Wood Litigation, APC is panel counsel for two accounting malpractice carriers and has represented hundreds of solo to midsize accounting firms in a variety of cases. One of the firm’s special areas of practice is the defense of accounting firms, where the accountant is being blamed for not catching embezzlement sooner. From our litigation experience, we have drawn some conclusions as to how CPA-tax preparers and business advisors can best protect themselves from being dragged into these lawsuits.
What is a Gatekeeper Lawsuit?
In the typical case, the CPA or other advisor is hired to do a job, like preparing a company’s taxes, doing bookkeeping work, or performing some other non-attestation engagement. The CPA prepares an engagement letter that states that the CPA is performing that work and only that work. The letter adds that while the CPA is not trying to uncover fraud, he or she will tell the client about fraud if one happens to be uncovered (by accident).
Things go well and over time the accountant is relied upon more and more. Management may, for example, call the CPA for advice on how the company should raise cash. The client’s in-house bookkeeper may ask the CPA to assist with a special project mid-year, or more periodically, and may even give the outside CPA online access to the books. Management may be looking at spinning off a new company and ask the CPA to do a quick valuation.
Then the embezzlement occurs, committed by the client’s bookkeeper or another employee. The CPA has never been asked to detect fraud, but by this time has boxes/gigabytes of accounting detail and boxes/gigabytes of records in their possession, and the incriminating data is all in there. It’s finger-pointing time. Management not involved in the theft invariably says they relied on the CPA to guide them, to protect them, period. The engagement letter only talks about a tax engagement and does not have any disclaimers tied to all of the work the CPA or advisor was actually doing. Lines are blurred and the CPA or other advisor is exposed.
How can you protect yourself from this situation?
1. Take Your Engagement Letter to the Next Level
Obviously, outside CPAs, bookkeepers, and business advisors should have an engagement letter with each and every client. Those new to writing engagement letters can start with CAMICO’s guide entitled CPA’s Guide to Effective Engagement Letters (11th Edition) w/CD, which at the time of writing this article was available on Amazon.com for $185.00.
In our legal practice, the problem is not that our clients do not have engagement letters. They usually do. The problem is, rather, the letters are either out of date, they are no longer effective because the work being done is different than described, or both.
The first step to limiting exposure and a future gatekeeper lawsuit is to take your engagement letter to the next level, catering the letter to each client and situation. Specifically, we recommend paying attention to:
- how the scope of work is articulated;
- disclaimers and making sure they attach to the whole scope;
- identifying what additional services are available for a fee; and
- renewing and reminding your clients about the parameters of the arrangement.
Articulating the Scope of Work
There seems to be a belief that limiting the scope of services in the engagement letter is helpful from a risk management perspective. But the whole point of having an engagement letter is to include disclaimers. Limit the scope and you can, if you are not careful, effectively limit the disclaimers. This can be done by poor writing or, more likely, by doing work not contemplated by the original language.
The better approach is to use language that captures all of the services you expect to provide, including services that naturally flow from the core engagement, and then couple that scope with disclaimers that attach to all of it. For instance, if you are hired to prepare tax returns, you can expect to be asked to provide tax advice, do tax planning and be consulted on tax-related matters. Depending on the situation, you may also expect to be asked to provide more general services such as calculations and/or advice to management respecting various aspects of the business. Similarly, if you are providing bookkeeping services, you may expect to provide advice on how the books should be kept. Depending on the situation, you may expect to be asked for advice on liquidity and other financial issues. When defining the scope, include these consequential engagements.
Important Note for Auditors: This article and its advice are not aimed at auditors. Audit work is a different animal where the CPA is independent. The form audit engagement letter that specifies that you are performing an audit of the company’s financial statements and not internal controls, etc., should not be modified to suggest you are performing services that would breach your independence. That said, if you anticipate being asked for operational advice outside the audit work, and such consulting services do not breach your independence, you should articulate that in the engagement letter instead of being silent on the point. See CAMICO’s guide for more guidance.
Include the Appropriate Disclaimers
Once you have accurately described the services you expect to perform, add language which limits the extent to which the client can rely on those services. There is a standard paragraph, touched on above, that provides that the CPA is not tasked with identifying fraud. This language alone is not terribly persuasive where the CPA’s role and access to information have grown since the engagement letter was first written.
Consider beefing up the section that states that you are not charged or tasked with detecting fraud. There are, indeed, many ways management and/or internal bookkeeping staff (or anyone else that handles client funds) can improperly use or abscond with company funds without detection. Say that, and consider adding examples tailored to the client and situation. For example: just because you are getting copies of documents, including bank statements, does not mean that you are checking to make sure the transactions on these documents are legitimate. If you think your client will be sending you accounting detail and/or backup, like bank statements, be clear as to what you will be using the documents for and, equally important, what you will not be using them for. And use plain English, for example: “We will not be reviewing bank statements for suspicious transactions.”
Note Additional Services Available for Additional Fee
Every engagement letter, we think, should then take another step, and that is to make clear that additional services are available for an additional fee. We do not see this often enough.
Juries don’t understand how accounting services are provided, or how much they should cost. While each side can hire an expert to explain it, nothing would be more convincing than the CPA or advisor saying to the client at the outset that additional services cost additional money.
