Accounting Archives - CAMICO

Engagement Letter Do’s and Don’ts

ssAdmin — Wed, 14 Jan 2026 00:16:38 +0000

Signed engagement letters help CPA firms improve communication with clients and protect the firm from litigation as “the first line of defense.” Use the following tips to help you write more effective engagement letters.

Engagement letters should…
• State the purpose of the engagement.
• Define the scope and limits of the engagement.
• Specify known negative conditions or adverse situations.
• Include client instructions, responsibilities, deliverables and dates.
• Note reliance on facts provided by the client.
• Outline terms of fee collections and the consequences of late payment.
• Include a stop-work clause.
• Indicate the firm’s record retention policy.
• Include third-party service provider language, if applicable.
• Include alternative dispute resolution language (i.e., mediation for all disputes and an arbitration clause for fee disputes only).
• Confirm client’s acknowledgment to the terms of the agreement and request client’s signature.

Additional considerations
• Include protective language in traditional tax and financial statement engagement letters that specifically disclaims the firm’s responsibility related to advising on any legal, regulatory, or employment-related matters.
• Specify the client’s responsibility for the adequacy of a system of internal control.
• If applicable, explain limitations regarding financial statement distribution.
• Evaluate the appropriateness and efficacy of including limitation of liability clauses.

Engagement letters should not include…
• Marketing information. The engagement letter should be viewed and composed as a contract.
• All-encompassing language. Limit the scope of your firm’s work by avoiding superlatives and absolutes such as all, every, any, complete, confirm, totally, validate and verify.
• Legal jargon or ambiguity. Don’t use abbreviations or words only a CPA would understand. Any ambiguity will most likely be decided in the client’s favor in a court of law.

Additional tips
• Avoid evergreen letters — update letters annually to reflect changes in the scope of the engagement.
• Update engagement letters whenever engagements change.
• Avoid usurious interest charges. Instead, assess a “late fee” for unpaid balances.
• For tax engagements, include the full or exact name of the client, entity type, specific state name(s) and tax year(s), and purpose of the engagement.

Save yourself time and energy by using the letters specially crafted for CPA firms by CAMICO experts.
As seen above, a clear, comprehensive engagement letter is one of your best safeguards against future disputes. CAMICO offers policyholders with Professional Liability Insurance access to engagement letter review services. CAMICO’s internal Loss Prevention Specialists are happy to review and comment on your drafted engagement letters – at no cost. Furthermore, CAMICO has 150+ sample engagement and disengagement letter templates available on its Members-Only Site. CAMICO experts designed these sample letters to be clear and understandable for clients, provide appropriate documentation for you, and effectively outline the scope of your work.

The post Engagement Letter Do’s and Don’ts appeared first on CAMICO.

Navigating Change, Client Expectations, and Professional Risk Under the OBBB Act

Amber — Thu, 13 Nov 2025 18:01:41 +0000

The recently enacted One Big Beautiful Bill Act (“OBBB Act”) ushers in some of the most significant tax law changes since the Tax Cuts and Jobs Act. While many provisions are designed to simplify or stimulate economic activity, they also create traps for the unwary. CPAs need to remain alert to compliance challenges, client misperceptions, and liability exposures as the IRS and state taxing authorities continue to issue implementing guidance.

As professionals who help CPA firms manage risk, we recognize that major tax legislation is a leading source of malpractice claims. The OBBB Act introduces both planning opportunities and new stress points that can easily evolve into disputes if expectations are not clearly communicated and documented. Although not meant to be all-inclusive, this article highlights several current risk areas and practical strategies for managing them through communication, documentation, and engagement-scope clarity.

Depreciation and Expensing Provisions — The Timing and Documentation Trap

The restoration of 100% bonus depreciation for property placed in service after January 19, 2025, and the increased Section 179 expensing limit to $2.5 million (with a $4 million phase-out threshold) are welcome, but the effective dates create traps for accurate application.

