CAMICO’s Loss Prevention and Claims departments work with CPA policyholder firms every day on difficult risk management issues. The following Q&A covers 10 questions and trends that our specialists hear about most frequently from our policyholders.
Top Loss Prevention Trends
Q: What are some of the risks and general guidelines for our firm if we choose to use generative artificial intelligence (“AI”)?
A: Let’s face it: Generative AI is no longer just a buzzword. Before ChatGPT, CAMICO didn’t receive many inquiries about AI. However, after the release of ChatGPT, inquiries have steadily increased, and with good reason. The technological advancement generative AI promises to provide in the near term is significant. It has the potential to reshape how you provide professional services, communicate with clients, and even how you manage your firm. Most of the changes should improve efficiency and other important metrics; however, AI adoption comes with significant risks. CAMICO recommends addressing the risks sooner rather than later with a clear and concise firm policy and communicating the policy to all your employees.
A crucial thing to know about generative AI is that it is not infallible. Whether you’re thinking about using it for automating calculations, crafting emails, or explaining the tax code, be on alert for its inaccuracies. Often, AI-generated information is outdated, misleading, or even fabricated (technically called “hallucinations” in AI-speak). Therefore, all AI-generated outputs must be reviewed to ensure accuracy and reliability. A proper review will also help mitigate the risk of inappropriate, discriminatory, or otherwise harmful content leaving your firm.
Another source of risk is inadvertently compromising the confidentiality of data. Before using a generative AI provider, we recommend performing due diligence on the AI provider to ensure their system complies with professional standards and regulations. When doing your due diligence, we also recommend researching the AI provider’s reputation to see if they have a history of inappropriately training their AI models on unauthorized data.
Along the lines of maintaining confidentiality is ensuring data privacy and mitigating security risks. Firms should prioritize data encryption, implement access controls, and adhere to data protection regulations. Please remember that it may be necessary to consult with qualified legal counsel and update, if needed, the firm’s Privacy Policy to ensure transparency about the categories of sensitive information collected, the sources of that information, the purposes for the collection, and how the firm stores and shares such information.
As you explore the opportunities afforded by generative AI, CAMICO recommends considering the risks and countervailing safeguards. Successful integration of generative AI requires a well-crafted implementation plan which should include, among other things, appropriate education and training to ensure responsible use. CAMICO believes a clear and concise generative AI policy to document your firm’s authorized usage is paramount in achieving your goals using AI. Please see CAMICO’s generative AI policy template available on CAMICO’s Members-Only Site, which you can modify to fit your firm’s requirements. As always, we recommend working with your firm’s legal counsel and IT specialists, as appropriate, as you develop and implement your generative AI strategy and related usage policy.
– Jason “Zev” Jankovic, Loss Prevention Specialist II
Q: My client has asked our firm to initiate wire transfers. What risks are associated with agreeing to initiate wire transfers and what protocols should our firm consider?
A: CPA firms continue to be at high risk of social engineering attempts due to the type of information firms gather and store. If the firm and/or a client’s email is hacked, a wire transfer request could come from a fraudster/hacker. As fraudulent wire transfers frequently cause large dollar losses, firms need to be hyper-vigilant in their efforts to protect the firm and clients against wire transfer fraud.
If the fraudster controls the client’s and the firm’s email, commonly referred to as a “man in the middle” attack, the fraudulent request may mimic previous legitimate requests, which can make it very difficult for a firm to identify the request as illegitimate. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are often not helpful in preventing fraudulent transfers, as laws tend to limit their risk exposure and enable them to deny responsibility.
Given the increasingly sophisticated phishing and spoofing scams, CAMICO strongly encourages firms to have written protocols in place with clients who need such services that outline the protocols to be followed when executing wire transfer requests. Certainly, best practice would be to verbally verify the authenticity of all wire transfer requests that are received by the firm via email correspondence, but for those clients who may wish to limit the requirement for your firm to verbally verify each wire transfer, the client should specify in writing those limits (e.g., by dollar threshold, business purpose, etc.) as well as acknowledge their responsibility for the added risks associated with this limited verbal verification process. We recommend including as part of the verification process specific questions to which only your client would know the answer.
CAMICO has developed an Addendum for illustrative purposes that can be used in conjunction with an engagement letter to highlight best practices for such a communication. You can access CAMICO’s “Addendum to Engagement Letter – Protocols for Executing Wire Transfers” on the CAMICO Members-Only Site under the Cyber/Data Security Resource Center.
– June Thornton, Senior Loss Prevention Specialist/Team Lead
Q: My firm has a Written Information Security Plan (“WISP”), but it hasn’t been updated since early 2023. How often should we be reviewing/updating our WISP? And have there been any significant changes to the regulatory guidance related to physical, technical, and/or administrative safeguards a CPA firm is required to have in place to protect its confidential client data from potential breaches and cyberattacks?
