CPA practitioners must exercise due diligence and professional skepticism in accepting and continuing all clients and engagements. A continual evaluation of the client (whether prospective or continuing) can keep a CPA’s exposure to litigation and financial controversy to minimal risk. And the foundation for this evaluation must be our Code of Conduct.
Codes of conduct are important. Law enforcement has one. Businesses have them (or should). Even Boy Scouts of America has one. Some of you may recall that a scout must be “trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent.” This code is serious business for scouts; likewise, the AICPA Code of Conduct is serious business for our profession. It identifies our highest responsibility – to protect the public interest and maintain the public trust. We CPAs must strive to be trustworthy, to instill and maintain trust, and to assess trustworthiness in the people and entities with which we work.
When it comes to public practice, CPAs often develop an innate sense that alerts us to those clients who are arrogant, reckless, aggressive, shady, deceitful, or fundamentally troubling. When we apply professional analysis and documentation, we convert those “feelings” into clearer indications of whether to engage or disengage with a client.
Many well known fraud cases (from Adelphia to ZZZZ Best) are related to audit engagements, and most are public companies. However, frauds and other disreputable actions are perpetrated by private companies and individuals as well. In fact, nearly every study on fraud concludes that most fraud takes place in nonpublic entities due to the lack of basic internal controls and the significant involvement of owners (management). Further, business owners know that the lower the level of assurance provided by the outside CPA (only audits and reviews provide “assurance”), the less CPA scrutiny and verification there is – thus, there’s a far greater chance that irregularities will go unfound.
CPAs, however, have extensive ethical responsibilities in the daily performance of any and all professional services, not just audits. Unethical behavior by management in business, nonprofits, governments, or quasi-governments have implications significant to all touched by them. Thus many, including those in the legal process, look to CPAs to keep everyone “honest and accountable.” Accordingly, the AICPA, state boards of accountancy, CPA state societies, state laws, and a multitude of regulatory agencies (General Accounting Office, Department of Labor, U.S. Treasury, and so forth) establish rules and regulations for ethical behavior applicable to all CPAs providing any professional services. Accordingly, a CPA has responsibilities to the public interest (anyone affected by, or who rely upon, the objectivity and integrity of the CPA) by exhibiting and acting with integrity while maintaining objectivity (in all cases) and independence (when required by the service standards), all while conducting and rendering professional services with due professional care.
The point is that CPAs who do not provide assurance services (audits or reviews) probably feel relatively secure that they do not need to worry about the trustworthiness of their clients. Don’t be quick to make that assumption. Let’s look at some of the facts presented by CNA, a professional liability insurance provider:
Regarding analysis of claims by practice area, 65 percent relate to tax, 12 percent relate to accounting and bookkeeping services (includes compilations), 7 percent relate to consulting, and 5 percent relate to investment advisory services.
- Regarding theft and fraud claims, 25 percent came from accounting and bookkeeping engagements (no financial statement), 13 percent from tax engagements, 9 percent from investment advisory services, and 3 percent from consulting engagements.
- Bookkeeping engagements accounted for the largest number of claims alleging fraud or theft of client funds by the insured.
- Engagement scope disputes resulting from bookkeeping engagements are particularly common when investment, tax, or other financial advice is also provided.
In financial reporting engagements, reported failures to detect theft, misstatements, and fraud break down as follows: 77 percent in private company audit claims, 73 percent in review engagements, and 64 percent in compilations.
Further, CNA stipulates, “Failure to identify fraud during the course of an engagement is a major cause of malpractice allegations against CPAs. Notwithstanding the scope of the engagement ..., clients often hold CPAs responsible for failing to discover a financial fraud, or the loss of money or other assets to theft or defalcation, perpetrated by an officer or employee.”1
Correlate the above information with fraud studies that consistently indicate that about two-thirds of fraud is perpetrated by members of the “C-suite,” including owners. Further, a widespread characteristic of closely held businesses is that the owners often see the business as a source of all kinds of “owner benefits.” Many times when a CPA sees items that appear questionable, the CPA might assume that the owner was involved, leaving them in a quandary: should the CPA highlight the activities and confront the owner (who might be the source of the activity and adversely affect the relationship), or look the other way (and ethically bend, possibly letting someone perpetrate theft or fraud)?
