CPA firms either maintain or have access to numerous types of client records and related working papers. Requests for access to copies of such records can arise from multiple sources, including current and former clients, lawyers, civil and criminal investigators, lenders, and others. All requests should be made in writing.
The obligation of a CPA firm to respond to these requests is governed by professional standards, state board of accountancy regulations, state and federal law, and regulatory bodies. Before responding, a CPA firm should consider all applicable standards, statutes, and regulations. Often, the requesting party seeks an immediate response while actions affecting the CPA firm’s client, such as extending a loan, securing a construction bond, or responding to a regulatory inquiry, are pending—thus creating impediments to a prompt reply.
Additional issues to consider include the standing of the parties requesting the records, the types of records requested, the time frames sought to produce the records, the format of the records being requested, and the resources necessary to identify, retrieve, reproduce, and submit copies of records.
CPA firms should consider designating a records custodian responsible for coordinating the responses to all such requests. The custodian will develop expertise over time in this area, and that continuity will help minimize errors and wasted time. Ultimately, this protocol will help to manage the costs associated with responding to records requests, as processes are developed and required consultations with legal counsel can be minimized.
REQUESTS FROM CLIENTS AND FORMER CLIENTS
The most common types of records requests come from clients, former clients, or parties associated with them. With respect to the standing of the party requesting the records, the first question to consider is whether the party is the client or former client, or an authorized representative.
Business clients often are closely held and are corporations or partnerships, which can lead to other questions to consider before responding, such as whether the client has a COO or CFO, or whether one of the owners always engaged the CPA firm and provided requested information, but there is joint ownership. The requesting party should state in writing its relationship to the client. The CPA firm should then consider whether this representation is consistent with the information the CPA firm knows about the client’s business.
This is important because it is not unusual for the operators or owners of a client business to become embroiled in a business dispute and demand copies of records despite having had little or no prior contact with the CPA firm. If it cannot be readily determined whether the requesting party is authorized to receive copies of records on behalf of the client’s business, it may be necessary to consult with legal counsel prior to responding.
REQUESTS FROM THIRD PARTIES
Records requests may come from third parties, such as shareholders, lenders, mortgage brokers, vendors or customers of clients, attorneys, regulators, and civil or criminal investigators.
Before responding to an inquiry, a CPA firm should first consider the source. Is the request emanating from a regulator, a representative of a department of revenue, or a criminal investigator? When in doubt, consult with your firm’s legal counsel. It is possible that a subpoena should have accompanied the request. In addition, other advice may be needed to avoid running afoul of investigative authority vested in the requesting party.
Also, consider the potential risk to the CPA firm if it provides client records to a third party. In addition to privacy and confidentiality concerns, a CPA firm can unintentionally expose itself to the risk of claims from third parties, who may assert reliance on the records provided by the CPA firm to make a decision or enter into a business transaction. The ability of a third party to assert such claims varies by jurisdiction.
RESPONDING TO THE REQUEST
If a document request is in the form of a subpoena or other legal documents, the CPA firm should consult with its attorney and professional liability insurer before contacting the client or responding, in order to ensure that any prohibitions or limitations on sharing the information are fully understood and addressed appropriately. The costs to research and respond to document requests can be significant; follow the advice of counsel regarding research to be conducted and documents to be produced. Upon learning of past or pending litigation involving the client or the client’s business, inform the attorney, as confidentiality agreements or court orders may affect the production of documents.
Requests to produce documents often arise in connection with business disputes that involve clients, either directly or indirectly. Absent an obligation to keep knowledge of the request confidential, such as the issuance of a grand jury subpoena, clients should be provided with a copy of the document request or subpoena. CPA firms also should consult with their client prior to responding to a subpoena.
If a subpoena is issued, the client may request that the CPA firm object to either the scope of the document request or the nature of documents being requested, which may include confidential information such as trade secrets, expansion plans, or product development. If the request is not via a subpoena, the client may request that the CPA firm refuse to provide information in the absence of a subpoena. Again, the CPA firm should consult with its attorney regarding its response to a subpoena, including any objections to the subpoena that should be asserted.
When practicable, obtain the client’s written consent to produce documents in response to the request. Sometimes, due to the nature of the documents being requested, a shareholder or partner in the client’s business will be affected by providing the documents. In those cases, obtain that person’s written consent as well. If the client, shareholder, or partner objects to the production of some documents, seek his or her review and approval before responding to the request. Also ask the individual to consult with his or her attorneys prior to responding.
Do not surrender original documents. Instead, provide copies and maintain a complete set of the documents being produced.
Occasionally, disputes arise among management and owners of a client business regarding responses to records requests. In such cases, the CPA firm should consult with its attorney prior to responding to the request. In other cases, it may become necessary to refuse to respond to the request without a valid subpoena.
LEGAL AND PROFESSIONAL STANDARDS
When responding to records requests, CPA firms must consider all applicable professional standards, regulations, and statutes pertaining to client confidentiality, privacy, and requests to produce records. These include, but are not limited to, the following:
- AICPA Code of Professional Conduct (the AICPA Code);
- State board of accountancy regulations;
- Regulations issued by the SEC, PCAOB, and state securities regulators;
- Regulations and laws applicable to the client’s industry;
- State privacy laws;
- Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10);
- Internal Revenue Code (IRC) Secs. 6103(c) and 7216; and
- Federal privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
AICPA Code Interpretation 501-1, Response to Requests by Clients and Former Clients for Records, addresses the responsibilities of AICPA members in such situations. Requests may be received for copies of both client-provided records and member-prepared records. It is important to understand the distinction between these types of records. Guidance on this and other questions that arise regarding responsibilities to produce records, the format of the records to be produced, the recovery of costs to research and produce copies of records, and other matters are addressed directly in this ethics interpretation.
State board of accountancy regulations may be more restrictive than the AICPA Code with respect to responding to requests for documents. If the client operates in a regulated industry or is a publicly traded corporation, rules issued by applicable regulators also must be considered.
State privacy laws may restrict the ability to produce records containing personally identifiable information, such as names, Social Security numbers, or taxpayer ID numbers that use Social Security numbers, without the express consent of affected individuals. Information on state privacy laws is available on the AICPA Information Management and Technology Assurance Section's page at aicpa.org/IMTA.
Tax return preparers have additional considerations. Circular 230 addresses responsibilities with respect to records in Section 10.28, Return of Client’s Records. IRC Secs. 6103(c) and 7216 limit the use and disclosure of information obtained in connection with the preparation of U.S. tax returns, and Rev. Proc. 2008-35 provides rules on how to obtain consent to use or disclose such information. Review these rules and obtain required signed authorizations prior to releasing records.
CPA firms with clients in the health care industry must consider the application of HIPAA and the HITECH Act, each of which addresses maintaining the confidentiality of protected health information. This is particularly important when requests are made for patient billing records processed by the CPA firm.
Responding to requests for records is an ongoing issue for all CPA firms. Maintaining centralized control over replies to such requests, designating a records custodian, and maintaining current knowledge and training regarding applicable professional standards, laws, and regulations can help simplify a task that may be difficult and time-consuming. Implementing protocols and procedures for such responses will help to minimize the risk of experiencing disputes, disciplinary actions, and malpractice claims related to records production.
Joseph Wolfe (firstname.lastname@example.org) is assistant vice president, Risk Control, at CNA. Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to
establish any standards of care, serve as legal advice, or
acknowledge any given factual situation is covered under any CNA
insurance policy. The relevant insurance policy provides actual
terms, coverages, amounts, conditions, and exclusions for an