Failure to detect theft and fraud: It’s not just an audit issue
Commonly referred to as the “expectation gap,” a disconnect sometimes
exists between a CPA’s professional responsibility for detecting theft
and fraud and the general public’s perception of a CPA’s duties. The
AICPA Professional Standards for audit, review, and compilation
services include a responsibility to inform the appropriate levels of
management if any information or evidence comes to the CPA’s attention
indicating a fraud may have occurred. However, claims made against
CPAs in the AICPA Professional Liability Insurance Program alleging
failure to detect theft and fraud emanate from all types of
engagements, including those generally regarded by CPAs as low-risk,
such as bookkeeping or tax compliance services.
In such cases, plaintiff attorneys may contend that the CPA failed to
exercise due care in accordance with Article V of the Principles of
Professional Conduct, which are included in the AICPA Code of
Professional Conduct. Lawyers may allege that CPAs have a duty
to identify and inform clients of fraud red flags such as suspicious
activities or internal control deficiencies. While adherence to
professional standards assists CPAs in defending these types of
claims, there is no guarantee that such a defense will be successful.
CPAs may believe that longtime clients would never assert such a
claim against them. However, a congenial working relationship can take
an abrupt turn when fraud is discovered. Clients then may question why
a CPA didn’t discover the fraud earlier or bring matters to the
client’s attention that could have prevented it.
To illustrate how a CPA can get tangled up in a client’s fraud,
consider the following scenarios based on real-life claims:
Scenario 1. A CPA was engaged to perform tax
compliance and tax planning services for a recruiting agency. To
understand potential year-end tax implications, the CPA summarized
select income and payables accounts and discussed trends with the
owner. The CPA also received monthly bank statements and bank
reconciliations. The controller, a longtime employee of the agency,
embezzled more than $1 million by writing checks to himself, reporting
them as business expenses, and destroying the canceled checks (or
scanned copies of them) when the bank statements were received.
The owner brought a claim against the CPA for failing to detect the
embezzlement. Expert review of the engagement noted that the
controller had unmonitored access and responsibilities in accounts
payable and that the trend analysis the CPA performed noted unusual
fluctuations in expense accounts. The plaintiff’s attorney argued that
the CPA should have identified the trend fluctuations as a red flag
and brought this and the internal control weakness to the owner’s
attention for further investigation. In defense, the CPA’s counsel
noted that the CPA received the bank statements for the sole purpose
of understanding the tax implications.
Scenario 2. A CPA firm compiled annual financial
statements for a local wine producer. The firm sued the client for
outstanding fees, and the client countersued, alleging failure to
detect a high six-figure embezzlement perpetrated by three of its
employees, all of whom colluded to create false wire transfers and
payroll checks. The CPA firm’s invoices, which were produced during
the lawsuit’s discovery phase, indicated that the firm performed a
review of financial statements, made changes in financial statement
classifications and general ledger adjustments, and completed bank
reconciliations. CPA firm representatives also worked extensively
on-site with the employee/embezzlers and were involved in the
company’s day-to-day financial operations, but they did not discover
the fraudulent wire transfers or payroll checks.
In both scenarios, the lack of an engagement letter memorializing the
scope and limitations of services performed and management’s
responsibilities was detrimental to the CPA’s defense.
LIMITING RISK EXPOSURES
CPAs can use several techniques to protect themselves against risk
exposures related to failure to detect theft and fraud. They include:
– Regularly evaluate the risk of the client and the
engagement. Client and engagement acceptance and continuance
are not simply for audit engagements. Regularly screen clients and
consider the risks associated with both the client and the services
you are being engaged to perform. It should raise a red flag for the
CPA when clients dismiss internal control weaknesses brought to their
attention. Is this a situation where the client has an unreasonable
service expectation, or is it possibly one of questionable integrity?
Either way, the CPA should take precautions.
– Use engagement letters on all engagements. That’s
correct—all engagements. A well-crafted engagement letter can
help reduce expectation gaps and can serve as key evidence in the
defense of a professional liability claim. The engagement letter
should include an understandable description of the scope and
limitation of services to be performed, a statement that the
engagement is not designed to detect theft or fraud, and the
responsibilities of both the client and the CPA. The engagement letter
should also be renewed and signed by the client annually.
– Stay within the scope of the engagement. An
engagement letter is useful only if the CPA adheres to the defined
scope in rendering the professional services. Additional services, or
modifications to agreed-upon services, should be memorialized in
writing with the client, whether it’s through email, a new engagement
letter, or an amendment to the existing engagement letter.
– Be fraud aware. Train all firm personnel, not only
auditors, about potential fraud risk factors and the “fraud risk
triangle” (opportunity, rationalization, and incentive/pressure).
Learn about the risk factors associated with common frauds, such as
embezzlement by an unmonitored bookkeeper or controller with excessive
authority or access, or use of business credit cards for personal
expenses. Firm personnel should be educated about common internal
control weaknesses that create an opportunity for fraud to occur, such
as a lack of segregation of duties, poor tone at the top, or
infrequent vacations taken by key financial employees.
– Apply professional skepticism to all engagements.
This is particularly important on engagements with longtime clients,
where a level of established comfort could threaten objectivity. Trust
your instincts and follow up on matters that don’t seem quite right.
– If you see something, say something. Management
letters with suggestions for control or process improvements are not
designed solely for audit clients. If you observe a weakness in
internal controls or believe management should follow up on an
observation noted, inform your client orally and in writing. If the
weakness persists year after year, keep telling the client both orally
and in writing until the deficiency is addressed.
– Document, document, document. Contemporaneous
documentation represents critical evidence in the defense of
professional liability claims. Strong documentation includes, at a
minimum, a well-crafted and detailed engagement letter, documentation
regarding client inquiries made and responses received, and
communication of internal control matters or suspicious activities
Sarah Beckett Ference is a risk control consulting director at CNA.
Continental Casualty Company, one of the CNA insurance companies,
is the underwriter of the AICPA Professional Liability Insurance
Program. Aon Insurance Services, the National Program Administrator
for the AICPA Professional Liability Program, is available at
800-221-3023 or at cpai.com.
This article provides information, rather than advice or opinion.
It is accurate to the best of the author’s knowledge as of the
article date. This article should not be viewed as a substitute for
recommendations of a retained professional. Such consultation is
recommended in applying this material in any particular factual situation.
Examples are for illustrative purposes only and not intended to
establish any standards of care, serve as legal advice, or
acknowledge any given factual situation is covered under any CNA
insurance policy. The relevant insurance policy provides actual
terms, coverages, amounts, conditions, and exclusions for an