Aprio Risk Monitor Version 2017-01

August 4, 2017

Risk issues that impact Aprio and its employees

Welcome to the inaugural edition of the The Aprio Risk Monitor. Going forward, The Risk Monitor, which will be an internal and limited distribution newsletter, will be published several times throughout the year to help keep everyone informed about a variety of risk management issues that impact the firm and each of us individually.

Engagement Letters – One of a CPA Firm’s Most Important Risk Management Tools

Imagine this. It’s the middle of the day and, as usual, you have work to do, and deadlines to meet. Suddenly, you hear your name being paged to come to the reception area.

You have no idea who could be coming to see you today. A local sheriff greets you with a handshake and hands you a document. It’s a lawsuit. You’ve been served. A thousand thoughts are rushing through your mind. Do I have your attention yet?

If we roll back the clock to the point in time when we first began to work on the project in question, we need to ask ourselves: is there anything we could have done differently to better protect ourselves against this type of unfortunate incident?

More and more professionals are focusing on the engagement letters they use as a first line of defense and a significant asset within their risk management arsenal.


Accounting firms are opting for alternatives to civil litigation such as mediation or arbitration, and many are also attempting to limit their damage exposure through limitation-of-liability clauses in engagement letters. But is ADR really a better alternative than civil litigation and are clauses limiting our firm’s liability even enforceable? There are two primary ADR methods: mediation and arbitration. Parties may agree to settle disputes through mediation or arbitration by including a clause in an engagement letter or agree to ADR after a dispute arises.


In mediation, the parties to a dispute agree to meet with an independent, impartial, mutually-selected facilitator who works with them to reach a resolution. The process is nonbinding and confidential. Mediation offers several benefits. The exchange of information between the parties is simple, typically consisting of an exchange of position papers. The mediator’s role is to help each side understand the other side’s point of view and provide a neutral “voice of reason.” It can cost significantly less than litigation or even arbitration, and an agreement can be reached relatively quickly. Some professional liability insurance carriers offer an incentive for settling disputes via mediation.

Mediation, however, has its drawbacks. If the parties begin mediation too soon or are unprepared, or the case is not yet developed, resolution is unlikely. In addition, because mediation is informal, the parties and their attorneys confront one another directly regarding the strengths and weaknesses of their respective positions. Sometimes, this interaction can cause the parties to become further entrenched, making resolution more difficult. Finally, less effective or less experienced mediators may not fully evaluate the merits of the dispute or may create a rift between a defendant and its insurance carrier to leverage a larger settlement offer.


In arbitration, the dispute is referred to arbitrators who hear evidence from the parties and render an award. The award is binding and typically cannot be appealed. Arbitration is more formal than mediation. The parties have more input in the selection of arbitrators than they would in judicial and/or jury selection in a civil court system. Arbitration permits focused discovery and more efficient methods of exchanging information. This streamlined discovery approach will significantly contain defense costs. However, our engagement letter authorizes the arbitrator to control the amount of discovery to be conducted and may allow significant discovery to proceed in complex cases. If the arbitrators are busy, it can take months to conclude a case. Moreover, inexperienced arbitrators may be reluctant to make decisions, leading to delay and confusion.

For these, and other reasons we have decided to name JAMS as the designated arbitrators in our engagement letters. The current slate of JAMS arbitrators located in Georgia is excellent and extremely qualified to hear CPA firm cases. Specifically, the JAMS arbitrators are experienced and impartial arbitrators/mediators who have a high degree of sophistication and knowledge regarding technical financial and accounting issues germane to the type of disputes in which we are most likely to find ourselves involved.

It is important to understand that mandatory arbitration clauses in contracts do not apply to third parties. A CPA involved in arbitration with a client may also be sued in civil court by a third party, such as a lender that alleges it relied on the CPA’s work. This is why it is important to understand the concepts surrounding privity and to know how and when to interact with third parties to our clients. Finally, one of the more significant drawbacks to arbitration is that there is generally no process for appealing an unfair award.


