CPA firms are facing numerous risks in 2020 and beyond. According to our guest, Ken Mackunis, executive vice president, professional firms, for Aon Affinity, technology adoption, talent issues, and information security are at the top of the list. To learn why he places these concerns so high – and to hear about others – listen to our in-depth podcast.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
Firm growth, technology adoption, talent issues, and even societal movements. These are just some of the top risks facing CPA firms in 2020, according to Ken Mackinus, executive vice president, professional firms, for Aon Affinity who joins us today to explore the details.
How important do you think it is for CPA firms to get out ahead quickly when planning for challenges that might be facing them in 2020 or even beyond?
[Mackunis] They have to be getting into it right now. We've already started doing our tax season planning and preparation seminars and the kinds of things that pre-tax season should be getting together. We know that that's right ahead of us. But as you're thinking about 2020, you think about the different kinds of risks that are evolving that the profession faces. Some of the things that really start to jump right out to me is every tax season is different by itself. So that by itself you have to be organized around. Certainly, as you start thinking about the Tax Cuts and Job Act and going through this tax season, we're starting to think of issues that are already starting to emerge, things like residency and how are taxpayers contemplating different considerations to get more favorable tax rates in the new environment with these changes.
Then conversely, the state revenue authorities have been aggressively investigating taxpayer state residency already. So when you start thinking about that, you think about risks, you start thinking, "Okay, that's a newer one that's getting on the radar that we have to be sensitive to." I think about the environment right now too for the CPA profession and the role that CPAs play and tax advice and tax guidance and going beyond just pure filing and into planning. The thing we always caution members on is the complexity in moving from personal income tax to corporate tax to estate tax. In the preparation alone, the complexity goes up.
When you start thinking about tax planning in full or let's say even into any type of family issues or succession issues in business and all the implications that start to come about in that, we really feel like that documentation around those advisory services becomes really important, the documentation or the role of the tax professional. So those types of things. You're also getting ready for 2020. The IRS already added a data security responsibility statement requirement to the 2020 P10 filings, eligibility filings, and so that's a new thing saying that somebody filed has to have a data security responsibility statement. So we're spending time providing guidance around those types of issues or that type of issue right now as well. So you could see getting ready for the year quite a bit in both the areas of tax and advisory services.
One of the top risk areas you have identified is firm growth and quality control. What's meant by this? When you think of it, right off the top, firm growth doesn't immediately sound risky, but I guess it's something that needs to be planned for, or it could be overwhelming?
[Mackunis] It's interesting. In the years of working with CPA firms, we noticed different correlations that have been consistent through the years. One of the consistencies we've seen is the more aggressive a growth rate, the more clients take on, or let's say the growth in revenues in a firm, the greater the frequency of claims per dollar billed. That's why I always get cautious around periods of growth. I mean, periods of growth are great. It means that at the same time ... another correlation we see is as the economy's going well the frequency of claims go down. And certainly as the economy goes well, more advisory services get demanded as well. So when we start thinking about "what do you need to think about," well, okay, if you're a fast-growing firm, are you growing your quality control and your infrastructure proportionate? What is that growth in client acquisition?
Is it through a merger or is it through adding practices that you were approached to integrate their sole proprietors, to integrate their practices into your firm as they're retiring? Taking on a large number of clients at one time, that due diligence that needs to be done, hugely important. So again, we think about liability through firm integrations to accomplish growth. Even that term “merger” gets a little murky and we have a whole series of advice we give around that, that when we're talking about integrating firms together, what's the appropriate language to use?
But with growth, our key thing is really, you know, we talk about making sure the quality control processes are scaled at the same scale as your growth. And second, that you have a culture that you don't compromise at all around your integrity, especially in the client acceptance and the client's continuance areas. Then lastly, I'd say, that phrase “red flag,” we hear so often in clients, that "was there a red flag that set up that something should have been considered and delved into a little bit more detail?" I just think, again, in those growth periods you have to actually increase your skepticism around red flags, not let them go by as easily, and then I think you're doing the right things to manage that growth.
What are some of the areas of concern in technology adoption and what could be some of the more impactful technologies for CPA firms?
[Mackunis] You know, it's just a fabulous time for CPA firms. I get very excited about it as the role changes of the CPA and how they use technology, the efficiencies they could gain, how their role as an adviser or trusted adviser becomes even more powerful as they're more capable in using different technologies, certainly the movement to the cloud and utilizing cloud services. Three events in the last two years, the Cloud 9 event that was out there, the ComplyRight breach, and then even the CCH matter all reflect the same type of thing, which is that when you're giving up some control of your information to someone else and you're relying on them in the cloud, that there's an exposure created, there's an expectation. You have to manage that.
So the terms in your agreements, don't compromise on it. Be demanding. Scrutinize. Do the right diligence on the parties that you're ... make sure in those agreements you're taking care of your own liability. Don't just agree to them because you want access to the tools. Make sure you're looking at it the right way. When I look at the things that are out there on the horizon, like the PCR tool being developed at cpai.com and AICPA. Unbelievable, like when you start looking at the control around the engagement documentation and the consistency of using tools like that, just how that helps in the quality of the delivery of the service.
