Accounting Archives - CAMICO

Post-Tax Season Tips for Managing Risk

Amber — Tue, 24 Jun 2025 23:34:53 +0000

With more than 60% of CAMICO’s claims originating from tax-related matters, addressing and managing the risk stress points associated with problematic tax clients can significantly improve a firm’s risk profile. There is no better time than now, before the final phase of tax season, to take proactive steps to better position your firm to ensure you are maintaining the right overall firm/client fit.

The first step is to prioritize performing the “right services” for the “right clients.” Evaluate your client list and consider disengaging clients that do not meet the right firm/client fit threshold — ideally after they have paid their bills.

Some questions to consider as you look to identify and mitigate client scenarios that may pose higher risk to the firm:

1. Is the client still a “good fit”?
Although not meant to be all-inclusive, common red flags include:

Difficult or uncooperative behavior (e.g., withholding critical information, argumentative and/or disrespectful to firm members)
Deteriorating client relationship (e.g., not taking your advice, being non-responsive, and/or acting in a way that suggests compromised integrity)
Constantly questioning your value (e.g., allegations that your fees are too high, or others could do it cheaper, and/or insinuating that the work should be “easy” thus your fee should be less)
Changes in client business and/or client management
Potential conflicts of interest

Trying to uncover the source of the problem could be beneficial, but whatever you do, don’t ignore the above warning signs.

2. Is the engagement a “good fit” for the firm’s expertise?
It is important to recognize, embrace and maintain your competencies. If clients seek your help with transactions and/or activities outside your comfort zone or skillset, you will be better served suggesting they seek the advice and counsel of professionals with expertise in those areas.

In CAMICO’s experience, firms who don’t “stay in their lane” and choose to dabble outside their comfort zone have a much higher risk of having a claim. Learning the art of saying “NO” to clients is an important, but often overlooked, risk mitigation tool.

3. Are you taking the right steps to manage (and document) client expectations?
Good written documentation habits are critical to successfully managing client expectations, but extra diligence should be given to documentation when dealing with potentially problematic clients. Jurors (members of the public) generally consider CPAs to be experts in documentation, and falling short of that expectation may be viewed as negligent and perceived as falling below the standard of care.

Below are important situations requiring documentation to help mitigate the risk of client expectation gaps:

Change in engagement scope (may require a new engagement letter)
Negative information (e.g., tax return is already late, client’s failure to provide timely information, client is facing an audit)
Client agreement to take significant action
Communications regarding past-due invoices
Conversations regarding significant transactions, extensions, or estimated tax payments
High-risk scenarios that may require informed consent, waiver of potential conflict, and/or client representation of key facts and circumstances

Contact CAMICO or Your Risk Advisor

If the above assessment identifies client scenarios that you deem may pose risk to the firm and/or clients that are no longer a good fit for the firm, contact CAMICO or your risk advisor to help you assess the next steps. For example, if disengagement is deemed appropriate, skillfully handled transitions can be mutually beneficial to firms and clients.

In addition, CAMICO encourages early reporting by reducing the deductible by 50%, up to $50,000, for any potential claim that is reported before a claim is made. Further, if CAMICO determines that it is appropriate to retain counsel to assist with a potential claim, the related expenses preceding a claim will be absorbed by CAMICO and will not impact policy limits or be charged to the deductible.

CAMICO policyholders with questions regarding this article or other risk management topics should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 1.800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post Post-Tax Season Tips for Managing Risk appeared first on CAMICO.

The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures

Amber — Tue, 24 Jun 2025 23:34:08 +0000

In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cyber criminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.

Don’t be lulled into a false sense of comfort that your firm (or your clients) are too small or too large to be attacked. CAMICO is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes and unfortunately, the severity of these cyber crimes and ransomware attacks have grown in recent years.

Some of the more frequent categories of loss for CPA firms related to cyber claims include:

Social engineering
Funds transfer fraud
Theft of data
Loss of laptop or data stick
Unauthorized use of networks
Failure to protect client confidential information shared with a third-party service provider
Computer system cloud hack
Lost profits related to cyber events
Ransom attacks

Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust, and ensure your firm’s continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks. First-party risks are damages and losses you incur from a cyber attack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm’s (or client’s) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.

