The Dangers of Dabbling – AICPA Professional Liability Spotlight

To meet evolving marketplace needs, CPAs often look to diversify their service offerings. However, undertaking a new service or providing service to a client in an industry with which the CPA is unfamiliar, frequently referred to as “dabbling,” can elevate the risk of errors and professional liability claims. Why? Reasons include inexperience and inadequate training, which may limit the CPA’s ability to identify and address issues.


One of the fundamental principles of the CPA profession is the standard of due care. Section 0.300.060, Due Care, of the AICPA Code of Professional Conduct indicates that due care requires the CPA to conduct his or her activities “with competence and diligence.” This section also states that the CPA should “undertake to achieve a level of competence that will assure that the quality of the [CPA’s] services meets the high level of professionalism required” by the professional standards. Further, a CPA’s level of competence establishes “the limitations of a member’s capabilities.” Thus, understanding the CPA firm’s strengths and being cognizant of its limitations not only constitute a good risk management practice but also are required under the professional standards.


Dianne Wainwright, Esq., a partner with Margolis Edelstein in Pittsburgh; Thomas Falkenberg, Esq., a partner with Williams, Montgomery & John Ltd. in Chicago; and Kevin Murphy, Esq., managing attorney for Carr Maloney PC in Washington, all specialize in the defense of accountants’ professional liability claims. They shared their insights about the relevance of professional competence in defending CPAs, in the following Q&A.

Can you share a story in which “dabbling” created a professional liability issue?

Wainwright: I defended a CPA firm in a lawsuit filed by a bank. The firm’s client was an online retailer. The bank provided asset-based lending to the client and required an audit. The CPA firm performed the engagement despite having no prior experience working with web-based businesses. The client got the loan but later defaulted, and the bank sued them as well as the CPA firm. An issue that arose during the audit was the capitalization of expenses incurred in setting up the company website. CPA firm staff had not encountered this issue before. They performed some research and concluded that the client’s percentage of  expenses capitalized was appropriate, but did not document their research or rationale for this conclusion. Some of these expenses could not be capitalized in accordance with generally accepted accounting principles. Given the firm’s inexperience in the industry and lack of documentation, defending the work would have been difficult, and the case was settled.

How often does the subject of competence come up in defending accountants?

Falkenberg: I would estimate this issue plays a role in 25% of the lawsuits I defend, at least in part.

Murphy: Competence is often implicated in defending tax engagements, especially those performed for clients in niche industries or in niche services, such as estate or gift tax, where the rules are complex and frequently changing.

Wainwright: Competence is one of the areas where the plaintiff’s attorney will seek extensive discovery on all engagement personnel to determine if the team had the right background, training, and expertise to perform the work.

To enter a new practice area, there must be a “first time” that service is rendered. What insights have you gained from defending lawsuits involving CPA firms rendering a “first time” service?

Murphy: The professional competence of the firm to perform the engagement will be challenged. Robust documentation of research performed regarding the service and the client’s industry, as well as applicable professional guidance and standards are important. It is also helpful to have documentation evidencing that members of the engagement team completed directly relevant continuing professional

Does the need for specialized industry knowledge come up in professional liability claims? How can CPAs mitigate risks when undertaking engagements requiring such knowledge?

Falkenberg: A common line of questioning by plaintiff attorneys in professional liability lawsuits related to audits is the number of audits the CPA firm previously performed for other clients in the same industry. Engaging an expert with related industry experience to assist with the audit can help mitigate this risk, but the firm must have sufficient knowledge to evaluate the work of the expert.

Murphy: This issue frequently arises in cases involving highly regulated industries, such as banking, insurance, or health care. Industries with unique financial reporting and audit considerations, such as governmental and not-for-profit entities, are also ripe for such allegations. If the CPA firm lacks relevant experience, the plaintiff attorney may argue that the CPA firm “went out on a limb” to secure a new client or hold onto an existing one that was entering a new industry.

What about competence at the firm level versus that at the team-member level? How does that factor in?

Falkenberg: At the firm level, efforts should be made to ensure that each engagement is properly staffed. If an engagement requires the use of personnel with limited experience, additional monitoring is warranted to ensure that the work is competently performed.

Murphy: If a firm has only one member with relevant industry expertise in an engagement, the adequacy of firm quality-control practices may be subject to challenge.

Wainwright: Working papers should be sufficiently documented to reflect that the engagement partner, manager, and team members were competent to render the services they were tasked with performing.