The CPA or advisor doesn’t have to provide the service. The engagement or annual notice just needs to say that the service exists in the universe and provide a range on the cost. With that in the letter, we as defense attorneys can ask the plaintiff if they ever hired someone to do that work, if they ever paid the additional fee that it would cost, and deal a deft blow.
Renew and Remind
If your engagement letter is out of date or imperfect, you can still help yourself by renewing it or even just sending an annual notice that includes the above-discussed language (disclaimers coupled with an identification that additional services are available for an additional fee). A client will be hard-pressed to argue they were relying on the accountant to catch fraud where the accountant sent them a notice every year that said the exact opposite.
2. When Doing Bookkeeping Type Work, Train Your Lower Staffers to Be Aggressive and Educate Them on Internal Controls
Many of our clients are small CPA firms that provide tax and/or outside bookkeeping services to small businesses, including bank reconciliations. From the CPA’s perspective, these are low-level services. Accordingly, the CPA hires college graduates and/or less experienced individuals to do the work. The result is that the person doing the work is new both to the industry and to the client’s business.
The problem is, embezzlers are not newcomers to their respective businesses. They are seasoned experts that, usually, have been working at the same place for many years learning its weaknesses. In a recent case that we handled, a bookkeeper at a doctor’s office used the credit card machine to refund money, seemingly to patients but really to himself. The CPA’s staffer doing the reconciliation never thought to question the refunds. In another recent case, an in-house bookkeeper with check writing authority wrote checks to cash and then claimed vendors were paid with cash when, in fact, they were not. The CPA’s staffer doing the reconciliation mentioned to the bookkeeper (the embezzler) that transactions should not be done this way, but the effort stopped there.
The solution is to make clear to inexperienced staff that they should be inquisitive, if not aggressive. Train staff to take a greater interest in the businesses they are working on. Staff should take notes of vendor payments, employee payments, and other trends and/or transactions of interest and report what they find to the CPA in charge. As part of this process, staff should be trained to ask the CPA questions, however stupid they may seem. A properly trained staffer puts the CPA on notice of odd vendor payments, double payments to employees, or irregular credit card and cash transactions.
In addition to training staff to be inquisitive, CPAs should educate staff on what internal controls are – what they look like. Arguably anyone in the world providing accounting services to anyone else in the world should know what the phrase “internal controls” means, and how controls might take shape. Staffers are not going to review the internal controls of every organization, but if they know what internal controls are they can at least ask more intelligent questions about suspicious transactions — that is, whether they are verified by a control or not, information which the CPA will ultimately need to determine whether to raise the issue or not.
3. Identify Clients at High Risk and, when Suspicious Transactions are Identified, Report Them to the Next Person Up
Doctors, chefs, and tradesmen are a few examples of clients who never, ever, ever pay attention to the accounting going on under them. They are so engrossed in their craft they completely ignore the business side of their business. They rely heavily on one person or outside providers of bookkeeping services, and ultimately their CPA.
Take note if the client relies on one person or an outside service to do in-house bookkeeping work. Educate staffers that this client is at risk and, as a result, your firm is at risk too.
If suspicious transactions do present, report them:
- in writing; and
- to the next person up.
Why in writing? In the law, communication not in writing is as good as not happening at all. Why report to the next level up? With fraud, reporting to the person that committed the fraud is about as good as not reporting at all. For communication to reduce a CPA or other advisor’s risk, it must be in the correct form, addressed to the correct person.
You might ask: Who is above the CEO? The CEO may have hired you, but he or she is not at the top of the corporate food chain. Above the CEO (in a corporation) is the Board of Directors, and that is to whom suspicious activity should ultimately be reported. If you need to protect yourself with respect to CEO-level activity, the best you can do is give the CEO a courtesy call before reporting and offer to include whatever explanation the CEO desires.
Depending on the level of suspicion and the adequacy of the response, the CPA has to consider whether to continue to do work for the client, or disengage. This is one of those things where, if you are asking yourself the question of whether you should disengage, you know the answer.
4. Confirm Payroll Taxes are Current
After giving you broad tips to reduce risk, advising to pay special attention to payroll taxes probably doesn’t seem to fit, and you’re right. But, we’ve seen it too many times not to mention it.
In-house bookkeeper/embezzlers often do not pay payroll taxes. It doesn’t make sense to us why embezzlers think this is an area where they can skim, but it is. The embezzler must be concerned that if he or she does not pay one of the company’s day-to-day vendors, the vendor will call management and the embezzler’s fraud will be uncovered. The IRS and FTB are slow responders by comparison. In at least two of our recent cases, the embezzler was caught only because the IRS put a tax lien on the company’s accounts.
If you find yourself doing more and more work for a client, consider taking an interest in payroll taxes – just confirm they are current.
5. Get Insurance, and Don’t Be Afraid to Call for Help
Even the most organized and diligent CPA can find himself or herself named in a complaint. Professional liability insurance is your best friend when that happens. Have coverage and have enough coverage to protect your personal assets. Talk to a licensed insurance agent for more advice on that front.
With insurance comes the ability to call for help. Most carriers have hotlines. If your carrier does not have a hotline, or you are looking for legal advice, call us. Wood Litigation, APC exists to help accountants and business advisors, and initial consultations are free. This means that if you have a question or concern, you can call us, get educated advice and go about your own business smarter at no extra cost to you. Call Greg Wood at (415) 936-0300.