Small Business | May 27, 2025

Hidden Gaps in Crime Insurance Can Devastate a Balance Sheet

By Randy Sadler, CIC Services.

Most CPAs feel confident they’re protected against fraud — until they discover that their company’s commercial crime insurance excludes the very scenarios most likely to cause catastrophic financial loss. After all, you likely have coverage in place for employee theft, forgery and perhaps even certain types of cybercrime. But here’s the uncomfortable reality: many commercial crime policies contain hidden gaps — and most companies only discover them when a major loss has already impacted the balance sheet.

By that point, you’re not just counting direct losses. You’re facing audit scrutiny, board or shareholder concerns, reputational fallout, legal expenses, operational disruption, and, in some cases, existential threats to your business’s viability.

If that sounds alarmist, consider the data: PwC’s 2024 Global Economic Crime Survey found that 51% of companies worldwide experienced fraud in the past two years. In the United States, nearly 30% of business failures cite employee theft as a contributing factor.

Fraud is not just a security risk; it’s a financial reality. And whether your organization can withstand it often hinges on whether your crime insurance policy covers what you think it does.

The Hidden Gaps CPAs Can’t Afford to Overlook

Social Engineering and Funds Transfer Fraud
Social engineering fraud — where a criminal impersonates a trusted executive or vendor to deceive employees into wiring funds — is one of today’s most financially devastating threats. The FBI’s 2023 Internet Crime Report estimates that U.S. businesses lost nearly $3 billion last year to business email compromise (BEC) schemes.

Yet many commercial crime policies exclude coverage for losses resulting from “voluntary parting” with funds. In other words, if an employee authorizes a wire transfer under false pretenses, your insurer may refuse to pay — even though the authorization was fraudulently obtained.

Employee Collusion with External Parties
Fraud schemes involving employee collusion with external actors — vendors, suppliers, or hackers — are increasingly common. Unfortunately, traditional crime policies often only cover straightforward “employee dishonesty,” where the employee personally benefits. If the outside party is the one who profits and the employee’s intent can’t be definitively proven, coverage may be denied.

For CPAs, this is a major blind spot. Collusion schemes can persist undetected for months or years, compounding financial damage.

Fraud by Contractors and Temporary Workers
Modern companies rely heavily on independent contractors, consultants, and temp agencies to fill operational gaps. Yet many commercial crime policies define “employee” narrowly — meaning non-payroll workers are often excluded from coverage.

If a temporary bookkeeper siphons funds or a contractor with systems access commits fraud, your organization may find itself without recourse under its existing crime insurance.

Computer Fraud Versus Cybercrime
When fraud involves technology, CPAs often assume it’s covered under crime or cyber insurance. However, many crime policies limit “computer fraud” coverage to unauthorized access by outsiders. If an employee is deceived into revealing login credentials or initiating fraudulent transactions themselves, the insurer may argue that the access was “authorized” — resulting in a claim denial.

This technical distinction between unauthorized system breaches and authorized deception leaves many companies dangerously exposed.

Multiple Deductibles for a Single Scheme
Fraud often unfolds over time rather than as a single event. A long-running embezzlement or fraudulent invoicing scheme may involve dozens or hundreds of transactions.

Yet many crime policies apply deductibles on a per-occurrence basis. If each fraudulent transaction is deemed a separate occurrence, organizations could face multiple deductibles, significantly reducing total claim recovery. CPAs should understand how their policy defines an “occurrence” and whether coverage aggregates multiple acts into a single loss.

Fraud by Vendors, Clients, and Other Non-Employees
It’s not just internal actors that pose a threat. Fraud committed by trusted vendors, clients, or other third parties is notoriously difficult to detect — and even harder to insure against.

Unless the crime policy is specifically endorsed to include third-party fraud, losses caused by non-employees may be excluded, leaving companies to absorb the damage themselves.

Strict Discovery and Reporting Deadlines
Most commercial crime policies operate on a discovery basis, meaning losses must be discovered and reported within a tightly defined timeframe — often during the policy term or shortly thereafter.

Fraud is frequently uncovered months or even years after it begins. If a loss is discovered outside the reporting window, the insurer may deny the claim even if the fraud occurred while coverage was active.

No Coverage for Consequential Losses
Even when a policy does pay for direct financial losses, it typically stops there. Consequential costs — including legal fees, public relations efforts, lost customers, and operational disruption — are rarely covered.

For CPAs, this reality underscores why the total cost of fraud almost always exceeds the immediate financial loss.

How CPAs Can Close the Gaps Before They Become Catastrophic

To protect their organizations — and their balance sheets — CPAs must take a proactive, comprehensive approach to crime risk management:

  • Conduct a forensic-level policy review. Work with your insurance broker, risk manager, and legal counsel to dissect your existing crime policy. Identify what’s covered — and what’s excluded.
  • Prioritize endorsements that address modern fraud risks. Coverage extensions for social engineering, contractor fraud, and third-party losses can often be added for a premium. Understand what’s available — and whether it’s adequate.
  • Scrutinize reporting timelines and deductible structures. Make sure your organization is operationally capable of detecting fraud in time to meet policy reporting requirements. Understand whether a multi-act scheme would trigger one deductible or many.
  • Consider captive insurance for advanced risk management. For organizations with complex risk profiles or elevated fraud exposure, captive insurance can offer a more tailored and financially efficient solution.

Captives allow CPAs to craft bespoke policies that close gaps commercial policies leave open, including:

  • Expanding the definition of covered parties (contractors, vendors, consultants)
  • Addressing consequential losses not typically covered
  • Aggregating losses over time to minimize deductible impacts
  • Insuring exposures excluded or prohibitively expensive in the commercial market

Captives also allow organizations to retain underwriting profits in favorable years, smoothing the cost of coverage over time. For many mid-sized to larger companies, captives are no longer exotic tools reserved for multinationals — they are practical, strategic instruments for managing real financial risks.

Internal Controls Remain the First Line of Defense

Insurance is critical — but it’s not a substitute for strong internal controls. CPAs should ensure robust fraud prevention systems are in place, including:

  • Segregation of duties, particularly for cash handling and payment authorizations
  • Dual approvals for all outgoing wire transfers
  • Mandatory vendor verification protocols
  • Regular audits and surprise inspections

Embedding a culture of vigilance across finance, operations, and procurement teams reduces the risk of fraud — and increases the likelihood of early detection.

Fraud Is an Inevitable Threat — But Its Impact Doesn’t Have to Be

Fraud is no longer a question of “if” for most companies — it’s a matter of “when.” The real differentiator is how well your organization is prepared to absorb the blow.

CPAs who rely blindly on boilerplate crime policies risk discovering coverage gaps when it’s far too late. Those who take a proactive, customized approach — reviewing policies critically, pursuing targeted enhancements, exploring captive solutions, and fortifying internal controls — are the ones best positioned to protect their organizations’ financial strength and future stability.

When it comes to fraud, hindsight is always the most expensive strategy. A rigorous approach today can save millions — and perhaps the entire enterprise — tomorrow.

====

Randy Sadler started his career in risk management as an officer in the U.S. Army, where he was responsible for the training and safety of hundreds of soldiers and over 150 wheeled and tracked vehicles. He graduated from the U.S. Military Academy at West Point with a Bachelor of Science degree in International and Strategic History with a focus on U.S. – Chinese Relations in the 20th century. He has been a Principal with CIC Services, LLC for 8 years and consults directly with business owners, CEOs, and CFOs in the formation of captive insurance programs for their respective businesses. CIC Services, LLC manages over 100 captives.
