CAMICO's 33+ years of CPA claims experience provides a wealth of information and lessons learned about the dangers facing CPAs. The following "classic" claims scenario has recurred many times over the years, yet CPAs often can't believe that it is happening to them. The services rendered were "low level" enough (e.g., bookkeeping, accounting services, tax engagements) that the CPAs engaged to provide them had in effect let their guards down due to their perception that: 1) there was little liability exposure from embezzlement or fraud, or 2) embezzlement prevention wasn’t their job.
As the following pie graph on "Fraud Claims by Engagement" shows, there is plenty of liability exposure from "low level" engagements. Fraud claims arising from bookkeeping/accounting services and tax engagements combined for a total of 51 percent of all fraud claims reported during the three-year period from 2016 through 2018.
How the Scenario Usually Unfolds
The client is a small business owner too busy running the business to supervise the bookkeeping and banking activities. On top of that, there aren’t enough employees to allow segregation of duties.
The duties of receiving and disbursing funds and reconciling the bank accounts are all handled by one trusted employee who uses an accounting software program to stay on top of financial activity. The program enables one person to control the business’s funds and bank accounts, thereby facilitating the perpetration of fraud.
The client engages a CPA to perform services that do not include any procedures designed to discover embezzlements, defalcations, or other irregularities. The CPA is aware of the internal control shortcomings, especially late or missing bank reconciliations, and has discussed them with the owner but never documented the warnings and advice.
After five or so years have elapsed with the CPA rendering such services, the client discovers an embezzlement by the trusted employee and is extremely disappointed that the CPA did not uncover the fraud as part of the services rendered.
The longer the CPA has been performing services for the client, the more disappointed the client is that the CPA didn’t identify the fraud. A typical jury expects CPAs who have serviced a small business client for about five years to have a profound understanding of the client’s business, regardless of the services performed.
What Claims Experience Has Taught Us
CAMICO's claims experience and jury studies show that most jurors will agree with a client's expectation that the CPA should have detected fraud, especially after several years of services. Client, jury and public expectations of CPAs have increased over the years to the point where CPAs are expected to: 1) always detect fraud; and 2) advise and warn clients about their fraud exposures.
The expectation to always detect fraud can be extremely difficult to meet, but the expectation to advise and warn is not so difficult. By advising and warning clients of their risk exposures, CPAs can minimize liability stemming from the expectation to detect fraud.
Advice to clients is best provided in an advisory letter that: 1) warns about the general risks; 2) suggests steps clients can take to reduce the risks; and 3) offers CPA services to help address the risks. An informed client is better able to avoid fraud. If fraud is later uncovered, the CPA has documented evidence of having warned the client and offered services to help address the risk. Clients should also be notified of "loose ends" such as sloppy bookkeeping and late bank reconciliations.
An advisory letter can also outline some ways to improve internal controls, such as:
- Assign related duties to different people (separation of duties) to provide cross-references for accuracy and consistency. The owner should open all bank statements and examine checks if there are not enough employees to separate duties. The owner should rely more on systems and processes—and less on employees.
- Reconcile and scrutinize bank statements every month, examine checks and endorsements, track transactions between accounts, compare payroll checks with employee records, and ask questions.
- Ask for proper supporting documentation or proof before signing a check or authorizing a transaction, cancel the supporting materials after signing the check, and verify the names of vendors and employees periodically.
- Keep blank checks and signature stamps secured, deposit checks daily, and secure valuables, fidelity bonds and insurance for all accounting and key personnel.
- Verify employee references before hiring, consider employment screening reports for key employee hires, and watch for signs of trouble, such as possible substance abuse and personal spending patterns inconsistent with salary. The nature of fraud requires the constant presence of the embezzler—a lack of vacations and a proprietary sense about books are common signs.
Offer additional services to help the client develop and implement improvements to their internal controls. This will reinforce the message that you are trying to help protect the client from risk.
Engagement letter language should include a client acknowledgment that they understand and agree that the CPA’s services are limited in scope and not designed to detect employee embezzlement or other fraudulent activities involving the client’s bank accounts.
Limitation of liability clauses can also be useful for containing liability. CAMICO strongly encourages CPAs to review such clauses with a risk advisor or legal counsel, as appropriate, for possible modifications. Also, it is important to note that the U.S. Securities and Exchange Commission (SEC) forbids the use of indemnity clauses in engagement letters with public companies.
Ron Klein, J.D., is risk management counsel with CAMICO ( www.camico.com ). Klein has been with CAMICO since its inception in 1986 and managed the claims department for 20 years. In his current role, he leverages his extensive knowledge and expertise of CPA professional liability issues to help CAMICO policyholders practice sound risk management, which can help them avoid or mitigate claims.