One way to help in these situations is to determine whether or not there have been indicators that would lead an objective CPA to conclude, “I don’t really trust this client.” This is the critical starting point of assessing the integrity of a client relationship. When push comes to shove, a large majority of business owners (clients) will choose their own best interest over another’s, especially that of their CPA. If clients perpetrate some inappropriate accounting or out-and-out fraudulent activities, they will likely turn on the CPA and claim either the CPA did not advise them that they were doing anything wrong, or assert that their CPA advised them that they could do whatever it is that they had done. A CPA who “looks the other way” is not helping anyone. Further, he or she will have violated the ultimate responsibilities of a CPA.
In accounting, integrity means that a person acts on principle – that is, a conviction that there is a right way to act when faced with an ethical dilemma – and upholds the public trust.
New Client Acceptance
New client acceptance processes should be preemptive: the objective is to gain insight into a prospective client’s past business practices, the integrity of the client (and management), and whether there are issues that could create a conflict for the CPA/firm to meet its professional obligations. Here are a few key points to evaluate:
ABCs – Evaluate the relationships (current and prior) between the prospect and its attorneys, bankers, and outside CPA. Understanding how the prospective client interacts with these professionals will help you better understand/project the relationship. For example, what are the reasons it is seeking a new or different CPA firm? The reasons may be legitimate, but you should verify that other matters did or did not exist, such as fee disputes, cooperation or disagreements between the prospect and the CPA firm, or whether the prospect is “opinion” or “low fee” shopping. Questions to consider here would include the following:
- What was the nature/characteristics of the relationship with the prior firm?
- Can the prospect provide “credible” business references on which we might rely?
- Does the prospect have any history of professional liability claims or disputes?
- Has the prospect timely and satisfactorily paid for their professional services?
Integrity Standards – Irrespective of whether attest or nonattest services will be provided, an integral premise is that you will need to rely on client management to provide reliable information, disclosures, and representations. So, whether the services are tax or financial reporting, consider the following:
- Does the client (management) have any history with compliance and related enforcement?
- Does the prospect reflect a history of honoring its agreements, responsibilities, and obligations?
- Does the prospect have a litigious history, either as plaintiff or defendant?
- Does the prospect (management) have a reputation within the region or industry?
Subject to drastic leadership changes, management generally does not materially change. While “past performance is not indicative of future results,” certain historical characteristics or trends may present red flags. For example, a company that has often been a defendant in litigation could indicate poor management or suspect character. Conversely, a company that has been a frequent plaintiff could indicate unrealistic expectations or an attitude of working the system.
CPA professional performance standards for attest services already have requirements for the client acceptance evaluation process. But CPAs should have a thorough scrutinizing process for all prospects, as well as evaluations for client continuation.
A “Client Assurance Program” is a formalized acceptance and retention program that CPAs should consider implementing for both attest and nonattest engagements. In addition to performance standards, regulatory guidance and court case precedents suggest the significance, and expectation, to “know the client.” Exposure matters are deep in any client engagement, whether nexus, trust-fund responsibilities, valuation or impairment assessments, related-party relationships, subjectivity in financial representations, and all aspects of earnings management, to name a few. All present a need for dialing up professional skepticism. Upon implementation, any CPA risk avoidance procedure must be thoroughly documented, documented, and, oh yes, documented.
The program should weigh a wide range of matters, including high turnover in staff or external professionals, poor or volatile earnings history, litigation, cash flows (or lack thereof), rapid expansion or drastic cost-cutting, unusual transactions, and so on. All of these “documented” matters will play a part in the acceptance or rejection of a client (or the decision to continue or disengage an existing client) via a multipartner/manager approval process.
This is fundamentally problematic for single-owner CPA firms. Sole practitioners should heavily rely on the application of the AICPA Code of Professional Conduct’s Conceptual Framework. Using the conceptual framework,2 the practitioner should identify the potential for threats to CPA compliance with professional guidance and standards based on the New Client Acceptance questions and assessment. Potential threats from a prospective client are evaluated under seven broad categories: adverse interest, advocacy, familiarity, management participation, self-interest, self-review, and undue influence.
Some firms may use a formal application, with the prospect completing an intake form. Investigations are often disclosed to the prospect as part of the process – others may not since these are considered commercial investigations. More and more, CPA firms are also running background and criminal checks on prospective clients, although the level of investigation may be influenced by criteria, such as size of engagement, level of performance, high-risk industries, specific engagement service types, or tangential relationship with regulated or high “user-reliance” industries or engagements.
The evaluation of existing clients in ongoing service engagements is a requirement in all attest engagements, but it can be a significant and important best practice for CPAs who provide nonattest services. The steps applied in new client acceptance should be the foundation for continuing service evaluations. But rather than looking back at the relationship the client had with a predecessor, continuance requires an ongoing review of your relationship and service experiences. Professional services rendered provide great insight into owner/management motivations and character.
