<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Management Archives - CAMICO</title>
	<atom:link href="https://snoopy.camico.com/blog/category/risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>https://snoopy.camico.com/blog/category/risk-management/</link>
	<description>Insurance for CPAs, by CPA&#039;s</description>
	<lastBuildDate>Tue, 26 Aug 2025 19:16:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>

<image>
	<url>https://snoopy.camico.com/wp-content/uploads/2022/04/camfav-150x150.png</url>
	<title>Risk Management Archives - CAMICO</title>
	<link>https://snoopy.camico.com/blog/category/risk-management/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Be Prepared: The Quality Management Standards Are Coming</title>
		<link>https://snoopy.camico.com/blog/be-prepared-the-quality-management-standards-are-coming/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=be-prepared-the-quality-management-standards-are-coming</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Tue, 26 Aug 2025 19:15:55 +0000</pubDate>
				<category><![CDATA[CPA]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13331</guid>

					<description><![CDATA[<p>By Duncan B. Will, CPA/ABV/CFF, CFE The AICPA’s Statements on Quality Management Standards’ (“SQMS”) December 15, 2025, effective date is fast approaching, and few firms are prepared. Since the SQMS were issued in June 2022, the AICPA has produced a plethora of related content. This article is not intended as a treatise on the SQMS. ... <a title="Be Prepared: The Quality Management Standards Are Coming" class="read-more" href="https://snoopy.camico.com/blog/be-prepared-the-quality-management-standards-are-coming/" aria-label="Read more about Be Prepared: The Quality Management Standards Are Coming">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/be-prepared-the-quality-management-standards-are-coming/">Be Prepared: The Quality Management Standards Are Coming</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13331" class="elementor elementor-13331" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-e15b054 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="e15b054" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-cf8ae6d" data-id="cf8ae6d" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-3f89eb5 elementor-widget elementor-widget-text-editor" data-id="3f89eb5" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p style="text-align: center;">By Duncan B. Will, CPA/ABV/CFF, CFE</p><p>The AICPA’s Statements on Quality Management Standards’ (“SQMS”) <strong>December 15, 2025</strong>, effective date is fast approaching, and few firms are prepared. Since the SQMS were issued in June 2022, the AICPA has produced a plethora of related content. This article is not intended as a treatise on the SQMS. Instead, this article is an extremely brief overview of the SQMS, and shares risk management tips intended to motivate you to make progress on modifying your firm’s system of quality management to be compliant with the SQMS.</p><p><strong>Overview</strong></p><p>The SQMS represent a significant overhaul of the<strong> quality control </strong>framework for CPA firms, shifting from a <strong>rules-based</strong> to a <strong>risk-based quality management</strong> framework. These standards are designed to ensure that firms establish, implement, and maintain effective systems of quality management tailored to their unique circumstances and engagements.</p><p>The items listed and in the image, below, are components of the new SQMS, initially introduced when the International Auditing and Assurance Standards Board rolled out their quality management standards. Three components are elements of the extant quality control standards (“QCS”); three are renamed and expanded/updated elements of the (soon to be replaced) QCS; and the new components are the two COSO components not addressed in the extant QCS.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-f054ef6 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="f054ef6" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-901a610" data-id="901a610" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-a460fe8 elementor-widget elementor-widget-image" data-id="a460fe8" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
															<img fetchpriority="high" decoding="async" width="768" height="352" src="https://snoopy.camico.com/wp-content/uploads/2025/06/QM-photo-768x352.jpg" class="attachment-medium_large size-medium_large wp-image-13337" alt="" srcset="https://snoopy.camico.com/wp-content/uploads/2025/06/QM-photo-768x352.jpg 768w, https://snoopy.camico.com/wp-content/uploads/2025/06/QM-photo-300x138.jpg 300w, https://snoopy.camico.com/wp-content/uploads/2025/06/QM-photo-1024x470.jpg 1024w, https://snoopy.camico.com/wp-content/uploads/2025/06/QM-photo.jpg 1144w" sizes="(max-width: 768px) 100vw, 768px" />															</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-85d55ef elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="85d55ef" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-53eb101" data-id="53eb101" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-43d525e elementor-widget elementor-widget-text-editor" data-id="43d525e" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>You are not required to implement the standards before <strong>December 15, 2025</strong>, but all standards applicable to your firm must be implemented <strong>by that date</strong>. Firms performing services in accordance with Statements on Auditing Standards, Statements on Standards for Accounting and Review Services, or Statements on Standards for Attestation Engagements must design and implement their systems of quality management in compliance with the SQMS and should already have begun this process.</p><p>The initial evaluation of your firm’s designed system of quality management is to be performed during the year ending December 15, 2026, and annually thereafter, to assess whether your system of quality management meets its quality objectives.<sup>1</sup></p><p><strong>Risk Management Tips:</strong></p><p>The clock is ticking, and December 15, 2025, is fast approaching, so although not meant to be all-inclusive, do consider the following risk management tips and best practices:</p><ul><li>Don’t let “perfect be the enemy of good.” If unchecked, this aphorism can create crippling inertia in the development of your quality management process. Understand that a system of quality management is an evolving, iterative, dynamic process. Learn from the process, share information with your team, and use that information to improve your system of quality management.</li><li>Seek your peer reviewer’s guidance with the transition. Your peer reviewer’s familiarity with your quality control system and understanding of the new standards can be instrumental in assisting you with designing your system of quality management. Ask what tools your peer reviewer believes would be beneficial for you. Ideally, you can obtain your peer reviewer’s insight and tips specific to your unique needs.