In view of these comments, do you have any recommendations for CPA firms regarding professional development and training plans?

Murphy: CPA firms may benefit from routine review of firm engagements by a partner who is not part of the engagement team, applying the critical eye of a would-be challenger of the firm’s competence. Recommendations for additional training should be documented and communicated, when necessary, to the engagement partner.

Falkenberg: Do not take classes simply to meet CPE licensing requirements. Consider the services you perform, and complete coursework that will help improve your competence. You need to get the CPE credit, so make the training worthwhile.

Wainwright: Management should encourage CPAs who complete coursework specific to an industry or service to share that knowledge with others in the firm who can benefit from the training. This internal training should be documented for peer reviewers and others who may examine firm quality-control practices.


CPA firms can mitigate the risk of experiencing competency-related professional liability claims by implementing these basic steps:

  • Avoid “dabbling” and one-off engagements performed as an accommodation to existing clients.
  • Ensure that the engagement team has completed sufficient CPE relevant to the service and client industry.
  • Consider engaging an industry expert to assist with engagements, when appropriate.
  • When using an expert, firm management should have sufficient expertise to monitor the expert’s work.
  • Consider the need for second partner review in engagements where the firm has limited experience.
  • Document all research performed and conclusions reached in the working paper file.
  • Send written communications to clients documenting research findings on tax and accounting positions.

Contact me to learn more about the AICPA Professional Liability Program:

Paul Morris

(415) 883-2525

Article By:

Deborah K. Rood is a risk control consulting director at CNA. Joseph Wolfe is a retired risk control consulting director at CNA.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. For more information, please call Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Insurance Program, at 800-221-3023 or visit
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

What now? Responding to a subsequent discovery of fact – AICPA Professional Liability Spotlight

Consider the following scenario. One morning, you see your audit client’s name emblazoned across the front page of the local newspaper. The story describes a long-term business deal gone awry and hints of embezzlement by the corporate controller. Doubt enters your mind as you envision every document you inspected and recall every conversation you had during the audit. You wonder if you missed something.

Whether it is a newspaper headline, a conversation with a client, or an industry development, a seemingly innocuous piece of new information about a completed audit engagement may raise concern that, had this been known when the auditor’s report was issued, the auditor might have revised the report. Referred to as a “subsequent discovery of fact,” new information that comes to light after the financial statements and related audit report are issued necessitates the auditor’s consideration. This consideration and management’s response may reveal that the financial statements or related disclosures require adjustment, the report may need to be withdrawn and reissued, users of the financial statements may need to be notified, and the CPA firm may even need to consider ending the client relationship.

Consider the auditor in the scenario above. What if a bank had loaned money to the client, or a new investor had just made a large cash infusion into the business? What if key financial metrics or debt covenants were barely reached and now may be questionable? If a CPA firm does not respond properly to a subsequent discovery of fact, third-party users of the financial statements may assert that the CPA firm failed to take necessary action to prevent reliance on the auditor’s report on the financial statements. Indeed, approximately one-quarter of audit claims asserted against CPA firms in the AICPA Professional Liability Insurance Program are brought by third parties. Consequently, it is important that CPA firms be vigilant regarding information received after issuing an audit report and cognizant of the professional standards that guide their response.

The AICPA Clarified Statements on Auditing Standards, specifically AU-C Section 560, Subsequent Events and Subsequently Discovered Facts, guide the auditor’s response to subsequently discovered facts in an audit engagement. Auditors should consider implementing the following measures when responding to a subsequent discovery of fact:

  • Discuss the matter with client management. Determine if the financial statements, including disclosures, require revision and, if so, inquire how management intends to address the matter in the financial statements. Involve those charged with governance when appropriate.
  • Ensure third-party users are notified. If the financial statements (before necessary revision) have been made available to third parties, client management, not the auditor, should inform the users of the situation and advise them not to rely on the financial statements and related audit report. The auditor should verify that the client has provided adequate notice to third parties. Timely and appropriate notification to third-party users represents a critical step in mitigating the risk of a professional liability claim.
  • Audit the new information. The auditor should audit how the client has accounted for the new information and reflected it in the financial statements and related notes.
  • Update and reissue the auditor’s report. If the audit opinion differs from the originally issued opinion, an emphasis-of-matter paragraph or other-matter paragraph should be added to the report. The auditor has two choices related to the date of the reissued audit report:

    • Date the report as of a later date. Extend subsequent event procedures and obtain client management representations through the new report date.
    • Dual-date the report. A note to the financial statements should disclose the new financial information and the financial statement impact, and include a statement that audit procedures applied subsequent to the original audit report date were limited solely to the revised financial information. Additional management representations should also be obtained in this

A client may disagree or choose not to revise the financial statements. Even if client management agrees to revise the financial statements, it may not properly inform financial statement users of the situation. Should either of these situations arise, the CPA should take specific steps depending on the circumstance as outlined in AU-C Section 560, paragraphs .14, .17—.18, and .A23—.A26. These steps may include communications to management and those charged with governance, notification to applicable regulatory agencies, and notification to third-party users. Consultation with the firm’s legal counsel is also recommended.

