Are CPA firms ready for the next wave of data security threats?
Sarah Ference, CPA, an author of the JofA’s Professional Liability Spotlight column, returns to the JofA podcast to discuss recent column topics and the advice CPAs can gain from them. In particular, Ference details data security preparedness, the value of engagement letters for tax-compliance services, common audit claims and defenses, and more.
Editor’s note: This episode is the JofA podcast’s last until Jan. 8.
The articles discussed in the episode:
- October: Are You Prepared for the Cost of a Data Security Incident?
- November: Blocking and Tackling: Engagement Letters for Tax Compliance Services
- December: Common Audit Claims and Defenses
What you’ll learn from this episode:
- Advice for CPA firms to guard against data security incidents.
- The ways engagement letters can prevent costly client disputes.
- The factors that often make audit claims the most expensive type of claims for firms.
- How to protect your firm when a client faces bankruptcy.
Play the episode below or read the edited transcript:
— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome back, listeners, to the Journal of Accountancy podcast. This is Neil Amato with the JofA. I’m joined again by Sarah Ference. Sarah is a CPA who serves as a risk control director at CNA, which is the underwriter of the Professional Liability Insurance Program with the AICPA. She is also an author of the JofA’s Professional Liability Spotlight column. We’re going to review recent columns and also look ahead to the first one in 2026. Sarah, welcome back to the JofA podcast.
Sarah Ference: Thank you so much for having me back, Neil. Happy to be here.
Amato: October’s Professional Liability Spotlight column includes your byline, and it is a topic that is definitely timely. That headline is, “Are You Prepared for the Cost of a Data Security Incident?”
I’ll ask you, are most CPA firms prepared for such incidents?
Ference: That’s an interesting question. Are any of us really fully prepared for a data security incident? I don’t think so. The sophistication of attacks and the speed at which the bad actors evolve their exploitation tactics means that CPA firms will never really be totally prepared. Even if they are prepared one day, things can and will change, and the next day they won’t be.
But I think there’s a silver lining in this. Data security is not an area to be complacent. If you think that you have it figured out and one day you let your guard down, then you’re more likely to get hooked by a phishing attack or something similar. There are a number of real-life examples in the article to illustrate just this point.
Amato: You mentioned some of the advice in the article. What steps can the less prepared take to bolster their defenses and possibly prevent a data breach?
Ference: Well, there are a lot of things that firms can do, but I’ll highlight a few. Data security should be layered like an onion, or like Shrek, if you’re a fan of that movie, which I am.
Your data security protocol should include protocols that not only help prevent intrusions, such as multifactor authentication, strong passwords, firewalls, etc., but also those that detect and contain incidents that might have broken through that first layer of a firm’s defense.
Then another simple but really critical layer in that data security onion is the people in the firm. The primary attack vector, the primary way that a bad actor might get into a firm, is through a phishing attack. Phishing emails are so much harder to spot these days that everyone really should be critically evaluating every email that comes in, every phone call they receive. Many firms conduct phishing simulations regularly, quarterly, or even monthly, to make sure that the need to be vigilant is top of mind for everyone at the firm.
Then the last item I’ll highlight is an incident response plan. This is your playbook for when an incident happens at your firm. When an incident happens, when there’s a data security event, the natural tendency, I think for all of us, is to go into panic mode. And having a written resource that tells you who you need to call, such as your cyber insurance carrier, and what you need to do to stop that incident from spreading across your network can help bring some order and sanity to an otherwise frantic situation. But like any playbook, it needs to be tested and updated to make sure it’s ready to go when you need it.
Amato: Great. Thank you for that. That’s the October Pro Li, as we like to call it. We will link to that column and the others that have been published in the show notes for this episode. The November topic, “Blocking and Tackling: Engagement Letters for Tax Compliance Services.” What exactly, for people who might not know, is meant by that opening phrase, blocking and tackling? How does that relate to this topic?
