An evaluation framework for responding to requests

By Sarah Beckett Ference, CPA, and Deborah K. Rood, CPA
CPAs regularly receive requests for services and should understand the fundamental risk management protocols — client and engagement acceptance, engagement letters, adherence to professional standards, and documentation — to implement in order to mitigate risk related to the delivery of client engagements.
But CPAs also face a variety of less typical questions and situations that may come from current or former clients or third parties. Consider these questions posed to CPAs in the AICPA Member Insurance Program:
  • From a tax return preparation client: I'm applying for a loan. The bank has a couple of questions about my tax return, and I can't answer them. Can you help me out and talk to them, please?
  • From a client accounting and CFO advisory services client: I'm selling my business and the potential buyer wants a copy of the general ledger, financial statements, and several other financial documents. Please give them what they need and answer their questions. You'll understand what they want better than me.
  • From the daughter of a recently deceased bill pay client: I'm trying to settle my parent's affairs. Could you give me her records?
  • From a minority shareholder in an S corporation tax client: I need a copy of the company's tax returns for the past five years.
  • From an audit client: We're evaluating our project managers' performance and doing a review of job costing. Can we get a copy of your workpapers in this area?
Dedication to client service often leads to a gut response of, "No problem!" However, the manner in which a CPA responds to even a seemingly benign request may introduce unnecessary professional liability risk.
The AICPA Code of Professional Conduct (the "Code"), specifically the "Confidential Client Information Rule" (ET §1.700.001), states that a member in public practice shall not disclose confidential information without the specific consent of the client. Moreover, providing information to an unauthorized individual may subject a CPA to disciplinary action. Internal Revenue Code Sec. 7216 imposes additional confidentiality obligations on CPAs related to a client's tax return information. If Sec. 7216 is violated, CPAs could be subject to monetary damages or even criminal charges.
Privity is a doctrine of contract law that says contracts such as engagement letters are only binding on the parties to the agreement, and only they may enforce it or be sued under the same. However, if a CPA is in privity with a third party, the CPA may owe the third party a duty of care and, thus, the third party may have standing to sue the CPA. A CPA's interactions with a third party may erode a privity defense that might otherwise be available to defend a claim. Consultation with legal counsel is recommended to better understand how the doctrine of privity of contract applies in a specific jurisdiction. Read "Professional Liability Spotlight: Defending Third-Party Audit Claims," JofA, May 2013,, for more information related to privity.
Scope creep
Being asked by a client to render additional services is one of the best compliments a CPA can receive. However, without appropriate documentation of, and agreement to, the details of the additional services, the scope of services described in an otherwise strong engagement letter may be challenged. Even if a scope dispute is not expressly alleged, defending a professional liability claim may be more challenging if the firm's activities were not in line with the scope described in the engagement letter.
Before responding to an ad hoc request, pause to better understand and evaluate what is being asked. While the specifics may vary, CPAs can contemplate the same series of questions to help guide their response (or lack thereof).
Who is asking?
Understand the requestor's relationship to the client. If it's a third party, they must have the appropriate authority to be privy to confidential client information.
Consider the daughter of the deceased client above. She may very well be the executor of the client's estate or have a power of attorney. Nevertheless, the CPA should obtain appropriate legal documentation providing evidence of such. Otherwise, the CPA may unknowingly be brought into the middle of a family squabble.
What are they asking for?
Depending on what is requested, the CPA may not be obligated to respond to the request. Consult the Code's "Records Requests" interpretation (ET §1.400.200) for definitions of the types of records held by CPAs and the CPA's response obligations.
Consider the audit client's request for the CPA firm's workpapers. The Code states that a CPA's workpapers are owned by the CPA firm, and a firm is not required to provide workpapers unless there is a legal or regulatory requirement to do so. The client may have other motives and be attempting to determine if there are grounds to assert a future claim.
Why are they asking?
What is the requestor's motivation? For what purpose might they use the information?
Consider the tax client's request to explain a line item to the client's bank. The bank may use information provided by the CPA as part of its credit decision and assert reliance on the CPA if the client subsequently defaults. Instead, explain the tax return item to the client to enable the client to provide the information to the bank.
What could go wrong?
Contemplate how the requestor may rely on the information provided by the CPA. Will they use it to make a decision? Could the CPA be blamed if something goes wrong? Take a skeptical point of view when pondering the potential answers to these questions. Doing so often helps identify additional risks to manage.
What about the request from the accounting services client? Presumably, the purchaser will rely upon statements made by the CPA regarding the client's business, profitability, forecasted sales, and more. Could the client complain about the price they received for their business? If the business does not perform as anticipated, could the purchaser blame the CPA for overpaying? Either situation is possible.
Can the information be obtained a different way?
Is the requestor asking for the information from the CPA rather than the client because they perceive it to be "easier"? Can the client provide the information instead? Or can the requestor obtain the information directly from another source, such as the IRS?
The request from the minority shareholder for copies of tax returns seems harmless enough, but the CPA does not know if there is a shareholder dispute. In addition, responding to requests from every owner of a business is hardly efficient. It's best to direct the minority shareholder to the company's representative or the IRS to obtain the information sought.
All CPAs should understand the benefits of engagement letters and their role in professional liability claim defense. They are also a useful tool when addressing other requests made of the CPA. Consider engagement letter language to reference the following:
  • The firm will not respond to third-party requests, including requests from lenders;
  • The identity of the client representative(s) with whom the CPA will work and to whom requests from other parties should be directed; and
  • That the client will pay the CPA firm's costs to respond to subpoena or deposition requests if the firm is not a party to the proceeding.
Responding to requests for favors from the client or a quick question from a third party takes time, something that many CPAs have in short supply. A few minutes here and there can add up. A quick response may seem easier, but it may lead to financial and professional liability headaches later.

Download PDF
Sarah Beckett Ference, CPA, is a risk control director at CNA. Deborah K. Rood, CPA, is a risk control consulting director at CNA. For more information about this article, contact
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2021 CNA. All rights reserved.

How Helpful Was This Article?