Determining when an asset was “acquired” — based on the binding contract date — remains one of the most frequent sources of bonus depreciation errors. This rule, unchanged under the OBBB Act, still governs when property qualifies as newly acquired for purposes of the 100% deduction. Eligibility depends on both when the asset is placed in service and when the binding purchase contract was executed. Property acquired under a contract signed before January 20, 2025, is treated as acquired under prior law and may qualify only for the reduced bonus percentages in effect at that time.

From a best-practices perspective, practitioners should obtain and retain supporting documentation — such as contracts, invoices, or purchase orders — confirming both the contract date and the placed-in-service date to avoid potential risks associated with timing errors. The IRS enforces these transitional rules strictly, and missteps can easily lead to audit adjustments and potential professional liability.

Taxpayers who benefit from increased bonus depreciation and Section 179 expensing may assume those tax benefits will continue in future years, even though these provisions are temporary. Without proactive communication, clients may be unprepared for the higher tax liabilities that will follow once the provisions sunset after 2028 and normal depreciation patterns resume. This misunderstanding can create frustration or even allegations of poor planning. CPAs should confirm in writing how clients intend to time asset purchases, emphasize that these accelerated deductions are temporary, and remind them of state conformity differences that may sharply limit the benefit. Engagement letters and planning correspondence should frame projections as estimates subject to change. Clear, written communication — supported by signed client acknowledgments — remains the best safeguard for managing expectations.

Research and Development Costs — The Retroactive Burden

The Act restores immediate expensing of domestic Section 174 R&D costs for tax years beginning after 2024 while foreign research must continue to be amortized. This makes it important to distinguish domestic from foreign research activities; misallocating these costs can result in material errors, particularly where research is spread across multiple locations or functions.

For many taxpayers, the shift back to immediate expensing of domestic R&D will require an Accounting Method Change, filed on Form 3115, along with a Section 481(a) adjustment to reconcile prior-year treatment. Errors in Form 3115 preparation are a frequent audit trigger and often lead to broader examinations. To help manage this exposure, firms should treat the preparation of Form 3115 as a separate engagement — identified in the engagement letter with its own scope, timeline, and fee structure — rather than incorporating it into standard tax return preparation.

The Act also permits taxpayers to amend prior-year returns (2022–2024) to retroactively expense domestic R&D costs. While doing so may produce refunds, it also introduces the audit-risk-of-amendment — the risk that filing the claim opens the entire return to IRS review, not only the R&D adjustment. In other words, while the refund may be justified, amending a return effectively invites the IRS to take another look at every item reported on that return. Practitioners should document discussions weighing the potential benefit of the refund against the increased examination risk. Written client acknowledgment is particularly important where the refund amount is relatively small compared to the cost and risk of an IRS examination, where prior-year documentation may be incomplete or uncertain, or where the taxpayer has other positions on the return that could draw scrutiny. In these situations, obtaining a signed acknowledgment helps ensure the client understands both the benefit and the associated exposure before choosing to proceed.

Business Interest Expense, QSBS, and Opportunity Zones

The easing of Section 163(j) limitations through EBITDA-based calculations expands deductibility, but risk remains where intercompany debt allocations, thin capitalization, or aggressive financing structures exist. CPAs should limit their role to tax compliance and planning guidance and refer clients to legal counsel or other advisors for any questions involving the terms of financing arrangements or the structure of the underlying debt.

Both Qualified Small Business Stock (QSBS) and Opportunity Zone provisions received extensions and modifications, including expanded exclusion limits. These remain complex and closely scrutinized. Practitioners should refrain from offering definitive advice until the IRS and Treasury issue regulations. Any interim planning guidance should be accompanied by written disclaimers clarifying that the advice is preliminary and subject to change.

Energy Credits — A Renewed Source of Risk

The OBBB Act modifies and consolidates several energy-related credits, including provisions affecting solar investments, electric vehicles, and energy-efficient property. As with prior legislation, these areas are frequently associated with aggressive marketing claims, promoter involvement, and inflated valuation assumptions. CPAs should not endorse or recommend specific investment programs and should document all client communications regarding energy-credit eligibility and substantiation.