To further minimize exposure, many CPA firms include a limitation-of-liability clause in their engagement letters. These clauses limit professional liability exposure to a mutually agreed-upon amount or reduce damages to a reimbursement of the fees or multiple of fees paid to the CPA firm by the client for the disputed services. Either way, the benefits of such a clause are obvious. But are such clauses enforceable? A bedrock principle of contract law is that parties should be free to contract as they see fit and courts should enforce an agreement as written and agreed to by the parties. In general, if an agreement is unambiguous and not open to judicial construction, it will be enforced as written. Following this concept, courts in a variety of settings have upheld the validity of limitation-of-liability clauses for a party’s negligence.

However, limitation-of-liability clauses may be deemed unconscionable when they are contrary to “public policy.” Public policy can be defined as the policy adopted by the public through various legal processes, and as reflected in state and federal constitutions, statutes and the common law. To determine whether a limitation-of-liability clause is contrary to public policy, courts look to whether the parties were of equal bargaining power and whether the clause was clear and not otherwise buried within the terms of the agreement. Some courts go further and hold that since CPAs are regulated by the states and offer services to the public, it is against the public interest to enforce clauses limiting their liability. The enforceability of such clauses is often a question of equity and public policy, subject to the dictates of the controlling legal jurisdiction.

We have consulted with our attorney and our professional liability carrier to ensure there is no public policy exception that would preclude the clause’s enforceability in Georgia and Alabama. Our legal counsel indicated that an important enforceability factor is the ability to show that such clauses were negotiated between two parties with relatively equal bargaining power, that the clauses were clearly set forth in the engagement letter and that both parties to the agreement understood and consented to the clauses. Since we have included a limitation-of-liability clause in our engagement letter, we should take certain steps to ensure that the language is clear, the parties understand and agree to the provision, and the engagement letter is signed. Where possible, engage the client in a frank, upfront discussion about the concept of equitable risk allocation, and document it in our client file. You may point out to the client that without these ADR, indemnification and liability limitation clauses, their fees would be higher to compensate for our elevated risk. If our client has significant problems with the terms of our engagement letter, we should consider providing our client with the option of higher fees; such an option may serve as evidence that the clauses were negotiated and not forced upon the client.


Alternative dispute resolution

In general, alternative dispute resolution (ADR) techniques to resolve a dispute with an attest client do not threaten independence if they are designed to facilitate negotiation and do not place the CPA firm and attest client in positions of material adverse interest. However, if ADR is sufficiently similar to litigation, such as binding arbitration, an adverse interest threat to independence may exist. Refer to AICPA Code of Professional Conduct, Section 1.228.030, Alternative Dispute Resolution, and Section 1.290.010, Actual or Threatened Litigation, for more information.

Limitation of liability

For certain audit and attest clients, the use of limitation of-liability provisions in engagement letters is prohibited. Example clients include those regulated by the SEC, state insurance commissions, and federal banking and other regulators. Refer to AICPA Code of Professional Conduct, Section 1.400.060, Indemnification and Limitation of Liability Provisions, for more information.


Indemnification clauses typically provide that a client will indemnify or hold our firm harmless in the event the firm sustains a loss resulting from claims arising from our work. Indemnification clauses are typically intended to limit liability when client management knowingly makes misrepresentations to us, causes or participates in fraud, conceals information from us or otherwise misleads us.

The indemnification clauses provide valuable protection to us and not only serve as a deterrent against a client considering a potential claim against us, but also can be used to require the client to indemnify us for attorney fees and costs, as well as the costs of any judgments or awards arising from claims made against us by third parties.

Except when prohibited by applicable law, regulation or ethics rules, we intend to utilize indemnification clauses in all of our engagement letters. The SEC, federal banking and other regulators and many state insurance departments prohibit indemnification or limitation of liability arrangements between the regulated entities and CPA firms performing audit or other attest services. According to AICPA Ethics Interpretation 501-8, use of indemnification and liability limitation clauses disregarding the rules and requirements of regulators would be considered an ethics violation.