A subsequent discovery of fact, whether it is embezzlement within a client’s organization, the termination of a key contract affecting previously recognized revenue, or another unexpected event, places CPAs in a delicate situation that demands a focused and timely response. Consider the following risk management techniques to help minimize professional liability risk related to a subsequent discovery of fact:

  • Be alert for new information. Keep a close watch on client news and industry developments. This attentiveness can help identify new information.
  • Know and adhere to the professional standards. Review AU-C Section 560 if new information is uncovered subsequent to engagement completion. Address the issue according to the professional standards.
  • Reduce the likelihood of surprising new information by performing a thorough audit, including subsequent-event procedures. Diligent performance of these procedures may reveal facts in sufficient time to respond prior to issuance of the original audit report.
  • Review training and quality-control procedures. Proactively assess audit training and quality-control procedures related to this area to ensure all firm personnel respond appropriately when faced with new information.
  • Consult with others. Revisions to financial statements often lead clients and third parties to assign blame to the CPA firm for failure to detect the information sooner. Consult the firm’s legal counsel to assist with the response. Your firm’s professional liability insurance carrier also may have resources to assist you.
  • Consider termination if the client’s response is insufficient. If the client does not respond appropriately, or if it appears that the client has withheld information, consider the impact on your ability to rely upon its representations and consider terminating the relationship.
  • Report the matter to the firm’s professional liability insurance carrier, if required. Most policies require reporting of acts or omissions that may reasonably be expected to be the basis of a professional liability claim during the policy period. Review the professional liability policy’s claim reporting requirements with the firm’s insurance agent or broker.

The AICPA Statements on Standards for Accounting and Review Services (SSARSs) guide a CPA’s response to a subsequent discovery of fact after the date of an accountant’s review report. Accountants performing review services are advised to consult the SSARSs when faced with a subsequent discovery of fact.

Article By:

Daniel J. Gartland is a risk control consultant at CNA.

Due diligence with CPA firm subcontractors – AICPA Professional Liability Spotlight

CPA firms often use subcontractors to help provide payroll, tax, accounting, and audit services or to provide administrative support to the firm. In the course of rendering these services, subcontractors may obtain access to a vast amount of confidential client data. Examples of subcontractors include part-time help hired during busy season, other accounting firms assisting with tax return preparation, or even companies that provide mailroom or office cleaning services.

Individuals with access to large amounts of electronic data pertaining to clients and the firm can create havoc in minutes. The legal and professional responsibilities of a CPA firm related to privacy of client data also extend to the actions of its subcontractors. Consider this related story involving a privacy breach by a subcontractor in the health care industry.

Example. GMR Transcription Services (GMR) employed a subcontractor named Fedtrans to transcribe audio files received from GMR’s customers. Fedtrans downloaded the files from GMR’s network, transcribed them, and uploaded the transcripts back to the network. Because of an error by the subcontractor, the transcripts were indexed by a major internet search engine and became publicly available to anyone using the search engine. The files contained detailed notes from medical examinations about psychiatric disorders, alcohol use, and other confidential patient information. The Federal Trade Commission (FTC) conducted an investigation and charged GMR with failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information by the subcontractor. The terms of the settlement with the FTC required GMR to submit biennial assessments and reports on its information security program for 20 years. (Federal Trade Commission, “Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information,” available at


Typically, unauthorized disclosure of confidential client data by a subcontractor relates to the activities of its employees rather than a rogue act by an unknown third-party hacker. Subcontractors with inadequate controls over access to data present elevated risk to CPA firms. A breach may arise from unintentional and careless mistakes, as well as from intentional acts by subcontractor employees.