When assisting clients with credit calculations or filings, engagement letters should clearly limit the firm’s role to compliance — based on client-provided documentation — and disavow responsibility for the underlying economic or legal validity of these investments.

Individual Provisions — The 2029 “Tax Cliff” and Temporary Deductions

For tax years 2025 through 2028, taxpayers may claim new temporary deductions: up to $25,000 for tips, $25,000 for overtime pay (joint filers), and $10,000 for car loan interest on new U.S.-assembled vehicles. The SALT deduction cap also increases to $40,000 through 2029.

These benefits create a significant “tax cliff” beginning in 2029, when they expire and the SALT cap reverts to $10,000. CPAs should incorporate these reversions into projections to prepare clients for higher future liabilities and avoid allegations of poor planning.

The 20% Qualified Business Income (QBI) deduction is now permanent, but eligibility — particularly for specified service trades — must still be tested carefully. Documenting the assumptions used in determining QBI eligibility is a key risk-management safeguard.

Compliance, Credits, and Penalties

The Act increases due diligence obligations across multiple credits and deductions. Some examples include:

Ongoing Employee Retention Credit (ERC) scrutiny reinforces the need for separate, detailed engagement letters and client representation letters confirming eligibility. CPAs must not assume responsibility for verifying eligibility — this distinction is central to malpractice prevention.

For self-employed clients, the Form 1099-K reporting threshold increases to $20,000 and 200 transactions. This change can heighten the potential risk of income understatement and reinforces the best practice to issue engagement letters and clarify the clients’ responsibility to provide complete and accurate information for preparation of their tax returns.

The Act also makes the Alternative Minimum Tax (AMT) exemption permanent but reintroduces phase-outs beginning in 2026 and expands Disaster Relief provisions to cover certain state-declared events. Practitioners should confirm eligibility, secure documentation, and avoid filing claims prematurely.

Practical Loss Prevention Takeaways

The OBBB Act is a complex mix of permanent, temporary, and transitional provisions. Effective risk management depends on communication, documentation, and clear scope definition.

Communicate early and often. If engaged to do so, model estimated impacts and emphasize that all projections are subject to change as guidance evolves.
Obtain written authorization. Confirm elections and timing decisions — especially for depreciation, R&D, and energy credits — in writing.
Clarify your role. CAMICO recommends that your tax engagement letters specifically detail the scope and limits of the engagement, which should define the firm’s services as limited to tax compliance and planning (if applicable).
Document thoroughly. Maintain comprehensive workpapers, including if applicable eligibility analyses, and client representation letters for all high-risk positions.
Monitor developments. Stay current on IRS and Treasury guidance. If appropriate, inform clients when prior advice may need to be revisited.

Final Word

The OBBB Act presents both opportunity and exposure. By staying proactive — communicating clearly, confirming assumptions, and documenting diligently — tax practitioners can help clients benefit from new provisions while minimizing professional risk. Large, accelerated deductions and temporary relief should be clearly communicated as timing benefits rather than permanent tax reductions. Clear communication, sound planning, and thorough documentation remain a tax practitioner’s strongest defense.

CAMICO policyholders with questions regarding this article or other risk management topics should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 1.800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post Navigating Change, Client Expectations, and Professional Risk Under the OBBB Act appeared first on CAMICO.

Post-Tax Season Tips for Managing Risk

Amber — Fri, 03 Oct 2025 16:18:09 +0000

With more than 60% of CAMICO’s claims originating from tax-related matters, addressing and managing the risk stress points associated with problematic tax clients can significantly improve a firm’s risk profile. There is no better time than now, before the final phase of tax season, to take proactive steps to better position your firm to ensure you are maintaining the right overall firm/client fit.