As a result, when considering the use of indemnification and liability limitation clauses in our audit or other attest engagement letter, if the client is in a regulated industry, check for regulatory rules prohibiting the use of these clauses. AICPA ethics rules also apply. With respect to indemnification and limitation of liability clauses, an AICPA Ethics Ruling indicates that clauses which limit liability resulting from knowing misrepresentations by client management do not impair independence. Accordingly, if indemnification clauses are limited in this manner and are not prohibited by regulation, they are permissible in engagement letters for attest services.

For non-attest services, there are typically no restrictions on the use of indemnification and liability limitation clauses in our engagement letters. The terms in those clauses are subject to negotiation between us and our client. While we prefer the use of such clauses, we will, at times, face resistance from our clients. So, it’s necessary to explain the rationale for using those clauses to clients. For example, in an engagement to prepare a compilation report for management use only, we can explain that because our work product is intended solely for their use, we should not be responsible for claims arising from use of the report by others.

States, like Georgia, have adopted a strict privity standard that prohibits third-party lawsuits against a CPA firm unless there is evidence to show that the firm was aware that its work product would be provided to that third party. In our non-attest engagement letter, we should consider restricting the use and distribution of our work product and include an indemnification clause applicable to claims made by third parties. If the client gives our work product to a third party without our consent and the third party later files a claim against us, we will have afforded ourselves a valuable defense. In addition, the client will be required to indemnify us in connection with any expenses and costs associated with the claim.

Can We Indemnify Our Client?

Can we indemnify or defend our client for damages, losses or costs incurred by the client relating to our services, if requested?

First, and most importantly: under AICPA Ethics Ruling 102, Indemnification of a Client, indemnifying the client for damages, losses or costs arising from lawsuits, claims or settlements that relate, directly or indirectly, to client acts impairs independence.

Additionally, when a client requests such provision in connection with non-attest engagements, you must consult with the firm’s Chief Risk Officer prior to entering into the agreement, as our professional liability insurance policy excludes coverage for liabilities assumed when entering into a professional services agreement. Additionally, we should always consult our attorney prior to entering into any agreement to indemnify, defend or hold harmless another party in connection with any of our professional services.

Now let me provide a little background and insight into indemnifications.

Client requests for defense and indemnity by a CPA firm are on the rise. Defense and indemnification provisions are commonly requested by governmental entities, construction contractors or entities that use a procurement or purchasing group to manage their bidding and contracting process. These entities may require certain clauses in all contracts with vendors, regardless of the product or service provided.

A typical engagement letter provision requested by the client may read as follows:

CPA Firm shall indemnify, defend, and hold harmless Client, its officers, directors, members, employees, and agents from and against any and all claims, demands, suits, costs, liabilities, losses, and expenses (including attorneys’ fees) arising out of or in connection with (i) the Services provided hereunder; (ii) any negligent or intentional acts or omissions of CPA Firm or any of its officers, directors, employees, or agents; (iii) the inaccuracy or breach of any of the covenants, representations, obligations, and warranties made in this Agreement; and (iv) any action by a third party against Client or its affiliates or representatives relating to the Services, supporting data, or materials.

In plain English, this provision obligates us to pay our client’s costs to defend a claim made by third parties against the client that resulted from our negligence; fund any settlement, judgment or award entered against us for a claim resulting from our negligence; and fund any settlement, judgment or award incurred by the client for a claim made by a third party from our negligence.

Clients include defense and indemnification provisions in engagement letters in an attempt to insulate themselves from exposure and shift responsibility to the CPA firm. More egregious provisions even include requests to reimburse the client’s costs upon notification and without evaluation of the firm’s liability. When enforced, these provisions may lead to significant costs to our firm that may not be covered by our professional liability insurance.

Most accountants’ professional liability policies generally exclude insurance coverage for claims arising out of liability assumed under a contract unless that liability would have been present regardless of the existence of the contract. For example, absent a contractual agreement to do so, a CPA firm is generally not liable to reimburse a client for its legal costs or amounts paid by the client to settle claims made against the client by a third party. In addition, many states have anti-indemnification statutes, some of which may prohibit the inclusion of additional insured provisions in contracts. The law that applies varies depending on which Aprio office is involved or where the client is located and where the services are rendered.

