Advice from the experts: Defending audit claims

By Deborah K. Rood, CPA
Download PDF

Originally published in the January 2021 edition of Journal of Accountancy

Nobody wants to be the subject of a professional liability claim. Wouldn't it be nice to know what might help defend against that claim before it arises? I spoke with Kelly Bebow, CPA, principal at Rehmann, who testifies as an expert in audit claims, and attorney Tom Falkenberg, managing partner at Falkenberg Ives who specializes in defending CPA firms, about what advice they would provide to auditors.
Based upon your experience, what makes defending a claim against a CPA challenging?
Bebow: Poor workpaper documentation is the primary challenge. Inadequate documentation includes a lack of evidence that appropriate supervision and review occurred during the planning and execution of the audit.
Falkenberg: The public's misconception of the role of the CPA is another big challenge. The belief exists that if an outside CPA is involved, their role is to ensure there is no fraud or misstatements. This is true even for basic bookkeeping or tax preparation work, not just audits.
What can CPAs do to address these challenges?
Bebow: Document the risk assessment process during the planning phase of the engagement, and design and execute audit procedures to appropriately address the identified risks, especially for significant audit areas.
Falkenberg: Many of the risks accountants face could be significantly mitigated by utilizing a strong engagement letter.
We think engagement letters are a useful tool in helping to defend CPAs as well. What provisions have you found particularly useful?
Falkenberg: Three provisions that are very helpful include limitations of liability, limitation of damages, and contractual statutes of limitations. While these provisions are only enforceable as to claims made by the client and cannot be used for certain audit clients, such as public companies, they're worth considering. These provisions may help minimize exposure and can lead to quicker resolution of a disputed matter or, perhaps, avoidance altogether.
  • A limitation-of-liability clause generally limits damages to some multiple of fees.
  • A limitation-of-damages clause limits the types of damages to actual, direct damages rather than speculative damages, such as lost profits.
  • Rules regarding the statute of limitations period vary by jurisdiction. The goal is to eliminate the "discovery rule" if it applies in your jurisdiction and start the statute of limitations as of a date certain, such as the issuance of an audit report. Under the discovery rule, the statute of limitations to file a claim against the CPA begins when the damaged party knew or should have known of an act or omission. By removing this uncertainty, there is less wiggle room for a claimant to argue what they knew and when they knew it.
Bebow: Engagement letters should include clauses to clarify and define the CPA's responsibilities, including that an audit is not designed to:
  • Detect immaterial misstatements or violations of laws or governmental regulations not having a direct and material effect on the financial statements.
  • Detect errors or fraud that are immaterial to the financial statements and that management has not engaged the auditor to extend procedures specifically designed to detect fraud.
  • Provide assurance on internal control, identify deficiencies in internal control, or express an opinion on the effectiveness of internal control over financial reporting, unless engaged to do so.
The ultimate responsibility for the financial statements always remains with management, who is overseen by those charged with governance.
Workpaper review is an important component of preparing the defense of a CPA firm. What do you look for in the engagement workpapers?
Bebow: In addition to documentation of the risk assessment and audit procedures performed, I always look for evidence of the firm's assessment of the client's internal controls and how the audit approach was modified to address control weaknesses. I also look for communications of internal control weaknesses to management and those charged with governance. If it is not in writing, it can, and will, be assumed it didn't occur.
Falkenberg: Not only do I want to see proper documentation of work performed, but I do not want to see extraneous information, such as drafts or review notes. Such information may raise questions as to whether there were "flaws" in the engagement. Including unnecessary information in the workpapers can cause problems for the defense.
Is there anything else you do not want to see in the CPA's workpapers?
Bebow: I have a laundry list of items I don't want to see in the workpapers. Here are a few more egregious examples:
  • The notation "SALY," or same as last year, could be interpreted as doing nothing. Document your expectation, why you have it, and the evidence to support that statement.
  • Unresolved differences that appear to have been ignored by the auditor are problematic. Auditors should investigate differences and perform procedures in order to conclude that there is not a material error in the financial statements — and this should be documented.
Falkenberg: A sound records retention policy is oftentimes not in place or is not followed. Retaining too many records or years of files can significantly increase defense costs as well as open doors for the plaintiff that would be otherwise unavailable.
A claim may be avoided if the client or engagement is not accepted by the firm. Any warning signs to note?
Bebow: The CPA should have the appropriate experience or knowledge with the client's industry or, at least, have a plan to obtain it. Consider whether the prospect has aggressive financial goals, putting undue pressure on operating results. Are appropriate resources devoted to accounting and maintaining an effective internal control environment? Assess whether the business is highly leveraged and/or showing minimal operating profits. Is there a concentration in customers or suppliers or significant related-party transactions, especially with unconsolidated entities? These characteristics pose greater audit risk.
Falkenberg: Be alert for clients that have frequently changed CPA firms, and obviously be very careful of clients who have engaged in litigation with a prior accountant. Consider the impact of turnover in client management. A strong tone at the top and client accountability for its results and operations are also important considerations.
When an audit client fails, CPAs are frequently the target of a professional liability claim. What do you recommend to mitigate this risk?
Falkenberg: Strong client acceptance policies. Consider the client's integrity, and decline clients if integrity is questionable. Do not take on work that you are not well experienced to perform. I have defended a number of claims where the CPA firm only had one audit client or only one client in a particular industry.
Bebow: The CPA should always maintain professional skepticism and never get too comfortable with the client.
Another common claim against CPA firms relates to the failure to detect a theft or fraud at the client. What should CPAs do to help their defense?
Falkenberg: In the engagement letter, specify what you were engaged to do, what you are not engaged to do, and include the limitations of the scope of the work. Clear, plain language can be very effective. An engagement letter that specifies that the CPA's engagement does not include the detection of theft or fraud that is not material to the financial statements is very powerful and is easily understood by a jury.
Bebow: Communicate any segregation of duties issues to the client in writing! If segregation of duties is impossible because the client is small, communicate in writing that there is not appropriate segregation of duties. Modify management representation letters to include the understanding and acceptance of the risks of not implementing more robust internal controls. Repeat these communications every year, even if management has no plans to address the control weakness.
Deborah K. Rood, CPA, is a risk control consulting director at CNA. For more information about this article, contact
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit
This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. Quotations and comments provided reflect the individual's perspective and not their respective firm. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. 

"CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities.
Copyright © 2021 CNA. All rights reserved.

How Helpful Was This Article?


Related Content

Moments That Matter

Related Products