Which of the following risks do auditors face when deciding whether or not to accept a new client

Auditors know there’s never been a more challenging time to monitor and meet evolving regulatory changes and professional standards. How their jobs are performed now requires more than accounting and audit knowledge and skills. In fact, the accounting and audit professions have gradually been drawn into the world of automation and automation tools.

To that end, we’ve prepared an audit engagement checklist that explores how automated tools and techniques can enhance the processes and steps.

Each audit engagement is unique, but most share the basic steps of preparation, planning, field testing, and audit procedures, as well as subsequently rendering the audit opinion. To ensure a timely and successful audit, creating and following a succinct outline of your audit strategy (including planning and preparation) is paramount.

Prior to the global pandemic, technology and automation started to take root as necessary tools for audit professionals. But as the pandemic marches on, the utilization of technology — including automated tools — has become mandatory, especially in the tax and audit profession.

Pre-audit engagement

After the decision is made to accept an audit engagement, the auditing team does a thorough risk assessment of the client’s company, which includes assessing the industry, management’s integrity, governance procedures, and internal controls. Today, most companies and industries rely heavily on data, and the ability for auditing teams to examine and analyze the client’s data is necessary. The use of technology at this point can greatly assist in determining the right scope of the data in order to make it relevant to the intended audit.

Having a checklist not only organizes but provides a comprehensive approach to the audit.

Audit engagement checklist

An audit engagement checklist can clarify the audit elements, allowing the auditing team to undertake a holistic review, research, and execution of the audit. An engagement checklist can be as specific as required, based on the specificity of the audit; however, here is a basic framework to create an effective checklist. A useful tool to create the audit engagement checklist is Smartsheet, which allows multiple people to work on the same document without overriding work being done by others. Below is a list of items to consider for the checklist:

1. Prepare & Plan

“One of the most common causes of unsuccessful audits is inadequate planning,” says Wade Brylow, Internal Audit Director at Northrop Grumman. Engagement planning starts with creating a strategy for how to approach and execute the audit, and the engagement plan should include the following steps:

  • The audit objective is the foundation of planning and its clarity determines how to proceed with planning.
  • Next, set the parameters and scope of the audit. The number of parameters and the size of the scope are determined by the audit itself — consider more than just the traditional parameters.
  • An exhaustive list of constraints is identified, including the usual items of budget, time, and resources.
  • Conduct a risk assessment not only of the organization, but of the industry, if needed.
  • Finally, decide which methods or techniques to employ for the audit. The approaches are based on the audit objective, its parameters and constraints, and any compliance-related issues. This critical step can be key to having an effective and efficient audit.

2. Conduct fieldwork

Fieldwork is done based on the planning and includes gathering evidence, statistical and analytical analyses, and all information identified in the parameters. In this step, information is gathered and reviewed, and then audit testing is done to ensure the proper controls are selected.

In addition, at this point key staff members are interviewed and assessments of risk are determined. Obviously, given the restrictions on face-to-face access as a result of the global COVID-19 pandemic, the way audit evidence now is gathered has changed. Automated tools and techniques are required, including, for example, the use of cameras and drones to observe inventory counts. And the use of video conferencing services to conduct interviews is now a necessity.

3. Gather evidence

When planning to gather evidence, it is important that the practitioner maintains a focus on the engagement objectives. Traditionally, proper evidence gathering included physical observation and staff interviews; however, there were some acceptable exceptions, such as the use of telephone interviews if individuals were dispersed around the globe.

In fact, the American Institute of Certified Public Accountants (AICPA) recently issued its Statement on Standards Number 142, which included a list of automated tools and techniques. The Statement also highlighted innovative ways to gather evidence when working remotely.

4. Report findings & file supporting documents

After all the evidence is gathered and the fieldwork is completed, the final piece of the audit engagement checklist is, naturally, to report your findings and file any necessary supporting documents. Robotic process automation (RPA) and cloud-based software can aggregate all information and data, and allow for more thorough analysis and collaboration among team members. Further, these tools can make vast quantities of data more manageable with much greater accuracy. In addition, automation of this step removes the arduous manual tasks of copying and pasting between applications or cross-referencing data.