However, be cautious not to rely too heavily on your peer reviewer (unless you are willing to secure the services of another) as doing so could threaten your peer reviewer’s independence.</li><li>Consider having a senior member of your system of quality management development team lead your firm’s brainstorming sessions and adopt a two-phased approach to brainstorming. During the initial phase, the discussion leader should encourage and reinforce that this phase is exclusively for the generation of ideas, and that there be no evaluation or criticism of ideas raised. Care should be taken to record every suggestion. Only during the second phase should the team evaluate or constructively critique aspects of the initial brainstorming phase. This two-phase approach will encourage team members to offer a greater number of suggestions as well as more-nuanced suggestions, which might otherwise not be captured and considered in the development of your system of quality management.</li><li>Consider supplementing your external resources by collaborating with other practitioners with similar practices.</li><li>Don’t overcomplicate your transition process or try to address every potential risk. Instead, focus on the quality risks that are material, relevant, or of higher risk to your firm; the types of industries, businesses, and organizations you serve; and the services you offer.</li><li>SQMS No.
1 indicates that root cause analyses should be performed by people responsible for the firm’s system of quality management. But to maintain objectivity, you should take care to avoid assigning root cause analyses to individuals who are on the engagements being reviewed.</li></ul><p style="padding-left: 40px;">Root cause analysis can be extremely complicated, but don’t get lost. Keep it as simple as possible. Now may be a good time to reacquaint yourself with or to discover the “Five Whys Technique,” which involves repeatedly asking “why” to identify a problem’s root cause. The technique can help you and your firm evaluate and avoid overlooking the root causes of identified deficiencies in your firm’s system of quality management.</p><ul><li>As with the extant quality control standards, the SQMS require you to document your system of quality management. As before, that documentation may be used by your peer reviewer to assess whether your firm has complied with the standards. If documentation indicates your firm will perform procedures exceeding those required by professional standards, those elevated requirements will be the benchmark used to assess your compliance. So, take care in documenting your firm’s quality objectives, quality risks, your responses to those risks, and ultimately your system of quality management, taking care to identify those responsible and accountable for your system.
</li><li>Keep up to date with quality management standards’ developments and take advantage of resources developed and shared by the AICPA: <a href="https://www.aicpa-cima.com/resources/landing/a-journey-to-quality-management?cid=email:sfmc:da_clec_3780_qm_countdown_cpaletterdailyleaderboard_728_90_keon:qmstandardwebcast:na&amp;utm_medium=email&amp;utm_source=sfmc&amp;utm_campaign=da_clec_3780_qm_countdown_cpaletterdailyleaderboard_728_90_keon&amp;utm_content=qmstandardwebcast&amp;utm_promocode=na&amp;utm_medium=email&amp;utm_source=SFMC_RAVE&amp;utm_campaign=&amp;utm_content=853972&amp;AdditionalEmailAttribute2=&amp;AdditionalEmailAttribute3=&amp;AdditionalEmailAttribute4=&amp;AdditionalEmailAttribute5=">A journey to quality management | Resources | AICPA &amp; CIMA</a></li><li>Firms encountering challenges with the transition should consider seeking external support. Firms may benefit from engaging entities that specialize in offering tailored assistance with the implementation of the quality management standards.</li></ul><p><strong>Contact CAMICO</strong></p><p>CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at <a href="mailto:lp@camico.com">lp@camico.com</a>, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.</p><p><sup>1 Quality objectives — The desired outcomes in relation to the components of the system of quality management to be achieved by the firm.</sup></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Claim Chronicles 126-A</title>
		<link>https://snoopy.camico.com/blog/claim-chronicles-126-a/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claim-chronicles-126-a</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 21:01:17 +0000</pubDate>
				<category><![CDATA[Claims]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13393</guid>