However, there are alternatives when responding to the client’s request. We need to educate our clients and advise them that the proposed clauses may jeopardize our insurance coverage. Further, the client’s damages resulting from our negligence in providing professional services is covered by our professional liability policy anyway. Advise the client to consult with an attorney on how applicable state law may affect the defense and indemnification agreements. If statutes prohibit the inclusion of indemnification provisions in engagement letters, explain why these clauses would be unenforceable. Finally, appeal to the client’s sense of fairness and explain that it is simply not reasonable for a CPA firm to indiscriminately be held liable for legal obligations to defend third-party claims made against the client.

Many clients use defense and indemnification clauses in an attempt to control their own litigation costs and ensure their ability to recoup damages. We need to highlight that we’re already utilizing alternative dispute resolution provisions to accomplish the same goals.

As another alternative, we can suggest that we include a provision in the engagement letter that requires the firm to maintain professional liability insurance for the duration of the engagement and a specified period thereafter. The clause could reference the applicable professional liability policy, terms and limits, and required carrier rating. We’d even be willing to attach a certificate of insurance from the carrier so the client may verify that the policy remains in force.

If the above approaches are not successful and the client refuses to remove or modify the request for defense and indemnification, we will not accept unlimited liability. A client’s unwillingness to understand our position or work with you to find common ground during the proposal or engagement letter process does not foreshadow cooperation during the engagement.

What about Mutual Indemnification?

We seek indemnification from our clients for any claims made against the firm that arise from management’s misrepresentation or intentional withholding of information. If the client balks and does not wish to indemnify the firm without being indemnified itself (commonly called mutual indemnification), further education for the client is required. We will need to explain to the client that the risks and obligations of the firm and client are not the same, and therefore, mutual indemnification should not be expected. Indemnification provisions are closely tied to a party’s representations or warranties. For most of our services, we rely on our client’s representations or warranties. The firm should not expect to be liable to a client or to a third party in the event the representations or warranties are false. Moreover, we do not operate our client’s business. If a dispute arises with a third party as a result of our client’s products, services, operations, acts or omissions, we have no authority over and should not be held responsible to the third party for our client’s acts.


Most accountants know the importance of reaching an understanding with clients regarding professional services to be performed prior to the start of the engagement. Engagement letters are issued routinely and are strongly encouraged by professional standards when rendering certain types of professional services. Those letters can be critical to the defense of accountants who are sued for malpractice, especially when they define the scope of services and the time period of the engagement.

Clients sometimes attempt to assert accounting malpractice claims several years after the service they allegedly relied upon was rendered. In many cases, these claims would be time-barred based upon applicable state statutes of limitations. A successful statute of limitations defense may be dependent upon producing evidence that an engagement started or ended on a specific date. An engagement letter that defines the scope of services and the time period of the engagement and has been signed by both the client and the accounting firm can serve as such evidence.

In the interest of saving time, some CPA firms issue engagement letters that indicate services will continue until either party terminates the professional relationship. These types of engagement letters, often referred to as self-renewing or evergreen letters, do not indicate that the service concludes upon delivery of the accountant’s work product or advice, or at the end of a specified time period. As a result, in the event of a claim, evergreen letters have the potential to jeopardize a successful statute of limitations defense.

The statute of limitations establishes a time limit for the institution of legal proceedings, including those against professionals. The statute of limitations for accounting malpractice actions varies among the states, as most states did not adopt the Uniform Accountancy Act, which would provide a uniform statute of limitations. For example, in Georgia, the statute is four years, while it is only three years in Alabama.

