Be­ing pre­pared for trou­ble

Firms need to brace them­selves for li­a­bil­ity is­sues old and new

Accounting Today - - Malpracticeinsuranceguide - By Roger Rus­sell

Since the ma­jor­ity of CPA firms do at least some type of tax work, and tax is the most fre­quently lit­i­gated is­sue in the pro­fes­sional li­a­bil­ity field, it pays to keep an eye on the cov­er­age pro­vided by your er­rors & omis­sions, or pro­fes­sional li­a­bil­ity, pol­icy, ac­cord­ing to Alvin Fen­nell, vice pres­i­dent at Aon Affin­ity.

“It’s es­pe­cially im­por­tant for prac­ti­tion­ers who de­cide to go out on their own,” he said.

“CPAS are nat­u­rally en­tre­pre­neur­ial,” he ob­served. “Many smaller firms are formed by pro­fes­sion­als with a num­ber of years of ex­pe­ri­ence at larger firms. They’re ex­pe­ri­enced in help­ing busi­ness clients that are start­ing out, and they de­cide they want to start their own busi­ness and be self-di­rected.”

”Prob­a­bly the last thing on their minds is the po­ten­tial li­a­bil­ity they might in­cur, but it’s go­ing to hap­pen sooner or later,” he said. “It might have noth­ing to do with the work prod­uct — it’s the na­ture of the busi­ness. Of­ten, it may not be your fault, it just might be your turn.”

Prac­ti­tion­ers should un­der­stand what their pol­icy cov­ers, em­pha­sized Rickard Jor­gensen, pres­i­dent and chief un­der­writ­ing of­fi­cer of CPAGOLD: “In the past year we have seen sev­eral so­cial en­gi­neer­ing claims — a.k.a. fraud­u­lent wire trans­fer scams — which have re­sulted in six-fig­ure pay­ments. If a CPA’S pol­icy con­tains a ‘false pre- tense’ ex­clu­sion, there is likely no cov­er­age for this.”

“We con­tinue to see scams where crim­i­nals file bo­gus tax re­turns, although this is re­duc­ing in fre­quency,” he con­tin­ued. “We have seen a re­cent round of sex­ploita­tion emails where an in­di­vid­ual is tar­geted for cy­ber ex­tor­tion by us­ing stolen pass­words. Many pro­fes­sional li­a­bil­ity in­sur­ers will limit cov­er­age for these types of claims. Cy­ber ex­tor­tion is an ex­clu­sion in some mal­prac­tice poli­cies. A CPA should care­fully check their pol­icy.”

The Euro­pean Union’s Gen­eral Data Pro­tec­tion Reg­u­la­tion, or GDPR, which be­came ef­fec­tive in May this year, im­posed cer­tain obli­ga­tions on CPA firms with in­ter­na­tional clients. So far, the im­pact on U.S. CPAS has been min­i­mal, Jor­gensen noted, but trends are of­ten global and it is likely that in the not-too-dis­tant fu­ture there will be a sim­i­lar law, if not fed­er­ally, then in some pro­gres­sive states like Cal­i­for­nia, New York or Wash­ing­ton, that es­tab­lishes stronger rules for the pro­tec­tion of per­sonal client in­for­ma­tion and penal­ties for a breach. “It may be pru­dent for a CPA firm to start think­ing about this and an­tic­i­pate what prac­tice changes might be needed to com­ply,” he said.

New ex­po­sures

Tax re­form has added some com­plex­i­ties to most prac­tices that weren’t there be­fore.

“Given the [Tax Cuts and Jobs Act’s] sig­nif­i­cant changes re­lated to the flat cor­po­rate tax rate and the new de­duc­tion for pass-through en­ti­ties, some clients may re­think their choice of le­gal en­tity,” noted Suzanne Holl, a CPA and se­nior vice pres­i­dent of loss preven­tion ser­vices at Cam­ico.

“This type of eval­u­a­tion and as­sess­ment cer­tainly has tax im­pli­ca­tions associated with it, and CPAS can cer­tainly ad­dress the op­por­tu­ni­ties that are avail­able to max­i­mize the client’s tax ben­e­fits,” she said. “But CPA firms should be wary of ren­der­ing le­gal ad­vice with­out a li­cense. Clients will need other ad­vi­sors — in this case, le­gal coun­sel — to help them, as well as the CPA firm, to eval­u­ate and im­ple­ment changes that may be nec­es­sary to ad­dress the le­gal im­pli­ca­tions re­lated to choice-of-en­tity de­ci­sions.”

Cy­ber ex­po­sure is an­other area that calls for spe­cial scru­tiny, ac­cord­ing to Holl.

“Cy­ber­crim­i­nals have been tar­get­ing CPA firms and tax pro­fes­sion­als be­cause of the abun­dance of client data found on the firms’ com­put­ers,” she ob­served. “Data such as in­come, de­pen­dents, cred­its and de­duc­tions are ideal for help­ing scam­mers make fraud­u­lent tax re­turns look le­git­i­mate.”

“Firms should ad­dress their cy­ber ex­po­sures with a com­bi­na­tion of in­sur­ance cov­er­ages and cy­ber­se­cu­rity mea­sures, in­clud­ing ed­u­cat­ing em­ploy­ees about phish­ing at­tacks, in­stalling a se­cure client web por­tal, adding an­other layer of se­cu­rity with multi-fac­tor au­then­ti­ca­tion, and avoid­ing pub­lic Wifi or hotspots when in­putting or work­ing with per­sonal iden­tity in­for­ma­tion,” she said.

In­sur­ance cov­er­age should ad­dress both first-party losses di­rectly borne by the pol­i­cy­holder firm, and third-party dam­ages al­leged by clients or other third par­ties for which the pol­i­cy­holder firm may be li­able, Holl in­di­cated.

“First-party cy­ber cov­er­age should in­clude breach re­sponse ser­vices to help de­ter­mine whether an in­ci­dent is a breach as de­fined by cur­rent state and/or fed­eral laws,” she said. “Cy­ber ad­vi­sors and IT foren­sics should as­sist with re­port­ing and no­ti­fi­ca­tion re­quire­ments, call cen­ters, credit mon­i­tor­ing ser­vices, and pub­lic re­la­tions ser­vices.”

“Cy­ber ad­vi­sors should also re­spond to ran­somware at­tacks and pro­vide ser­vices to de­crypt and re­store the firm’s files, among other ser­vices,” she con­tin­ued. “Firms should al­ways back up all im­por­tant data and in­for­ma­tion fre­quently to en­sure that crit­i­cal data is not lost in the event of a cy­ber­at­tack or phys­i­cal in­ci­dent such as a fire or flood.”

“Fi­nally, firms should pro­tect the back­ups in a re­mote or ex­ter­nal lo­ca­tion where they are safe from ran­somware that seeks out backup copies,” Holl ad­vised. “Pe­ri­od­i­cally, ver­ify whether the backup is work­ing.”


Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.