Again, an excellent aid in this process is the AICPA Code of Professional Conduct’s Conceptual Framework and the seven threats to objectivity and integrity.3 This process is critical as, over time, a CPA can get too comfortable with the client’s behavior, attitudes, and practices. The longer the ongoing relationship with a client, the greater the threat potential to the CPA. Stepping back to continuously evaluate the client relationship better alerts the CPA of cautions or concerns – and a clearer vision of attributes may arise that suggests the CPA should not trust the client.
The concept of professional skepticism highlighted in Statement on Auditing Standard No. 99 (auditors’ responsibilities for fraud detection) alerts the auditor to the need to overcome a natural tendency of overreliance on client representations and other biases in the audit and audit approach, but (dare we say it out loud) there is also the fact that not all clients are honest. A more critical and skeptical mind-set should be equally important and relevant in nonaudit engagements.
Nonattest Services Offer Clearer View
In many instances, CPAs who provide nonattest services delve even more deeply than those providing attest services. While a CPA providing auditing or review services is focused on providing assurance on the financial data being reported upon, once CPAs are in the levels of compilations (without independence) or preparations, bookkeeping, controllership, and tax services, they tend to go into the underlying financial data, reconciling, analyzing, and adjusting for classification and valuation (a verification process). When CPAs provide data entry, bank analyses and reconciliations, and distribution determination, there is an increased perception of knowledge and awareness of the propriety of financial data. Further, the deeper the CPA is in the underlying financial data that makes up the financial representations of the general ledger and the financial statements (or tax reports prepared therefrom), the greater the expectations on the CPA for either some level of awareness of financial propriety or to notice any irregularities, embezzlements, or misuse of financial assets, especially when there are third-party users (lenders, potential investors, tax or other regulatory authorities, etc.).
The professional standards are fairly clear on CPAs’ responsibilities in the event the CPA suspects or uncovers fraud, but how the CPA must proceed when the suspicion of fraud presents during the course of bookkeeping, tax preparation, or other nonattest services is not overtly expressed in professional literature. Some CPAs worry that following a suspicion is tantamount to pulling the proverbial thread that unravels all. A hunch may create all sorts of problems for the practitioner: suppose an owner may be exercising “extra benefits” he believes he is due; the follow-up and reporting of the suspicion could then inadvertently extend the scope of the engagement and responsibilities, which in turn increases potential liability. Then there is the potential that the relationship with the client will be terminated should the CPA question the owner, which might be interpreted as an accusation.
More Ways to Gauge Trust
The use of formalized policies and procedures will help protect you from the harm that follows allowing something to go unchecked and unaddressed. Here are more procedures to consider:
Meet and/or interact with owners and senior managers to maintain a sense of their tone at the top.
- Some CPAs obtain credit histories for individual tax and financial planning clients.
- When dealing with a new client, make a concerted effort to obtain permission to speak with the predecessor accountant. Even the prospective client’s attitude about permitting (or not) a discussion with the predecessor will tell you something.
- Review past financial statements and tax returns to see whether the engagement is up against due dates or time constraints.
- Consider/evaluate the overall risks of the engagement and engagement services.
- For higher-risk engagements, a background check on key members of the company’s management – looking at bankruptcies, judgments, tax liens, licensing issues, criminal/civil records, etc. – may be prudent.
- Thoroughly discuss the owner/management plans for the short and intermediate term to determine the goals that might influence their decision-making.
- For continuing clients, consider a risk assessment, financial trending compared to the industry, and relationship assessments for the personnel that interact with the client.
- Consider the questions, “Is this client right for our firm?” and “Does this client make our practice better?” There is no requirement to accept all prospective clients or retain all existing clients.
Finally, let’s go back to the Boy Scouts for another important lesson that they emphasize. That would be the Boy Scout motto: “Be prepared.”
1 CNA, from AICPA Education Center.
2 AICPA Code of Professional Conduct – Conceptual Framework at 1.000.010.
3 AICPA Code of Professional Conduct – Seven Threats per the Conceptual Framework at 1.000.010.10 thru 1.000.010.16.
James J. Newhard, CPA, is a sole practitioner in Paoli, a CPE presenter for Loscalzo Associates, a past president of PICPA’s Greater Philadelphia Chapter, and a member of numerous PICPA committees, including the Pennsylvania CPA Journal Editorial Board. He can be reached at firstname.lastname@example.org or on Twitter @CatalystJimCPA.