The determination of when the statute of limitations is triggered can be complicated. The statute may begin to run upon the discovery of an error or when the plaintiff has incurred damage. Some states have enacted limitations provisions called statutes of repose that bar actions after a specified time period — for example, four years from the date of the act or omission, regardless of discovery. In Georgia, the statute language is very clear and generally favorable to an accounting firm. Alabama, on the other hand, has far less favorable rules as it relates to the tolling of the statute. Some jurisdictions provide for a tolling, or interruption, of the running of the time period if there is continuous representation of the client by the accountant. One rationale given is that it may be difficult to discover the error or damage while the professional is still representing the client. A defense based on the statute of limitations can be asserted in response to any type of professional malpractice allegation.

However, the defense may be weakened if a firm uses an evergreen or multi-year engagement letter. We have gone a step further and have written a contractual term into our engagement letters, whereby the statute has been reduced to one year. Obviously, where clients are willing to agree to this contractual term as opposed to the state-provided term, we will have greatly reduced our exposure to unwanted claims.

Continuous Representation

The continuous representation doctrine grew out of the doctrine established in medical malpractice cases termed “continuous treatment.” As defined in the medical malpractice arena, continuous treatment occurs when the patient continues to be treated by the same doctor or hospital for the condition that gives rise to the claim. In this instance, the statute of limitations is “tolled,” or suspended, until the treatment is concluded. One rationale behind this doctrine is that it relieves the patient of the burden of pursuing a timely claim within the statute of limitations while the patient is still receiving treatment from the health care provider.

Courts in some jurisdictions have recently begun to apply the continuous treatment doctrine to other types of professional malpractice cases, including accounting malpractice. Courts have ruled differently on its applicability based on the facts and circumstances of each case. However, one of the consistent factors considered by the courts is the use of annual signed engagement letters.

Consider the following case. In 2006, Apple filed a malpractice claim against PwC in New York related to the 2000 through 2004 audits and the preparation of the 2000 through 2003 tax returns. PwC filed a motion to dismiss the claims related to the 2000 through 2002 audit and tax work based on a statute of limitations defense. PwC had obtained signed engagement letters for each of the annual audits, which stated that any additional services would be covered by a separate engagement letter.

The court ruled that the claims related to the 2000 through 2002 audits were time-barred under the statute of limitations. However, the engagement letters did not discuss tax services. Instead, PwC provided annual written fee estimates to Apple, which referenced “additional consultations regarding tax planning ideas,” and billed the service separately throughout the year. Based on this fact, the court was unable to determine if each year’s tax return preparation was a separate and “discrete” or distinct service, independent of services provided in previous engagements. As a result, the court did not dismiss the claims related to the tax work.

This case illustrates the importance of obtaining annual signed engagement letters that clearly define the scope and time period of each engagement in supporting a successful statute of limitations defense. Additionally, our engagement letters should clearly state that the engagement will conclude upon delivery of the work product for the subject year (e.g., upon delivery of the auditor’s report on that year’s financial statements).

Another challenge presents itself when requests for new services grow out of existing services. When a client requests an additional service, we should issue an addendum describing the additional service, noting it will be governed by the terms and conditions of our original engagement letter. If the additional services are significant, we should obtain a new signed engagement letter covering those additional services.


Here are some random comments heard from our clients recently:

  • “The engagement letter is 14 pages long—it grows a page every year!”
  • “You expect me to read through all of this?”
  • “The tax engagement letter has different terms than the assurance letter.”
  • “Do you guys talk to each other?”

An engagement letter, even the most detailed and in-depth, is only as effective as the understanding it creates with our clients. If our clients do not understand the provisions of our engagement letters, we will likely limit the effectiveness of one of our most important professional liability defense tools. Yes, our engagement letter should be comprehensive, but our smaller, less sophisticated clients will no doubt argue it is impossible to read or understand our letters—an argument juries are often sympathetic to.