The first step is to prioritize performing the “right services” for the “right clients.” Evaluate your client list and consider disengaging clients that do not meet the right firm/client fit threshold — ideally after they have paid their bills.

Some questions to consider as you look to identify and mitigate client scenarios that may pose higher risk to the firm:

1. Is the client still a “good fit”?
Although not meant to be all-inclusive, common red flags include:

Difficult or uncooperative behavior (e.g., withholding critical information, argumentative and/or disrespectful to firm members)
Deteriorating client relationship (e.g., not taking your advice, being non-responsive, and/or acting in a way that suggests compromised integrity)
Constantly questioning your value (e.g., allegations that your fees are too high, or others could do it cheaper, and/or insinuating that the work should be “easy” thus your fee should be less)
Changes in client business and/or client management
Potential conflicts of interest

Trying to uncover the source of the problem could be beneficial, but whatever you do, don’t ignore the above warning signs.

2. Is the engagement a “good fit” for the firm’s expertise?
It is important to recognize, embrace and maintain your competencies. If clients seek your help with transactions and/or activities outside your comfort zone or skillset, you will be better served suggesting they seek the advice and counsel of professionals with expertise in those areas.

In CAMICO’s experience, firms who don’t “stay in their lane” and choose to dabble outside their comfort zone have a much higher risk of having a claim. Learning the art of saying “NO” to clients is an important, but often overlooked, risk mitigation tool.

3. Are you taking the right steps to manage (and document) client expectations?
Good written documentation habits are critical to successfully managing client expectations, but extra diligence should be given to documentation when dealing with potentially problematic clients. Jurors (members of the public) generally consider CPAs to be experts in documentation, and falling short of that expectation may be viewed as negligent and perceived as falling below the standard of care.

Below are important situations requiring documentation to help mitigate the risk of client expectation gaps:

Change in engagement scope (may require a new engagement letter)
Negative information (e.g., tax return is already late, client’s failure to provide timely information, client is facing an audit)
Client agreement to take significant action
Communications regarding past-due invoices
Conversations regarding significant transactions, extensions, or estimated tax payments
High-risk scenarios that may require informed consent, waiver of potential conflict, and/or client representation of key facts and circumstances

Contact CAMICO or Your Risk Advisor

If the above assessment identifies client scenarios that you deem may pose risk to the firm and/or clients that are no longer a good fit for the firm, contact CAMICO or your risk advisor to help you assess the next steps. For example, if disengagement is deemed appropriate, skillfully handled transitions can be mutually beneficial to firms and clients.

In addition, CAMICO encourages early reporting by reducing the deductible by 50%, up to $50,000, for any potential claim that is reported before a claim is made. Further, if CAMICO determines that it is appropriate to retain counsel to assist with a potential claim, the related expenses preceding a claim will be absorbed by CAMICO and will not impact policy limits or be charged to the deductible.

The post Post-Tax Season Tips for Managing Risk appeared first on CAMICO.

The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures

Amber — Tue, 24 Jun 2025 23:34:08 +0000

In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cyber criminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.

Don’t be lulled into a false sense of comfort that your firm (or your clients) are too small or too large to be attacked. CAMICO is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes and unfortunately, the severity of these cyber crimes and ransomware attacks have grown in recent years.

Some of the more frequent categories of loss for CPA firms related to cyber claims include:

Social engineering
Funds transfer fraud
Theft of data
Loss of laptop or data stick
Unauthorized use of networks
Failure to protect client confidential information shared with a third-party service provider
Computer system cloud hack
Lost profits related to cyber events
Ransom attacks

Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust, and ensure your firm’s continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks. First-party risks are damages and losses you incur from a cyber attack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm’s (or client’s) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.

As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms’ computers. If they are successful in gaining access to a firm’s information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.

What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client’s computer system and once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyber attacks, and the list goes on.

Cyber Claims Trends
Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches.