As Amy Pawlicki, VP in Assurance and Advisory Innovation at AICPA, said in a recent blog post: “Better access to more data, cloud storage, and technologies such as AI in particular bring tremendous potential to support deeper analytics and greater insights for the benefit… of audits”.

Today, auditors are finding ways to work differently. By using the technologies and automation tools that allow them to gather and analyze data, collaborate across teams, and present their findings clearly and more accurately, they are ensuring that these key aspects of remote work will continue.

Auditors bear many responsibilities to their clients, but they also have a duty to uphold the public trust. The negative actions of clients can sometimes rebound on auditors, damaging that reputation; preventing this means carefully vetting clients and their activities at every stage of an engagement. The authors share advice from several professionals on proper practices for client acceptance, continuance, and—when necessary—disengagement.

After issuing a clean audit opinion, no auditor wants to learn that the client has been accused of fraud. But that risk, as well as many others, is present when a CPA firm does not follow industry-recommended client acceptance and continuance practices.

In one recent case, defense attorney Thomas R. Manisero of Wilson Elser represented an accounting firm that performed an audit for an investment fund after merging with another firm. The service area was particularly high risk and outside the realm of services normally offered by the firm, but the merger produced an engagement partner with the requisite experience to lead the audit. Unfortunately, that partner became disabled during the audit and, rather than disengage from the client, the firm appointed another engagement partner who was not well versed in the type of audit in question.

“The engagement continued through a course of several difficult exchanges with the client, who himself was aggressive and abusive,” Manisero said. “Finally, succumbing to the pressure of the client to complete the audit, the firm issued a clean opinion. A short while later, the client was publicly exposed for having operated a fraud. The firm was further embarrassed when it discovered that a junior member of the audit team had received information that, if properly evaluated by knowledgeable, more senior audit team members, would have exposed the fraud. The experience had dire consequences for the firm.”

The lessons learned are simple, Manisero said: “Don’t take on work that you are not capable of doing, and if the scope of services evolves beyond your firm’s expertise, terminate the engagement.”

While this case involved acceptance of a new client, inadequate client continuance screening is frequently a factor in the defense of professional liability claims. This often occurs when an existing client asks an audit firm to render a service it has performed infrequently or not at all, or when circumstances affecting the engagement have changed significantly. Due diligence surrounding client acceptance and continuance is a central risk management issue for firms of all sizes, and depending on their size, firms may approach it differently.

The CPAs interviewed in this article stress the need to follow an industry-recommended checklist (see the sidebar, Applying Professional Standards) and trust their instincts regarding a client or an industry. Many accountants use the client evaluation acceptance tool available from the Private Companies Practice Section (PCPS) of the AICPA. Despite such advances in client-screening technology, however, CPAs still find value in face-to-face client contact. CPAs in industry also can provide valuable input about the acceptance and continuance of their customers, adopting many of the recommendations discussed in this article.

EisnerAmper Chief Risk Officer Peter Bible says his firm uses different screening processes for its attest and nonattest clients. “The real key is a good safety net,” he said. “You must have a way to catch one-offs, especially as you get large. We put a control in place in our finance department for new engagements. Before a client number is assigned, a checklist must be completed and answers provided.”

For attest clients, EisnerAmper runs background checks on key officers in the client company, searching for birth dates; criminal, civil, and regulatory proceedings; and tax liens to assess management integrity. The firm then considers whether it has experience providing services within the potential client’s industry. “We won’t touch the cannabis industry or cryptocurrencies,” said Bible, whose 30 years of experience include senior leadership in both public and private accounting. “We don’t like certain capital structures where liquidity can be withdrawn.”

Before EisnerAmper accepts an attest client, the client must be approved by Bible, the firm’s chief revenue officer, or a small group of senior audit partners. “All data must be presented to one of these people or all of us as a group,” he said. “At the end of the day, it’s my call. We do have a final decision maker—that’s me or our executive committee.” The process for nonattest clients is less rigorous. “When small tax clients present some concerns, we check the sources of their income—a big key,” Bible said.

Lisa Kirisits founded Kirisits & Associates 21 years ago; this Buffalo-based boutique practice specializes in tax preparation and planning services, as well as audits, reviews, and compilations for businesses and not-for-profit organizations. Before accepting audit clients, she researches information about their board members and obtains references for them. She also meets with them in person.