					<description><![CDATA[<p>First-party damages: refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event. Topic: First-Party Cyber Attack CAMICO policyholder Mary Davis had just signed on to her computer one morning when she received an email from a “potential client” named “Tim,” who was ... <a title="Claim Chronicles 126-A" class="read-more" href="https://snoopy.camico.com/blog/claim-chronicles-126-a/" aria-label="Read more about Claim Chronicles 126-A">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/claim-chronicles-126-a/">Claim Chronicles 126-A</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13393" class="elementor elementor-13393" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-e99a117 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="e99a117" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0001c1d" data-id="0001c1d" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-511958c elementor-widget elementor-widget-text-editor" data-id="511958c" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p><strong><em>First-party</em></strong><em> damages: refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event.</em></p><h5>Topic: First-Party Cyber Attack</h5><p>CAMICO policyholder Mary Davis had just signed on to her computer one morning when she received an email from a “potential client” named “Tim,” who was requesting her services. In the email, “Tim” stated that he would pay Mary $7,500 upfront and an additional $300 for processing fees. “The client” asked Mary to invoice him via QuickBooks, and so she did. QuickBooks fronted the $7,800 prior to any verification that there were funds in “Tim’s” account to cover the invoice. Four days later, “Tim” sent another email stating that he included an additional $11,000 because he wanted Mary to purchase computers for his daughters and ship them to him. The next day, Mary noticed a credit to her account for $20,000. Later that evening, she received another email from “Tim” saying that he had changed his mind about the computers and asked her to issue him a refund for $11,000, and so she did. “Tim” (the fraudster) then cancelled the original transaction, causing Mary to lose $11,000 plus the $7,500 that QuickBooks fronted. This is because it turned out that there wasn’t any money in “Tim’s” account to cover the thousands of dollars. Mary contacted the police and her bank to notify them of the fraud, and on the same day she received a notification from Intuit (QuickBooks) that the initial transaction for $20,000 had been charged back. The police came to Mary’s residence and took a report, but the damage was done. Mary was now a victim of fraud through her own business, and the funds were not recovered.</p><h5>Select the answer that is the correct response:</h5><p><span style="color: #ff9900;"><strong>1. What kind of cyber attack occurred in this claim?</strong></span><br />a. Ransomware <br />b. Phishing <br />c.
Password attack</p><p><span style="color: #ff9900;"><strong>2. Was this first-party claim covered by the policyholder&#8217;s coverage with CAMICO?</strong></span><br />a. Yes<br />b. No</p><p><span style="color: #ff9900;"><strong>3. Does CAMICO&#8217;s claims department see more first-party or third-party claims?</strong></span><br />a. First-party claims<br />b. Third-party claims</p><h5>Correct Answers:</h5><p><strong>1. <span style="color: #ff9900;">b.</span></strong> <strong>Phishing</strong> is a variation of spoofing, which occurs when an attacker attempts to obtain personal or financial information from the victim using fraudulent means, most often by impersonating another user or organization.</p><p><strong>2. <span style="color: #ff9900;">b.</span> No.</strong> It was not covered because it was financial loss by the policyholder, which is not included in the CyberCPA endorsement, the Accountants Professional Liability policy, a Business Owner’s Policy (BOP) or theft policy. For a higher level of coverage, such as a stand-alone cyber policy, contact CAMICO for more information at 1.800.652.1772.</p><p><strong>3. <span style="color: #ff9900;">a and b.</span> Both, and this is why:</strong> For every first-party claim that is reported, there is the risk of a third-party claim developing due to stolen information. CAMICO&#8217;s claims department investigates every claim with both first-party and third-party damages in mind. Third-party damages, if discovered, are handled under the Accountants Professional Liability (APL) policy. Therefore, if a first-party claim is reported, a third-party potential claim is also opened to lock in coverage should third-party damages occur. But in most cases, a third-party claim doesn&#8217;t arise because most policyholders become aware of their system being attacked prior to damages being able to occur.
