By Allison M. Henry, CPA, CGMA, PICPA Vice President - Professional & Technical Standards

The relationships between a CPA and his or her clients can last for many years, having been built on a foundation of trust and professionalism. However, the increase in third parties asking for comfort letters threatens these relationships and challenges the integrity and ethical behavior of the CPA as well as their billable hours.

These third parties — which can be banks, health insurance providers, or state taxing authorities– typically want to verify the accuracy of a client’s employment status, income, or revenue, and they want the CPA to sign off on that information through what is commonly called a comfort letter. Furthermore, recently enacted regulations from the Consumer Financial Protection Bureau (CFPB) intended to implement the Truth in Lending Act (TILA) have given lenders new reasons to request comfort letters from CPAs. Specifically, Section 129C of the TILA requires a lender to “make a reasonable and good faith determination, based on verified and documented information, that the consumer has a reasonable ability to repay….” To comply with these guidelines, lenders are turning to CPAs for assurance. Unfortunately, in most instances, CPAs must say no to this request.

Why is writing a letter that includes verification of requested information such a problem? It really comes down to the fact that CPAs are bound by the requirements of the State Board of Accountancy (which carries weight of law) and the AICPA professional and ethical standards. Failure to follow these rules can result in ethics violations or sanctions from the State Board of Accountancy. For a CPA to provide assurance as to the fairness of the presentation of a client’s financial position, that CPA must perform an engagement that provides such assurance, such as a financial statement audit or review. Other types of information can be provided through other attest services. These engagements are costly, and clients are rarely willing to hire the CPA to do them. Plus, under no circumstances can a CPA verify solvency information, which is strictly prohibited by professional and ethical standards.

Other information requests are not within many CPAs’ area of expertise. For example, a CPA who prepares a tax return based on information provided by the client is not in a position to verify that the client doesn’t have other employment arrangements aside from what he or she tells the CPA. Another frequent request is for verification that the client owns a certain percentage of a business.  A CPA can’t confirm whether or not a client has bought or sold a portion of a business without some sort of additional procedures.

Regulations allow lenders to use information from the IRS for verification. This information can be obtained from the client. A CPA cannot simply forward a tax return to a third party. CPAs are required to follow the applicable laws, regulations, and professional standards set by the IRS, State Board, and AICPA. At best, and only under certain circumstances after complying with applicable regulations, a CPA may be able to provide confirmation that he or she prepared the tax return, the return was prepared in accordance with IRS rules (which does not include an assessment as to credit worthiness). Even in this case a reminder should be included that credit decisions should be based on the lender’s own due diligence.

To preserve their hard-earned client relationships, practitioners must have a plan for comfort letter situations. To preserve their bottom line, practitioners should strongly consider informing their clients up front that there will be additional charges for responding to third-party requests for information. The CPA should understand the applicable standards, laws, and regulations as well as the potential risk and liability. The PICPA has a new set of resources to help practitioners prepare for these requests. The PICPA is working to educate lending institutions and regulatory agencies as to what CPAs can and cannot provide on behalf of clients. At the same time, neither the PICPA nor the AICPA can police the world. It is ultimately up to the practitioner to hold the line and comply with professional standards. We are interested in obtaining information regarding specific egregious requests. Please, after ensuring that you meet client confidentiality rules, forward some examples to my attention.