A: CAMICO strongly encourages firms to keep their Written Information Security Plan (“WISP”) relevant and updated to showcase the firm’s ongoing efforts to ensure compliance with the spirit and intent of the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rule. To that end, CPA firms should periodically review the effectiveness of their security program as detailed in their WISP, reassess the risk factors as well as any material changes to the firm’s operations, and make changes to the plan as necessary. Firms need to consider the appropriate frequency of this review based on the firm’s size, complexity, identified risk factors, and any updated guidance promulgated by the Internal Revenue Service (“IRS”) or other regulatory bodies. Refer to CAMICO’s article “Compliance with the Federal Trade Commission ‘Safeguards Rule’,” published in CAMICO’s July 2023 IMPACT 123 newsletter.
Now would be a good time to consider reviewing and updating the firm’s WISP given the IRS’s August 13, 2024 announcement regarding the availability of an updated WISP template to help tax professionals, especially smaller practices, protect against continuing threats from identity thieves and data risks (IR-2024-208). The updated WISP, contained in IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice, is available at: www.irs.gov/pub/irs-pdf/p5708.pdf.
The IRS’s guidance includes best practices for implementing multi-factor authentication for any individual accessing any information system (refer to the IRS page “Multi-factor authentication: Key protection to tax professionals’ security arsenal now required” at irs.gov), as well as a new requirement to report a security event affecting 500 or more people to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days from the date of discovery.
Remember that maintaining an information security program is not a one-size-fits-all approach, as every firm will need to ensure that it has the required safeguards in place for its size, complexity, and the nature and scope of the services it renders. As such, a CPA firm’s efforts to comply with the Safeguards Rule are organization-specific, and CAMICO recommends that each firm work with its IT/cyber specialists and legal counsel to modify and tailor its WISP to ensure the firm’s compliance with the GLBA’s Safeguards Rule and other applicable laws.
For more risk management guidance and information on cyber and data security issues, which includes CAMICO’s illustrative Written Information Security Plan template, access CAMICO’s Cyber/Data Security Resource Center on our Members-Only Site.
– Anthony Cooper, J.D., MBT, Tax Analyst, Loss Prevention
Q: We are having difficulty managing one of our top performers who is frequently short and rude to his coworkers to the point where now they no longer want to work with him. If he is not violating any firm policies such as Anti-Harassment or Anti-Bullying, do we have to counsel him? He is such an asset to the firm, and we are concerned about losing him.
A: Behavior does not have to rise to the level of violating firm policy to negatively impact the firm by creating a toxic work environment. An employee who is chronically rude, brash, and short can singlehandedly disrupt the work environment. Toxicity in the workplace will spread and lead to low morale, decreased productivity, increased disruption, and employee stress.
Toxicity can flourish when those firm rainmakers with poor interpersonal skills demonstrate entitlement and belittle others without consequence; or when those in the office who demonstrate microaggression, or what we call death by a thousand small cuts, are ignored. There are also those employees who enjoy gossiping and spreading rumors which creates its own toxicity.
Oftentimes the firm will turn a blind eye to the behavior because it might not necessarily rise to the level of violating firm policy, but first and foremost, firms should follow their own policy language and ensure that the firm’s values and mission statement are also being reflected in the workplace. Core values should drive organizational behavior and when core values and organizational behavior are misaligned, employees lose their trust in management.
Firm management can support employees by responding in a timely manner to any display of toxic work behavior; broadening policy language to focus on the bigger picture rather than narrowly defining harassment and bullying; and, most importantly, walking the talk themselves. Studies have shown that employees who feel surrounded by psychological safety in the workplace will be more productive and engaged, and the firm will recognize a lower turnover rate due to a more positive work environment.
As it relates specifically to counseling an employee for unacceptable behaviors that are creating a toxic work environment for others, CAMICO recommends reaching out to your employment practices risk advisor and/or legal counsel to discuss appropriate steps to take to minimize the potential risks of a claim or lawsuit.
For additional information on how to create a more positive workplace, refer to CAMICO’s article Create a Workplace Where Your Employees Will Thrive, published in CAMICO’s IMPACT 124 newsletter issued in February 2024.
– Emily Franchi, Loss Prevention Supervisor, Employment Practices
Q: Our firm is starting to prepare for the new Quality Management Standards, which become effective December 15, 2025, and we were wondering if CAMICO has any risk management tips for us as we begin the process?
A: CAMICO encourages firms to not over-complicate the transition process or try to address every potential risk as they seek to adopt the new Statements on Quality Management Standards (“SQMS”). Instead, focus on the quality risks that are material, relevant, or of higher risk to your firm; the types of industries, businesses, and organizations you serve; and the services you offer. A system of quality management is an evolving, iterative, dynamic process. Don’t let “perfect be the enemy of good.” If unchecked, this aphorism can create crippling inertia in the development of your quality management process.
