funds into an account controlled by the hacker. If the account is in another country, the transferred funds are usually irretrievable. They may also request a new vendor be added and start sending fraudulent bills to be paid to this new fake vendor.

Loss Prevention Tip: Have controls in place and always confirm the legitimacy of an email message before clicking an attachment or link, or taking any action. Call for verbal confirmation, and receive confirmation by an actual phone call—not by email or voicemail. Email and other electronic systems may also be compromised and unreliable in an incident. Voicemail can be hacked as well, making it just as unreliable as email. To further minimize fraudulent wire transfer exposure, the firm should establish written protocols with clients for handling client funds, especially as related to handling wire transfer requests. Consider establishing dollar thresholds above which verbal consent would be required if clients do not want to be “bothered” to approve each request. In addition, document who the authorized client representative(s) would be for providing such consent if/when the client is not available.

Scammers have also been known to use many ruses, posing as (for example):

Tax software companies recommending that tax preparers update their software
The user’s computer “security” system requiring a password
Potential clients soliciting professional services
Legal and technical experts

Loss Prevention Tip: If an email message asks the recipient to click a link or attachment, go directly to the website for information rather than clicking on links provided in the message, or call for confirmation that the email is legitimate and not a scam.

First-Party Cyber Coverage

In the event a firm’s computer system appears to have been breached by malware, a mobile device goes missing, or anything appears to have compromised the firm’s data security, a number of steps need to be taken. A complete cyber insurance program will coordinate these steps and may provide coverage for some or all of the related expenses. Each cyber policy is different so reviewing the coverage language is critical. Examples include:

Investigation – The cyber risk adviser or attorney with the cyber insurance carrier coordinates an investigation to verify whether the incident is a breach as defined by current state and/or federal laws.
IT forensics – An IT forensics expert investigates the incident as part of determining whether or not there was a security breach and if client confidential information was accessed. IT forensics experts also respond to ransomware events to assist in decrypting and restoring files as well as eradicating malware from the system.
Notification letters – If the incident is determined to be a breach, counsel may be appointed to investigate the need for, and preparation of, notification letters to clients.
Call centers – Clients who receive notification letters may have additional questions about the breach, and a call center will initially handle those questions.
Credit monitoring services – Clients may demand such services in a post-breach environment.
Media relations – Media relations firms may be hired in such situations to help protect the firm’s reputation. If state laws require law enforcement to be notified in the event of a theft, media reports may affect the firm’s public image and reputation.
Cyber extortion or terrorism – A policy may be purchased to pay money to terrorists or extortionists to retrieve locked or stolen critical data.

Such losses incurred by the insured firm are generally considered “first party” and subject to the first-party policies or endorsements.

Third-Party Cyber Coverage

If a client alleges damages arising from an insured firm’s act, error, or omission, for which the insured may be liable, the damages typically would be addressed under third-party coverage included in the CAMICO Accountants Professional Liability (APL) insurance policies—not the CPA’s cyber coverage.

In the cyber area, one common example is the fraudulent wire transfer executed because of a hacker hijacking the client’s or insured’s email account and prompting the CPA firm to transfer client funds into an account controlled by the hacker. Claims sometimes carry substantial third-party exposure, and once funds are transferred, they are usually not recoverable. Even if the client was hacked due to their lack of cybersecurity, the CPA firm can be held at least partially responsible for the transfer of money because they had the last chance to stop the fraudulent transfer.

CAMICO includes third-party cyber coverage in its APL policy, including damages caused by fraud of others (not fraud of an insured), social engineering, phishing, and other forms of misrepresentation. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.

An information security plan/program, including an incident response plan (IRP), should be in place to satisfy provisions of state and federal regulations. For example, the IRS requires tax return preparers to comply with the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rule, which establishes minimum requirements for protecting sensitive client data. One such requirement is to have in place a written information (data) security plan (ISP), and to periodically review the effectiveness of the program and reassess the risk factors as well as any material changes to the firm’s operations.

An ISP has many benefits, not the least of which is that it will help a firm use its resources wisely and efficiently to plan for a breach and thus reduce firm expenses when a breach occurs. Stand-alone cyber coverage is available to our policyholders who desire a higher level of coverage. Contact CAMICO for more information at 1.800.652.1772.

The information provided in this article is a general overview and not intended to be a complete description of all applicable terms and conditions of coverage. Actual coverages and risk management services and resources may vary and are subject to policy provisions as issued. Coverage and risk management services may vary and are provided by CAMICO and/or through its partners and subsidiaries.

The post Understanding First-Party and Third-Party Cyber Coverages appeared first on CAMICO.

Responding to Pressure to Provide CPA-to-Lender Comfort Letters

ssAdmin — Wed, 04 Sep 2024 22:50:08 +0000

By Suzanne M. Holl, CPA

Complying with requests from banks and other lenders for assurances regarding clients’ financial strength can put CPAs and their licenses at significant risk.