Social engineering, which is the art of exploiting human behavior as a manipulation technique to gain access to confidential information, is one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes, where information in an email attempts to convince a recipient that the email is from a legitimate source and the recipient needs to respond to the request by clicking a link. The trend this past tax season as reported in CAMICO’s mid-March 2025 Alert is bogus emails from the “Social Security Administration” or “IRS e-Services.” As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise awareness with staff to never take these emails at face value and instead, maintain ongoing vigilance and enhanced skepticism with every email and online interaction.

Consider the following two scenarios from the CAMICO claims files which unfortunately are becoming all too familiar for CPA firms:

Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers
A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic “man in the middle” attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. As the hacker had full control of the client’s email account, the hacker was able to respond back to the CPA firm to verify the payments to the hacker’s overseas bank account.

The above scenario, unfortunately, has become a recurring fact pattern, and these fraudulent wire transfer requests frequently cause large dollar losses. If the fraudster is controlling the client’s email and potentially their phone system as well, and the fraudulent request mimics previous legitimate requests, it is often difficult for the firm to identify the request as illegitimate. When fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.

With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm all wire transfer requests with the client, and not rely on email or voicemail confirmations. Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people’s voices, but also realistic avatars of scam targets so that you can’t trust your ears or your eyes on virtual calls (Microsoft Teams). Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to. Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in CAMCO’s article Social Engineering Scams/Fraudulent Wire Transfers. Refer to the Cyber/Data Security Resource Center on CAMICO’s Members-Only Site.

Scenario #2: Ransomware
An employee of a CPA firm opened an unsolicited email attachment from “IRS e-Services” that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.” The employee turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner and the firm promptly took actions in accordance with their Incident Response Plan. Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.

Ransomware is one of the most malicious hacker attack vectors and firms of all sizes have become victims. It sneaks into computer systems, encrypts files, and demands a ransom before agreeing to decrypt the files. A major problem is that hackers do not always decrypt files even after the ransom is paid.

Ransom demands have certainly increased in recent years and it is not unusual to see them range from several thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. Therefore, being prepared and taking precautions against cyber risk exposures is essential.

To gain a greater perspective on how CPA firms are impacted by cyber exposures, refer to the IMPACT 126 Claims Chronicles for two additional cyber-related claims.

Has your firm prepared for a cyber incident?
Remember, it is not if you will be attacked, but when.

The weakest link in most cybersecurity attacks today continues to be the human element, so it is important to remember that your firm employees are a vital line of defense. Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.

Although not meant to be all-inclusive, the following additional basic best practice measures are extremely important when addressing the human element of data security:

Cybersecurity awareness training: As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering is to make continuous efforts to raise awareness of the importance of ongoing vigilance and enhanced skepticism of each email and online interaction. Education can come in various forms, both formal and informal. Consider sharing with your team “real-life” examples of the potential scam emails received by members of your firm. Learning of the attempted attacks on their colleagues heightens awareness of the nature and types of scams that pose potential threats.

As part of the firm-wide cybersecurity awareness training, you should also consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan in place) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated when changes are made. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Written Information Security Plan (“WISP” or “ISP”) template. The template can be found on the Cyber/Data Security Resource Center on the CAMICO Members-Only Site.

Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to embracing a motto of continuous education because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.

2. Use multi-factor authentication. This can add an extra level of security to prevent an account hack, especially when employees work remotely.

3. Change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them.

4. Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.

5. Require regular data backups. By encouraging employees to regularly back up their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce for employees working remotely, it remains the best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage remember that ransomware can also compromise cloud services. Any data stored in the cloud should also be periodically backed up to an external hard drive. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.

6. Maintain strong cyber hygiene. Reinforce with employees the cyber protocols to be followed when working both in the office as well as remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).

7. Remind all employees of the importance of powering down computers when not in use. Computers are not accessible to attacks or intrusions when powered off.

Choose the Right Cyber Insurance Coverage
Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:

First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event, and
Third-party, which refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. CAMICO’s professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions, and exclusions.

It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law, or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.