As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms’ computers. If they are successful in gaining access to a firm’s information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.

What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client’s computer system and once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyber attacks, and the list goes on.

Cyber Claims Trends
Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches.

Social engineering, which is the art of exploiting human behavior as a manipulation technique to gain access to confidential information, is one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes, where information in an email attempts to convince a recipient that the email is from a legitimate source and the recipient needs to respond to the request by clicking a link. The trend this past tax season as reported in CAMICO’s mid-March 2025 Alert is bogus emails from the “Social Security Administration” or “IRS e-Services.” As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise awareness with staff to never take these emails at face value and instead, maintain ongoing vigilance and enhanced skepticism with every email and online interaction.

Consider the following two scenarios from the CAMICO claims files which unfortunately are becoming all too familiar for CPA firms:

Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers
A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic “man in the middle” attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. As the hacker had full control of the client’s email account, the hacker was able to respond back to the CPA firm to verify the payments to the hacker’s overseas bank account.

The above scenario, unfortunately, has become a recurring fact pattern, and these fraudulent wire transfer requests frequently cause large dollar losses. If the fraudster is controlling the client’s email and potentially their phone system as well, and the fraudulent request mimics previous legitimate requests, it is often difficult for the firm to identify the request as illegitimate. When fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.

With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm all wire transfer requests with the client, and not rely on email or voicemail confirmations. Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people’s voices, but also realistic avatars of scam targets so that you can’t trust your ears or your eyes on virtual calls (Microsoft Teams). Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to. Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in CAMCO’s article Social Engineering Scams/Fraudulent Wire Transfers. Refer to the Cyber/Data Security Resource Center on CAMICO’s Members-Only Site.

Scenario #2: Ransomware
An employee of a CPA firm opened an unsolicited email attachment from “IRS e-Services” that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.” The employee turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner and the firm promptly took actions in accordance with their Incident Response Plan. Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.

Ransomware is one of the most malicious hacker attack vectors and firms of all sizes have become victims. It sneaks into computer systems, encrypts files, and demands a ransom before agreeing to decrypt the files. A major problem is that hackers do not always decrypt files even after the ransom is paid.

Ransom demands have certainly increased in recent years and it is not unusual to see them range from several thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. Therefore, being prepared and taking precautions against cyber risk exposures is essential.

To gain a greater perspective on how CPA firms are impacted by cyber exposures, refer to the IMPACT 126 Claims Chronicles for two additional cyber-related claims.

Has your firm prepared for a cyber incident?
Remember, it is not if you will be attacked, but when.

The weakest link in most cybersecurity attacks today continues to be the human element, so it is important to remember that your firm employees are a vital line of defense. Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.

Although not meant to be all-inclusive, the following additional basic best practice measures are extremely important when addressing the human element of data security:

Cybersecurity awareness training: As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering is to make continuous efforts to raise awareness of the importance of ongoing vigilance and enhanced skepticism of each email and online interaction. Education can come in various forms, both formal and informal. Consider sharing with your team “real-life” examples of the potential scam emails received by members of your firm. Learning of the attempted attacks on their colleagues heightens awareness of the nature and types of scams that pose potential threats.

As part of the firm-wide cybersecurity awareness training, you should also consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan in place) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated when changes are made. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Written Information Security Plan (“WISP” or “ISP”) template. The template can be found on the Cyber/Data Security Resource Center on the CAMICO Members-Only Site.

Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to embracing a motto of continuous education because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.

2. Use multi-factor authentication. This can add an extra level of security to prevent an account hack, especially when employees work remotely.

3. Change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them.

4. Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.

5. Require regular data backups. By encouraging employees to regularly back up their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce for employees working remotely, it remains the best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage remember that ransomware can also compromise cloud services. Any data stored in the cloud should also be periodically backed up to an external hard drive. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.

6. Maintain strong cyber hygiene. Reinforce with employees the cyber protocols to be followed when working both in the office as well as remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).

7. Remind all employees of the importance of powering down computers when not in use. Computers are not accessible to attacks or intrusions when powered off.

Choose the Right Cyber Insurance Coverage
Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:

First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event, and
Third-party, which refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. CAMICO’s professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions, and exclusions.

It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law, or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.

