The July issue of Accounting Today makes important points about accounting risk for failure to detect and report fraud. Sarah Ference, Risk Control Director for CNA, notes that while CPA engagements are not typically designed to detect or report fraud, most clients, and perhaps most jurors, think CPAs should always be on the lookout for fraud. 25% of claims arising from audit and attest engagements allege that the CPA failed to detect and report fraud. 6% of tax service claims also allege a failure to detect and report fraud. Ms. Ference notes the importance of engagement letters to manage expectations and, where appropriate, disclaim reliance. Mission creep, of course, can render the best engagement letter ineffective. Finally, the article suggests that anything sinister or unusual observed during the engagement should be reported in writing to the client. The disconnect between client/juror expectations and an accountant’s scope of engagement will apparently always be with us. Paying attention to potential fraud and reporting it may help your accounting firm avoid becoming a data point in the claims statistics.
I was fortunate to attend and speak on a panel at the CLM Annual Conference in Houston last week. I thought I would pass along a few takeaways from the professional liability sessions I attended.
- The increase in autonomy for “Physician Extenders” (CRNA, NP, PA, midwives) likely comes with increased liability risk to them. Analyzing contracts with the supervising physician, actual supervision of the physician extender, whether the extender’s liability insurance coverage matches the realities of their practice, and whether the extender will be held to the physician standard of care are all important considerations in advising and defending a physician extender.
- Lawyers must embrace Artificial Intelligence in analyzing cases and use it to their advantage. They must be prepared to discuss why the data is or is not accurate and how it can be applied to a specific case.
- Don’t forget about paper and unsaved emails in the “high-stakes” insurance broker case. The tendency may be to focus on ESI due to the vast amount of documentation in a multi-million dollar claim. But a hand-written note documenting a meeting or phone call, or an email that was not saved to the client file could be the key piece of evidence to support the broker’s position that a coverage was refused or a particular risk was discussed.
- High exposure does not necessarily translate to the existence of a special relationship with an insurance broker. Key factors to address in opposing a special relationship finding are:
- Other brokers involved/seeking competing bids
- Criticism or questioning of the broker by the client
- The sophistication of the client and autonomy in decision-making
- Cyber-attacks and data breaches pose an increasing risk to professionals such as lawyers, accountants, insurance agents, and medical professionals, who possess a significant amount of potentially valuable data.
- As the sophistication of the attacks has increased, so has the variety in available insurance coverages.
- Make sure that your firm and your clients have adequate coverages to address the wide range of cyber risk to you and your clients.
- The sooner you respond to a cyber-attack, the better, starting with reporting it to your insurance carrier who likely has the resources to assist with addressing the issue.
Today the CPA Dailey Letter (citing CBS News and the IRS) warned against phishing attacks on accounting firm computer networks resulting in stolen data and fraudulent tax returns. We helped an unfortunate client facing this problem last year. They merged in a smaller firm in the middle of busy season and didn’t get the small firm converted to the large firm’s computer system quickly enough. Imagine a hacker getting copies of all your clients’ 2016 returns and then using your clients’ data to file fraudulent 2017 returns seeking big refunds. You and your clients learn about the problem when notices start drifting in from the IRS rejecting returns that seek 7 figure refunds. Eventually you get such a notice for every one of your tax return clients. You have to call each and every one of them to tell them that fraudsters have all their personal information from the return. Fraudulent tax returns may just be the beginning of their identity theft problems. This problem could really ruin your quarter and your year. Keep your software updates current and do some simulated attacks to protect your clients and your firm.
Earlier this week the Wall Street Journal and others reported that KPMG had hired former PCAOB staffers to reveal the secret list of KPMG audits that the PCAOB would examine. The article reported that the SEC had indicted 5 former KPMG employees including 3 former partners for fraud. KPMG apparently discovered the scheme in March of 2017 and self-reported. Allegedly almost half the 2013 KPMG audits reviewed by the PCAOB in 2014 had been found deficient and the firm felt pressure to improve its audit quality. The partners charged included those formerly in charge of national audit quality and another responsible for inspections.
A few days later GE announced an SEC probe of its accounting practices along with a restatement of its 2016 and 2017 financial results. At least part of the problem arises from revenue recognition issues in its jet engine and power turbine business. Other problems stem from charges in its long term care insurance business. Together the adjustments may total over 21 Billion dollars. KPMG has served as GE’s auditor since 1909.
These articles highlight the challenges even the largest audit firms face in detecting material misstatements in a client’s financials. We face increasing complexity in public company financials and auditors are struggling to keep up with the standards in a difficult environment.
Matt Gass and Joe Kingma won a motion to dismiss against a seller after a deal fell through. The seller alleged malpractice, misrepresentation and intentional interference; essentially that the purchaser wanted to get out of their agreement and used the accountant to achieve that result. Joe and Matt filed an early motion to dismiss and prevailed on all the claims.
Claims arising from the accountant’s role in mergers and acquisitions are definitely on the rise, and we are handling several more of those now, so check back for updates.
1. Cyber Insurance is cheap and important to protect against risks not covered by E&O. Work with a knowledgeable broker and insurer and buy the coverage because the risk is real and growing.
