Defending professional liability claims is difficult when practitioners assume responsibilities beyond the scope of their engagement. The difficulty in defending against a claim increases dramatically if the CPA undertakes activities considered to be the responsibility of “management” and if the client, based on the CPA’s words and actions, believed it could rely on the CPA to perform what was generally understood to be an internal management function. Doing so provides an opportunity for plaintiff counsel to assert that the CPA “should have known better.”
So, how easy is it to cross the line from service provider to being perceived as a member of client management? The following hypotheticals, which are based on the claim experience of the AICPA Professional Liability Insurance Program, provide examples:
Scenario 1. For several years, a CPA provided bookkeeping and compilation services to a small but growing construction company. The CPA’s engagement letter listed the client’s responsibilities, including review of a monthly payment register and preapproval of invoices exceeding a specified threshold. As business grew, the owner had little time available to oversee the CPA’s activities and increasingly relied on the CPA’s experience with and knowledge of the company’s operations. Wanting to help the busy owner, the CPA told the owner that he would “take care of things,” stopped sending the register for review, and paid bills as they became due, even if they exceeded the specified threshold. The owner subsequently discovered that his assistant had established several fictitious vendors and created false invoices, which were processed and paid by the CPA. He brought a professional liability claim against the CPA for failing to detect the embezzlement.
Scenario 2. A small not-for-profit organization engaged a CPA firm to provide bookkeeping, compilation, and strategic financial consulting services. The firm’s standard engagement letter for write-up and compilation services was used and included a reference to the provision of “other financial consulting services as considered necessary,” but it failed to define those services. Because the organization had no internal accounting resources, the board of directors requested that the CPA attend its monthly meetings to advise on the organization’s finances. The CPA agreed to attend. At one meeting the board discussed and decided to invest in a real estate parcel. During this discussion, the CPA was distracted by another client matter and checked his email frequently. The real estate subsequently declined significantly in value. The client sued the CPA, alleging he failed to provide advice regarding the investment risks in connection with his attendance and participation in the board meetings and provision of “other financial consulting services.”
An expectation gap may be created when the CPA is perceived by clients to be a member of management who has greater authority than that provided in the engagement letter. A client may assume the CPA is responsible for detecting theft or fraud, regardless of the type of service provided, or that the CPA should advise on all matters of which the CPA has knowledge, even if those matters are not covered by the engagement letter, as demonstrated in the previous scenarios.
Professional liability risk is heightened when third parties are involved. A client may ask the CPA to attend a meeting with a third party, such as a lender, to help explain the components of financial statements compiled by the CPA. This may lead the lender to perceive and expect that the CPA is acting as a de facto CFO or controller, which may create a privity relationship between the CPA and the lender. Such a relationship may permit the lender to bring a claim against the CPA.
Fiduciary Standard of Care
Company management, including its directors and officers, owe the organization the fiduciary duties of care and loyalty—meaning they must act in the best interest of the organization they serve. Case law imposes this duty on the corporate officers and directors. A fiduciary duty is the highest standard of care in the law and imposes certain responsibilities that do not apply to most CPA services. Undertaking activities that are considered responsibilities of client management can create a fiduciary duty to the client.
Professional Liability Insurance Coverage
Practitioners who overstep their bounds should understand the coverage parameters of their current policy. Al Fennel, vice president of Underwriting at Aon Affinity, notes, “Professional liability insurance policies typically limit or exclude coverage for services rendered when the policyholder also performs management duties or assumes management responsibilities on behalf of the client, regardless of whether a formal title is used to describe these duties or responsibilities.” Firms should review the details of their professional liability insurance policy and confer with their insurance agent or broker regarding the application of insurance coverage if questions arise.
RISK CONTROL CONSIDERATIONS
CPAs can avoid the pitfalls associated with assuming a client’s management duties by taking the following steps:
- Issuing a clearly written and specific engagement letter that defines the scope of services to be rendered, the responsibilities of the CPA and the client, and any limitations on services.
- Performing professional activities within the scope of services as documented in the engagement letter. If additional services are requested, the CPA should execute a signed engagement letter addendum or another written agreement with the client.
- Documenting oral advice or recommendations in the work papers or in a written communication to the client, noting the client’s responsibility for taking action on recommendations made.
- Avoiding including statements in engagement letters, marketing materials, and client communications that imply the firm will undertake activities that are the responsibility of client management.
- Requesting that the client designate an individual (preferably at the executive level) with sufficient time and expertise to oversee all services provided by the CPA firm, to communicate the tasks to be performed, evaluate the adequacy and results of services rendered, and accept responsibility for all decisions made.
- Avoiding referring to himself or herself as a client’s “interim” or “outsourced” CFO or controller. CFO and controller are internal titles and roles.
- Not assuming responsibility for making management decisions or performing duties that may be construed as the responsibility of management, such as approving journal entries or strategic business plans.
- If attendance at board meetings is required, being first on the agenda, exiting the meeting when his or her role on the agenda is completed, and ensuring the minutes reflect the subject discussed and the time of exit. Additionally, the CPA should send a follow-up communication to the client detailing the discussion.
Sarah Beckett Ference (firstname.lastname@example.org) is a risk control consulting director at CNA.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. For more information, call Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.