Nothing can be more injurious to a CPA firm’s reputation – not to mention its bank account – than a client introducing a large malpractice claim. Based on her article for the Journal of Accountancy, Sarah Ference, CPA, risk control director for the accountants program at CNA Insurance, explores the signs that a large malpractice claim could be on the horizon as well as potential damages that can take place if the situation is not handled in a brisk manner.
By Bill Hayes, Pennsylvania CPA Journal Managing Editor
Nothing can be more injurious to a CPA firm's reputation, not to mention its pocketbook, than a client introducing a large malpractice claim. With this in mind, we thought we would explore the signs that one could be on the way and the potential damages that can be incurred if the situation is not remedied in a swift manner. To delve into the dangers prevalent in the area of large malpractice claims, today we are talking to Sarah Ference, CPA, risk control director for the accountants program at CNA Insurance, the underwriter of the AICPA Professional Liability Insurance Program.
As part of a piece you wrote for of the Journal of Accountancy, you discuss some of the warning signs that a CPA firm may be headed for a large malpractice claim from a client. What are some of the types of clients that can be troublesome when you look at providing of attest services?
[Ference] It's important to note whenever a client or even a third party – especially when it comes to attest services; third parties could include investors or shareholders or creditors – loses money, CPA firms are often sued, especially when they're providing attest services.
When we look at some of these descendants that might bring a claim against the firm, the client entities that often give rise to large claims can be regulated entities, whether it's a bank or an insurance company or a credit union. When there's a regulator that steps in after a regulated entity fails, those regulators can be very aggressive when it comes to pursuing anyone who feel might have had some hand or some role in the regulated entity's demise.
Bankruptcy trustees, who step into the role when another entity fails, can also be fairly aggressive when it comes to pursuing to recoup their losses. Finally, entities that have maybe a higher risk of fraud, whether it's a hedge fund or even a construction company or an entity with weak internal controls and lack of segregation of duties, can also lead to large claims against CPA firms.
How about non-attest services? What sort of clients do you have to keep your eye on there?
[Ference] Well, there's a few here too, and those could be for a tax client or consulting client. First, we have high-profile individuals or high-profile families. Maybe that's a celebrity, an entertainer, an athlete, and high-profile is often subjective, those who maybe have their own sense of self-importance.
But those can be problematic when it comes to claims. High-net-worth individuals or families can be problematic because they have the means to pursue litigation against CPAs. Then, really any client that doesn't accept their role in the services or their responsibilities, then tend to shift that to the CPA can also be precursors to large claims.
What sort of red flags should CPA firms be aware of as it relates to service delivery?
[Ference] There's a few different things here. Every year, regardless of service that's delivered, we always see claims that assert that the CPA failed to detect the theft or fraud. This includes services that the CPA has no responsibilities related to fraud whatsoever, tax services or bookkeeping services or consulting. When a client experiences an embezzlement, regardless of service, they'll often point the finger at the CPA for not informing them of red flags that the CPA may or may not have been aware of during the course of delivering services.
Documentation deficiencies can also be pretty problematic in the defense of both the attest and non-attest claims, that when we have work papers that don't demonstrate how the services were performed, or the communications that were held with clients or the type of evidence that was obtained and tested. Those can be problematic, when the documentation in any service is really what speaks for how you delivered the engagement.
Then another red flag related to non-attest services is scope creep and the provision of investment advice, which can often go hand in hand. Those are some of the things we want to be cognizant of as it relates to how we deliver our services.
The article mentions being mindful of the perception of ethical violations. What exactly is meant by that?
[Ference] Well, we're all aware that independence is required for attest services and objectivity is required for all services. The Code of Professional Conduct does outline some bright lines, some black-and-white examples of what clearly violates independence and what clearly violates a firm's objectivity.
We all understand those situations, but there's a lot of gray in there where a CPA's professional judgment is involved in determining whether or not we have an independent violation or a threat of it, or a threat to objectivity. When we have areas or instances that might suggest that the CPA lacked independence or objectivity, or somehow impaired maybe a multiyear audit client of the firm, where the firm and the client and the engagement team have a close relationship and maybe they trade some casual emails, a plaintiff attorney might take that close relationship and twist it to try to assert that the CPA lacked independence and professional skepticism, because they were too familiar with the client.
Those kinds of things where they're not necessarily a 100% violation of the ethical standards, but a creative plaintiff attorney can demonstrate or might hint at there being some error of impropriety on behalf of the CPA. That just can be very damaging in the defense of a claim, because our defense council is much less likely to take that case to trial because of this cloud that hangs over whether or not the CPA was in compliance with the Code of Professional Conduct.
So CPA firms are ready, if these should come along, what sort of risk management practices and policies should they establish ahead of time?
[Ference] Just be aware of some of these potential risk issues when you're going through your client acceptance and delivery. That's the first step: being aware and responding appropriately.
But some of the risk management practices and policies for dealing with higher-risk clients and higher-risk engagements are very similar to what you do for any type of clients or engagement. That's your client acceptance and continuance, your first tool in your risk management toolbox, how you determine what kind of risk your firm is willing to accept and what you're not. After your client's in the door, then you put an engagement letter in place with that client.
We're a big fan of engagement letters for all services, not just where they're required by the professional standards. Make sure you include an engagement letter, sticking to the scope of that engagement letter or modifying it appropriately through some sort of written documentation with your client.
Risk-allocation provisions are also super helpful to have an engagement letter, whether that's using mediation to resolve disputes, including, where you can, a limitation of liability or a limitation of damages provision, or indemnification of the CPA firm against management's, or claims that relate to management's, misrepresentations. Finally, documentation for audits, for reviews, tax returns, all services, some sort of documentation that demonstrated the services that were performed by the firm.
Those are always going to be what helps you defend a claim that might arise.