First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack, or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish either the sequence of events leading up to the breach and/or how the breach occurred.

Although not meant to be all-inclusive, the table below shows common cyber costs and damage that may be incurred in cyber-related claim situations, classified by first- and/or third-party potential exposures:

	First-Party Exposures	Third-Party Exposures
Restoration of the damaged systems, hardware, software and network	X
Cost to restore lost data	X
Ransom fees to retrieve lost data or reopen systems	X
Notification costs	X	X
Forensic investigation costs	X
Credit monitoring costs	X	X
Reprogramming costs	X
Business interruption costs	X
Lost client’s money sent to someone incorrectly due to a cyber event		X
Costs (restoration, fines/fees, etc.) incurred by the third party required due to lost data		X

Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others. Relying on only one type of cyber insurance that may be limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. Whereas investing in both first-party and third-party cyber insurance ensures greater protection against today’s growing cyber threats.

If you have any specific coverage-related questions, please contact your agent or CAMICO at 1.800.652.1772, and ask to speak with your underwriter.

Additional CAMICO Resources
Additional risk management guidance and information on this topic is available on the Members-Only Site — refer to CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures appeared first on CAMICO.

SSARS 27 — A Changing Risk Landscape for Client Advisory Services

Amber — Tue, 24 Jun 2025 23:22:22 +0000

The role of CPA firms who perform “outsourced accounting services” for their clients has greatly expanded over the years into what many today refer to as “client advisory services and/or client accounting services” (“CAS”). With the evolution of CAS, many CPAs have questioned the appropriateness of applying the “preparation standards” (“AR-C 70”) set forth in the Statements on Standards for Accounting and Review Services (SSARS) for financial statements prepared as part of CAS engagements, when all other client advisory services (including controllership or CFO services) are performed under the consulting standards.

On April 7, 2025, the AICPA’s Accounting and Review Services Committee issued Statement on Standards for Accounting and Review Services No. 27 (“SSARS 27”), Applicability of AR-C Section 70 to Financial Statements Prepared as Part of a Consulting Services Engagement. The new SSARS amends AR-C section 70, Preparation of Financial Statements, explicitly excluding financial statements prepared as part of a consulting services engagement performed in accordance with CS section 100, Consulting Services, (“CS 100”) from engagements in which AR-C 70 must be applied.

The scope paragraphs of AR-C 70 were amended to clarify that accountants are not required to apply AR-C 70, but application is not precluded when accountants are preparing financial statements or prospective financial information as part of a consulting services engagement performed in accordance with CS 100 when the preparation of financial statements is not the primary objective of the engagement.

The SSARS 27 exception to AR-C 70 preparation engagements is effective for the preparation of interim or annual financial statements for periods ending after December 14, 2026. Early implementation is permitted.

For many CPA firms, SSARS 27 is welcome relief, as performing financial statement engagements under the consulting standards may better align with the evolving needs of clients and the CAS being provided. With that said, SSARS 27, does present a changing “risk landscape” and CAMICO cautions firms not to rush into early adoption without first having appropriate risk mitigating tools and solutions in place. Firms should seek to establish clear guidelines and a timeline for implementation and not short-change the efforts needed to educate themselves and their clients about the implications of this change, including the fine distinctions of when financial statements may be deemed a mere by-product of the services the firm is rendering versus the primary objective of the services.

Proactive documentation will be critical in managing the changing risk landscape for those firms who seek to embrace the flexibility afforded by preparing financial statements under the consulting standards. New written understandings with the clients should be executed delineating the revised scope and applicable standards of the services being provided. Firms should also consider the appropriateness of including revised indemnification language in these agreements, especially in situations where they may be perceived as, or in fact performing, management responsibilities as part of the CAS engagement.

In the coming weeks, CAMICO will make available engagement letter templates to assist policyholders who choose to early implement SSARS 27. CAMICO is also developing a risk management FAQ document to highlight common inquiries received from policyholders related to the risk management implications of SSARS 27 to CAS engagements and includes suggested best practices to proactively minimize potential exposures. CAMICO policyholders can access these resources on CAMICO’s Members-Only Site Accounting and Auditing Resource Center.

CAMICO policyholders with questions regarding this article or other risk management topics should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post SSARS 27 — A Changing Risk Landscape for Client Advisory Services appeared first on CAMICO.