“Instinct plays a role,” said Kirisits, who also relies on the checklist for client engagement and continuance issued by Practitioners Publishing Company (PPC). “The checklists are in the binder, and the partner on the job makes sure it’s signed off.” Ethical behavior in client companies is set at the top, she says, and to remind herself of the importance of working with ethical companies, Kirisits keeps on her desk a framed Warren Buffett quotation: “It takes 20 years to build a relationship and five minutes to ruin it. If you think about that, you’ll do things differently.”

At Vasilakos & Vasilakos LLP in Brooklyn, all clients are approved by partners Peter and Basil Vasilakos. “Our process is more formalized than in the past,” said Peter Vasilakos, who cofounded the firm in 1999. “We now have five staff accountants and two interns during tax season. Today we use more checklists. We meet with every client to understand who they are and what services they are seeking.”

Sometimes, Vasilakos said, it’s difficult for a growing firm to step back and look for red flags. “We always ask for prior tax returns and financials. We raise the bar with document requests until we’re comfortable that a potential client is not doing anything wrong. If you raise the bar high enough and the potential client is not sincere in what they’re saying, they usually just go away.”

Years ago, Vasilakos’s firm made a commitment to learn the environmental and regulatory issues affecting the dry cleaning industry so that it could accept a dry cleaner client, which it still works with today. “After being in practice all these years, you get an instinct about which clients to accept and which to reject,” he said.

Ray Nowicki, founder and managing partner of Nowicki and Company LLP, a peer reviewer for over 30 years, and a member of both the AICPA and NYSSCPA peer review committees, advises that “everybody must cut their teeth on something when they start practicing, but they need to get up to speed on the new services or client industry.” To that end, Nowicki recommends “a boatload of continuing education in a live classroom with real instructors that you can interact with.”

When accepting a client from an unfamiliar industry, Nowicki recommends engaging someone to perform a quality control review. “Don’t send your audit to the client without having it reviewed by a CPA who knows the industry well. When I audited a 403(b) plan for the first time, I engaged a subject matter expert (SME) at the AICPA to review it. The $2,500 cost of the review was worth it because if I made any mistakes, I wanted them to be caught by the SME and not the Department of Labor.”

A quality control review is a mark of professionalism, he says. Those who choose to forgo such a review may “pay the price down the road, and it will be far worse.”

CPA firms that follow best practices for client acceptance sometimes fall short in their due diligence on client continuance, Manisero said. He strongly recommends periodically running and reading background checks on the client and its management, including criminal records, bankruptcy and litigation searches, and Dun and Bradstreet (D&B) reports.

“There are a host of affordable services that provide reports containing this information,” he said, noting that they are commonly used in connection with client acceptance procedures for new attest clients. “They should also be utilized as part of client continuation procedures for all attest clients, and in the acceptance and continuation of significant nonattest client engagements as well, such as tax engagements for high-net-worth individuals and business management or family office services for high-net-worth individuals or celebrities.”

Manisero believes it is a client continuance best practice to constantly evaluate how clients are performing financially. “Are there financial stresses? Have there been changes in the client’s personal or business circumstances that change the nature of the client? Staying in touch with and understanding the client, no matter what the nature of the engagement, is the best way to determine if there is elevated risk in continuing to service the client.”

EisnerAmper reviews every client with fees of $50,000 or more at least annually, Bible said. Among the issues it reviews are whether a client’s business has changed as the result of an acquisition, a new line of business, or a change in senior management. “We consider whether we’ve had difficulties with the client, such as accessing records and if they are treating our staff poorly. We look for anything that’s changed in their business models.”

Telephone and face-to-face client contact are “absolutely critical,” Bible said. If there is a history of concerning issues with a client, Bible or another senior member of the firm meets with the client to talk through the issues. “We pay attention to geography. If the company is doing substantial business in China or Indonesia, we won’t continue the engagement because I’m a big believer in knowing your client and their markets.”

Kirisits and Vasilakos are also strong believers in knowing the client. “It’s always important to talk to people and to read their body language,” Kirisits said. “The human connection is lost in e-mail. If you monitor and interact with your clients regularly, problems will present themselves to you. Sometimes you realize it’s not a good relationship anymore.”