2. Make sure your engagement letter includes:
• a specific description of the work you will do;
• limitation of damages provision where not precluded by standards;
• indemnification where not prohibited by standards;
• disclaimers where appropriate ( i.e. AUP’s);
• jurisdiction, venue and choice of law provisions; and
• a provision for the client to pay for time and expense you incur for subpoena compliance.
Watch out for client changes including cyber representations and indemnifications of any kind.
3. Evaluate the risk to your firm before responding to subpoenas or document requests. Consultation with your insurer or outside counsel may be time well spent. The risk runs from minimal to existential and different risks require different responses.
4. You save money by not engaging with bad clients. Red flags include:
• financially stressed or unprofitable clients;
• clients whose work you are not really equipped to handle;
• clients whose interests conflict with other clients; and
• clients who lack management integrity.
These all should be evaluated for disengagement. Consider firing your bottom 5 or 10% and investing those resources into developing better opportunities.
5. All of us have clients who present some special risk. Do what you can to mitigate that risk with:
• thorough client acceptance procedures;
• engagement letters;
• robust conflict analysis; and
• continuous reevaluation.
Employ detailed financial management including precise billing entries, timely billing and early AR follow-up in order to spot problems quickly.
As public offerings have gotten more complex and expensive, capital has flowed to non-public securities. Consequently, the exempt securities market has expanded and increased in complexity and risk. Issued on July 27, 2017, SAS 133 is intended to provide guidance to bring auditing consistency across offerings and increase public confidence in the presentation of financial information.
Beginning with offerings made in June 2018, this new standard will apply when audited financials are used in connection with exempt securities offerings. Common exemptions involve private placements, municipal securities, not-for-profit securities, new crowd-funding and Regulation A offerings, and franchise offerings. Thus, heightened audit procedures will be the rule rather than the exception, applying in some form to both private and public capital raising efforts.
SAS 133 will apply when an auditor is “involved” in an exempt offering. Being involved has two components: (1) the auditor’s report is included or referenced in the exempt offering document and (2) the auditor performs specific activities with respect to the offering document like reading the offering materials, offering a comfort letter, or agreeing to allow the use of the report in connection with the offering. These requirements are designed to protect auditors from fallout from the use of their audits in connection with exempt offerings without their knowledge.
Among other things, SAS 133 will import the requirements AU-C Section 720 regarding “other information in documents containing audited financial statements” and AU-C Section 560, which requires auditors to consider whether events after the report would cause the auditor to revise the report.
This new auditing standard will require auditors to pay attention to two related developments. First, auditors will have to be more attuned to which transactions count as securities. For example, the SEC recently decided that offering cryptocurrency is a securities offering requiring registration or exemption. Second, auditors will have to consider how closely to hue to GAAP and the FASB’s auditing standards, which are not yet mandatory but do influence how disappointed investors seek redress for failed investments. For more information on non-GAAP accounting and the state of the industry, see our video here.
Billy Newcomb and I recently won summary judgment for a top 100 accounting firm. A publicly traded company had sued in a Florida court, alleging negligent failure to detect fraud and claiming damages well into eight figures. Six other defendants, including a top 10 accounting firm, settled with the Plaintiff just after suit was filed, leaving our clients as the sole defendants. At court-ordered mediation, the Plaintiff, perhaps a little too confident in its home court advantage, refused to lower its demand under $5 million. Immediately after the mediation failed, the trial court granted summary judgment to CCS’ clients and dismissed all of the Plaintiff’s claims with prejudice.
Billy practiced law in Florida for five years and regularly litigates Florida cases, and he and I have done well in Florida over the years. We felt strongly about our liability and damages defenses and didn’t want to waste our clients’ money on an excessive settlement. Our clients agreed and had the confidence to stand up to the Plaintiff. If early summary judgment had not been granted, Billy and I planned to prevail on another dispositive motion or at trial.
When a Plaintiff makes a reasonable demand, we often recommend settlement to our clients. But, when the plaintiffs are unreasonable, we know how to get a better result at the courthouse.
As Churchill announced:
we shall fight on the beaches,
we shall fight on the landing grounds,
we shall fight in the fields and in the streets,
we shall fight in the hills;
we shall never surrender…
There are no sure things in litigation, but if you want to know what a case is worth, sometimes you must have the courage to fight. We are both very grateful to our clients for their courage in letting us go forward.
Takeaways from Professional Liability Underwriting Society (PLUS) International Conference 2016:
1. Law firms fail because of: too much debt, rapid expansion, guaranteed salaries, and/or cultural divides.
2. We are all expecting a U.S. law or accounting firm to get hit with a Panama Papers style data breach which brings down the firm and probably yields management liability claims as well.
3. The IRS will continue its attack on captive insurance companies utilized to avoid tax with no real risk transfer.
4. Mary Jo White will be missed and you might expect the SEC to focus less on Wall Street and more on Main Street in the next four years.
I was fortunate to prevail in a bench trial for a great CPA firm in August and was reminded of these takeaways:
1) A CPA’s work product will seldom be perfect but good workpapers can save you from many apparent sins.
2) Identify sources of data in your work product or you may end up as guarantor of data you should not be responsible for.
3) Smart and highly educated Plaintiffs who exaggerate their claims can be systematically destroyed, but only with a light touch.
4) Credibility and likeability are critical in a factually complex case and lawyers and CPAs need to begin to establish both on day one of their engagement.
5) Our trial system is not perfect, but it often yields the right result so defendants should not despair.