CPA Mutual Insurance Company of America RRG
Share this content
Woman working remotely
Remote work options have become an emerging benefit for CPA firms to attract and retain new talent.
This is no surprise, given the growing number of people who desire this opportunity. According to Gallup’s State of the American Workplace report, 43 percent of Americans said they spent at least some time working remotely in 2017, up from 39 percent in 2012.
The problem, from a risk management standpoint, is less control. Given that the majority of data security breaches are due to employee error, remote work adds another layer of risk to the CPA firm’s security and reputation.
Every CPA firm should have a remote work policy in place, even if it or working at home is still an infrequent occurrence. Knowing where key employees are working if a data breach or fraudulent activity occurs is important when investigating a professional liability claim. It also matters how the policy is written and if it was followed.
Here are some key areas to update in your remote work policy and review with any professionals who have the option to work from home, even occasionally.
1. Device Management
If the employee is using firm equipment, ranging from laptops to smartphones or other devices like tablets, make sure business insurance policies cover equipment housed offsite or — if applicable — traveling between the office and the telecommuter’s remote location. The remote work policy should offer guidelines for use, storage and transport of firm-owned or leased equipment.
If the employee uses his or her own equipment, research and include language about required insurance protection. Make sure that the equipment has adequate malware, anti-virus and security processes installed, such as a strong password that is changed regularly.
The remote policy should stipulate the types of software to be installed and require that it is kept updated and functioning properly and that adequate password protection is in place.
Review language in the remote work policy that clarifies rights and use of the equipment. Make sure that the remote worker understands and agrees that business equipment is to be used exclusively for work and that they should deny access to non-employees (e.g. family members).
2. Network Access
One of the risks of remote work flexibility is the flexibility itself. If employees can work remotely, they may choose to work from a coffee shop or other public space. Wi-Fi systems are rarely secure in these locations, allowing others to access and view sensitive data electronically. In addition, the information on an employee’s screen could be viewed.
Remote work policies should specify the locations where work is allowed and where it is not. Processes for accessing, uploading, storing and backing up files must be updated on your policy as technology is updated or changed.
3. Physical Risks
Although more CPA firms are moving to paperless technology, there may still be some paper files or notes kept in the employee’s remote office. Policies should clarify how to manage, file and dispose of sensitive physical data.
In addition, the policy may also require a secure workspace, which could be defined as locking cabinet drawers or having an office with a door lock and other secure physical elements, including, perhaps, a home security system.
As remote workers are often communicating by email or some form of communication app or cloud software, the remote worker policy should be updated to reflect current digital data storage and retrieval as required by law. It also helps to define the characteristics of professional communication, even while working remotely.
Employees should be trained on proper communication and just assume that anything they write in the course of their professional duties could be entered as evidence in a liability claim. Offering a remote work option blurs the line even further between professional and personal. Be careful rather than regretful.
CPA Mutual Insurance Company of America RRG
Bill Thompson, CPA, helps CPAs navigate the minefield of professional liability issues that they face on a daily basis. He understands practical risk management for CPAs and risks faced in the profession. In addition to overseeing the day to day operations of the insurance company, Bill is responsible for underwriting, reinsurance negotiations...