Navigating storms, and risk, with subcontractors

By Matt Mitzen, CPA, and Deborah K. Rood, CPA

Like any good sea captain, many CPA firms run a tight ship, ensuring staff are appropriately utilized and busy delivering client service. While this staffing model makes sense most of the year, there are times when not having enough hands on deck may sink the ship. To keep the boat afloat, firms often engage outside help to assist during stormier times, such as tax season, or to provide expertise that does not otherwise reside within the firm, such as engagement quality control review (EQCR) services. While using subcontractors has the advantage of just-in-time staffing, there are professional liability risks to consider.

An example of such a risk is shown in the following claim scenario:

A CPA firm engaged a subcontractor who was winding down his own tax practice to assist with the firm's April 15 tax deadline. Unbeknownst to the firm, the subcontractor also provided bill payment services on behalf of his legacy clients. In addition, he started providing these services for the firm's clients assigned to him, without its knowledge. After April 15, the subcontractor's services for the firm ended, but the firm did not inform its clients of the termination. The subcontractor continued to make payments on the clients' behalf. The firm only realized this when it was sued by a client for the subcontractor's embezzlement of over $3 million from the client. The client asserted that it believed the subcontractor was still acting on behalf of the firm and that the firm failed to supervise the actions of its "agent."

As the story demonstrates, the actions of a firm's subcontractors, even though they are unrelated third parties of a CPA firm, can place the firm at risk. Consider implementing the tips below to mitigate the risk of a claim related to subcontractors.


Before setting sail, revisit your needs. Are you looking for additional crew to prepare income tax returns during March and April, or are you looking for someone with specific talents, such as international or state and local tax expertise?

Irrespective of the role a subcontractor will play, perform due diligence to evaluate the subcontractor just as you would a new employee. Is the subcontractor qualified in the required areas? Can the subcontractor perform the required functions? Consider a busy CPA who hastily engaged a subcontractor on a Friday afternoon in late February to help prepare international aspects of corporate tax returns, prior to completing due diligence. After providing client information for the subcontractor to work on at his home office, the CPA discovered that the subcontractor had misrepresented his experience and did not have the necessary knowledge. The relationship was immediately terminated, but significant time was spent determining if all client information was returned, as well as reviewing and completing in-process work. Ultimately, the firm was left with no assistance in preparing the tax returns.

When engaging subcontractors, remember to:

  • Ensure subcontractor professional licenses are valid and current;
  • Evaluate the skills and experience of the subcontractor by checking references and performing other procedures to assess qualifications;
  • Evaluate the subcontractor's cybersecurity practices;
  • Confirm the subcontractor is in good standing with the AICPA and state CPA society;
  • Address where services will be performed, including how information will be shared between the CPA firm and the subcontractor;
  • Review the subcontractor's peer review report, if applicable; and
  • Examine continuing professional education to determine its relevance to the firm's requirements.

Importantly, ask why this person has capacity at a busy time of the year. Some subcontractors may have difficulty working with others, preventing them from having a full client list or holding a full-time position. Another red flag is a subcontractor who has jumped from firm to firm over several years.


Before beginning any client work, the CPA firm obtains an engagement letter. Likewise, a written agreement also should be executed with the subcontractor. Some professional liability insurers and other third-party providers have samples.

While the subcontractor agreement is similar to a client engagement letter, significant differences should be addressed, including:

  • The subcontractor's responsibilities regarding the protection of confidential client information and their responsibilities in the event of a data security incident;
  • Training to be provided by the CPA firm;
  • Documentation and maintenance of professional and cyber liability insurance by both the CPA firm and the subcontractor;
  • The subcontractor's indemnification of the CPA firm for claims brought against the CPA firm as a result of the subcontractor's gross negligence or intentional misconduct;
  • The CPA firm's responsibility to direct, supervise, review, and evaluate the subcontractor's work; and
  • The CPA firm's responsibility for the final deliverable, including any conclusions reached.

Clearly delineating roles and responsibilities between the parties is important. For example, will EQCR comments be cleared by the subcontractor or the engagement partner? If the engagement partner clears review points, does the engagement partner understand the concerns raised by the subcontractor? If the subcontractor prepares tax returns, is there a designated firm representative who must review and sign the returns prepared by the subcontractor before they are filed?

How and when will the subcontractor receive training on firm methodology, systems, or technical updates relevant to the services to be delivered? A CPA firm's processes, procedures, and tools help ensure the firm provides a consistent, high-quality deliverable to its clients. Having all parties rowing in the same direction is a key factor in the potential success of a firm-subcontractor relationship.


Supervising experienced professionals may create choppy waters, but all firm personnel should be monitored. The AICPA Code of Professional Conduct (ET §0.300.060.06) requires CPAs to "plan and supervise adequately any professional activity for which he or she is responsible." Supervise subcontractors as you would any new hire performing similar services.

What should you do if the subcontractor specializes in an area in which the firm has limited or no expertise? Regardless of the firm's knowledge in the specific subject matter, it should have sufficient experience to define the work and review the work product and determine if it is reasonable. If the subcontractor's work does not appear to be reasonable, and the explanation provided is not sufficient, keep probing until it is. The CPA firm should understand the work performed and the conclusions reached in order to approve and issue the final work product. The subcontractor should also provide documentation to support the work performed and conclusions reached, which is then retained by the CPA firm.


Remember the "inexperienced" subcontractor noted earlier? That subcontractor was hired to work from his home and had access to clients' personal information. Even if the subcontractor was honorable, such information could be inadvertently disclosed to others sharing the contractor's workspace. Or a miscreant may have the ability to access information if the subcontractor does not have appropriate data security safeguards in place. What security protocols do they use? Will they use your firm's VPN (virtual private network)? The article "Professional Liability Spotlight: Due Diligence With CPA Firm Subcontractors," JofA, June 2015, discusses a firm's legal and professional responsibilities related to subcontractors.


There are both upsides and potential risks to using a subcontractor. If you are the subcontractor, the same considerations noted above apply, except you are keeping an eye open for a potential employer. Are you ready, willing, and able to be a deckhand reporting to a new captain? If not, this could create little ripples that become big swells on the voyage to a smooth busy season.

Matt Mitzen, CPA, CFE, and Deborah K. Rood, CPA, are risk control consulting directors at CNA. For more information about this article, contact

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit

This article provides information, rather than advice or opinion. It is accurate to the best of the authors' knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

Where to find May’s flipbook issue

The Journal of Accountancy is now completely digital. 





Leases standard: Tackling implementation — and beyond

The new accounting standard provides greater transparency but requires wide-ranging data gathering. Learn more by downloading this comprehensive report.