Many policyholders have their own IT team who can shut down the system and start a forensic investigation on what was taken and to notify people as soon as possible.</p><p><em>The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.</em></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Claim Chronicles 126-B</title>
		<link>https://snoopy.camico.com/blog/claim-chronicles-126-b/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claim-chronicles-126-b</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 20:53:03 +0000</pubDate>
				<category><![CDATA[Claims]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13405</guid>

					<description><![CDATA[<p>Third-party damages: refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. Topic: Third-Party Cyber Attack CAMICO policyholders Michael Jones and Tom Smith of Jones &#38; Smith Accounting Services were out of the office during the ... <a title="Claim Chronicles 126-B" class="read-more" href="https://snoopy.camico.com/blog/claim-chronicles-126-b/" aria-label="Read more about Claim Chronicles 126-B">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/claim-chronicles-126-b/">Claim Chronicles 126-B</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13405" class="elementor elementor-13405" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-a3701d2 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="a3701d2" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b049199" data-id="b049199" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-3c12c2e elementor-widget elementor-widget-text-editor" data-id="3c12c2e" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p><strong><em>Third-party </em></strong><em>damages: refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss.</em></p><h5>Topic: Third-Party Cyber Attack</h5><p>CAMICO policyholders Michael Jones and Tom Smith of Jones &amp; Smith Accounting Services were out of the office during the week of May 19-23. On May 20, their office received a call from a fraudster who claimed to work for Wells Fargo. Leslie Johnson, a current employee of the accounting firm, was the individual who answered the call and shared the requested information with the attacker. A day later, the scammer initiated multiple fraudulent transactions. While Jones was traveling back to the office on May 26, he received a call from Matthew Patterson, a client relationship manager with Wells Fargo. Patterson advised that a transaction for $224,528 was requested, along with a $175,000 ACH (Automated Clearing House) electronic payment. Jones explained that they were fraudulent transactions, and both were stopped and deleted. Alarmed by the fraud, Jones called the fraud department later that evening to discuss his concerns. He learned that three transactions for $153,000, $193,000, and $175,000 were moved into a fraudulent account and were deleted and reversed on May 23. Four days later, a lump sum for $525,000 was transferred out of the client’s account into a different fraudulent account; however, the funds were not reversed. Wells Fargo was able to stop three transactions, but not the largest one of $525,000. Fortunately for Jones, some of the money was recovered through Wells Fargo’s cyber carrier (after a forensic investigation was conducted).</p><h5>Select the answer that is the correct response:</h5><p><span style="color: #ff9900;"><strong>1. What was the accounting firm&#8217;s breach/key mistake?</strong></span><br />a.
Not implementing multiple security tools to detect and block cyber threats<br />b. Not installing robust security software and maintaining it with the latest security updates<br />c. Human error; lack of proper training and strict adherence to firm-wide protocols</p><p><span style="color: #ff9900;"><strong>2. Was this third-party claim covered by the policyholder’s coverage with CAMICO?</strong></span><br />a. Yes<br />b. No</p><p><span style="color: #ff9900;"><strong>3. Are most third-party claims covered under a policy with CAMICO?</strong></span> <br />a. Yes<br />b. No</p><h5>Correct Answers:</h5><p><strong>1. <span style="color: #ff9900;">c.</span></strong> Leslie Johnson, an employee at the accounting firm, gave the attacker sensitive information without proper verification and without following company protocol. Firms can and should consider their people as the first line of defense against cyber threats. Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches. Refer to The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures article in this IMPACT for risk management tips on this topic.</p><p><strong>2. <span style="color: #ff9900;">a.</span> Yes.</strong> It was fully covered under the policyholder’s Accountants Professional Liability (APL) policy because they engaged to do a professional service and their office gave the attacker information that resulted in the fraudulent transactions, so the insuring agreement was met. CAMICO’s APL insurance is designed to cover losses by third parties that CAMICO’s policyholder is responsible for due to negligence. This claim is an example of a vishing cyber attack, or voice phishing, where fraudulent phone calls are made to trick individuals into revealing personal information or money.
These scams often involve attackers impersonating trusted entities like banks, government agencies, or tech support to gain the victim&#8217;s trust and exploit them.</p><p><strong>3.<span style="color: #ff9900;"> a.</span> Yes.</strong> As long as a claim fits the insuring agreement and no exclusions apply, most third-party cyber damages that are a result of the professional services that the policyholder engaged to do are covered. How liability is assessed: Was the policyholder liable for allowing the fraudulent activity to occur? What duties did the policyholder owe? What duties did the policyholder breach? What damages were sustained and are those damages a result of the breached duties?</p><p><em>The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.</em></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</title>
		<link>https://snoopy.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Tue, 24 Jun 2025 23:34:08 +0000</pubDate>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[CAMICO]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13245</guid>

					<description><![CDATA[<p>In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered ... <a title="The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures" class="read-more" href="https://snoopy.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/" aria-label="Read more about The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/">The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13245" class="elementor elementor-13245" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-69ce6b7 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="69ce6b7" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0aca252" data-id="0aca252" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-6f2e583 elementor-widget elementor-widget-text-editor" data-id="6f2e583" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cyber criminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.</p><p>Don’t be lulled into a false sense of comfort that your firm (or your clients) are too small or too large to be attacked. CAMICO is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes, and unfortunately, the severity of these cyber crimes and ransomware attacks has grown in recent years.</p><p>Some of the more frequent categories of loss for CPA firms related to cyber claims include:</p><ul><li>Social engineering</li><li>Funds transfer fraud</li><li>Theft of data</li><li>Loss of laptop or data stick</li><li>Unauthorized use of networks</li><li>Failure to protect client confidential information shared with a third-party service provider</li><li>Computer system cloud hack</li><li>Lost profits related to cyber events</li><li>Ransom attacks</li></ul><p>Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust, and ensure your firm’s continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks.
First-party risks are damages and losses you incur from a cyber attack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm’s (or client’s) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.</p><p>As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms’ computers. If they are successful in gaining access to a firm’s information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.</p><p>What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client’s computer system and once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. 