Understanding subcontractors’ restrictions on access to electronic data and instituting redundant systems to limit access represent critical factors in conducting due diligence. However, due diligence also demands CPA firms evaluate the privacy and security practices of potential subcontractors. In addition, a CPA firm should review each subcontractor’s protocol in screening, training, and monitoring its workers with access to confidential client data, as well as its physical security safeguards. The CPA firm also should review indemnification, data breach protocol, and insurance coverage provisions in contracts with subcontractors.


CPA firms are subject to privacy and security obligations under AICPA Professional Standards, state boards of accountancy rules, and the Internal Revenue Code (IRC). The AICPA Code of Professional Conduct addresses the use of third-party service providers in ET Sections 1.150.040, 1.300.040, and 1.700.040. ET Section 1.700.040 indicates that in the absence of obtaining specific consent from the client before disclosing confidential information to the provider, the CPA should enter into a contractual agreement with any subcontractor addressing procedures to prevent the unauthorized release of confidential information to others.

IRC Sec. 7216 imposes misdemeanor criminal penalties on tax return preparers who disclose or improperly use taxpayer information. The regulations and IRS guidance require tax return preparers to obtain specific taxpayer consent prior to disclosing tax return information to subcontractors (and any other third parties) and require the use of an “adequate data protection safeguard” when taxpayer information is sent to a return preparer located outside the United States (Regs. Sec. 301.7216-3 and Rev. Proc. 2013-14, §5, as modified by Rev. Proc. 2013-19).

CPA firms and their subcontractors also must comply with applicable privacy laws, such as the FTC Safeguards Rule, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), and state security breach notification laws. (For more information, see “Professional Liability Spotlight: A Breach of Client Data: Risks to CPA Firms,” JofA, Aug. 2013, page 18, and “How Health Care Data Security Rules May Affect You,” JofA, Jan. 2015, page 54.)

Responsibility for compliance with these professional and legal obligations extends to the privacy and security practices of subcontractors.

So, what are CPA firms to do? Relying on the good faith of subcontractors is not a viable solution. Rather, a CPA firm should consider implementing appropriate risk mitigation strategies.


CPAs should understand how subcontractors screen, train, and monitor workers who have access to confidential client data.

• Does the subcontractor use a third-party company to perform background checks or have a written policy on screening? Background screening companies vary widely in experience, qualifications, and services provided. Review the subcontractor’s screening policy, if applicable. While confidential client information is vulnerable to exploitation for profit, employers are restricted in asking about criminal convictions in the hiring process. (For more information, see “Professional Liability Spotlight: Criminal Background Checks Can’t Remain in the Background Anymore,” JofA, April 2013, page 16.)

• Review the subcontractor’s written employee policies and training materials on maintaining confidentiality. Training materials should encompass ethical conduct, as well as a response when unethical actions or behaviors by others are observed. An “open door” policy to encourage disclosure of concerns regarding employee behavior or misconduct without fear of retaliation is desirable.

• Ask about the subcontractor’s controls over physical security, and processes to monitor employee behaviors and actions.

If these issues raise concerns, consider how to best mitigate the risks. Some techniques are within the direct control of the CPA firm, such as maintaining a “clean desk” policy to prevent unauthorized access to records by cleaning service employees. Other risks may be mitigated through further action by the subcontractor. CPAs should advise subcontractors to consult with their attorneys regarding employee screening and monitoring processes.


CPA firms also should review subcontractors’ privacy and security policies. While small subcontractors may not have written policies, CPAs should confirm that prospective subcontractors maintain adequate controls over these matters. Due diligence should be performed when seeking services from new subcontractors and updated at regular intervals in ongoing relationships.

An excellent related resource is the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Chartered Professional Accountants of Canada. The business version of these 10 Generally Accepted Privacy Principles is available at Consider using these privacy principles to evaluate and recommend improvements to subcontractors’ policies and procedures.


Enter into a written contract with the subcontractor that addresses privacy and security policies, indemnification, data breach protocol, and insurance coverage, and have your attorney review the contract prior to execution. Among other issues, it should address:

• Representations made by the subcontractor regarding privacy and security practices;
• The subcontractor’s obligation to maintain privacy and security;
• The obligation to promptly inform the CPA firm in writing in the event that a breach of privacy occurs;
• Indemnification of the CPA firm in the event of a security breach; and
• Minimum limits of liability insurance required.

Contractual provisions may be important in defending a CPA firm’s actions in the event of a regulatory investigation or lawsuit related to a subcontractor’s privacy breach.