Ference: Well, it is still football season, so the phrase is a bit timely. Blocking and tackling means focusing on the fundamental essential tasks, those basics that help ensure everything else goes smoothly. In football, it’s being able to block and tackle. If a team can’t do that, it’s probably not going to win many football games. At a CPA firm, the ability to craft, disseminate, and get an engagement letter back from a client is one of those fundamental, essential tasks.
Amato: You know, it’s funny. Football season hasn’t really been joyful in your area recently, but I guess we can say there’s reason for hope with the [Chicago] Bears this year.
Ference: Knock on wood. Absolutely. Hopefully, fingers crossed, it’s a good season, but like any good Bears fan, I will believe it when I see it.
Amato: I think that’s well said and a good approach to take. Back to the blocking and tackling article, what sorts of issues can a good engagement letter fend off for firms?
Ference: Well, the root cause of many client disputes, whether they’re claims or even just a simple disagreement, can often be traced back to some sort of expectation misalignment or miscommunication between the firm and the client. When there’s a solid engagement letter in place, and one that clearly and specifically defines the scope of service in particular, disagreements over scope can be more easily resolved.
Same thing goes with other common areas of dispute, whether it’s fees, timing, responsibilities, everything is better with a letter. But even though the benefits of engagement letters are widely acknowledged, about half of our tax claims in 2024 failed to have an engagement letter, and this percentage is similar to prior years as well.
When there’s no engagement letter, defending that claim can be very difficult and the outcome is likely to be unfavorable to the CPA. To help increase the use of engagement letters for tax services, we thought we’d start with the low-hanging fruit, engagement letters for tax-compliance services. The article provides some practical suggestions on how to efficiently implement tax engagement letters at your firm. I emphasize the word “efficiently” because we know CPAs have so many demands on their time.
Amato: That’s November. The December digital edition, now available on journalofaccountancy.com, includes the monthly column with the headline, “Common Audit Claims and Defenses.” In reading it, my eye was drawn to one of the article subheads, “Why are audit claims so expensive?” Sarah, why are they expensive? And what else can readers expect to learn from that article?
Ference: Well, audit claims are not as frequent as claims related to other services, but they are generally the most expensive, and that’s for a number of reasons. First of all is the size of the underlying loss, whether it’s an embezzlement, a business failure, a debt default. Those are usually significant and, therefore, big losses equal big claims. Second, defending audit claims is complicated and complex. The process is very document- and resource-intensive and usually involves the use of multiple experts and defense counsel. Audit claims can take years to resolve, and time is money.
A final factor contributing to the severity of audit claims is just the nature of the service itself. It combines the highest standard of care for a CPA with the reliance on the CPA’s work product by third parties in addition to the client. When you have more plaintiffs, you have more losses and bigger claims. But fear not, the article does provide some recommendations that can help auditors improve their defensibility should a claim arise. These recommendations are timely as we head into busy season, because claims can arise several years after the service is delivered. So the work auditors do now and the documentation they generate now can be used to defend a future claim.
Amato: That’s great. It’s always good to have a reference to busy season for our membership, as it is about to be upon us. For January, what’s an early look at the first Professional Liability Spotlight of 2026? To me, it definitely has an attention-getting headline. And you wrote the article, “Don’t Let a Bankrupt Client Bankrupt You.”
Ference: January is another one for my fellow auditors. I previously mentioned that when there’s a large underlying loss, such as a client bankruptcy, a large claim typically follows, especially when that client is an audit client. We’ve had several years of a relatively strong economy, but recent bankruptcy filing statistics may signal some future challenges and headwinds. Again, since audit claims arise several years after the service is rendered, now is the time to get your future defenses in order, and that’s what the January article focuses on.
Amato: Sarah, I think that’s a great tease to 2026. Thank you again for being on the JofA podcast.
Ference: My pleasure. Thank you again for having me and happy holidays to you.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This podcast episode provides information, rather than advice or opinion. It is accurate to the best of the speaker’s knowledge as of the publication date. This podcast episode should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