Since the terms of our typical tax services engagement letter differ from those for an attest service, several engagement letters should be issued for a single client. When a firm has several engagement letters for the same client with differing “boilerplate” terms, the client may suggest that there was really no meeting of the minds on the terms of service since the terms were inconsistent or incongruous across the multiple letters. Alternatively, the client may assert that the terms most advantageous for them apply to all engagements. When drafting documents, it is important to consider that inconsistencies and ambiguities may be construed against the drafter. Although some may suggest that the engagement letter is jointly drafted by the client and the CPA, courts may be inclined to interpret ambiguities and inconsistencies between two engagement letters for a single client against the CPA firm. Even if not argued in court, conflicting terms can lead to disagreements and confusion for our clients. In the event of a dispute, different engagement letter provisions make reaching a resolution challenging.

There is a remedy for this problem, and we have instituted it. We recently adopted a set of standard, firm-wide terms and conditions that will be updated periodically and are to be attached as an addendum to every engagement letter issued by the firm. Standard terms and conditions apply to all engagements and give us and our clients the benefit of a single understanding addressing the key contractual elements of our relationship. Now that we’ve employed this terms-and-conditions strategy, our respective client service groups/niches can focus their attention on the critical task of determining and agreeing engagement specifics with our clients, including the scope of services, deliverables, timing, fees, professional standards and client responsibilities.

The lack of a clear understanding of the scope of services to be provided to a client represents a leading issue in disputes between clients and their CPAs. Therefore, focusing our efforts on these elements generally helps to reduce the risk of a future disagreement. Before the engagement letter is finalized, the engagement team can add any special terms and attach our Terms and Conditions Addendum to the document to be signed by the client. Some of the provisions that are now included within our standard Terms and Conditions Addendum include:

  • Management’s responsibilities. This section details management’s role in making decisions, maintaining records, safeguarding assets, reviewing deliverables and disclosing client information to us. Management responsibilities specific to the services provided should be addressed in the actual engagement letter.
  • Responsible person/client contact. We’ve asked our clients to identify the party with whom our firm should communicate and rely on for elections, representations and changes in the engagement scope.
  • Payment terms. Because payment is so critical, we’ve decided to include the discussion of payment terms not only in the engagement letter, but also in the Terms and Conditions Addendum. Timeliness of payment and the consequences of late payments or a failure to pay are among the payment terms included. Inconsistent engagement letter provisions provide clients the opportunity to suggest that the firm did not follow its own policies on collecting invoices or the consequences of failing to pay.
  • Subpoenas. The terms included will help us to reach an understanding with our clients about how we will respond to subpoenas and clearly lay out both parties’ obligations and rights in the event a subpoena is received.
  • Third-party service providers. When any of our subcontractors receive or retain client data, we are required to disclose this protocol to the client under ET Sections 1.150.040, 1.300.040, and 1.700.040 of the AICPA Code of Professional Conduct. Our Terms and Conditions Addendum is an efficient means of fulfilling this mandate.
  • Document retention and ownership. Our Terms and Conditions Addendum explains that client records will be returned at the conclusion of the engagement and that the working papers we created are our property. We also disclose and make clear our document retention policy.
  • Dispute resolution. Our Terms and Conditions Addendum clearly states our agreement in advance with our client on alternative dispute resolution (ADR) and the jurisdiction, venue and forum for engaging in ADR.
  • Termination and withdrawal. The Terms and Conditions Addendum clearly defines the circumstances for when we, as a CPA firm, may withdraw from an engagement without completing services. The Addendum also addresses the fact that we are entitled to collect for any unpaid services and will not be liable for rebates of previously paid fees even if we are unable to finalize our work product.
  • Limitation of liability and indemnification of the firm. Where permissible, these clauses help limit the firm’s exposure if a claim arises. If the engagement is of a type whereby the firm would be precluded from including these clauses, which would impair the independence of the firm, we have made provision for the Addendum to be customized to strike or modify these terms.

The client should acknowledge that the Terms and Conditions Addendum has been received, read, and accepted in a separate acknowledgement, through checking a box on the engagement letter signature block indicating acceptance or by signature on the original Terms and Conditions Addendum.

Questions? Contact Kurt Huntzinger, chief risk officer, at kurt.huntzinger@aprio.com.

Stay informed with Aprio.

Get industry news and leading insights delivered straight to your inbox.

Stay informed with Aprio. Subscribe now.