These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyber attacks, and the list goes on.</p><p><strong>Cyber Claims Trends</strong><br />Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches.</p><p>Social engineering, which is the art of exploiting human behavior as a manipulation technique to gain access to confidential information, is one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes, where information in an email attempts to convince a recipient that the email is from a legitimate source and the recipient needs to respond to the request by clicking a link. 
The trend this past tax season as reported in CAMICO’s mid-March 2025 Alert is bogus emails from the “Social Security Administration” or “IRS e-Services.” As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise awareness with staff to <strong>never take these emails at face value</strong> and instead, maintain ongoing vigilance and enhanced skepticism with every email and online interaction.</p><p>Consider the following two scenarios from the CAMICO claims files which unfortunately are becoming all too familiar for CPA firms:</p><p style="padding-left: 40px;"><strong>Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers<br /></strong>A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic “man in the middle” attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. As the hacker had full control of the client’s email account, the hacker was able to respond back to the CPA firm to verify the payments to the hacker’s overseas bank account.<strong><br /></strong></p><p style="padding-left: 40px;">The above scenario, unfortunately, has become a recurring fact pattern, and these fraudulent wire transfer requests frequently cause large dollar losses. If the fraudster is controlling the client’s email and potentially their phone system as well, and the fraudulent request mimics previous legitimate requests, it is often difficult for the firm to identify the request as illegitimate. When fraud is discovered after the transfer, the funds are usually not recoverable. 
Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.</p><p style="padding-left: 40px;">With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm <strong>all</strong> wire transfer requests with the client, and <strong>not</strong> rely on email or voicemail confirmations. Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people’s voices, but also realistic avatars of scam targets so that you can’t trust your ears or your eyes on virtual calls (such as Microsoft Teams). <strong>Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to.</strong> Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in CAMICO’s article <em>Social Engineering Scams/Fraudulent Wire Transfers</em>. Refer to the Cyber/Data Security Resource Center on CAMICO’s <a href="https://member.camico.com/portal/Policyholder-Login">Members-Only Site</a>.</p><p style="padding-left: 40px;"><strong>Scenario #2: Ransomware</strong><br />An employee of a CPA firm opened an unsolicited email attachment from “IRS e-Services” that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.” The employee turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner and the firm promptly took actions in accordance with their Incident Response Plan. 
Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.</p><p style="padding-left: 40px;">Ransomware is one of the most malicious hacker attack vectors and firms of all sizes have become victims. It sneaks into computer systems, encrypts files, and demands a ransom before agreeing to decrypt the files. A major problem is that hackers do not always decrypt files even after the ransom is paid.</p><p style="padding-left: 40px;">Ransom demands have certainly increased in recent years and it is not unusual to see them range from several thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. Therefore, being prepared and taking precautions against cyber risk exposures is essential.</p><p>To gain a greater perspective on how CPA firms are impacted by cyber exposures, refer to the <em>IMPACT 126</em> <em>Claims Chronicles</em> for two additional cyber-related claims.</p><p><strong>Has your firm prepared for a cyber incident?</strong><br />Remember, it is not if you will be attacked, but <em>when</em>.</p><p>The weakest link in most cybersecurity attacks today continues to be the <strong>human element</strong>, so it is important to remember that your firm employees are a vital line of defense. 
Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.</p><p>Although not meant to be all-inclusive, the following additional <strong>basic best practice measures</strong> are extremely important when addressing the <strong>human element</strong> of data security:</p><ol><li><strong>Cybersecurity awareness training:</strong> As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering is to make continuous efforts to raise awareness of the importance of ongoing vigilance and enhanced skepticism of each email and online interaction. Education can come in various forms, both formal and informal. Consider sharing with your team “real-life” examples of the potential scam emails received by members of your firm. Learning of the attempted attacks on their colleagues heightens awareness of the nature and types of scams that pose potential threats.</li></ol><p style="padding-left: 40px;">As part of the firm-wide cybersecurity awareness training, you should also consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan in place) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated when changes are made. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Written Information Security Plan (“WISP” or “ISP”) template. 
The template can be found on the Cyber/Data Security Resource Center on the CAMICO <a href="https://member.camico.com/portal/Policyholder-Login">Members-Only Site</a>.</p><p style="padding-left: 40px;">Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to embracing a motto of continuous education because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.</p><p style="padding-left: 40px;">2. <strong>Use multi-factor authentication.</strong> This can add an extra level of security to prevent an account hack, especially when employees work remotely.</p><p style="padding-left: 40px;">3. <strong>Change and strengthen passwords frequently.</strong> Systems are only as secure as the passwords used to access them.</p><p style="padding-left: 40px;">4. <strong>Ensure all software has the latest security options/patches.</strong> This will help protect against malware, viruses, and hacker attacks.</p><p style="padding-left: 40px;">5. <strong>Require regular data backups.</strong> By encouraging employees to regularly back up their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce for employees working remotely, it remains the best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage remember that ransomware can also compromise cloud services. Any data stored in the cloud should also be periodically backed up to an external hard drive. 
Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.</p><p style="padding-left: 40px;">6. <strong>Maintain strong cyber hygiene.</strong> Reinforce with employees the cyber protocols to be followed when working both in the office as well as remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).</p><p style="padding-left: 40px;">7. <strong>Remind all employees of the importance of powering down computers when not in use.</strong> Computers are not accessible to attacks or intrusions when powered off.</p><p><strong>Choose the Right Cyber Insurance Coverage</strong><br />Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:</p><ul><li>First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event, and</li><li>Third-party, which refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. CAMICO’s professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions, and exclusions.</li></ul><p>It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law, or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. 
Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.</p><p>First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack, or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish either the sequence of events leading up to the breach and/or how the breach occurred.</p><p>Although not meant to be all-inclusive, the table below shows common cyber costs and damage that may be incurred in cyber-related claim situations, classified by first- and/or third-party potential exposures:</p><table><tbody><tr><td width="396"> </td><td width="114"><p style="text-align: left;"><strong>First-Party <span style="text-decoration: underline;">Exposures</span></strong></p></td><td style="text-align: left;" width="114"><p><strong>Third-Party <span style="text-decoration: underline;">Exposures</span></strong></p></td></tr><tr><td width="396">Restoration of the damaged systems, hardware, software and network</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Cost to restore lost data</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Ransom fees to retrieve lost data or reopen systems</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Notification costs</td><td width="114"><strong>X</strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Forensic 
investigation costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Credit monitoring costs</td><td width="114"><strong>X</strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Reprogramming costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Business interruption costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Lost client’s money sent to someone incorrectly due to a cyber event</td><td width="114"><strong> </strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Costs (restoration, fines/fees, etc.) incurred by the third party required due to lost data</td><td width="114"><strong> </strong></td><td width="114"><strong>X</strong></td></tr></tbody></table><p>Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others. Relying on only one type of cyber insurance that may be limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. 
Investing in both first-party and third-party cyber insurance, by contrast, ensures greater protection against today’s growing cyber threats.</p><p>If you have any specific coverage-related questions, please contact your agent or CAMICO at 1.800.652.1772, and ask to speak with your underwriter.</p><p><strong>Additional CAMICO Resources</strong><br />Additional risk management guidance and information on this topic is available on the Members-Only Site — refer to CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at <a href="mailto:lp@camico.com">lp@camico.com</a>, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://snoopy.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/">The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SSARS 27 — A Changing Risk Landscape for Client Advisory Services</title>
		<link>https://snoopy.camico.com/blog/ssars-27-a-changing-risk-landscape-for-client-advisory-services/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ssars-27-a-changing-risk-landscape-for-client-advisory-services</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Tue, 24 Jun 2025 23:22:22 +0000</pubDate>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13302</guid>

					<description><![CDATA[<p>The role of CPA firms who perform “outsourced accounting services” for their clients has greatly expanded over the years into what many today refer to as “client advisory services and/or client accounting services” (“CAS”). With the evolution of CAS, many CPAs have questioned the appropriateness of applying the “preparation standards” (“AR-C 70”) set forth in ... <a title="SSARS 27 — A Changing Risk Landscape for Client Advisory Services" class="read-more" href="https://snoopy.camico.com/blog/ssars-27-a-changing-risk-landscape-for-client-advisory-services/" aria-label="Read more about SSARS 27 — A Changing Risk Landscape for Client Advisory Services">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/ssars-27-a-changing-risk-landscape-for-client-advisory-services/">SSARS 27 — A Changing Risk Landscape for Client Advisory Services</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13302" class="elementor elementor-13302" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-41fc038 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="41fc038" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4d2e2ae" data-id="4d2e2ae" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-e755699 elementor-widget elementor-widget-text-editor" data-id="e755699" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>The role of CPA firms who perform “outsourced accounting services” for their clients has greatly expanded over the years into what many today refer to as “client advisory services and/or client accounting services” (“CAS”). With the evolution of CAS, many CPAs have questioned the appropriateness of applying the “preparation standards” (“AR-C 70”) set forth in the Statements on Standards for Accounting and Review Services (SSARS) for financial statements prepared as part of CAS engagements, when all other client advisory services (including controllership or CFO services) are performed under the consulting standards.</p>
