Managing risk related to consulting engagements

By Jamie Yoo

Over the past 10 years, consulting has grown from a $153 billion industry to a $259 billion industry. Even though consulting is not necessarily a "traditional" service delivered by a CPA firm, consider the number of times a client has asked for advice. In many instances, such ad hoc advice can evolve into a larger consulting opportunity and a great way to enhance the practitioner's value proposition.

If traditional tax or attestation engagements are like a coloring book, where the professional standards and guidance provide pre-formatted guidelines within which the practitioner should color, consulting engagements are like a blank canvas, limited only by the practitioner's imagination. Consulting engagements can lend themselves to more creativity and flexibility but do require more professional judgment, preparation, and planning to help ensure the end result is a success and not a flop. This column provides some tips to consider when sketching out your plan for a consulting engagement.

ASSESS EXPERTISE IN THE CHOSEN MEDIUM

A sculptor might not possess the skills to be an impressionist painter. A cartoonist may not be the best at blowing a glass sculpture. Similarly, before accepting a consulting engagement, practitioners should first objectively assess whether they possess the appropriate expertise and knowledge of the engagement's subject matter. The AICPA Code of Professional Conduct requires the CPA to conduct his or her activities "with competence and diligence" (ET §0.300.060, Due Care). Further, AICPA Statement on Standards for Consulting Services (SSCS) §100.06 requires practitioners to undertake only those services they can reasonably expect to complete with professional competence.

Accept engagements only when the firm has expertise to deliver the service with competence. The phrase "fake it until you make it" shouldn't be one that is heard in your office. Understand and evaluate the firm's knowledge gaps to determine whether additional training or expertise is needed. Playing to the firm's strengths and making a commitment to learning and professional improvement is a good risk management practice and is required by the professional standards. Regardless of what the professional standards say, being competent in one's chosen medium or subject matter just makes good business sense.

DETERMINE WHAT STANDARDS APPLY

Once the practitioner has determined that the firm possesses the appropriate expertise and resources to support a consulting engagement opportunity, another question the CPA may ask is, "What professional standard(s) will govern my service?"

Sometimes the service requested by the client does not neatly align with an AICPA professional standard that can govern the service. In these instances, the CPA should ask probing questions to determine what risk the client is seeking to address and what the client is seeking to achieve from the service. Following this, the practitioner will likely determine that the appropriate body of standards is the SSCS. Per SSCS §100.02, in a consulting engagement, "the practitioner develops the findings, conclusions, and recommendations presented." This approach lends itself nicely to a wide variety of engagements related to nearly any subject matter. Indeed, consulting engagements can entail problem-solving, evaluation of alternatives, and recommending or implementing a course of action, with the primary objective to provide advice that is only for the use and benefit of the client. Since the specific methodologies to be followed and procedures to be employed are at the discretion and professional judgment of the practitioner, knowledge of other professional guidance or widely accepted frameworks may be necessary.

For example, practitioners engaged to evaluate a client's processes and internal controls related to the revenue cycle may require additional expertise beyond their existing financial reporting knowledge. A firm that has been engaged to provide a gap assessment of a client's cybersecurity practices and policies may need experience with widely accepted industry frameworks such as the National Institute of Standards and Technology's Cybersecurity Framework.

The applicable professional standard or framework should also be included and described in the engagement letter to document the client's and the CPA's understanding and acknowledgment.

AGREE UPON AND MANAGE SCOPE

Scope management is important for all engagements but is especially crucial for consulting engagements, as the nature and scope of work performed is determined solely between the practitioner and the client. In addition, the scope is more likely to evolve based upon information discovered during the engagement than it is in an attest or tax engagement, and that expansion is sometimes expected. Given this, it is important for the practitioner and client to be aligned in the understanding of scope and responsibilities through every step of the engagement. Consider the following ripped-from-the-headlines, cautionary tale of a consulting engagement gone awry:

A consulting firm was engaged by a client to test the adequacy and effectiveness of security in place at various company locations, including a highly sensitive research-and-development facility, and identify possible vulnerabilities. The consulting firm obtained an executed engagement letter and a form signed by the client authorizing the consultants to carry out their planned engagement activities.

Two consultants arrived at the research-and-development facility after business hours, with the authorization form in hand to carry out the engagement activities. The tests performed by the consultants ultimately triggered the security system as expected. When law enforcement arrived, the consultants calmly presented a copy of the authorization form to explain the intrusion. However, it was not accepted by law enforcement, as they were not made aware of the engagement prior to the planned break-in attempt. As a result, the consultants were arrested and their mugshots taken.

What unfolded was a saga of differences in interpretations of the engagement scope between the firm and the client, and a lack of communication about the engagement by the client to other affected parties. The client had not anticipated that the engagement would involve attempting a forced entry into a building and did not communicate to law enforcement in advance that the penetration test was to occur. Additionally, the executed engagement letter included contradictory statements about whether testing could occur after business hours.

This unfortunate event reminds us of the importance of:

  • Agreeing upon the scope, detailed engagement activities, and respective client and practitioner responsibilities at the beginning of the engagement.
  • Educating the client about its responsibility to manage communication within the organization regarding the engagement so that it does not become the practitioner's burden to bear.
  • Documenting this agreement and understanding in an executed engagement letter. As the scope changes, update the engagement letter through a formal addendum or other written communication with the client. An email exchange can often suffice.
  • Managing client expectations throughout the engagement. Over-communication is better than an unaddressed misunderstanding.
  • Retaining supporting documentation in firm workpapers for research performed to support the practitioner's conclusion.

FINAL THOUGHTS

Careful and objective assessment supported by appropriate risk management measures can help mitigate the professional liability risk associated with consulting services. Preparation and planning are important, but look out for unexpected bumps in the road or questions from clients. When a question or request for services appears to be high-risk despite the application of the aforementioned safeguards, remember that it's OK to say no rather than advising clients in haste.

Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact specialtyriskcontrol@cna.com.


Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situation.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