Liability insurance for the actions of subcontractors should also be evaluated, including exposures related to privacy breaches in handling CPA firm data, working on the premises of the CPA firm or its clients, and traveling to and from these locations. Investigate the application of insurance coverage under CPA firm policies to the acts of subcontractors. Some policies extend coverage to the acts of subcontractors, while others do not. CPA firms should consult with their attorney and insurance agent or broker regarding these matters.


While the above items are good considerations to help evaluate a subcontractor’s privacy and confidentiality policies, what would happen if a client asked your CPA firm similar questions? Now is an excellent time to review and update the firm’s processes to protect confidential client data, train employees, and understand how insurance coverage may apply in the event of a data breach.

Article By:

Joseph Wolfe is a risk control consulting director at CNA.

The importance of tax quality control – AICPA Professional Liability Spotlight

Quality control (QC) is of utmost importance when delivering professional services, including tax planning and compliance services. In 2014, 67% of the claims in the AICPA Professional Liability Insurance Program were related to tax planning and compliance services. Unfortunately, almost all of these claims included a failure in quality control. When a professional liability claim is asserted and QC breakdowns have occurred, defense counsel’s ability to negotiate a favorable result for the CPA may be compromised.

Rather than several claim stories with seemingly innocent breakdowns in QC, what follows is a combination of real claim scenarios resulting in a disastrous QC collapse. While this scenario may seem unrealistic, any one of these QC breakdowns could compromise the defense of a professional liability claim.

The new private-equity client
The managing partner of XYZ CPAs Inc. said it was the firm’s highest priority to obtain new clients in private equity by year end. As a result, when an attorney with whom the firm regularly worked mentioned that one of his private-equity clients operating as a partnership needed tax compliance services, the firm bypassed its customary client and engagement acceptance procedures to obtain the desired business. The firm agreed to prepare the tax returns but failed to issue an engagement letter.

Had the firm followed its customary client and engagement acceptance procedures, it may have discovered that the fund organizer was a convicted felon who previously operated a Ponzi scheme. In addition, the firm may have questioned why a small firm in a neighboring state was performing the fund’s audit instead of a specialized firm. Routine client acceptance procedures also may have revealed that the client’s CFO was the husband of one of XYZ’s audit partners, representing a potential conflict of interest.

The QC problems related to this engagement continued to accumulate. The tax partner was new to XYZ but had worked with the managing partner 20 years before. Based on this relationship, the firm did not confirm the new tax partner’s licensure or previous experience. Notably, she had been disciplined by the state board of accountancy due to a conflict of interest on another tax return. The client demanded the Schedules K-1 be issued to investors by April 10, despite incomplete information regarding Schedules K-1 from the company’s investments. The “experienced” tax partner explained that she regularly used estimates and adjusted for final numbers on the following year’s return at her old firm so Schedules K-1 could be issued on a timely basis.

The only staff member available to prepare the fund’s tax returns was in his second tax season and had primarily worked with C corporations. Since he lacked experience in partnership filings, the staff member did not allocate income based on the partnership agreement. The staff member relied on the computations generated by the tax preparation software. The tax partner’s review consisted of confirming the book-income-to-taxable-income reconciliation and discussing the calculation with the client. Moreover, the new tax partner was not supervised on any engagements, including the high-risk returns relating to this matter. The return was finalized and electronically filed—without a Form 8879-PE, IRS e-file Signature Authorization for Form 1065. This series of errors continued for the following six years.

Approximately one month after the firm prepared its seventh tax return for the client, federal agents raided the client’s office.  The client was operating another Ponzi scheme. Soon after the raid, investors began filing professional liability claims against the CPA firm, alleging the firm should have discovered the fraud.  In addition, investors alleged that the firm improperly allocated taxable income to them, causing them to overpay tax, incur additional professional fees, and, in some years, lose the ability to obtain a refund because the statute of limitation had expired.

Elements of a strong QC system
While QC may be difficult to get excited about, its importance cannot be overstated. As a result, tax professionals should consider the following to create a strong QC system:

Circular 230
In June 2014, Treasury Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10), which addresses practice before the IRS, was revised.  Section 10.36, Procedures to Ensure Compliance, now requires the person or persons responsible for overseeing a firm’s tax practice to take reasonable steps to ensure the firm has adequate procedures in effect to comply with Circular 230. This individual will be subject to discipline for failure to comply with the requirements if, through willfulness, recklessness, or gross incompetence, the individual does not take reasonable steps to ensure the firm has adequate procedures in place to comply with Section 10.36 and a firm member engages in a pattern of failure to comply with this part. Written tax QC materials represent one of the best tools for complying with Circular 230, Section 10.36.