How to Respond to Subpoenas

ssAdmin — Tue, 10 Jun 2025 21:13:45 +0000

CPA firms are often uncertain about whether or how to respond to a subpoena, as they also need to comply with a number of rules and regulations that are intended to protect client confidentiality. The following Q&A focuses on understanding the nature of subpoenas and how CPA firms can minimize their professional liability exposures when responding to them.

What is a subpoena?

A subpoena is usually a formal request for documents and/or appearance, typically requested by an attorney in the course of litigation, or by a government agency in the course of a criminal or civil investigation.

What should CPAs do when they receive a subpoena?

CPAs in receipt of a subpoena should consider the information in their client files, along with any recent communications with the client or any parties involved, and then contact the CPA’s professional liability risk adviser or attorney before responding to the subpoena. In evaluating the appropriate course of action for CPAs to take, their adviser may consider the following information:

What is the underlying litigation about? Does the CPA have direct or other knowledge about what the issues are in the litigation?
What is the subpoena asking the CPA to do? Is it requesting that the CPA provide testimony, documents or both? Does the subpoena excuse the CPA from testifying if the CPA provides the documents in advance?
Is the CPA in possession of the information listed? The CPA should review the subpoena and consider whether the firm is in possession of the information. If the information is confidential, such as tax documents, it may be subject to claims of privilege by the client and/or an accountant-client privilege.
Does the subpoena provide a deadline for complying? If the deadline is quickly approaching, or if the subpoenaing party did not provide sufficient time to comply, has the CPA received any communications to suggest the opposing party will grant an extension of time?
What communications has the CPA had with the client? Has the CPA had any contact with the client, the attorneys on the case or the governmental agency? Does that contact suggest whether the CPA is a target or merely a person in possession of information? Is the client taking specific measures to formally object to the subpoena?

Why is the CPA receiving a subpoena?

Typically, an attorney or other party will issue a subpoena because he or she believes that the CPA is in possession of information and documents that will establish facts that are relevant to the underlying case. However, sometimes a subpoena may indicate that the CPA is a target in the underlying case by seeking information that could implicate the CPA as possibly liable for the matter being investigated or litigated.

Is the CPA required to comply with a subpoena? Is a subpoena a court order?

If the CPA has received an order signed by a judge, or a subpoena from a government agency, in most cases the CPA must comply. Government subpoenas generally require compliance, even without client consent or a court order.

However, most subpoenas are preprinted forms that attorneys or other parties fill out to request information. In these cases, accountants are bound by a number of rules and regulations that are intended to protect clients, including Internal Revenue Code section 7216. Under most circumstances, these rules and regulations prohibit the accountant from complying with the subpoena, unless the accountant has undertaken specific measures to protect client confidentiality, including obtaining the client’s consent.

Again, CPAs should contact their risk adviser regarding all subpoenas to evaluate the underlying litigation and the obligation to comply.

Should the CPA report a subpoena to the CPA’s professional liability agent or carrier?

Yes. Regardless of how much or how little information a CPA may have pertaining to the client or former client, it is always important to promptly report the matter.

CAMICO offers policyholders with Professional Liability Insurance comprehensive subpoena and consultation services. These services are designed to assist CPAs in reducing the risk of claims or future litigation. Regarding subpoena expenses that are not related to a reported claim, CAMICO will provide counsel to policyholders to assist in responding to a subpoena seeking documents or testimony. This coverage is treated as a potential claim and offers policyholders a 50% deductible reduction (up to 50K) and locks in coverage during the policy period.

The post How to Respond to Subpoenas appeared first on CAMICO.

The Dos and Don’ts of Disengaging

ssAdmin — Fri, 18 Apr 2025 17:00:10 +0000

By Duncan B. Will, CPA/ABV/CFF, CFE

Whether due to the “great resignation,” the “great reassessment,” or the “baby boomer departure,” the CPA profession is experiencing a diminishing workforce while facing “standards overload,” handling a variety of relief programs, coping with innumerable IRS issues, and dealing with the constant stress of limited resources and elevated client demands.

What can you do?

If you are like many CPAs, you are reflecting on the busy season you just traversed. You are reassessing your quality-of-life chart and have identified issues or clients you wish were no longer accompanying you.