First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack, or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish either the sequence of events leading up to the breach and/or how the breach occurred.

Although not meant to be all-inclusive, the table below shows common cyber costs and damage that may be incurred in cyber-related claim situations, classified by first- and/or third-party potential exposures:

	First-Party Exposures	Third-Party Exposures
Restoration of the damaged systems, hardware, software and network	X
Cost to restore lost data	X
Ransom fees to retrieve lost data or reopen systems	X
Notification costs	X	X
Forensic investigation costs	X
Credit monitoring costs	X	X
Reprogramming costs	X
Business interruption costs	X
Lost client’s money sent to someone incorrectly due to a cyber event		X
Costs (restoration, fines/fees, etc.) incurred by the third party required due to lost data		X

Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others. Relying on only one type of cyber insurance that may be limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. Whereas investing in both first-party and third-party cyber insurance ensures greater protection against today’s growing cyber threats.

If you have any specific coverage-related questions, please contact your agent or CAMICO at 1.800.652.1772, and ask to speak with your underwriter.

Additional CAMICO Resources
Additional risk management guidance and information on this topic is available on the Members-Only Site — refer to CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures appeared first on CAMICO.

SSARS 27 — A Changing Risk Landscape for Client Advisory Services

Amber — Tue, 24 Jun 2025 23:22:22 +0000

The role of CPA firms who perform “outsourced accounting services” for their clients has greatly expanded over the years into what many today refer to as “client advisory services and/or client accounting services” (“CAS”). With the evolution of CAS, many CPAs have questioned the appropriateness of applying the “preparation standards” (“AR-C 70”) set forth in the Statements on Standards for Accounting and Review Services (SSARS) for financial statements prepared as part of CAS engagements, when all other client advisory services (including controllership or CFO services) are performed under the consulting standards.

On April 7, 2025, the AICPA’s Accounting and Review Services Committee issued Statement on Standards for Accounting and Review Services No. 27 (“SSARS 27”), Applicability of AR-C Section 70 to Financial Statements Prepared as Part of a Consulting Services Engagement. The new SSARS amends AR-C section 70, Preparation of Financial Statements, explicitly excluding financial statements prepared as part of a consulting services engagement performed in accordance with CS section 100, Consulting Services, (“CS 100”) from engagements in which AR-C 70 must be applied.

The scope paragraphs of AR-C 70 were amended to clarify that accountants are not required to apply AR-C 70, but application is not precluded when accountants are preparing financial statements or prospective financial information as part of a consulting services engagement performed in accordance with CS 100 when the preparation of financial statements is not the primary objective of the engagement.

The SSARS 27 exception to AR-C 70 preparation engagements is effective for the preparation of interim or annual financial statements for periods ending after December 14, 2026. Early implementation is permitted.

For many CPA firms, SSARS 27 is welcome relief, as performing financial statement engagements under the consulting standards may better align with the evolving needs of clients and the CAS being provided. With that said, SSARS 27, does present a changing “risk landscape” and CAMICO cautions firms not to rush into early adoption without first having appropriate risk mitigating tools and solutions in place. Firms should seek to establish clear guidelines and a timeline for implementation and not short-change the efforts needed to educate themselves and their clients about the implications of this change, including the fine distinctions of when financial statements may be deemed a mere by-product of the services the firm is rendering versus the primary objective of the services.

Proactive documentation will be critical in managing the changing risk landscape for those firms who seek to embrace the flexibility afforded by preparing financial statements under the consulting standards. New written understandings with the clients should be executed delineating the revised scope and applicable standards of the services being provided. Firms should also consider the appropriateness of including revised indemnification language in these agreements, especially in situations where they may be perceived as, or in fact performing, management responsibilities as part of the CAS engagement.

In the coming weeks, CAMICO will make available engagement letter templates to assist policyholders who choose to early implement SSARS 27. CAMICO is also developing a risk management FAQ document to highlight common inquiries received from policyholders related to the risk management implications of SSARS 27 to CAS engagements and includes suggested best practices to proactively minimize potential exposures. CAMICO policyholders can access these resources on CAMICO’s Members-Only Site Accounting and Auditing Resource Center.

