Commonly referred to as the “expectation gap,” a disconnect sometimes exists between a CPA’s professional responsibility for detecting theft and fraud and the general public’s perception of a CPA’s duties. The AICPA Professional Standards for audit, review, and compilation services include a responsibility to inform the appropriate levels of management if any information or evidence comes to the CPA’s attention indicating a fraud may have occurred. However, claims made against CPAs in the AICPA Professional Liability Insurance Program alleging failure to detect theft and fraud emanate from all types of engagements, including those generally regarded by CPAs as low-risk, such as bookkeeping or tax compliance services.
In such cases, plaintiff attorneys may contend that the CPA failed to exercise due care in accordance with Article V of the Principles of Professional Conduct, which are included in the AICPA Code of Professional Conduct. Lawyers may allege that CPAs have a duty to identify and inform clients of fraud red flags such as suspicious activities or internal control deficiencies. While adherence to professional standards assists CPAs in defending these types of claims, there is no guarantee that such a defense will be successful.
CPAs may believe that longtime clients would never assert such a claim against them. However, a congenial working relationship can take an abrupt turn when fraud is discovered. Clients then may question why a CPA didn’t discover the fraud earlier or bring matters to the client’s attention that could have prevented it.
To illustrate how a CPA can get tangled up in a client’s fraud, consider the following scenarios based on real-life claims:
Scenario 1. A CPA was engaged to perform tax compliance and tax planning services for a recruiting agency. To understand potential year-end tax implications, the CPA summarized select income and payables accounts and discussed trends with the owner. The CPA also received monthly bank statements and bank reconciliations. The controller, a longtime employee of the agency, embezzled more than $1 million by writing checks to himself, reporting them as business expenses, and destroying the canceled checks (or scanned copies of them) when the bank statements were received.
The owner brought a claim against the CPA for failing to detect the embezzlement. Expert review of the engagement noted that the controller had unmonitored access and responsibilities in accounts payable and that the trend analysis the CPA performed noted unusual fluctuations in expense accounts. The plaintiff’s attorney argued that the CPA should have identified the trend fluctuations as a red flag and brought this and the internal control weakness to the owner’s attention for further investigation. In defense, the CPA’s counsel noted that the CPA received the bank statements for the sole purpose of understanding the tax implications.
Scenario 2. A CPA firm compiled annual financial statements for a local wine producer. The firm sued the client for outstanding fees, and the client countersued, alleging failure to detect a high six-figure embezzlement perpetrated by three of its employees, all of whom colluded to create false wire transfers and payroll checks. The CPA firm’s invoices, which were produced during the lawsuit’s discovery phase, indicated that the firm performed a review of financial statements, made changes in financial statement classifications and general ledger adjustments, and completed bank reconciliations. CPA firm representatives also worked extensively on-site with the employee/embezzlers and were involved in the company’s day-to-day financial operations, but they did not discover the fraudulent wire transfers or payroll checks.
In both scenarios, the lack of an engagement letter memorializing the scope and limitations of services performed and management’s responsibilities was detrimental to the CPA’s defense.
LIMITING RISK EXPOSURES
CPAs can use several techniques to protect themselves against risk exposures related to failure to detect theft and fraud. They include:
- Regularly evaluate the risk of the client and the engagement. Client and engagement acceptance and continuance are not simply for audit engagements. Regularly screen clients and consider the risks associated with both the client and the services you are being engaged to perform. It should raise a red flag for the CPA when clients dismiss internal control weaknesses brought to their attention. Is this a situation where the client has an unreasonable service expectation, or is it possibly one of questionable integrity? Either way, the CPA should take precautions.
- Use engagement letters on all engagements. That’s correct—all engagements. A well-crafted engagement letter can help reduce expectation gaps and can serve as key evidence in the defense of a professional liability claim. The engagement letter should include an understandable description of the scope and limitation of services to be performed, a statement that the engagement is not designed to detect theft or fraud, and the responsibilities of both the client and the CPA. The engagement letter should also be renewed and signed by the client annually.
- Stay within the scope of the engagement. An engagement letter is useful only if the CPA adheres to the defined scope in rendering the professional services. Additional services, or modifications to agreed-upon services, should be memorialized in writing with the client, whether it’s through email, a new engagement letter, or an amendment to the existing engagement letter.
- Be fraud aware. Train all firm personnel, not only auditors, about potential fraud risk factors and the “fraud risk triangle” (opportunity, rationalization, and incentive/pressure). Learn about the risk factors associated with common frauds, such as embezzlement by an unmonitored bookkeeper or controller with excessive authority or access, or use of business credit cards for personal expenses. Firm personnel should be educated about common internal control weaknesses that create an opportunity for fraud to occur, such as a lack of segregation of duties, poor tone at the top, or infrequent vacations taken by key financial employees.
- Apply professional skepticism to all engagements. This is particularly important on engagements with longtime clients, where a level of established comfort could threaten objectivity. Trust your instincts and follow up on matters that don’t seem quite right.
- If you see something, say something. Management letters with suggestions for control or process improvements are not designed solely for audit clients. If you observe a weakness in internal controls or believe management should follow up on an observation noted, inform your client orally and in writing. If the weakness persists year after year, keep telling the client both orally and in writing until the deficiency is addressed.
- Document, document, document. Contemporaneous documentation represents critical evidence in the defense of professional liability claims. Strong documentation includes, at a minimum, a well-crafted and detailed engagement letter, documentation regarding client inquiries made and responses received, and communication of internal control matters or suspicious activities noted.
Sarah Beckett Ference (email@example.com) is a risk control consulting director at CNA.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.