Don’t let the passage of time curb this planning. Yes, now is the time to explore disengagement.

Too many CPAs prioritize the “client acceptance” process and don’t equally follow the important “continuance” component of the client acceptance and continuance process.

Undesirable individuals aren’t the only reason to terminate clients. You should also consider disengaging when:

Clients fail to pay or are slow to pay.
Relationships deteriorate or you no longer possess the competence or capacity to perform the services sought.
The risks outweigh rewards or when there is a conflict of interest.
Your independence (on attest services) is threatened or impaired.

Once you realize the client relationship should end, take a moment to do it right. Disengage in writing, but only after you have laid the groundwork.

Start with verbal communication

Don’t surprise clients you terminate with a letter informing them of your decision. Get personal and talk to them. Recognize that it may be painful and difficult, but the good-natured touch will typically smooth the transition.

Explain your reasoning, listen, and be empathetic.

You do excellent work, you have been a constant in their lives, and the change will likely not be welcomed as they won’t want to lose you. So, expect an emotional appeal. Know it is coming and stick to your guns.

Disengage in writing

Shortly after your disengagement conversation, memorialize your conversation with a “tweaked version” of the hybrid disengagement letter you crafted — in collaboration with a CAMICO Loss Prevention Specialist — using language harvested from illustrative disengagement letters. Yes, you’ve already had the difficult discussion, but your job is not complete until you finish the paperwork. It’s best to expeditiously communicate your decision, but you need defensive documentation of your client receiving your disengagement communique.

Email can be the solution if your client promptly replies to your email. A client’s email response acknowledging receipt eliminates the need to obtain proof of delivery from a delivery service. Use your understanding of the client to best gauge how to obtain that defensive documentation. While email is the fastest alternative, clients may find email too informal and not reply. If not, send a disengagement notification to your client via a mechanism that provides a return receipt or other proof of delivery. Certified mail has historically been the preferred mechanism, but some parties (expecting news they don’t wish to accept) decline to sign an acknowledging receipt. If you opt to send the communique via email, and your client does not reply via email, follow up with a mechanism that provides proof of delivery.

Include your last date of service

Don’t be ambiguous. State the last date of service. Nine times out of 10 it is best to disengage and have no further client expectations. Ideally, you collect on the last item you agreed to deliver and promptly disengage. Often, you are peppered with requests, your client is slow to pay, and you must disengage with work in process or on the horizon. So, state that the most recent deliverable was your last or the penultimate.

Work status/pending due dates

You will want to “exit stage left,” but will be dragged back in if you don’t take the time to state the status of services you were performing and detail the due dates of items on the horizon, regardless of whether you had formally been engaged to perform those services.

Why? Because if you don’t and your client or your successor makes a mistake, you may be blamed for their oversight. Smoothing the transition reduces the likelihood of ruffled feathers that might result in allegations you were negligent.

Account balance status

Outstanding invoices and work in progress are commonplace when accountants disengage. Collecting these fees may prove problematic, but detail amounts they owed you in your disengagement letter, attach copies of the invoices, and state “your prompt payment will be appreciated” to significantly increase the likelihood you get paid. Pointing out the amounts owed also provides psychological leverage against clients’ unreasonable demands and expectations.

Encourage retaining a new CPA ASAP

Be sure to encourage clients you terminate to secure the services of another qualified professional. Doing so is great advice, an act of courtesy, and an excellent defensive measure. The sooner former clients establish a relationship with your successor, the greater the likelihood that clients’ ill will dissipates, and their accounting and other professional needs are timely met.

Occasionally, CPAs are tempted to provide those terminated with someone to consider as their successor. Do not. Instead, when wishing to offer referrals, offer at least two names and encourage former clients to perform their own due diligence. Suggesting one and only one person exposes you to liability should the former client later allege your successor didn’t meet the standard of care.

Cooperation with successor

The sooner and smoother the transition to your successor, the better it is for you and your former client. As such, it’s typically best to make an offer in your disengagement letter to “cooperate as necessary” with your successor.

Your offer to cooperate doesn’t indicate you will bend over backwards or donate your time. Rather, your cooperation will be contingent on factors that need not (and should not) be specified in your disengagement letter.