No matter how careful one is, problems sometimes rear up and affect a firm’s bottom line. Vasilakos recalled a recent New York–based client that purchased a rehabilitation center in Florida. The CPA originally employed by the client disengaged abruptly, so Vasilakos’ firm prepared its return. Immediately afterward, the company went bankrupt without paying its fee. “In retrospect, we should have gotten a higher retainer,” he said. “We should have insisted on payment at that moment.”

Vasilakos said his firm ended a relationship with another client when its partners began fighting two years into the engagement. “One partner accused me of taking the other partner’s side and threatened me,” he said. “Although we didn’t take sides, sometimes people perceive that differently.”

When a client is unethical, slow to pay its bills, or has internal disagreements, the firm should disengage, Vasilakos said. “But when you’re trying to grow your practice and you want to help people, it’s hard to step back and look for red flags.”

Hubris can cause a professional to miss a red flag. “The root cause of many audit failures can be traced back to a partner asking, ‘How hard can it be?’” Nowicki said. The answer can be, “Harder than it looks,” especially if the firm lacks expertise with a new service. Nowicki believes small firms that have only one or two large clients sometimes fear a growing client needing more services will be stolen if they refer it to another firm for, say, an employee benefit plan audit. He recommends introducing the other firm to the client in exchange for a noncompete agreement.

Sarah Ference, a CPA and risk control director for CNA, the insurance underwriter for the AICPA Professional Liability Insurance Program, stated that from a professional liability perspective, some services present elevated risk. “For clients in the cannabis or other heavily regulated industries, assessment of the client’s knowledge of and compliance with applicable laws and regulations is paramount,” she said.

While the risks associated with rendering audit services are widely understood, the experts say risk factors that can arise in other types of services must also be evaluated. These include the following:

  • The client is in an industry where small changes in commodity prices or currency values quickly affect sales or operational costs.
  • The client is in an industry experiencing business turnover and consolidation due to rapid technological changes.
  • The client has requested a service in connection with a planned or proposed business transaction.
  • The client has requested a service associated with raising capital.

Nonaudit services that may be requested when these risk factors are present include the following:

  • Agreed-upon procedures
  • Buy/sell consulting services
  • Financial forecasts and projections
  • Tax projections
  • Valuation and calculation engagements

When these risk factors are identified, one must determine whether additional engagement acceptance and continuance screening is warranted. Consider additional screening for conflicts of interest and independence. Quality control and billing practices also warrant additional oversight.

Professional standards exist to help firms navigate the client acceptance and continuance process. The AICPA (Professional Standards, QC Section 10, and AU-C Section 220), the PCAOB (Interim Quality Control Standards, QC Section 20), the U.S. Government Accountability Office (Government Auditing Standards, Chapter 5, section 5.12), and the International Auditing and Assurance Standards Board (Quality Control for an Audit of Financial Statements, ISA 220) have all published standards for client acceptance and continuance.

While professional standards address client acceptance and continuance for audit and attest services, this is equally important in other areas of practice. Historically, more than 50% of all professional liability claims in the AICPA Professional Liability Insurance Program have originated from tax engagements. Consider establishing a committee to provide oversight for client acceptance and continuance in all areas of practice. A committee can help provide an unbiased evaluation, providing the perspectives of experienced managers and partners.

The AICPA Statements on Quality Control Standards (SQCS) apply to all CPA firms with respect to engagements in their accounting and auditing practices. They require CPA firms to establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, and specifically to develop relevant policies and procedures on continuing an engagement and the client relationship when firms obtain information that would have caused them to decline the engagement earlier (QC section 10.30, “A Firm’s System of Quality Control,” AICPA Professional Standards).

Additionally, AU-C section 220 of the Statements on Auditing Standards (SAS) details the responsibilities of the engagement partner regarding acceptance and continuance of client relationships and audit engagements.