<p>On April 7, 2025, the AICPA’s Accounting and Review Services Committee issued Statement on Standards for Accounting and Review Services No. 27 (“<a href="https://www.aicpa-cima.com/resources/download/aicpa-statement-on-standards-for-accounting-and-review-services-no-27">SSARS 27</a>”), <em>Applicability of AR-C Section 70 to Financial Statements Prepared as Part of a Consulting Services Engagement</em>. The new SSARS amends AR-C section 70, Preparation of Financial Statements, explicitly excluding financial statements prepared as part of a consulting services engagement performed in accordance with CS section 100, Consulting Services, (“CS 100”) from engagements in which AR-C 70 must be applied.</p>
<p>The scope paragraphs of AR-C 70 were amended to clarify that accountants are not required to apply AR-C 70, but application is not precluded when accountants are preparing financial statements or prospective financial information as part of a consulting services engagement performed in accordance with CS 100 when <em>the preparation of financial statements is <span style="text-decoration: underline;">not</span> the primary objective</em> of the engagement.</p>
<p>The SSARS 27 exception to AR-C 70 preparation engagements is effective for the preparation of interim or annual financial statements for periods ending after December 14, 2026. Early implementation is permitted.</p>
<p>For many CPA firms, SSARS 27 is welcome relief, as performing financial statement engagements under the consulting standards may better align with the evolving needs of clients and the CAS being provided. With that said, SSARS 27 does present a changing “risk landscape,” and CAMICO cautions firms not to rush into early adoption without first having appropriate risk-mitigating tools and solutions in place. Firms should seek to establish clear guidelines and a timeline for implementation and not short-change the efforts needed to educate themselves and their clients about the implications of this change, including the fine distinctions of when financial statements may be deemed a mere by-product of the services the firm is rendering versus the primary objective of the services.</p>
<p><strong>Proactive documentation</strong> will be critical in managing the changing risk landscape for those firms who seek to embrace the flexibility afforded by preparing financial statements under the consulting standards. New written understandings with the clients should be executed delineating the revised scope and applicable standards of the services being provided. Firms should also consider the appropriateness of including revised indemnification language in these agreements, especially in situations where they may be perceived as, or in fact performing, management responsibilities as part of the CAS engagement.</p>
<p>In the coming weeks, CAMICO will make available engagement letter templates to assist policyholders who choose to early implement SSARS 27. CAMICO is also developing a risk management FAQ document that highlights common inquiries received from policyholders related to the risk management implications of SSARS 27 to CAS engagements and includes suggested best practices to proactively minimize potential exposures. CAMICO policyholders can access these resources on CAMICO’s <a href="https://member.camico.com/portal/Policyholder-Login">Members-Only Site</a> Accounting and Auditing Resource Center.</p>
<p>CAMICO policyholders with questions regarding this article or other risk management topics should contact the Loss Prevention department at <a href="mailto:lp@camico.com">lp@camico.com</a>, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Conflicts of Interest Still Cause Trouble for CPAs</title>
		<link>https://snoopy.camico.com/blog/conflicts-of-interest-still-cause-trouble-for-cpas/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=conflicts-of-interest-still-cause-trouble-for-cpas</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Tue, 13 May 2025 21:40:17 +0000</pubDate>
				<category><![CDATA[CAMICO]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Conflict of interest]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=9685</guid>

					<description><![CDATA[<p>By Duncan B. Will, CPA/ABV/CFF, CFE Conflicts of interest have long been a major factor in professional liability claims against CPAs. Part of ... <a title="Conflicts of Interest Still Cause Trouble for CPAs" class="read-more" href="https://snoopy.camico.com/blog/conflicts-of-interest-still-cause-trouble-for-cpas/" aria-label="Read more about Conflicts of Interest Still Cause Trouble for CPAs">Read more</a></p>
<p>The post <a href="https://snoopy.camico.com/blog/conflicts-of-interest-still-cause-trouble-for-cpas/">Conflicts of Interest Still Cause Trouble for CPAs</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="9685" class="elementor elementor-9685" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-95c5257 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="95c5257" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-37c49ec" data-id="37c49ec" data-element_type="column">
			<div class="elementor-widget-wrap">
							</div>
		</div>
					</div>
		</section>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-e2ca313 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="e2ca313" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5e5230c" data-id="5e5230c" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-5d0ff68 elementor-widget elementor-widget-text-editor" data-id="5d0ff68" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p><span style="color: var(--contrast);"><em>By Duncan B. Will, CPA/ABV/CFF, CFE</em></span></p>
<p>Conflicts of interest have long been a major factor in professional liability claims against CPAs. Part of the problem is that potential conflicts of interest are hard to recognize or identify until something goes wrong. When clients are satisfied, they tend to perceive the CPA as a competent advisor who has their best interests at heart. It’s not until clients become disappointed that their perception of the CPA begins to change. The CPA appears to no longer be prioritizing the client’s best interests. Sometimes the CPA may even appear to have sacrificed the client’s best interests to benefit the CPA or another party to the client’s detriment.</p>