Tax QC materials
QC materials may consist of (1) a tax QC manual; (2) tax policies and procedures; and (3) voluntary tax practice review.
The tax QC manual and tax policies and procedures should be written, updated regularly, accessible, and communicated to the tax practice through training. The QC manual provides guidance in developing the tax group the firm desires. It should provide a foundation upon which all decisions for the tax group are based and be referenced when the tax group implements policies and procedures. The AICPA Tax Practice Quality Control Guide is based on the AICPA Statements on Quality Control Standards and contains the following six elements of QC: (1) leadership; (2) ethical requirements; (3) client acceptance and continuance; (4) human resources; (5) engagement performance; and (6) monitoring.

  • Policies and procedures

Unlike a QC manual that is more aspirational, policies and procedures are instructional in nature. Tax policies and procedures should delineate every step in preparing a tax return from receipt of the information to electronic filing. In addition, policies and procedures should address all tax services, including planning, research, and consulting.

  • Voluntary tax practice review

A voluntary tax practice review is one method to monitor compliance with both a firm’s tax QC manual and its practices and procedures. In a two-person firm, one partner may review a select set of returns the other partner prepared and vice versa. Some firms may wish to work with a peer firm and review each other’s practices. This protocol exposes both firms to different techniques for accomplishing the same tasks, some of which may be an improvement. In a large, multi-office firm, a QC team may visit various offices, selecting returns from each partner to review.

AICPA Tax Section members have access to the Tax Practice Quality Control Guide, which includes sample QC policies for a sole practitioner with limited staff, a firm without a structured tax department, and a firm with a structured tax department. Tax Section members also may access sample engagement letters.  In addition, some professional liability insurers have tax QC manuals and sample engagement letters available to policyholders.

Lessons learned
In the claim scenario presented above, a QC breakdown occurred at every level. The managing partner set the tone at the top, sending the message that the firm valued new business over quality. The managing partner’s highest priority was having a private-equity client by year end, not the “right” client.

While the potential conflict of interest did not contribute to the claim, if it had been identified, steps should have been taken to reduce the potential for it to do so. Human resources for the firm generally verified the information on a new employee’s résumé, but those steps were bypassed.

Client acceptance procedures were also not observed. A background investigation of the client’s management should have revealed the organizer’s history of operating Ponzi schemes and the fact that it selected a small firm without expertise in the client’s business to conduct an audit. In addition, an engagement letter was not issued.

The engagement was not performed with professional competence, as required by Circular 230, Section 10.35, Competence. The preparer lacked relevant experience and was not adequately supervised. In addition, the new tax partner did not adequately review the return in light of the preparer’s inexperience, and the new tax partner’s work was not reviewed.

An adequate review of the return should have prevented the tax partner from signing an inaccurate return, which included estimates and improperly allocated income. Finally, the firm did not have adequate procedures to ensure returns were not electronically filed without a signed authorization form.

Appropriate monitoring of tax compliance processes may have identified these problems earlier, but the firm did not have a system in place. Firms that emphasize quality over realization are well-positioned in the event of a professional liability claim or investigation by the IRS Office of Professional Responsibility.

Contact me to learn more about the AICPA Professional Liability Program:

Paul Morris

(415) 883-2525

Article By:

Deborah K. Rood, CPA, MST, is a risk control consulting director at CNA.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. For more information, please call Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Insurance Program, at 800-221-3023 or visit
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.


Liability Insurance for Cyber Risk

With each year that goes by, businesses are becoming more and more reliant on technological developments and how they streamline business processes. From big e-commerce corporations to the small clothing boutique that keeps an electronic record of customer information, almost every business uses computers, software and various other technological innovations to perform daily operations. But as wonderful as these developments are, they also unfortunately open up businesses to an assortment of cyber risks.

What is a cyber risk? A cyber risk is the potential for electronic equipment to fail and for sensitive electronic data to be stolen and/or leaked, resulting in expensive cleanup. Cyber risks come in many forms, and your business is often liable for dealing with them. Here are some examples that your business might face:

  • A new installation corrupts your customer database
  • A hacker steals and leaks secret strategies or customer credit card information
  • A power surge after a storm causes computer equipment to fail
  • An employee accidentally leaves a work laptop in a public place and it’s stolen
  • An employee commits fraud internally

Remember the Target scandal last year where 40 million customers became at risk for identity theft following a data breach? Though not all cyber risks are at that large of a scale, many of these instances can result in damage control efforts and lawsuits that can easily add up to exceed six figures. While this may only put a chink in the armor of larger businesses, it could be devastating for smaller businesses (particularly if they don’t have IT departments to act as a first line of defense).

