Rogue behavior: Risks your CPA firm should avoid

Unintentional rogue conduct, or failing to do what one is expected to do, arises more often than you might think and can have serious consequences.
By Deborah K. Rood, CPA, MST
This article originally appeared in the June 2022 issue of the Journal of Accountancy

Going rogue sounds so cool, but it can have serious consequences. Claim experience of the AICPA Professional Liability Insurance Program has demonstrated that rogue behavior, especially at the partner level, can lead to professional liability claims.
What is meant by rogue behavior? In a nutshell, it is failing to do what an individual in the same or similar position is expected to do. Unintentional rogue conduct arises more often than one might think. Consider these scenarios.

Flying solo increases the likelihood of a crash

John, a tax partner at a midsize CPA firm, died unexpectedly. The firm reassigned his clients to other partners at the firm, many to Denise. While reviewing tax returns prepared by John, Denise noticed a number of tax positions that, on the surface, appeared to be incorrect. Further review of John's workpapers and other client files uncovered a pattern of unfiled tax returns, poor documentation, and multiple errors. Questions asked of staff who typically worked with John revealed that he chose to perform much of the work himself. Despite appearing overwhelmed and distracted, John did not request assistance and often refused any offer of help. The firm had to inform several clients that previously filed tax returns should be amended and lost several clients in the process. The firm's professional liability insurer was placed on notice for a number of potential claims.


Oversight failures show a firm's blind spots: 

A large CPA firm acquired a smaller firm, including its successful governmental audit practice. Upon joining the larger firm, the legacy firm's governmental audit lead partner and his staff continued to operate from the legacy firm's out-of-state office. Subsequently, the U.S. Government Accountability Office reviewed one of the legacy firm's audit engagements and noted multiple deficiencies, including limited evidence of the performance of required audit procedures that were sufficient to support the audit opinion. Moreover, legacy firm audit staff had not completed the required governmental continuing professional education.

When the acquiring firm questioned the governmental audit partner about the deficiencies, he asserted that this was how he and his team had always performed the audits and was unaware of his acquiring firm's policies and quality control procedures. Consequently, the acquiring firm reviewed additional audit engagements performed by the legacy firm, noted similar discrepancies, and had to spend a significant amount of unbillable time remediating the deficiencies to ensure previously issued audit reports were appropriate.

Pressure to win leads to a loss: 

A junior partner in a CPA firm's advisory practice had an opportunity to perform a quality of earnings engagement on a target in the health care industry. Although the partner had some due diligence experience, she had no experience with health care. However, by accepting this engagement she would meet her new business goal for the year, which would significantly impact her compensation.

Due to her limited experience, the partner failed to identify issues with the target's Medicare billing procedures that the buyer discovered only following completion of the acquisition. The CPA firm faced a professional liability claim after the client asserted that the issues should have been identified during the due diligence process and that the failure to do so resulted in their paying too much for the target.
The above scenarios illustrate how the rogue actions of an individual, even if unintentional, may place an entire firm at risk. Consider these risk management tips to help prevent rogue behavior:

Develop and communicate policies and procedures

Establishing policies and procedures that embody a firm's risk tolerances is a good first step to mitigating practice risk. For example, a firm may implement internal quality control procedures that outline the circumstances when additional review of a work product is required prior to issuance, or identify monitoring mechanisms to help detect incomplete returns that the firm has been engaged to prepare.
Once such policies and procedures are established, firmwide training about them is the next step and can help ensure that all partners and employees are focused on the importance of practice risk mitigation. In addition, routine communications around risk policies, in the form of easily digestible "lessons learned" scenarios, are a great way to educate firm members about things done right — and how easy it is for things to go wrong.
Consider a policy that encourages senior partners nearing retirement to work collaboratively with less-experienced partners during the client transition process to allow them to share the "risk lessons" they've learned over time.

Trust but verify — everyone is subject to oversight

President Ronald Reagan said it best — trust but verify. Firms trust their partners and staff to understand and follow the firm's policies and procedures. Nevertheless, a timely, well-run compliance or internal inspection program that periodically reviews a selection of completed engagements for compliance with the firm's policies can help ensure that quality control procedures are understood and effectively implemented by engagement teams. Firms should tailor compliance programs to their size and practice areas. The population from which they select engagements for review should include all service lines, as well as every partner or final reviewer, and should occur on a regular basis, such as annually. Other considerations when selecting engagements for a compliance review may include those involving new services and those led by recently promoted or onboarded partners.
Results from compliance program inspections may identify a better way to accomplish a task, areas where firm members are struggling to implement a specific policy, or areas where additional training is needed. Incorporate lessons learned from internal inspections into firm training.

Consulting isn't just a CPA firm service

Generally speaking, firms with consultative and collaborative cultures not only deliver better service but also are better equipped to mitigate risk. The likelihood of rogue activity decreases when a firm encourages open dialogue if engagement teams encounter issues they need help resolving or if a firm member notes conduct that is inconsistent with established policies. Consider activities that encourage collaboration. For example, when laws or standards change, form a diverse working group to examine guidance and develop a firmwide approach to implementation. Think about establishing a quality control champion within the firm who can provide guidance and insights as situations arise.

Incentivize good behavior

Positive reinforcement works for everyone, including CPAs. Compensation models should provide an incentive for good behavior, such as adherence to the firm's quality procedures, in addition to meeting financial and other metrics. Spot bonus programs can provide real-time rewards for those who demonstrate quality-minded behaviors, such as collaborating with experts on a high-risk engagement or asking for help with a difficult situation.


Practice risk management is everyone's responsibility. Firm leadership sets the tone at the top and leads by example. Consulting with one another and staff, following risk management protocols, and encouraging staff to value risk management are all examples of how leadership can help prevent rogue behavior.

82 Median number of professionals (including owners) in firms with $10 million or more in annual revenue.
Source: 2021 AICPA PCPS/ National Management of an Accounting Practice Survey.

Deborah K. Rood, CPA, is a risk control consulting director at CNA. For more information about this article, contact
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities.
Copyright © 2022 CNA. All rights reserved.

How Helpful Was This Article?


Related Content

Related Products