Your client’s bank calls you to ask you to verify the client’s self-employment income or authenticate that the client is turning a profit. What is the harm, right? There is pressure to respond as a matter of providing good client service, and to just be generally helpful to someone that is looking for a piece of information. Unfortunately, even a verbal response or attempt to provide a written “non-answer” for any request by a third party for verification or comfort can put your CPA practice at risk. Whether it is for breaching client confidentiality, inappropriately providing assurance on a matter of solvency, or other reason.
There are certain allowable statements of fact that a CPA may properly make, without adding a lot of practice risk. However, in order to properly be able to defend against possible professional liability claims, a CPA may not be able to respond to the third party’s specific request as originally presented. Instead, the CPA may need to suggest that the client or third party engage the CPA in an alternative attest or nonattest service that would both meet the needs of the requesting parties, but also help the CPA manage practice risk.
For example, a CPA can’t sign a letter or provide verbal representations addressing the long-term effect on the client’s business of withdrawing money for a specific business purpose. However, a CPA can compile or examine forecasted financial statements reflecting the expected effect that a withdrawal may have on a business given certain assumptions (where the reasonableness and suitability for an intended purpose are the responsibility of another party) under the SSAEs.
In another example, a CPA can’t verify that a client is not insolvent at the time debt is incurred (or whether would become insolvent by taking on debt). However, a CPA may prepare, compile or review a fair value balance sheet as a special purpose framework in accordance with SSARS 21.
The downloadable and customizable practice aids in The Essential Third Party Verification Toolkit helps CPAs make more informed decisions about how to respond to outside requests for verification or other form of comfort.