Ference said client acceptance and continuance procedures may vary based upon firm size and area of practice, but she generally recommends the following:

  • Understanding the client and its business, including—
    • management experience, financial knowledge and credentials;
    • changes in ownership, management, and those charged with governance;
    • management’s attitude towards internal controls;
    • whether management accepts and understands its responsibilities;
    • the client’s understanding of the services provided by the CPA firm, including the limitations of such services; and
    • any management and ownership disputes.
  • Assessing the client’s integrity through—
    • an Internet search regarding client owner/key members of management or those charged with governance;
    • background check procedures on client owner/key members of management or those charged with governance;
    • inquiries of the predecessor CPA firm, the client’s other professional service providers, and the referral source, if applicable;
    • evaluation of why the client is seeking a change in service provider;
    • understanding the client’s litigation history against its advisors; and
    • evaluation of the client’s reputation in the community.
  • Assessing the client’s financial stability, including the ability or desire to pay, by—
    • reading the client’s financial statements;
    • researching the client’s credit history; and
    • determining whether the client owes money to a predecessor CPA firm or other service provider.

To formulate protocols for client acceptance, experts advise firms to—

  • define the firm’s “ideal client” by industry, size, geographic location, and desired services to objectively assess fit;
  • develop criteria and procedures for accepting a client;
  • create and mandate use of client acceptance forms; and
  • require engagement letters approved by management and signed by the client.

To formulate protocols for client continuance, experts advise firms to—

  • perform evaluations at least annually,
  • develop criteria and procedures for continuing a client and undertaking an engagement to perform the requested service,
  • consider the client’s reasonableness in the application of relevant accounting standards and in determining required reserves,
  • develop criteria to determine when to rehabilitate versus terminate a client relationship, and
  • establish client termination procedures.

By establishing strict criteria, policies, and procedures for client and engagement acceptance and continuance, firms ensure their compliance with professional standards and mitigate the risks of—

  • accepting engagements the firm is not qualified to perform,
  • rendering services to clients who lack integrity,
  • experiencing billing and collection problems, and
  • experiencing professional liability claims and lawsuits.

Vincent J. Love, principal of VJL Consulting, serves as an expert witness in professional liability claims made against accounting firms, and is a former member of both the AICPA Council and the NYSSCPA board of directors. Pursuing lucrative clients without performing proper due diligence is a common mistake Love sees on claim postmortems. “Ineffective or nonexistent client acceptance procedures are often an underlying cause of many lawsuits against CPAs, either directly or indirectly,” he said. “It is an important process, since the client’s character is a significant ingredient in its ethical business behavior. Client management is responsible for the financial statements, amounts contained therein, and disclosure in the notes thereto. Management also makes representations to a CPA that are critical in performing attestation engagements. The acceptance procedures should include background checks on the senior management and on the entity itself.”

Love further noted that the procedures should include an in-depth analysis of independence issues, including relationships with the company and its officers outside of the business environment. In performing due diligence, Love advises a basic Internet search, noting that certain industries are inherently risky.

Obvious signs of a high-risk client or engagement are often overlooked or ignored, Manisero said. He cautions firms regarding potential clients that—

  • have a history of changing accountants frequently and complain about the services they received from the predecessor accountants;
  • are in unfamiliar businesses or industries;
  • are difficult to onboard, either because they argue about the terms of the engagement letter or make it difficult for the accountants to get access to the records or information they need to plan or perform the engagement; or
  • are in highly regulated businesses, such as public companies, broker/dealers, or insurers.

“I remind my clients that they are not public buses that are required to give a ride to every passenger who can pay the fare—they have the right, and indeed the responsibility, to refuse clients who make them uncomfortable for whatever reason,” Manisero said. “It is easier to say ‘no’ to a potential client before signing an engagement letter than it is to disengage once the engagement letter has been signed. Indeed, I strongly advise accountants not to start work on an engagement until an engagement letter is in place.”

CPA firms also need to develop criteria to determine when to rehabilitate and when to terminate an existing client. A firm may decide to terminate a client relationship for any number of reasons:

  • The firm becomes uncomfortable with new management and finds they have differences of opinion.
  • The nature of the client’s business changes, and the firm no longer believes it has the expertise to perform the services needed.
  • The client experiences recurring financial problems and becomes slow to pay.
  • The client has difficult interactions with firm staff.
  • The firm suspects the client is dishonest or withholding information relevant to the services performed.

