4 Reputation Risk Management Trends to Knowby
In today’s all-pervasive environment of online content and marketing, online privacy lawsuits are just one of the reputation management threats that public accounting firms must consider.
Not long ago, accounting firms were not allowed to advertise beyond putting their contact information in the Yellow Pages. Since marketing became ethically acceptable, each state board of accountancy has maintained strict guidelines on how public accountants can communicate their services or experience.
These guidelines cover things like how CPAs refer to their experience, what they promise to clients and when they promise to deliver their services. Marketing content that strays from professional standards could be used in a court of law to support evidence of client or employee privacy violations, false service claims, or misrepresentation.
“As we think about the ways that public accounting firms manage their reputations from a professional liability standpoint, new areas of risk are coming to light,” says Bill Thompson, CPA, RPLU, and President of CPA Mutual.
Here are four evolving risk management trends that impact CPA reputations and how to manage them:
1. Online Communications
Now that the European Union has passed its “right to be forgotten” rules known as General Data Protection Regulation (GDPR), and companies like Facebook have been under fire for uses of private citizen data, the conversation around data use and privacy has expanded.
Public accounting firms that market their services should consider how they communicate with clients and non-clients alike, Thompson says.
Make sure that visitors to your website or recipients of email have clear ways to opt in to receive more information or to opt out if they don’t want further communication. Make sure that your email lists are relevant to your services to avoid being marked as spam by too many recipients. This can result in getting blocked or blacklisted by email services.
“It’s also critical to ask for permission when using a client story, logos or photos for marketing purposes,” Thompson says. “Think about times when companies have solicited you. Review your state guidelines and put measures into place that respect a person’s choice to not be solicited.
“If a CPA firm has an investment subsidiary and is regulated under FINRA guidelines, it is even more critical that leaders are aware of what can and cannot be mentioned through social media. Firms must have processes in place for monitoring and controlling unsuitable content, filtering and blocking mentions of investment products and services as well as blocking testimonials and recommendations. Even your LinkedIn content can get you in trouble,” Thompson adds.
2. Review Sites
Whether firms are paying attention to them or not, review sites like Google, Yelp and Glassdoor are providing information about the quality of firm services and the work environment. When potential clients or employees search for your firm, it’s likely that a review site will pop up, too.
“It doesn’t provide the full picture of what your firm is like, but people do pay attention to five-star ratings, or less, for better or for worse,” Thompson says.
Take time to look at these sites and determine if reviews are legitimate or if they need to be flagged for being inappropriate. Also, encourage clients and employees to write real reviews of your services to maintain a positive impression of your firm. “You can’t write your own reviews or pay people to write them, but often people are willing to write a quick and independent review if you make it easy for them. In general, provide good service to your clients and a positive working environment to manage the risk of a bad review,” Thompson says.
Mistakes can happen. That’s why insurance companies prefer that accounting professionals don’t list themselves as “experts” on their websites or make claims of being the best at something. If a firm is sued for malpractice on a tax return or audit, this type of language can be called into question.
“The attorney will say, ‘you said your firm had experts, so what was my client supposed to believe?’ Thompson adds. “Be careful with Yellow Pages ads, websites and LinkedIn accounts. Review language to avoid overstatement of knowledge, expertise, advice or service promises.”
For instance, Thompson says, information contained in an investment advisor’s LinkedIn profile is considered advertising under FINRA rule 2210. Content must be pre-approved before it is posted. Any updates to the profile such as “likes” or “Skills & Endorsements” have to be monitored to make sure they don’t violate any FINRA content requirements.
“I think the best way to manage risk is for someone in the firm to monitor these social media sites for any changes or additions that may have been added or edited without the firm’s knowledge,” Thompson says. Training is also key; employees need to be made aware of the risk in using these accounts.
Website scrutiny shouldn’t stop at social media profiles however, he adds. The firm should also review content and remove outdated materials such as old tax law updates and outdated blog posts or bios of retired partners. If the firm links to articles from outside publication on a “News” page those articles should also be checked for accuracy and timeliness.
The Internet doesn’t distinguish between old and new information; people may not either. “I would suggest that all firms add a “terms of usage” and an updated privacy disclosure to the site as well,” Thompson says.
4. Data Security
A breach of data security is no longer a matter of if, but when, according to cybersecurity experts. To test vulnerabilities, cybersecurity firms can conduct assessments of data environments, but they can also simulate an ethical hack (penetration test). These tests can help firms determine the types of training needed to reinforce how employees should handle a questionable email or conduct an Internet search.
Cyber liability policies are now available to cover many of the legal costs and fees associated with a data breach claim. However, each cyber liability policy is different, in that some don’t cover your cloud provider or other vendors that may access your system. Insurance policies also don’t restore reputations and trust.
“Ultimately, the insured accounting firm is the one exposed to liability,” Thompson says. “Make use of your insurance provider’s cyber liability resources page, if available, to help mitigate your risk. Then carefully review your options with regard to cyber liability insurance. Not all policies are created equal.”
The way firms respond to a security breach is also critical to restoring client trust. Transparency with clients is key, Thompson says. Firms need to provide as much detail regarding the breach as possible, as well as outline the steps that are being taken to increase protection.
“Unfortunately, in today’s environment, I don’t think many clients will be surprised if you report a breach, but how you handle it will be judged much more harshly than the breach itself,” Thompson says.
It’s just one more way, Thompson adds, that in the age of online content and marketing firms need to be vigilant about the information that can impact their reputation.
“Twenty years ago, firms simply placed an ad in the Yellow Pages and walked away with little concern of risk exposure,” Thompson says. “But today, firms need to be attentive to all the information that can impact their reputation. Make sure the information you share online is timely, accurate, and is professionally managed and monitored for risk.”
Deanna Arteaga is a professional freelance writer and public relations specialist who for the past six years has covered CPA industry trends for AccountingWEB. She also writes about CPA firm marketing, higher education and professional development for CPAs, and workplace trends in the accounting profession. She has more than 20 years...