Risk mitigation best practices

By Roby B. Sawyers, CPA, Ph.D.

Editor: Stephen P. Valenti, CPA

According to Rebecca Toffolon, assistant vice president at CNA, the endorsed underwriter for the AICPA Professional Liability Insurance Program, "claims related to tax services are not necessarily the largest type of malpractice claims from a dollar perspective, but they typically are the most frequent source of claims. Indeed, approximately 66% of claims asserted against CPAs in the program in 2020 related to tax services. The most commonly asserted causes of loss were improper tax treatment or advice and untimely filing."

Of course, other risks in addition to being sued for malpractice include loss of a CPA license or other credentials, sanctions by the IRS Office of Professional Responsibility (OPR) or state accountancy board, loss of clients, and loss of reputation.

Best practices to reduce the likelihood of claims as well as other risks in a tax practice include using engagement letters, judiciously selecting new clients and retaining current clients, avoiding informal advice, carefully considering the form of advice, exercising care in making recommendations and referrals, and, of course, having robust data privacy and security plans.

Engagement letters

In professional liability cases, the first line of defense is a well-written engagement letter. In addition to reducing the number of claims, the use of engagement letters is also associated with reducing the size of claims. An engagement letter can be an enforceable contract, so careful wording is important. If you draft your own, a best practice is to have an attorney review it. Malpractice insurance carriers are likely to offer sample engagement letters for individuals, different types of business clients, trusts, and so on. The AICPA Tax Section works with CNA to provide sample engagement letters for tax services to AICPA Tax Section members. The AICPA Tax Practice Responsibilities Committee provides input on the letters from a practitioner's perspective. A more detailed discussion of the importance of engagement letters for small firms can be found in Sawyers, "The Importance of Engagement Letters for Small Firms," 48 The Tax Adviser 764 (November 2018).

Engagement letters should be used to limit the scope of services by specifying the returns and other services for which the firm is responsible and, just as important, services for which the firm is not responsible. Separate letters should be used for business engagements and individual engagements as well as for adult children of clients and should specifically include or exclude filing responsibilities for minor children.

To avoid misunderstandings, engagement letters should list the state and local income tax returns to be prepared and whether the engagement includes other, non-income-based taxes (excise, franchise, sales and use tax, etc.) that may be due. Letters should specifically list which state returns and form numbers are included in an engagement rather than just say "all required state returns." Likewise, an engagement letter should specify responsibility for determining filing requirements for non-U.S. returns and, unless specifically agreed to, state that foreign filing obligations are not within the scope of the engagement. Specifically mentioning other services that are not included can be an effective way to limit misunderstandings and subsequent claims, particularly if such services have been provided to a client as part of a previous engagement.

With respect to limiting claims, a well-drafted terms-and-conditions addendum to an engagement letter can help to clarify additional responsibilities of the client, such as classification of workers and related payroll tax and withholding requirements, as well as billing and payment terms (helping to limit misunderstandings about fees). In addition, the document should typically contain language regarding data storage and data transfer practices and limiting firm responsibility for data breaches and hacks (as long as reasonable security provisions are in place). Unless prohibited by state laws or regulatory bodies, this document may also include language limiting liability for claims from third parties and overall liability for claims to fees paid in the engagement, or more commonly, some multiple of those fees. Finally, if allowed by state law, a terms-and-conditions document should include language limiting the commencement of claims by the client to a reasonable period following delivery of the work product and termination of the engagement. Updating engagement letters and making sure they are signed annually is also key in establishing a statute of limitation for claims.

Scope creep through the provision of informal advice

Unintentional expansion of scope can sometimes result in malpractice claims. This can happen when a tax adviser informally responds in an email or a phone call to a client question about the tax consequences of a proposed or completed transaction that is not part of the original engagement. What the firm considers to be an "unofficial" response based on incomplete information might be considered more formal advice by the client, leading to misunderstandings as well as future liability claims. Firms can also create an unintentional expansion of scope by providing services that are not part of the original engagement. For example, the preparation of a state tax return not included in the original engagement letter may cause the client to assume that the CPA has done a nexus study and has concluded that no other state returns are required. New engagement letters should be used anytime additional services are identified.

Form of advice

Care should be taken in considering the appropriate form of advice to clients — that is, whether the advice is given orally or in writing. While the AICPA's Statement on Standards for Tax Services (SSTS) No. 7, Form and Content of Advice to Taxpayers (available at future.aicpa.org), clearly states that the form and content of advice can be written or verbal and that judgment must be used in determining the appropriate form, it also notes that "written communications are recommended in important, unusual, substantial dollar value, or complicated transactions." In determining the appropriate form of advice, you should consider the importance of the transaction, the dollar amounts involved, how the advice is being used, the tax sophistication of the taxpayer, potential penalties, etc.

While a practitioner may think that providing written advice is always best, verbal advice may be preferable in some situations and with some clients. If you are talking to a client, you can read their cues as to whether they understand what you are saying, and you can elaborate when necessary. Written communication is limited in some respects — you cannot immediately answer questions or elaborate as easily on a point that a client does not understand. As a best practice, if you provide oral advice for a client, document it — make notes of the specific question you are answering, the facts, your response, etc. You may also consider following up oral advice with something written. Although you may be tempted to communicate via email, due to security concerns, you should be very careful not to include confidential or other sensitive client information in an email. And never provide tax advice in a text message.

Risks associated with acceptance of new clients

The AICPA Tax Practice Quality Control Guide (available to Tax Section members at future.aicpa.org) includes a discussion of the risks and responsibilities in accepting new clients. The goal is to minimize the likelihood that association with a client presents a risk to the firm. Risks may be reputational, competence-related, financial, or related to independence and conflicts of interest.

When considering accepting a new client for a tax engagement, you should consider client characteristics including whether information furnished by the prospective client is questionable or incomplete; the reputation of the client's industry, owners, management, and related parties; and personality conflicts and professional client-related conflicts of interest.

You should also consider whether you and your firm have the capacity, availability, resources, and competence to complete the new engagement. Ensuring that you have the required competence to complete an engagement is especially important for novel engagements that could require filing obligations in state and local jurisdictions in which you do not regularly practice or transactions and engagements that may not be a regular part of your tax practice. While being competent does not require a practitioner to be infallible, do not accept a client or engagement unless you have the skills to complete the engagement or are confident that you can realistically obtain the necessary skills to serve the client with competence. A normal part of providing professional services involves performing additional research or consulting with others to gain sufficient competence (AICPA Code of Professional Conduct, ET §1.300.010.03). However, if you are unable to gain sufficient competence, you should suggest, in fairness to the client, the engagement of a competent person to perform the service either independently or as an associate (ET §1.300.010.04).

Equally important from a risk management perspective is knowing when to sever ties with an existing client. Issues to consider include the suitability of information provided to you by the client, the client's appetite for risk and whether the tax aggressiveness of the client is compatible with your own, and the client's reaction when asked to correct errors or when you deliver bad news about his or her tax liability.

Referrals, recommendations, and endorsements

Clients may hold an adviser responsible for a referral to another professional when they find that the individual or firm did not have sufficient competence to complete an engagement. When making recommendations or referrals, make more than one recommendation if possible, document your recommendations, and make it clear that the client is ultimately responsible for the choice. Be careful when you endorse the skills of others or accept endorsements of your own skills. Under Treasury Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10), practitioners cannot make misleading or deceptive statements or claims. Do not claim that you are an expert in international tax issues (and do not let someone else make that claim for you) unless you are.

Data privacy and security plans

Data privacy and security plans are crucial. Data breaches of CPA firms have increased tremendously over the last several years. A firm's costs of dealing with data breaches and hacks can run to hundreds of thousands of dollars. Of course, your clients may experience their own losses and incur costs and in turn seek to recover those costs from you. While cyber insurance can cover some of these costs, the costs associated with the loss of reputation and the loss of potential clients as a result of a breach are difficult to calculate.

Federal law gives the Federal Trade Commission (FTC) authority to set data safeguard regulations for various entities, including professional tax return preparers. According to the FTC Safeguards Rule (available at www.ftc.gov), tax return preparers must create, implement, and maintain an information security program to protect client data. The security program must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. At a minimum, each firm must: (1) designate one or more employees to coordinate its information security program; (2) identify and assess the risks to customer information in each relevant area of the firm's operation and evaluate the effectiveness of the current safeguards for controlling these risks; (3) design and implement a safeguards program and regularly monitor and test it; (4) select service providers that can maintain appropriate safeguards, require them by contract to do so, and oversee their handling of customer information; and (5) evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

The FTC provides a checklist covering three areas: employee management and training, information systems, and detecting and managing system failures. The checklist is available in IRS Publication 4557, Safeguarding Taxpayer Data, available at irs.gov/pub/irs-pdf/p4557.pdf. While not all of the checklist items are relevant to a tax practice, it is a good place to start. Some are just common sense: limiting access to client documents, locking rooms, maintaining backups of data, and using secure internet connections. The IRS provides some specific suggestions in certain areas, including password requirements and labeling and maintaining the security of sensitive documents and records.

The IRS also mandates that practitioners address data security responsibilities. All applicants for a preparer tax identification number (PTIN) must affirm the following statement in their application: "I am aware that paid tax return preparers must have a data security plan to provide data and system security protections for all taxpayer information." Best practices include:

  • The installation of firewalls and anti-malware/anti-virus security software on all devices (laptops, routers, tablets, and phones).
  • Requiring the use of strong and unique passwords along with multifactor authentication. Most security experts suggest that the most secure passwords are a phrase or words that are easily remembered but unique.
  • Encrypting sensitive files and emails.
  • Backing up sensitive data to a safe and secure external source not connected full time to a network.
  • Destroying or wiping clean old computer hard drives and devices that contain sensitive data.
  • Providing and requiring clients to use a secure portal or other mechanism to upload tax documents and other files. Many software providers provide secure data portals for clients to send and receive documents.

Additional information and links related to professional responsibilities in data security for tax professionals can be found at future.aicpa.org.

However, even with precautions, you may not always be able to prevent a cybersecurity breach. Accordingly, you should recognize signs of a data breach so that you can take quick corrective action. Potential signs of data theft include: client e-filed returns being rejected because returns with their Social Security numbers were already filed; clients who have not filed tax returns receiving authentication letters (5071C, 4883C, 5747C) from the IRS; clients who have not filed tax returns receiving refunds; clients receiving tax transcripts that they did not request; clients who created an IRS online account receiving an IRS notice that their account was accessed or IRS emails stating their account has been disabled; clients receiving an IRS notice that an IRS online account was created in their names; and clients responding to emails that the practitioner did not send.

Best practices around safeguarding taxpayer data include tracking your daily e-file acknowledgments. If you are a Circular 230 practitioner or an annual filing season program participant and you file 50 or more returns a year, you can also check your PTIN account for a weekly report of returns filed with your PTIN. From the "Main Menu" of your PTIN account, under "Additional Activities," select "View My Summary of Returns Filed." A chart will display with your numbers. The data is updated weekly but only includes Form 1040 series returns. If you have a Centralized Authorization File number, make sure you keep your authorizations up to date and remove authorizations for taxpayers who are no longer your clients.
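The daily acknowledgment tracking and PTIN filing review described above, together with the first data-theft sign listed earlier (a client's e-filed return rejected because one with that Social Security number was already filed), can be reduced to a simple reconciliation that a firm runs against its own records. The following is an added example, not code from the article or from the IRS; the record layouts, field names, rejection wording and PTINs are assumptions, and all sample data is constructed:

```python
from dataclasses import dataclass
from datetime import date
# Added example, not the article's: record layouts, field names and rejection wording are assumptions.
@dataclass
class Submission:
    client_id: str   # firm's internal client reference
    submitted: date  # date the return was transmitted
@dataclass
class Ack:
    client_id: str
    ptin: str        # preparer PTIN the return was filed under
    status: str      # "accepted" or "rejected"
    reason: str = "" # free-text rejection reason (assumed wording)

def reconcile(submissions, acks, firm_ptin, today, max_wait_days=2):
    findings = []
    by_client = {s.client_id: s for s in submissions}
    acknowledged = set()
    for ack in acks:
        if ack.ptin != firm_ptin:
            continue  # another preparer's filing
        acknowledged.add(ack.client_id)
        if ack.client_id not in by_client:
            # Filed under the firm's PTIN but never sent by the firm: possible PTIN/EFIN misuse.
            findings.append(("high", f"{ack.client_id}: filed under firm PTIN but absent from submission log"))
        if ack.status == "rejected" and "already" in ack.reason.lower():
            # Rejected because a return with that SSN was already filed: a listed identity-theft sign.
            findings.append(("high", f"{ack.client_id}: rejected as already filed; possible taxpayer identity theft"))
        elif ack.status == "rejected":
            findings.append(("medium", f"{ack.client_id}: rejected: {ack.reason}"))
    for cid, sub in by_client.items():
        age = (today - sub.submitted).days
        if cid not in acknowledged and age > max_wait_days:
            findings.append(("medium", f"{cid}: no acknowledgment after {age} days"))
    return findings

# Constructed sample data (placeholder PTINs, not real ones).
FIRM_PTIN = "P0000001"
SAMPLE_TODAY = date(2024, 3, 5)
SAMPLE_SUBMISSIONS = [
    Submission("C001", date(2024, 3, 1)),
    Submission("C002", date(2024, 3, 1)),
    Submission("C003", date(2024, 3, 4)),   # recent, still inside the waiting window
    Submission("C004", date(2024, 2, 28)),  # never acknowledged
]
SAMPLE_ACKS = [
    Ack("C001", FIRM_PTIN, "accepted"),
    Ack("C002", FIRM_PTIN, "rejected", "a return with this SSN was already filed"),
    Ack("C009", FIRM_PTIN, "accepted"),    # not in the firm's log
    Ack("C777", "P0009999", "accepted"),   # another preparer's PTIN, ignored
]

def run_sample():
    return reconcile(SAMPLE_SUBMISSIONS, SAMPLE_ACKS, FIRM_PTIN, SAMPLE_TODAY)
```

Run daily against the acknowledgment feed and weekly against the PTIN summary; any "high" finding is a prompt to start the breach response steps below rather than wait for a client to call.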

What should you do if you find that your or your client's data has been lost or stolen? Immediately contact your IT expert and your malpractice insurance carrier. In addition, you should contact your stakeholder liaison at the IRS (available at www.irs.gov) and local law enforcement. Finally, many states require that the attorney general be notified of data breaches. You can email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.



Roby B. Sawyers, CPA, Ph.D., is a professor of taxation and accounting in the Department of Accounting, Poole College of Management, at North Carolina State University. Stephen P. Valenti, CPA, is professor emeritus of accounting at New York University and a member of the AICPA Tax Practice Responsibilities Committee. Prof. Sawyers is a past member of the committee and the 2020 recipient of the AICPA Tax Division's Arthur J. Dixon Memorial Award. For more information on this column, contact thetaxadviser@aicpa.org.
