Managing risk related to consulting engagements

By Jamie Yoo
This article originally appeared in the February 2020 issue of the Journal of Accountancy. Advice provided in this article has been reviewed and remains current.
Over the past 10 years, consulting has grown from a $153 billion industry to a $259 billion industry. Even though consulting is not necessarily a "traditional" service delivered by a CPA firm, consider the number of times a client has asked for advice. In many instances, such ad hoc advice can evolve into a larger consulting opportunity and a great way to enhance the practitioner's value proposition.
If traditional tax or attestation engagements are like a coloring book, where the professional standards and guidance provide pre-formatted guidelines within which the practitioner should color, consulting engagements are like a blank canvas, limited only by the practitioner's imagination. Consulting engagements can lend themselves to more creativity and flexibility but do require more professional judgment, preparation, and planning to help ensure the end result is a success and not a flop. This column provides some tips to consider when sketching out your plan for a consulting engagement.
A sculptor might not possess the skills to be an impressionist painter. A cartoonist may not be the best at blowing a glass sculpture. Similarly, before accepting a consulting engagement, practitioners should first objectively assess whether they possess the appropriate expertise and knowledge of the engagement's subject matter. The AICPA Code of Professional Conduct requires the CPA to conduct his or her activities "with competence and diligence" (ET §0.300.060, Due Care). Further, AICPA Statement on Standards for Consulting Services (SSCS) §100.06 requires practitioners to undertake only those services they can reasonably expect to complete with professional competence.
Accept engagements only when the firm has expertise to deliver the service with competence. The phrase "fake it until you make it" shouldn't be one that is heard in your office. Understand and evaluate the firm's knowledge gaps to determine whether additional training or expertise is needed. Playing to the firm's strengths and making a commitment to learning and professional improvement is a good risk management practice and is required by the professional standards. Regardless of what the professional standards say, being competent in one's chosen medium or subject matter just makes good business sense.
Once the practitioner has determined that the firm possesses the appropriate expertise and resources to support a consulting engagement opportunity, another question the CPA may ask is, "What professional standard(s) will govern my service?"
Sometimes the service requested by the client does not neatly align with an AICPA professional standard that can govern the service. In these instances, the CPA should ask probing questions to determine what risk the client is seeking to address and what the client is seeking to achieve from the service. Following this, the practitioner will likely determine that the appropriate body of standards is the SSCS. Per SSCS §100.02, "the practitioner develops the findings, conclusions, and recommendations presented" in a consulting engagement. This approach lends itself nicely to a wide variety of engagements related to nearly any subject matter. Indeed, consulting engagements can entail problem-solving, evaluation of alternatives, and recommending or implementing a course of action, with the primary objective to provide advice that is only for the use and benefit of the client. Since the specific methodologies to be followed and procedures to be employed are at the discretion and professional judgment of the practitioner, knowledge of other professional guidance or widely accepted frameworks may be necessary.
For example, practitioners engaged to evaluate a client's processes and internal controls related to the revenue cycle may require additional expertise beyond their existing financial reporting knowledge. A firm that has been engaged to provide a gap assessment of a client's cybersecurity practices and policies may need experience with widely accepted industry frameworks such as the National Institute of Standards and Technology's Cybersecurity Framework.
The applicable professional standard or framework should also be included and described in the engagement letter to document the client's and the CPA's understanding and acknowledgment.
Scope management is important for all engagements but is especially crucial for consulting engagements, as the nature and scope of work performed are determined solely between the practitioner and the client. In addition, the scope is more likely to evolve based upon information discovered during the engagement than it is in an attest or tax engagement, and that expansion is sometimes expected. Given this, it is important for the practitioner and client to remain aligned in their understanding of scope and responsibilities through every step of the engagement. Consider the following ripped-from-the-headlines cautionary tale of a consulting engagement gone awry:
A consulting firm was engaged by a client to test the adequacy and effectiveness of security in place at various company locations, including a highly sensitive research-and-development facility, and identify possible vulnerabilities. The consulting firm obtained an executed engagement letter and a form signed by the client authorizing the consultants to carry out their planned engagement activities.
Two consultants arrived at the research-and-development facility after business hours, with the authorization form in hand to carry out the engagement activities. The tests performed by the consultants ultimately triggered the security system as expected. When law enforcement arrived, the consultants calmly presented a copy of the authorization form to explain the intrusion. However, it was not accepted by law enforcement, as they were not made aware of the engagement prior to the planned break-in attempt. As a result, the consultants were arrested and their mugshots taken.
What unfolded was a saga of differences in interpretations of the engagement scope between the firm and the client, and a lack of communication about the engagement by the client to other affected parties. The client had not anticipated that the engagement would involve attempting a forced entry into a building and did not communicate to law enforcement in advance that the penetration test was to occur. Additionally, the executed engagement letter included contradictory statements about whether testing could occur after business hours.
This unfortunate event reminds us of the importance of:
  • Agreeing upon the scope, detailed engagement activities, and respective client and practitioner responsibilities at the beginning of the engagement.
  • Educating the client about its responsibility to manage communication within the organization regarding the engagement so that it does not become the practitioner's burden to bear.
  • Documenting this agreement and understanding in an executed engagement letter. As the scope changes, update the engagement letter through a formal addendum or other written communication with the client. An email exchange can often suffice.
  • Managing client expectations throughout the engagement. Over-communication is better than an unaddressed misunderstanding.
  • Retaining supporting documentation in firm workpapers for research performed to support the practitioner's conclusion.
Careful and objective assessment supported by appropriate risk management measures can help mitigate the professional liability risk associated with consulting services. Preparation and planning are important, but look out for unexpected bumps in the road or questions from clients. When a question or request for services appears to be high-risk despite the application of the aforementioned safeguards, remember that it's OK to say no rather than advising clients in haste.
Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities.
Copyright © 2021 CNA. All rights reserved