As the SQMS’s risk-based approach requires custom-fitting to your firm’s conditions and circumstances, you may wish to seek your peer reviewer’s guidance regarding the transition. Your peer reviewer’s familiarity with your quality control system and understanding of the new standards can be instrumental in assisting your firm with designing your system of quality management. Ideally, you can obtain your peer reviewer’s insight and tips specific to your unique needs. However, be cautious not to rely too heavily on your peer reviewer (unless willing to secure the services of another reviewer) as doing so could threaten your peer reviewer’s independence.
As the SQMS are risk-based, requiring firm leadership to proactively manage quality by designing, implementing, and operating a customized system of quality management scalable to fit your firm’s accounting and auditing practice, it is important to give the person(s) agreeing to assume the system of quality management leadership role(s) in your firm sufficient time and resources to implement the standard.
Consider adopting a two-phased approach to brainstorming sessions led by a senior member of your system of quality management development team. During the initial phase, the discussion leader should encourage and reinforce that this phase is exclusively for the generation of ideas, and should not include evaluation or criticism of ideas raised (to avoid squelching voices). Care should be taken to record every suggestion. Only during the second phase should the team evaluate or constructively critique aspects of the initial brainstorming phase. This two-phase approach will encourage team members to offer more, and more nuanced, suggestions which might otherwise not be captured and considered in the development of your system of quality management. Each system of quality management must address the eight components, and the SQMS prescribe specific quality objectives for each of the components. While your firm may establish additional quality objectives, be certain that each of the prescribed component-specific quality objectives is addressed.
As with the extant quality control standards, the SQMS require you to document your system of quality management. As with its predecessor, this documentation may be used by your peer reviewer to assess whether your firm has complied with the standards. If documentation indicates your firm will perform procedures exceeding those required by professional standards, those elevated requirements will be the benchmark used to assess your compliance. Be diligent in documenting your firm’s quality objectives, quality risks, your responses to those risks, and ultimately your system of quality management, identifying those responsible and accountable for your system.
And lastly, CAMICO strongly encourages firms to take advantage of resources developed and shared by the AICPA. Explore the following list and pay particular attention to the two practice aids and the sample risk assessment Microsoft Excel template. Each is extremely helpful in focusing attention on the development and enhancement of your firm’s system of quality management.
AICPA Resources
- Quality Management Resource Center
- Quality Management Practice Aids [One for Sole Practitioners, another for Small and Medium-Sized Firms, and an illustrative risk assessment MS Excel Template]
- Crosswalk from SQCS to SQMS
- QM Standards Checklist
- Journal of Accountancy Content
- Podcast: Tips for firms implementing quality management standards – June 7, 2022
- Quality management standards: How to perform a root cause analysis – August 31, 2023
- Quiz: Test your knowledge of the new quality management standards – September 22, 2022
- QM standards: Overview of the monitoring and remediation process – September 28, 2023
- How to implement the risk-based quality management standards – October 1, 2023
- QM is approaching faster than you think — get ready – November 1, 2023
- QM standards: How to perform a root cause analysis – December 1, 2023
– Duncan B. Will, CPA/ABV/CFF, CFE, Loss Prevention Director/ Accounting & Auditing Specialist
Top Claims Trends
Q: With most tax returns being e-filed, has CAMICO seen any trends in e-filings that don’t go through? If so, what advice do you have for policyholders to prevent or mitigate these situations?
A: We have seen a trend of e-returns not going through or being fraudulently e-filed. A few tips we can give policyholders would be to consider having an internal process in place, along with certain checks and balances to ensure that the e-filings go through. As the IRS provides an online tool to check the status of returns, it is helpful if the policyholder advises their clients to follow up on the status of their returns after they have been e-filed, to ensure that they have been accepted and processed. Rather than waiting for months to receive an update on the return, it is helpful if the client checks on the status after a couple of weeks to ensure that there aren’t any errors. Also, following up with clients to ensure that they received their refunds could help mitigate any potential damages early on. Another helpful tip is to review the returns one final time before submitting, to ensure that all the information on the return is correct, including the social security number and the firm’s Taxpayer Identification Number (TIN).
– Ines Adams, Claims Specialist
Q: Do CPAs often get brought into family disputes related to inheritance?
