CPAs face malpractice claims asserting they failed to detect fraud at a client regardless of service. Learn tips to help mitigate risk.
By Sarah Beckett Ference, CPA
This article originally appeared in the October 2022 issue of the Journal of Accountancy.
Did you know that, regardless of the service provided, CPAs face professional liability claims asserting that they failed to detect a theft or fraud at a client organization? Did you also know that even if a theft or fraud is below an auditor's or reviewer's materiality threshold, the CPA may still be blamed for not detecting it? The disconnect between a CPA's professional responsibilities related to fraud detection and the public's perception of those duties has annoyingly persisted.
To understand how a CPA can be perceived as responsible for detecting fraud in a client's organization, consider the following scenarios based on real-life claims:
Scenario 1: A CPA was engaged to provide tax planning and preparation services for a number of entities that were part of a family office. The family office employed a CFO charged with acting on behalf of the family members. The CPA met with the family members at the beginning of the relationship to discuss service needs and to get the engagement letter signed.
Over the course of the client relationship, the CPA interacted almost exclusively with the CFO. When the family office's bookkeeper resigned, the CPA assisted the CFO with various responsibilities, including bank reconciliations. It was subsequently discovered that the CFO had been systematically defrauding the family office for decades and had misappropriated nearly $10 million through excessive compensation, using a company credit card and wire transfers to secret accounts he controlled to pay for luxury vacations for his family, tuition for his children, and lavish artwork.
Defending the claim was difficult. While there was an engagement letter in place, the CPA indicated that it was intentionally broad in scope, as the "client needed flexibility and did not wish to be bothered by the details." The engagement letter also did not address any limitations of the firm's services, such as the failure to detect theft and fraud, and since the engagement letter was perpetual, the statute of limitation was not available as a defense. The CPA's involvement with bookkeeping for the family office entities also proved detrimental. The client argued that the CPA had access to credit card and bank statements and should have noticed the CFO's unusual charges and brought them to the family's attention. The client also indicated that the CPA should have advised them of the risk of fraud when the bookkeeper resigned, making segregation of duties impossible. Finally, since the CPA had developed a tight relationship with the CFO and had been the unknowing recipient of a few of the CFO's unauthorized "perks," the client alleged that the CPA's objectivity was impaired.
Scenario 2: A CPA firm provided audit and tax return preparation services for a textile company for a number of years but eventually terminated services as the firm outgrew the client. Subsequent to the end of the professional relationship, the client discovered that one of its employees had misappropriated over $1 million, directing those funds to another business owned by the employee. While the majority of the funds had been misappropriated after the CPA firm had ceased providing services, the client asserted that had the CPA firm pointed out certain red flags that were allegedly evident during the performance of the CPA firm's services, the fraud would have been detected earlier, thus lessening the damage. The client brought a $2 million suit against the firm: $1 million for misappropriated funds and an additional $1 million in lost value of the client's business, allegedly due to the misappropriated funds. The total claimed damages were well above the CPA firm's policy limit.
In defense of the claim, the CPA firm pointed to its engagement letter provisions describing its responsibilities, and limitations thereof, related to theft and fraud detection. The firm also noted that the embezzled amount in any given year was below the materiality threshold for the respective period. However, the expert hired by the defense noted there was room for improvement in the firm's workpapers related to accounts payable transactions. In addition, it appeared that the firm did not point out the client's lack of access and oversight controls in a written communication to the client.
CPAs may believe that longtime clients would never assert such a claim against them. However, a congenial working relationship can take an abrupt turn when fraud is discovered. When clients lose money, they often look for someone to blame.
Risk Management Tips
CPAs can use several techniques to help protect themselves against risk exposures related to failure to detect theft and fraud.
- Regularly evaluate the risk of the client and the engagement. Regularly screen clients and consider the risks associated with both the client and the services you are being engaged to perform. It should raise a red flag if a client dismisses internal control weaknesses brought to their attention. Is this a situation where the client has an unreasonable service expectation, or is it possibly one of questionable integrity? Either way, the CPA should take precautions.
- Use engagement letters on all engagements. A well-crafted engagement letter can help reduce expectation gaps and can serve as key evidence in the defense of a professional liability claim. The engagement letter should include a clear and specific description of the scope and limitation of services to be performed, the responsibilities of both the client and the CPA, and, where applicable, a statement that the engagement is not designed to detect theft or fraud or deficiencies in the client's internal controls. The engagement letter should also be renewed and signed by the client annually.
- Stay within the scope of the engagement. An engagement letter is useful only if the CPA adheres to the defined scope in rendering the professional services. Additional services, or modifications to agreed-upon services, should be memorialized in writing with the client, whether it's through email, a new engagement letter, or an amendment to the existing engagement letter.
- Be fraud aware. Train all firm personnel, not only auditors, about potential fraud risk factors and the "fraud risk triangle" (opportunity, rationalization, and incentive/pressure). Learn about the risk factors associated with common frauds, such as embezzlement or asset misappropriation by an unmonitored bookkeeper, or use of business credit cards for personal expenses. Educate firm personnel about common internal control weaknesses that create an opportunity for fraud to occur, such as a lack of segregation of duties or poor tone at the top, or potential red flags, such as key financial employees seeming reluctant to take time off.
- Inform clients, in writing, of the risk of a lack of segregation of duties. More often than not, embezzlements are perpetrated by someone with unfettered or unmonitored access. Regardless of service and client size, consider a written communication informing the client of the risk of a lack of segregation of duties. For small clients with limited personnel, suggested controls could include having the owner as well as the account reconciler receive account statements directly from the financial institution and having the owner or another senior-level employee perform surprise reviews of account reconciliations and account activity. If the control weakness persists, keep telling the client both orally and in writing until the deficiency is addressed.
- Apply professional skepticism to all engagements. This is particularly important on engagements with longtime clients, where a level of established comfort could threaten objectivity. Trust your instincts and inform the client, in writing, of matters that don't seem quite right.
- Document, document, document. Contemporaneous documentation represents critical evidence in the defense of professional liability claims. Strong documentation includes, at a minimum, a well-crafted and detailed engagement letter, documentation regarding client inquiries made and responses received, and communication of internal control matters or suspicious activities noted.
Not just an audit concern
The portion of claims asserted in 2021 against CPA firms in the AICPA Professional Liability Insurance Program alleging that the firm failed to detect theft or fraud, by the service from which the claim arose:
59% Tax services
23% Bookkeeping and consulting services
18% Attest services
Source: CNA Accountants Professional Liability Claim Database, underwritten by Continental Casualty Company. Copyright © 2022. All rights reserved.