If your transition assistance is sought, first obtain written authorization from your client to speak openly and share information with the specified professional(s). Second, secure the successor(s)’ signed agreement to the terms of your cooperation (the CAMICO Members-Only Site offers illustrative versions based upon the nature of the services provided), and lastly, consider leveraging your cooperation pending payment of your outstanding fees and possibly a retainer to cover the anticipated cost of your cooperation. However, keep in mind that the AICPA prohibits its members from withholding client-provided records,¹and your state board of accountancy may prohibit withholding records, even though fees are owed for work you have performed.

Disposition of all client records

CPAs are often tempted to enclose client records in the same envelope they send their disengagement letter. Do not. Clients have been known to allege they did not receive the CPA’s disengagement letter. Problems compound if client records are lost.

Instead, ask the client when you converse (or in the disengagement letter) how they wish for you to provide them with the records they desire. And just to be safe, retain copies for your records of any records returned.

Consider sending your letter to multiple parties

If concerned that certain owners or those charged with governance will not hear of your disengagement or your reasons for disengaging, consider the “noisy disengagement” option. Noisy disengagement letters are identical to traditional disengagement letters but are addressed to the parties you are concerned might not promptly learn of your disengagement or your reasoning. Be cognizant of the AICPA’s Confidential Client Information Rule²which prohibits accountants in public practice from disclosing confidential client information without client consent. Sharing the disengagement letter with owners and those charged with governance typically would not violate the Rule but be careful not to inadvertently violate it when wishing to alert others you terminated the relationship.

Be professional, not emotional

It can be cathartic to colorfully detail your reasons for disengaging but be mindful that your openness can have consequences. Experience has shown that letting clients down easy typically results in the quickest and least eventful parting of ways. Having a right to do something doesn’t make it the right thing to do.

CAMICO encourages policyholders to craft their letters using one of the illustrative letters available on the Members-Only Site as a foundation and to share Microsoft Word versions of their hybrid letters with CAMICO. CAMICO Loss Prevention Specialists have helped draft tens of thousands of disengagement letters. Specialists provide policyholders feedback by using the software’s Track Changes feature. Policyholders should use their professional judgment, understanding of their clients, and personal writing style when deciding whether to accept or reject specialists’ suggestions.

Duncan B. Will, CPA/ ABV/ CFF, CFE, is a loss prevention manager and accounting and auditing specialist with CAMICO. He can be reached at dwill@camico.com.

________________________________________

ET 1.400.200, Record Requests

ET 1.700.001

The post The Dos and Don’ts of Disengaging appeared first on CAMICO.

CAMICO Tip: Best Practices to Prevent Wire Transfer Fraud

Amber — Thu, 20 Mar 2025 01:22:07 +0000

Q: My client has asked our firm to initiate wire transfers. What risks are associated with agreeing to initiate wire transfers and what protocols should our firm consider?

A: CPA firms continue to be at high risk of social engineering attempts due to the type of information firms gather and store. If the firm and/or a client’s email is hacked, a wire transfer request could come from a fraudster/hacker. As fraudulent wire transfers frequently cause large dollar losses, firms need to be hypervigilant in their efforts to protect the firm and clients against wire transfer fraud.

If the fraudster controls the client’s and the firm’s email, commonly referred to as a “man in the middle” attack, the fraudulent request may mimic previous legitimate requests, which can make it very difficult for a firm to identify the request as illegitimate. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are often not helpful in preventing fraudulent transfers, as laws tend to limit their risk exposure and enable them to deny responsibility.

Given the increasingly sophisticated phishing and spoofing scams, CAMICO strongly encourages firms to have written protocols in place with clients who need such services that outline the protocols to be followed when executing wire transfer requests. Certainly, best practice would be to verbally verify the authenticity of all wire transfer requests that are received by the firm via email correspondence, but for those clients who may wish to limit the requirement for your firm to verbally verify each wire transfer, the client should specify in writing those limits (e.g., by dollar threshold, business purpose, etc.) as well as acknowledge their responsibility for the added risks associated with this limited verbal verification process. We recommend including as part of the verification process specific questions to which only your client would know the answer.

The post CAMICO Tip: Best Practices to Prevent Wire Transfer Fraud appeared first on CAMICO.