Even with firewalls and antivirus software, over a third of all businesses experienced some sort of data breach last year. In order to protect your livelihood, it’s best that you do two things. First, have IT professionals equip your business with server protection and firewalls that meet industry-standard security best practices. Second, purchase cyber liability insurance to protect yourself against potential data breaches.

Cyber liability insurance should be considered by any business that retains sensitive electronic information and equipment. These businesses include online retailers and marketers, financial institutions, technology companies, law firms, healthcare professionals, schools/universities, etc. This coverage offers protection from the expenses associated with being held liable for both internal and external data breaches, which can cost your business financially, ruin your business’ reputation and scare off previously loyal customers. What exactly are the costs associated with a data breach? Depending on the circumstances of the breach, you may be responsible for paying for the following:

  • Containment and patching the source of the breach
  • Customer notification
  • Replacement of lost/corrupted data or equipment
  • PR and crisis management
  • Business interruption
  • Fines associated with cyber terrorism, extortion and libel/slander
  • Legal fees for defense

The small cost of cyber liability insurance is justified by the amount of protection it offers, which can be the difference between bouncing back and closing business doors permanently. Visit our Cyber Liability page for more info or give us a call at 888-512-8878.

Frequently Asked Questions Regarding Professional Liability Insurance

Here are some frequently asked questions by CPAs regarding Professional Liability insurance.

  • What does Professional Liability cover me for?
    • It covers you for claims made by your clients against you or your firm for services rendered by you.
  • How much does Professional Liability insurance cost?
    • Price is determined primarily by your gross revenue on an annual basis, then other factors are weighed, such as how many professionals give advice, what internal controls you have in place, whether you have any claims, and what limits and deductible your firm needs.
  • How much Professional Liability coverage do I need?
    • A general rule of thumb is to get limits in excess of what you gross annually, but other factors come into play, such as your personal assets that you want to protect, what exposures you have for the type of work you do, what net worth do your clients have, etc.
  • How does Professional Liability insurance work?
    • When you first start with coverage, your policy will cover you for services rendered on a going forward basis. Each year you renew, your policy will cover you for services rendered from your initial start date (prior-acts date or retroactive date). Premiums are initially discounted by approximately 50% since the carriers do not expect to see a claim for a few years. Your premiums “step up” until the mature year when you reach the actual 100% premium level.
  • Who do I contact if I have any questions regarding my Professional Liability policy?
    • You can always call us or use your desktop or smartphone to access our website. You will also have access to Claims Representatives, Subpoena Experts, and Risk Management Professionals depending on your circumstances.
  • What do I need to look for in a Professional Liability Program?
    • Does the carrier have Risk Management Support which can be critical to get your issues addressed in a timely manner? Does the carrier have experienced counsel at reasonable rates? If not, will I be blowing through my deductible quickly? Is the Program affordable overall, not just the premium but all components? Has the carrier shown a commitment to the profession by offering years of continuous coverage? Many carriers get in, collect premiums, then get out and move onto something else. All of these issues must be evaluated and considered.

If you have any further questions, please feel free to leave them in the comments section below or contact us directly at 888-512-8878.

General Liability & Professional Liability: What’s The Difference?

Many businesses have and need both general and professional liability policies, although many business owners have trouble distinguishing the two. Both general and professional liability policies protect a business from risks related to individuals who come into contact with the business. Professional liability, however, is more specific to clients of the business.

General Liability– This policy protects a business in instances that involve bodily injury to non-employees, property damage, slander and false advertising. A common example of what general liability covers is a customer who slips, falls and is injured while in a store. Lawsuits like these brought against a business are covered by its general liability insurance.

Professional Liability– This policy, also known as Errors and Omissions (E&O), or malpractice in the case of medical professions, protects against lawsuits that may arise because of a service provided by a professional. Businesses that require professional liability insurance typically employ licensed professionals including Certified Public Accountants (CPAs), lawyers, and medical practitioners. These professionals are expected to perform to a certain standard and must adhere to specific codes of conduct in order to maintain their professional license. Contractors and any other business can also obtain errors and omissions coverage. If these businesses don’t carry professional liability coverage, they are susceptible to lawsuits, such as one from an unhappy client who believes he lost money in a divorce settlement due to a lawyer’s error.