First, CPAs may face the risk of falling below professional standards if they don’t adhere to AICPA Professional Standards. Another risk is that lenders may allege that CPAs misrepresented their clients’ creditworthiness should their clients later default on the loans. In some claims situations, lenders have alleged that CPAs were negligent and misrepresented their clients’ self-employment status, financial condition, or creditworthiness.

Use professional judgment

The creditworthiness dilemma is a balancing act—CPAs need to carefully evaluate the risks associated with complying with these requests.

For example, since professional standards do not require CPAs to provide any letters to third parties, they need to balance the risks of saying “no” (e.g., losing the client or being sued by the client should the loan fall through) against the risks of saying “yes” (e.g., not meeting the profession’s standard of care, or becoming a “deep pocket” target for the lending institution if the client later defaults).

The following examples of requests provide some ideas on how to traverse the delicate balance of mitigating risks while managing client and third-party expectations.

Request No. 1: Verification of tax information/employment

Financial institutions often send forms directly to a prospective borrower’s CPA, requesting verification of tax information, employment or self-employment, and assurances that the client’s business or owner will not be affected by the contemplated loan. Typically, the form is short and already filled out, and it calls for the CPA’s response and signature verifying the information provided. CAMICO strongly encourages CPAs to be cautious when considering these requests.

After the client has provided the CPA with appropriate written consent, CAMICO encourages CPAs to draft a letter in response to the form (instead of signing it) that clearly identifies:

The scope and limits of the services rendered to the client
The responsibility of the financial institution to exercise its own due diligence and to perform procedures and tests the lender deems appropriate in determining whether to extend credit
The limited responses (which should be facts, as opposed to judgments) to the questions posed on the form that are relevant to the client, stating that these answers are based solely upon the information shared by the client and were not audited or otherwise verified. In order to avoid potential privity issues, this letter should also clearly state that the CPA’s response is not intended to establish a client relationship with the financial institution

Request No. 2: Telephone verification

Another type of request that adds even more exposure to CPAs comes from the so-called “Underwriting Quality Control” divisions of large financial institutions, asking CPAs to provide verbal confirmations regarding their clients’ self-employment and/or other assurances regarding their clients’ financial information. We recommend letting the caller know that professional standards regarding client confidentiality prohibit CPAs from discussing their clients with the caller over the phone. CPAs should request that the financial institution put any questions it may have in writing and, if the CPAs receive written client consent to respond, they will address the inquiries in writing as they deem appropriate, given the scope and limitations of the services they have provided. CPAs should consider sending a letter or an email acknowledging the request and reiterating that no assurance was given during the conversation. This is excellent defensive documentation from later allegations that could suggest otherwise.

Request No. 3: Confirm information on a previously issued lender letter

CPAs should be wary if ever contacted after the fact by a third party requesting that they confirm client information previously provided to the lender on behalf of their client. These individuals may work for a mortgage insurance company or other organization as investigators trying to build a fraud case against a borrower who has defaulted on a loan. CPAs have no professional obligation to respond to these requests, and they would breach client confidentiality if they responded to them without written client consent. We strongly recommend that CPAs not sign or make any statements in writing, over the phone or in person, to requests of this nature. Also, such calls typically suggest that the loan was selected at random, but the loans are typically nonperforming loans.

Tips when responding to third-party requests

Before CPAs tailor their own response letters they should remember the following:

Be sure to obtain the client’s written consent before disclosing tax return information
The letter should be simple and clear
Document only facts and the services that the CPA has performed. Refrain from speculating on future events (e.g., forecast future income or contingencies) and avoid making conclusions not supported by the services performed for the client (i.e., a CPA should not make assurances regarding the accuracy or completeness of the information provided unless the scope of the services enables the CPA to provide such assurances)
Do not provide any form of assurance regarding matters of solvency
Avoid using words that expand, rather than narrow, the CPA’s responsibilities

Tips for educating clients

It’s also important to inform clients about these issues so that they understand what information CPAs can and cannot provide. CAMICO encourages CPAs to take the following steps:

Have a conversation with the client regarding the scope and limits of the services the CPA performed
Clarify for the client what the CPA can and cannot provide under the scope and limits of the services rendered
Explain that professional standards prohibit the CPA from providing assurance regarding the client’s financial position when the requisite scope of services hasn’t been performed
State that professional standards for CPAs prohibit CPAs from offering any form of assurance regarding matters of solvency

Following these guidelines early on in a relationship is ideal because the client or financial institution often gives CPAs little or no time to educate their client about the issues after they make their requests.

Suzanne M. Holl, CPA, is executive vice president with CAMICO. With over 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues.

The post Responding to Pressure to Provide CPA-to-Lender Comfort Letters appeared first on CAMICO.