All in a Dishonest Day’s Work

This article originally appeared in the August 2014 issue of the Journal of Accountancy. Minor changes have been made to statistics and references used herein. Advice provided in this article has been reviewed and remains current.
 
It’s difficult to believe, but sometimes CPA firm employees, and even partners, steal from clients. While a CPA firm’s leaders may believe this would never happen to them, claim experience in the AICPA Professional Liability Insurance Program demonstrates this does occur. Consider these claim scenarios:
 
Scenario 1
A CPA firm provided bookkeeping and bill-paying services to several clients. Because of his relationships with the clients, the engagement partner was deeply involved with the provision of these services. One of the clients thought a balance appeared unusual and requested supporting documentation from the manager on the engagement team. As the manager began to assemble the records, he noted some odd transactions and brought them to the managing partner’s attention. After a review of the activity, the managing partner scheduled a meeting the next morning with the engagement partner.
 
Distraught, the engagement partner attempted suicide later that evening, leaving a note in which he admitted to embezzling more than $1.5 million from multiple clients over several years. The engagement partner was convicted for the thefts but was unable to make restitution to the affected clients. The clients subsequently brought suit against the CPA firm for the shortfall, alleging the firm failed to supervise its partner and thus enabled the theft to occur.
 
Scenario 2
A CPA firm prepared tax returns and provided bookkeeping and bill-paying services for an individual and several of his companies. A long-term employee of the firm embezzled a substantial amount of money from the client over a five-year period by writing unauthorized checks to herself. The employee was aware that her boss, the CPA who signed the checks, never reviewed supporting documentation for the payments.
 
Upon discovery of the embezzlement, the firm noticed that the documentation for the unauthorized payments consisted of invoices from a vendor with the same initials as the thief. The fraud should have been fairly obvious if the CPA had reviewed the supporting documentation. Moreover, the employee also reconciled the bank account for the CPA’s review, which was cursory. The client sued the CPA firm for the unauthorized disbursements, alleging the firm failed to properly supervise the long-term employee.
 
Scenario 3
A CPA firm hired a new associate. The associate was considered a new business development star when she brought in an elderly and wealthy family friend as a new client. Unfortunately, the firm did not realize that when socializing with her family friend, the “star” used it as an opportunity to write unauthorized checks to herself and to pay personal bills with the friend’s money.
 
Following the client’s death, the heirs discovered the theft and sued the CPA firm, alleging that when the associate stole the funds, she was acting within the scope of her employment at the CPA firm. The CPA firm’s attorney argued that the theft was clearly outside the associate’s scope of employment since the CPA firm’s services were limited to tax compliance. Additionally, the associate did not provide bill-paying services to clients. These services were provided by other members of the firm.
 
Unfortunately, the CPA firm had not issued an engagement letter limiting the scope of services to tax compliance, and the testimony of the partner who met with the client conflicted with that of the associate. As a result, the court held that the firm was legally responsible for the associate’s actions.
 

Background

Remember the components of the fraud triangle? They are financial need, opportunity, and rationalization. These components can apply to CPA firm employees and partners who handle client funds. CPAs often warn clients of fraud risks (see Exhibit 1 for more information), but sometimes the problem is closer to home.
 
Smaller organizations generally incur proportionally larger losses due to occupational fraud, often because duties are not segregated and internal controls are lax. Because of this, individuals with access to funds of a small business, including a CPA firm employee performing bill-paying services, may have a greater opportunity to steal.
 

Risk Management Tips

The AICPA Professional Liability Insurance Program’s experience demonstrates that some CPA firms fail to follow the advice they provide clients and do not implement systems to prevent or detect thefts themselves. Consider using the following procedures:
 

• Perform background checks on a recurring basis for both new hires and current employees handling client funds.
• Segregate duties among CPA firm personnel who have access to client or firm funds. For example, different individuals should initiate payments, authorize disbursements, and reconcile the bank account.
• Strengthen internal controls at the CPA firm. For example, client checkbooks and signature stamps should be maintained in a secure manner.
• Protect client bank account information—including account numbers, passwords, log-in procedures, and similar information—by limiting access to only those with a business need.
• Establish a system for firm employees to report potential fraud or suspicious activity anonymously.

 
In addition, clients should appropriately oversee their management responsibilities for the CPA’s services. For example, consider:

• Documenting in the engagement letter the client’s responsibility for implementing and maintaining internal controls.
• Requiring client approval of invoices to be paid.
• Providing the monthly payment register to the client for review.
• Requesting the client authorize new vendors before payment occurs.
• Establishing procedures for unusual items, as noted by the CPA, to be examined by the client.

 
Residual Risk

While having strong controls reduces the risk of employee theft, a residual risk remains, which may be addressed, in part, through the appropriate insurance coverages. While a CPA firm may believe a partner or employee theft would never happen to it, understanding how various insurance products would respond to theft helps practically manage and address this residual risk.
 

In Summary

Theft from clients is an unfortunate and costly reality. Implementing appropriate controls to reduce the opportunity to commit theft, detecting theft as quickly as possible, and maintaining related insurance coverage are essential in operating a business. CPAs should review insurance coverage with their agent or broker, as well as review the status and application of internal controls at both the client and the CPA firm.
 
Exhibit 1: Cold Hard Facts
The Association of Certified Fraud Examiners conducted a global study in 2020 that illustrates fraud’s impact.

• Five percent of an organization’s revenue is lost to fraud every year, an amount most clients would find significant.
• Seventy-six percent of fraud is perpetrated by employees and managers, while owners are responsible for 20%.
• The median loss of an employee theft is $60,000 compared with $150,000 for a manager and $600,000 for an owner.
• Only 7% of occupational fraudsters had been convicted of a fraud-related offense before committing the crime in the study. This underscores the importance of continual monitoring and early identification of warning signs.
• Forty-three percent of thefts are detected by tips, and half of those tips come from employees. Customers are the next most frequent source of detection.

Source: 2020 Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners, https://www.acfe.com/report-to-the-nations/2020/
 

_{Deborah K. Rood is a risk control consulting director at CNA. Gretchen McCole is an assistant vice president at Aon Insurance Services. For more information about this article, contact specialtyriskcontrol@cna.com.}