That makes me get excited about even like moving toward more integrated dynamic audit solutions as the profession moves forward. All those are positives, but certainly, blockchain and internet of things and just automation in the workforce, all of those create different types of considerations that the practitioners need to be aware of as they look at the different segments of clients that they serve. It could be more important than ever to really stay on top of the emerging trends in technology.
What are some of the talent issues that need to be monitored? Obviously, the aging workforce is something that can be a concern for many industries, but in one really interesting part, you talk about the impact of societal movements. Where does that come into play?
[Mackunis] There's a couple of dynamics there. Certainly #MeToo is on the forefront of everybody's minds. I have to touch on that only because it really is something that everybody has to be aware of these days, that no matter how sensitive you are, no matter how aware you are, how proper you are, you have to have that comfort to exist that allegations could come from anywhere. You're going to need to manage that. That could be both reputational issues as well as just general cost issues. I'm not saying that anybody's going to do anything wrong, but it's just a different environment. It's different for a number of reasons. And certainly the millennials, the workforce, they're a little different.
The way we manage and engage the workforce in our firms is different. So are they loyal? Are they long-term? Are they looking to be as committed? As you're looking at growth, you're weighing out different talent issues in adding the talent. You can't be compromising in that recruiting. You have to really stay true to the standards of what you're shooting for in the integrity of your firm. When I think about all those things, I start thinking about other societal issues like social media and how easy it is to post something in social media, as opposed to going into the EEOC or going to the HR office, just posting things in social media is almost more powerful and get outcomes than other means. When you start thinking about that, that really changes the dynamic around the employer and employee relationship and how things have to be managed. So I start thinking about that.
Your workforce needs a use of subcontractors as well, and there you get into a bunch of other issues that even then relate back to data security that need to be managed, and if you have folks working from home. Also, one of the things we've been talking with firms lot about around talent and the responsibilities evolves around both when you ask your employees to attend events outside of your office, when you ask them to attend conferences in hotels or in other areas, what circumstances are you putting them in? You're still responsible for that. Because they're working for you at that time. And you have to be thinking about that when they're out at clients and they're there doing work, whether it's on an audit engagement or whatever. Does the client still have the same type of HR procedures that you have in your firm, because you're responsible for how that employee feels in those environments.
So we're talking about that a little bit more as well because that ties back to the employment practices exposures they face around talent. I also think about safety when we think about talent and the issues that are faced right now. CPA firms, great places to work, but even with that, with a little bit of a different workforce, workplace safety, workplace violence, reactions, those are things that we are seeing, not particularly the CPA profession, but just generally in business. Something that having plans, having approaches to manage those unexpected type of reactions to different things are also more important to have on your radar than they ever were.
Information security is obviously a big-time concern. So you say that it's not only from an external standpoint, but internal. What are the issues there?
[Mackunis] We've seen a number of things from the internal side around security. One is the disgruntled employee. Are you managing access to passwords, access to records when somebody's terminated, or someone's let go? How are you managing those situations? Because we have seen compromising of firm data, customer, private, PII, compromised as well by employees that were disgruntled with something or frustrated. Firms have a lot of valuable client information and their employees have access to that. Making sure the employees understand the expectations and the controls is hugely important. You're now working with so many different devices, the controls around those devices, the use your own device concept prevails quite a bit.
Having the right types of protections is hugely important, but also misplacing and losing those devices and having processes and procedures to manage that and the reporting and the comfort level and the environment for that. Because when it all comes down to it, it really is about protecting your firm's integrity and your reputation. Like I said, connecting that back to, in the growth stage, where if you're using subcontractors to do work, making sure you have the right controls and data protection procedures in place when folks are working from home or in other environments. That's why we're not just looking at the ransomware issues or the "somebody's trying to hack into a system." Those aren't the only issues. There are things internally that you have to really be careful with.
How about the pace of change in the industry? It's obviously faster than it's ever been before and it's only going to get faster. How's that going to impact CPA firms and what can they do to keep up?
[Mackunis] In my eyes, I feel like they've actually done a great job with it but I always feel like you could do better just because the change keeps accelerating and will continue to accelerate. The folks are using the term exponential pace of change and so we look at that ourselves in providing insurance that we feel like our obligation even has changed, not to just provide insurance but to be able to be more resourceful, to help guide around those changes and the things to anticipate.
So we just kind of talked about a bunch of them as we're going into 2020, but you think about what kinds of resources are valuable. Organizations like the Pennsylvania Institute of CPAs are hugely valuable for the members, for where to go to and find out different things and programs on the changes that are happening. Certainly the AICPA. One of the conferences I've started attending regularly in the last few years has been the Digital CPA Conference that the AICPA hosts, only because it's really where the forefront of change is addressed and kind of all the technology, software companies, different vendors, they're all together and talking about different things. So you see things beyond just what is directly already in the profession, but where it's going and where it could go. So being involved in things like that.
Then, like I said, the issues are changing not just in practice delivery, but you think about the social changes, the issues around managing your talent. Things like even now talking about hosting services and that role and the standards around that with the test clients, GDPR, different states laying out adoption of other data protection statutes, California's Consumer Privacy Act. That's going to just keep coming. We saw that coming in one wave already, but GDPR I think has started to change the game again to have another wave of change that everybody has to stay on top of that will happen at the state level.