Both of these policies are extremely important in maintaining a business’s financial security. Contact Mitchell and Mitchell today to ensure your business is properly covered.

Why Accountants Need Professional Liability Insurance

The accounting industry is difficult to work in, with so many changing laws and regulations to keep up with over the years. Accountants, CPAs and tax professionals are expected to manage the finances of clients and advise them on a variety of financial and investment strategies. However, one piece of bad advice—or even a perceived mistake—can result in an angry client suing your accounting business.

In today’s litigious society, everyone looks to point the blame elsewhere. If a business fails, the owners frequently turn to the accountants and blame them for shoddy bookkeeping. For this reason, it’s prudent for all accountants and finance professionals to purchase professional liability insurance.

This type of policy covers the costs of errors and/or omissions that may cause a client to make a claim against your business. In short, it protects the assets of your business (and perhaps even your personal assets) from the financial consequences of a claim, whether grounded or frivolous. Remember, even if you follow every accounting standard, you can still get sued by a client.

While there are many concentrations within the finance industry, the greatest number of professional liability claims comes from tax practices. However, the most expensive claims come from audit work.

Many professional accountants have noted that it’s foolish to operate without professional liability insurance. However, alongside insurance, you can take additional steps to protect your business from such claims. Ensure that at least two employees review contracts, advice, etc. before handing them over to clients. Clearly identify the work you will perform and ensure that the client understands it by discussing it at length. And finally, do not accept just any client; do your homework to ensure that potential clients haven’t previously been involved in litigation.

Speak with an agent today about protecting your accounting business with professional liability insurance. You never know what future event will make you glad you did!

We’ll gladly explain your coverage options. Call Mitchell & Mitchell Insurance Agency at (415) 883-2525 for more information on California professional liability insurance.

How Should Accounting Practice Owners Protect Themselves From Their Own Employees?

In every accounting practice, employees and clients interact with each other on a regular basis. It is the responsibility of the owner to oversee these interactions and to confirm that all the information exchanged is honest and true. Recently, in a practice in Sacramento, California, tax refunds were being stolen by one of the firm’s employees. The employee started by stealing small amounts of money as low as $500 and then ramped up to a $4,000 refund. It turns out that this employee had been stealing for several years without notice.

Firm owners must realize that they will be held liable for any employee theft or embezzlement of client funds. It is important to ensure that you have a comprehensive professional liability policy that includes coverage for employee dishonesty. While we want to believe that all of our employees are loyal, we can never be sure of their future actions.

The real “golden rule” that owners should follow is: get to know your employees. Subtleties such as how they are doing at home, what types of vehicles they are driving, or what jewelry they are wearing are all potential signs to look for in case you suspect an employee may be embezzling.

Last but certainly not least, the easiest way to protect your firm from embezzlement is to simply follow the rule of checks and balances. Allowing one person to file a tax return by him/herself opens up the possibility of details being overlooked.  Another partner or administrator of the firm should always take one last look before the tax return is filed.  It is just too easy for someone to mistype or make a mistake on a return and therefore it is vital for the firm owner or partners to review returns prior to filing.

For information on California accountant professional liability insurance, give Mitchell & Mitchell Insurance a call at 888-512-8878.


School is in session. Watch for school buses!

8/26/2013 8:17:10 AM
Now that the school year is just about underway, you will certainly be seeing a lot of school buses on the road.  Whether your child is on one of those school buses or you are merely another driver sharing the road with the buses, you will want to pay extra attention to safety.  

When you see school buses on the road, you might cringe at the thought of getting stuck behind them while they make their seemingly endless stops. Sure, it can be a pain. Finding an alternate route is in your best interest, especially if you want to get to your destination on time. However, if you cannot find a different way to go, you will need to know the rules of following a school bus during its route.

School bus drivers will give you plenty of indications that they will be coming to a stop before they get there.  First, they will turn on their yellow flashing lights so you will know to slow down.  Then, those lights will turn to red which means they are approaching a stop.  You will need to stop completely when those lights are on.  Be careful to not block any intersections and leave enough room behind the bus.  

When the bus is stopped, watch for children getting on and off and for parents who will be waiting for their kids.  Remember that kids will be excited and may not follow the rule of walking in front of the bus to cross the street.  They may take off in different directions.  Stay alert and do not drive off until the bus driver has turned off the red flashers.  And never pass a school bus when it is at a bus stop.

School bus safety is important for everyone who shares the road. Keep everyone safe by paying extra attention to school buses this school year!