This article originally appeared in the November 2019 issue of the Journal of Accountancy. Advice provided in this article has been reviewed and remains current.
Defending a professional liability claim can be complicated. The plaintiff and CPA firm defendant often disagree about the scope of service, the amount of damages, the firm's compliance with the applicable standard of care, and more. Resolving these differences becomes more difficult if the firm's independence, integrity, or objectivity is brought into question. Indeed, the mere suggestion of a potential independence violation or conflict of interest can negatively affect or thwart an otherwise good defense.
Consider the following claim made against a CPA firm in the AICPA Professional Liability Insurance Program:
A CPA firm performed an audit of a fund of funds for many years. The attest client's CFO had previously worked for the CPA firm and had started on the same day as the firm's engagement partner. The attest client invested in a number of hedge funds. During an economic downturn, many of these hedge funds failed and were discovered to be Ponzi schemes. The client subsequently declared bankruptcy, resulting in a complete loss to its investors. The investors filed a $20 million claim against the audit firm, asserting that more information about the funds should have been disclosed in the financial statement notes. Had these disclosures been made, the investors asserted they would have redeemed their shares prior to the bankruptcy.
An expert hired by the CPA firm's insurance company opined that the firm's audit work and documentation appeared to comply with the applicable standard of care. However, concern was raised regarding emails between the audit partner and the attest client CFO that suggested the CFO leveraged his relationship with the partner and firm to modify disclosures related to the hedge funds. The claim ultimately settled.
The AICPA Code of Professional Conduct
(the Code), state board of accountancy rules, and other sources identify situations that may impair independence or threaten a CPA's integrity or objectivity. However, the standards do not, and cannot, address and provide an answer for every situation.
Enter the conceptual framework (see the "Conceptual Framework for Members in Public Practice" (ET §1.000.010)) and its application to independence (see the "Conceptual Framework for Independence" (ET §1.210.010)) and conflicts of interest (see the "Conflicts of Interest for Members in Public Practice" interpretation (ET §1.110.010)). This framework provides a methodology for identifying, evaluating, and addressing threats to compliance with the Code resulting from a specific relationship or circumstance not otherwise explicitly addressed in the Code. The structured thought process provided by the conceptual framework helps CPAs to reflect upon a set of facts and arrive at a reasoned conclusion.
Easy as 1-2-3 (and 4)
The Code lays out a simple, three-step approach. From a professional liability perspective, an additional step is suggested.
Step 1: Identify threats
The Code recognizes that most threats to compliance can be categorized into seven types:
- Adverse interest: When the CPA's interests are in opposition to the client's.
- Advocacy: Promoting the client's interests or position.
- Familiarity: Being too sympathetic to the client's interests due to a long association between the CPA and the client.
- Management participation: Taking on a management role or assuming management responsibilities for a client.
- Self-interest: Benefiting, financially or otherwise, from an interest in or a relationship with a client.
- Self-review: The inability to appropriately evaluate evidence, judgments, or services performed by the CPA or the CPA's firm.
- Undue influence: Subordination of the CPA's judgment to a client or third party.
Professional liability claims include allegations of familiarity threats more than other threats. Longtime clients, casual emails, and an engagement team with multiple years of experience with the client all may pose familiarity threats. Management participation and/or self-review threats may exist when nonattest services are delivered to an attest client. A self-interest threat may exist if client fees constitute a significant portion of the firm's revenue. An engagement team brainstorming session may help identify threats not previously considered.
Step 2: Evaluate the significance of identified threats
Evaluate the significance of each identified threat to determine if it is at an acceptable level. For many threats, the Code provides specific guidance regarding which threats cannot be reduced to an acceptable level and, thus, impair independence or result in a conflict of interest. For all other threats, the evaluation of their significance should be viewed in the context of a "reasonable and informed third party who is aware of the relevant information" (see paragraph .07 of the "Conceptual Framework for Members in Public Practice") and include both qualitative and quantitative factors. To help mitigate professional liability risk, consider evaluating the significance of the threats from the perspective of a plaintiff's attorney and potential jurors. A plaintiff's attorney will use all available evidence, including emails, to discredit the CPA. Jurors will be influenced by other factors beyond the expert testimony, such as their own perception of what a CPA should be responsible for. Unfortunately, hindsight does not typically favor the CPA.
Step 3: Identify, evaluate, and apply safeguards
If the identified threat is not at an acceptable level, safeguards — actions or other measures that may eliminate the threat or reduce it to an acceptable level — should be identified and applied. For some threats, a single safeguard may be appropriate. For others, multiple safeguards may be more effective. The Code identifies several examples of safeguards created by the profession or that can be implemented by the firm or client. The effectiveness of a particular safeguard depends upon many factors, including how it is applied and who applies it, whether the client is a public interest entity, and more. CPA judgment is involved in making this determination.
Step 4: Document and share
Documentation, one of a CPA firm's most important allies in claim defense, is especially important in areas involving CPA judgment, including the evaluation of independence threats and potential conflicts of interest. Therefore, in addition to the Code's documentation requirements, consider documenting the firm's evaluation process, not just the outcome. Documentation could include how the evaluation was performed and the factors considered when evaluating the significance of a threat or the appropriateness of a safeguard. In a claim situation, a CPA firm's judgment and conclusions may be questioned or challenged. A lack of documentation allows a plaintiff's attorney to draw his or her own conclusions, which may differ from the CPA's.
Share the evaluation and conclusion with engagement team members and even the client, especially if these parties are responsible for implementing safeguards. Consider including the client's responsibilities regarding any safeguards under their purview in the engagement letter or other client communication.
Applying the Conceptual Framework to Other Ethics Considerations
Questions of independence are problematic in defense of attest claims. Questions of integrity or objectivity, especially those related to conflicts of interest, are problematic in defense of claims related to nonattest services. To help mitigate this risk, consider applying the conceptual framework approach to any relationship or circumstance that threatens the CPA's compliance with the Code.
To assist a CPA’s application of the conceptual framework steps, the AICPA Professional Ethics Division created the following publications: Conceptual Framework Toolkit for Independence and Conceptual Framework Toolkit for Members in Public Practice (both available at aicpa.org
Sarah Beckett Ference is a risk control director at CNA. For more information about this article, contact firstname.lastname@example.org.