When disengaging from a client, Love says firms should do everything possible to ensure the client has time to get another CPA. He also recommends getting legal advice and informing the firm’s insurance carrier of the issue. “Realize that the loss of a receivable can be a better result than litigation,” he warned. “CPAs know they need to follow client acceptance and continuance procedures, but they often breeze through the process because they think it’s more important to secure the client. Undertaking an engagement is not just about the standards, but about using your head.

“All the state societies, including New York, have information on client acceptance and continuance procedures. Sometimes the problem isn’t knowing what to do but economics. Many CPAs overlook client acceptance and continuance procedures to take on or continue with a lucrative engagement. But ask yourself: Are you willing to risk a $200,000 claim in exchange for a $20,000 engagement?”

From a timing standpoint, once problems have been identified, withdrawing from a client engagement should be considered sooner rather than later. New York law permits a plaintiff to allege both tort and breach of contract claims when pursuing claims against professional service firms for alleged errors in the performance of those services. Manisero provided some perspective: “If at any time during an engagement the CPA becomes uncomfortable for whatever reason with continuing the engagement, the CPA should consider disengagement, but it should be done in a way that puts the client in the least amount of potential jeopardy.

“Disengaging a tax client on the day before the tax returns are due is typically not wise, nor is disengaging from a public company audit client the day before the 10-K is due. There may be instances where this needs to be done, but usually the grounds upon which the accountant is going to decide to disengage are or should be known well in advance of the filing deadline.

“When a decision is made to disengage, there should be a clear and unambiguous declaration to the client (in a disengagement letter) that the engagement is over; it is not sufficient to tell the client that ‘unless X or Y happens, we will disengage.’”

Although it may seem counterintuitive, Ference recommends that firms avoid specifying the reasons for ending the engagement in the termination letter. “The reason is usually obvious, and antagonizing the client by explaining why you no longer wish to perform professional services does more harm than good. The termination letter should list any items for client followup and the corresponding deadlines for such. You do not want the client to miss an important deadline and blame you for not advising them. This letter should be sent via a traceable delivery method that provides the CPA with evidence of the client’s receipt of the termination letter.”

Ference also noted that CPAs who postpone termination in the hope of collecting an outstanding large receivable typically wind up with a larger receivable balance. Her recommendation is to “cut the cord and minimize any write-off.”

Regardless of the amount due, Ference strongly discourages taking any collection action because it typically results in a counterclaim for negligence. “Even if you believe such a claim is frivolous,” she said, “you will probably spend more time and money responding to a counterclaim than you would have collected in the first place.”

When merging with or acquiring another practice, CPA firms should undertake the same client acceptance and continuance process that they use themselves. Evaluate whether the target firm’s clients and engagements are compatible with the firm’s risk appetite. If not, consider walking away from the transaction or be prepared to identify and terminate incompatible client relationships. If newly inherited staff from the target firm can competently continue to perform client services that the existing staff is not qualified to perform, don’t disengage. Implement staff training to ensure there is adequate quality control to supervise these services. In addition, ensure that any new staff, services, and clients are fully integrated into the firm’s culture and adhere to the existing quality control framework to ensure that the merger or acquisition remains a good fit.

When screening potential clients, CPA firms must consider the integrity of the client and whether firm staff is qualified to provide services in that niche, which could be highly specialized or regulated. For continuing clients, particularly long-term clients, the firm must re-evaluate the nature of the client relationship and the risks inherent in the same. As the client’s business changes over time, so do the risks of servicing the client.

CPAs should continually engage with clients, listening carefully to what is said and what might have been omitted from the discussion. They should probe for clarification and be on the alert for hidden assumptions. Firms always must balance the wants and needs of clients against compliance with professional standards.

Finally, CPAs should listen to their instincts. “While ineffective client acceptance or continuance may not, in and of itself, result in a professional liability claim,” Ference said, “CPA firms often indicate knowing that ‘something just didn’t feel right’ about a particular client or engagement that later became the source of a claim.”

There is a wealth of information available through both the AICPA and state CPA societies that can assist firms in developing client acceptance and continuance checklists and tools that can be customized for the firm, service, industry, and individual clients.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance, or legal advice. Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.