CAMICO policyholders with questions regarding this article or other risk management topics should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post SSARS 27 — A Changing Risk Landscape for Client Advisory Services appeared first on CAMICO.

How to Respond to Subpoenas

ssAdmin — Tue, 10 Jun 2025 21:13:45 +0000

CPA firms are often uncertain about whether or how to respond to a subpoena, as they also need to comply with a number of rules and regulations that are intended to protect client confidentiality. The following Q&A focuses on understanding the nature of subpoenas and how CPA firms can minimize their professional liability exposures when responding to them.

What is a subpoena?

A subpoena is usually a formal request for documents and/or appearance, typically requested by an attorney in the course of litigation, or by a government agency in the course of a criminal or civil investigation.

What should CPAs do when they receive a subpoena?

CPAs in receipt of a subpoena should consider the information in their client files, along with any recent communications with the client or any parties involved, and then contact the CPA’s professional liability risk adviser or attorney before responding to the subpoena. In evaluating the appropriate course of action for CPAs to take, their adviser may consider the following information:

What is the underlying litigation about? Does the CPA have direct or other knowledge about what the issues are in the litigation?
What is the subpoena asking the CPA to do? Is it requesting that the CPA provide testimony, documents or both? Does the subpoena excuse the CPA from testifying if the CPA provides the documents in advance?
Is the CPA in possession of the information listed? The CPA should review the subpoena and consider whether the firm is in possession of the information. If the information is confidential, such as tax documents, it may be subject to claims of privilege by the client and/or an accountant-client privilege.
Does the subpoena provide a deadline for complying? If the deadline is quickly approaching, or if the subpoenaing party did not provide sufficient time to comply, has the CPA received any communications to suggest the opposing party will grant an extension of time?
What communications has the CPA had with the client? Has the CPA had any contact with the client, the attorneys on the case or the governmental agency? Does that contact suggest whether the CPA is a target or merely a person in possession of information? Is the client taking specific measures to formally object to the subpoena?

Why is the CPA receiving a subpoena?

Typically, an attorney or other party will issue a subpoena because he or she believes that the CPA is in possession of information and documents that will establish facts that are relevant to the underlying case. However, sometimes a subpoena may indicate that the CPA is a target in the underlying case by seeking information that could implicate the CPA as possibly liable for the matter being investigated or litigated.

Is the CPA required to comply with a subpoena? Is a subpoena a court order?

If the CPA has received an order signed by a judge, or a subpoena from a government agency, in most cases the CPA must comply. Government subpoenas generally require compliance, even without client consent or a court order.

However, most subpoenas are preprinted forms that attorneys or other parties fill out to request information. In these cases, accountants are bound by a number of rules and regulations that are intended to protect clients, including Internal Revenue Code section 7216. Under most circumstances, these rules and regulations prohibit the accountant from complying with the subpoena, unless the accountant has undertaken specific measures to protect client confidentiality, including obtaining the client’s consent.

Again, CPAs should contact their risk adviser regarding all subpoenas to evaluate the underlying litigation and the obligation to comply.

Should the CPA report a subpoena to the CPA’s professional liability agent or carrier?

Yes. Regardless of how much or how little information a CPA may have pertaining to the client or former client, it is always important to promptly report the matter.

CAMICO offers policyholders with Professional Liability Insurance comprehensive subpoena and consultation services. These services are designed to assist CPAs in reducing the risk of claims or future litigation. Regarding subpoena expenses that are not related to a reported claim, CAMICO will provide counsel to policyholders to assist in responding to a subpoena seeking documents or testimony. This coverage is treated as a potential claim and offers policyholders a 50% deductible reduction (up to 50K) and locks in coverage during the policy period.

The post How to Respond to Subpoenas appeared first on CAMICO.