<p>One common claim scenario is that of the CPA advising both parties to a transaction, or helping the parties resolve a dispute. For example, the CPA will sometimes agree to represent both the husband and the wife in a divorce when they are still friendly and cooperative. Many times though, the couple&#8217;s relationship will deteriorate, leaving the CPA stuck in the middle and caught in the crossfire. </p>
<p>The same is true for dissolutions or disputes between business partners. Disputes between partners or owners often result in the CPA’s advice becoming perceived by one of them as favoring the other.</p>
<p>Participating in business deals or investments with clients is another common scenario where everyone is happy while the investment performs well. But as soon as it takes a downturn or falls apart, the client’s perception of the CPA erodes.</p>
<p>These scenarios are riskiest when issues develop slowly, and the CPA is slow to recognize the slippery slope they are traversing by continuing to serve the parties’ conflicting interests.</p>
<h5><strong>Case Study</strong></h5>
<p>Consider the following case study (the names have been changed):</p>
<p>For decades, Paul Noble, the founder and managing partner of his CPA firm, had served as a trusted financial advisor to his clients. Like many CPAs, he also had his own personal financial advisor—stockbroker Rich Arrington. Noble frequently shared advice he received from Arrington with his firm’s clients and partners.</p>
<p>Chad Pennyworth, a junior broker at Arrington’s brokerage house, worked with some of Noble’s clients and took on many of Arrington’s accounts when Arrington retired. Noble trusted Arrington’s judgment in Pennyworth’s training and development. Though Noble did not refer any of his clients or acquaintances to Pennyworth, he did inform several of them that he had elected to work with him. Because of Noble’s reputation, many of his clients chose to engage Pennyworth as their own broker when they learned of Noble’s faith in Pennyworth.</p>
<p>Almost immediately after Arrington left, Pennyworth sold Noble some bonds, based on incorrect information that misidentified the bonds’ guarantor as the state, when the bonds were instead guaranteed by a financially challenged local school district.</p>
<p>Pennyworth acknowledged the mistake to Noble, and the brokerage firm agreed to repurchase the bonds from Noble’s portfolio, subject to a nondisclosure agreement, which Noble signed. Noble was pleased when a safer alternative was substituted for the bond investment a couple of weeks later.</p>
<p>Two years later, though, Noble was troubled when he read of the financial disaster that was all over the news: the local school district’s failure and the worthlessness of the bonds the district had guaranteed. Pension funds and investors, including some of his clients, were hurt badly by the losses. Noble felt sorry for the investors but was relieved he had avoided a similar fate.</p>
<p>His relief turned to dismay, as some of his clients called to discuss the impact of the losses they sustained and their intentions to sue Pennyworth and the brokerage house.</p>
<p>Noble’s hands had been tied because of the nondisclosure agreement. He had not warned his clients of the elevated risk of the bond investment, and his clients were now surprised to learn that he was not “in the soup” with them.</p>
<p>During the class action lawsuit that followed against Pennyworth and the brokerage house, Noble’s initial investment, the reversal of that transaction, and the nondisclosure agreement became public knowledge. Noble’s reputation was ruined. He was now seen as a greedy, self-interested collaborator. Ultimately, Noble and his firm were added to the list of defendants in the class action lawsuit. His former clients alleged that Noble and his firm had a duty to disclose the concerns regarding their investment, had ignored the apparent conflict of interest, and had prioritized their own interests over those of their clients.</p>
<h5><strong>Loss Prevention Tips</strong></h5>
<p><strong>Recognize and communicate potential conflicts of interest.</strong> Project the scenario forward to anticipate what would happen if things were to go wrong. Juries tend to sympathize with clients — especially with the benefit of hindsight and the evidence laid out by a skilled attorney.</p>
<p><strong>Embrace “active ethics.”</strong> The CPA should recognize that his or her own personal interests can be adverse to client interests and should not agree to sign nondisclosure agreements without first protecting vulnerable clients. Moreover, disclosing a conflict of interest, while helpful, does not resolve the problem, even if clients acknowledge and sign the CPA’s disclosure regarding the potential conflict of interest. Clients could later argue that their consent was not “informed” by a third party (such as an attorney). Do not get too comfortable with disclosure as a form of protection. In the end, the issue will be whether there is a perception that the CPA’s loyalty to his or her clients waned.</p>
<p><strong>Recognize that there are risks associated with providing referrals.</strong> Clients often link the CPA who gives a referral to the professional who ultimately performs the services. In instances where it may be perceived that a CPA is offering a referral, the CPA should be careful to name three or more qualified candidates to perform the service and encourage the client to perform their own due diligence in assessing the suitability of the professionals’ qualifications.</p>
<p><em>Duncan Will is a Loss Prevention Director and Accounting and Auditing Specialist with CAMICO. He advises policyholders through the CAMICO Loss Prevention hotline and speaks to CPA groups on a wide range of topics.</em></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://snoopy.camico.com/blog/conflicts-of-interest-still-cause-trouble-for-cpas/">Conflicts of Interest Still Cause Trouble for CPAs</a> appeared first on <a href="https://snoopy.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