A: When dealing with family disputes, especially when it comes to money, emotions will run high, and these matters can become very contentious with CPAs getting pulled in and stuck in the middle. While these situations may be unavoidable, there are steps that can be taken for policyholders to protect themselves from exposure. Documentation and communication are key. Everything pertaining to the CPA’s work should be memorialized in writing and the CPA should ensure that both they and the client understand the decisions and actions that will be taken. If a CPA advises a client to take a specific course of action, written proof of the advice should be preserved. Engagement letters can also be a vital tool in protecting the CPA’s interests. The letter should spell out precisely the work that will be performed for the client and should be updated as the engagement changes. Finally, if the appearance of a conflict arises, the CPA should consider whether disengagement is the appropriate action. If the CPA decides to disengage, the disengagement should be clear (and in writing), and a copy should be preserved.
– Jill Cavenaile, Claims Executive
Q: What are the liability issues if clients withhold information about large sums of cash that they have?
A: In situations where the accountant has been made aware of clients hoarding large amounts of cash, we advise the accountant that there are several reasons to disengage from this type of client. Historically, a reason for this action by the client relates to the 1929 stock market crash, where the money was forever lost to the client. However, hoarding thousands of dollars is seen as a way of hiding taxable income from the government. In this situation, there are several issues with going forward with this client: 1) when the client informs the policyholder that they have decided to use this money for an investment or to make a high-cost purchase, we cannot expect that they have receipts and can properly account for when and where the money came into their possession; 2) the client’s prior tax returns, for as long as they have been hoarding the cash, are wrong and need to be amended; 3) it is very likely that there will be a tax investigation and possibly a criminal investigation; 4) the CPA will be subpoenaed and will likely be questioned about how they advised the client after learning of the hoarding; and 5) in the investigation, the authorities will be looking at the accountant to determine if, based on the information in their possession, they should have known that the client was hoarding large amounts of cash. Something to remember: in most situations where an accountant is providing assistance to a taxpayer, if there is any way a “bad situation” can be blamed on advice (or lack of advice) provided by the accountant, it will be blamed on the accountant.
– Gerard Mack, Claims Specialist
Q: Has CAMICO seen Employment Practices Liability claims related to accounting professionals being mandated to return to work (post-pandemic)?
A: The biggest issue with return-to-office claims, after COVID-19 restrictions were lifted, involves employees who are permitted to work from home and those who are being called to return to the office. Many professionals (bookkeepers, CPAs, and even executive assistants who bill for their time) have been allowed to continue their remote roles as they are able to work within their role remotely. These employees have desktop phones and laptops, and can perform their job duties via email, phone, or video conference. Allegations have emerged from staff who were hired specifically for in-office roles, such as firms’ administrative staff. Their job description typically includes some sort of client-facing role, such as a receptionist, or duties that include maintaining the office, checking and ordering office supplies, or copying client files. Employees who were allowed to work remotely, either due to COVID-19 or another medical accommodation, have challenged the call to return to the office. When the employee was moved to a temporary remote role, policyholders usually needed to shift the administrative employee’s duties to someone who was present at the office or reduce the administrative employee’s duties. There have been instances in which the remote employee was given the opportunity to learn new skills, such as payroll or bookkeeping, which can be completed remotely. In those instances where the remote administrative employee was unable to learn new skills or performed those skills at an unsatisfactory level, the policyholder has made the decision to terminate the employee due to the lack of work that the administrative employee can complete away from the office. A termination of this nature has led to allegations of discrimination or wrongful termination.
– Katjana Roelz, Claims Specialist
Q: What does CAMICO recommend when a client passes away and there is a new point of contact for the engagement?
A: We recently had a situation where an accountant prepared tax returns and did bookkeeping for the matriarch of a family for many years. Upon her passing, the client’s daughter became the point of contact. The daughter said she was going to engage a new CPA to prepare taxes and was going to take over the bookkeeping duties herself. The policyholder did not confirm the conversation in writing and did nothing further. A couple of years later, the daughter was surprised to find that the tax returns had not been prepared and filed. A claim was brought against the CPA for the penalties that were imposed by the IRS.
An engagement with a client is fundamentally a relationship. As with all relationships, there should be an understanding between the parties as to what they should expect. Many times, people make assumptions about what the other person will do or not do. These assumptions are often different than what the other person expects will happen in the relationship. An engagement letter is the best way to develop an understanding with the client about what they should expect from the accountant and what the accountant expects of them. There may be conversations between the parties about what they expect to happen, but perceptions may differ, and memories will fade. When an accountant uses a well-drafted engagement letter or disengagement letter, both parties know exactly what to expect of the other. If the client were to later make an unwarranted assertion about the relationship, the accountant can refer to the letter to justify his or her action or inaction. This is especially important in the confusion surrounding the death of a client. Engagement letters also enhance the accountant’s professionalism and make it easier for their actions to be defended in any later dispute.
Engagement letter templates can be found in the Engagement Letter Resource Center, located on CAMICO’s Members-Only Site.
– Mark Rooks, Claims Specialist