How to respond when fraud is suspected

When faced with the suspicion that their client may have been the victim of fraud, CPAs often want to, and do, come to the rescue. But in their eagerness to help, they may be bypassing key steps, which could result in evidence spoliation and waste valuable time. Moreover, CPAs who act hastily might be placing themselves in the line of fire. All too often, attorneys representing parties impacted by fraud successfully allege that the CPA’s hurried response violated professional standards as well as the profession’s independence and objectivity rules.   

If we use the general standards set forth in ET Section 201 of the AICPA’s Professional Code of Conduct as a starting point in determining how best to approach fraud, CPAs should first ensure that they have the professional competence to respond to the alleged fraud, can exercise due professional care, can adequately plan or supervise the response, and can obtain sufficient relevant data to support statements made regarding the alleged fraud.

In assessing whether or not they meet these criteria and are equipped to take on such an assignment, it may help CPAs to answer the following questions:

  • Will I impair my independence?
  • Am I “conflicted out”?
  • Do I have the requisite competence?
  • Do I have the necessary experience/qualifications?
  • Will I be digging my own grave?

Ensuring independence and objectivity
To avoid repercussions, it’s important that CPAs take care to reduce the likelihood that stakeholders will perceive their investigation as not being independent, objective or competently performed.

In order to ensure independence, CPAs performing attest services, such as audits or reviews, will normally refrain from participating in their clients’ investigations. (If you are not performing an attest engagement, it won’t matter if the engagement impairs your independence.) Due to independence impairment issues, forensic accountants should not be the external CPAs engaged to perform financial statement services other than compiled financial statements, for which they indicate they are not independent.

Since certified fraud examiners and CPAs who are certified in financial forensics have obtained additional training in this arena, CPAs who are concerned about responding appropriately to fraud allegations may want to consider teaming up with peers who possess these credentials.

Initial response and recommendations
The goals for the initial response should not include a determination of exactly what occurred or a quantification of any losses. Instead, the response should establish a foundation to assist the entity’s management in making effective, prompt decisions to protect the company’s finances and reputation.

To avoid allegations that their fraud response is unauthorized or libelous, CPAs should first obtain sufficient predication of fraud suspicions, describing the nature, background and the basis for the suspicions. They should also establish that fraud suspicions are alleged by others, and obtain written approval before accessing records or interviewing personnel.

If sufficient predication exists, CPAs should then encourage management to—

  • remain calm, so they can participate in making informed decisions in response;
  • inform legal counsel (investigations led by counsel preserve available legal privileges);
  • promptly notify the board of directors if the allegations pertain to senior management or officers;
  • identify documentation and records to be preserved and protected;
  • share information only with those who have the responsibility and skills to respond to the issues (investigations can be hindered by loose lips);
  • separate facts from concerns and assumptions;
  • take steps to minimize further losses (e.g., consider changing locks, passwords, combinations and Internet access to financial records); and
  • consider whether it is wise to restrict duties or place on administrative leave those under suspicion, until cleared.

            Suspected fraudsters are often tempted to destroy or alter evidence. Consequently, it is important to secure records, documentation and any other relevant items as soon as possible and make sure that concerned clients take the requisite precautions to preserve them.

Establish a written understanding
            CPAs should obtain written understandings (i.e., engagement letters) that clearly define the client’s (or management’s) and the CPA’s responsibilities for fraud prevention, detection and the communication of related matters, before performing services. All letters relating to the issuance of financial statements should require clients to acknowledge their responsibility for both fraud prevention and detection.

Whenever the CPA elects to participate in a fraud investigation, the CPA should use the engagement letter to—

  • define the scope and limits of the engagement (as a consultant or expert witness),
  • indicate that services will be performed under the AICPA’s Statements on Standards for Consulting Services (which distinguish the work from any attest service),
  • indicate that services will be directed by the client’s attorney and
  • request a retainer.

CPAs should avoid describing expected results in the engagement letter and should call their professional liability carrier for a review of the engagement letter, their responsibilities and the best courses of action when faced with a potential fraud.

The client’s responsibilities for fraud detection and prevention aren’t limited to just financial statement engagements, though, so why not specify these responsibilities in all engagement letters, and not just those accountabilities mandated by professional standards? Whenever tolerable, add engagement letter language indicating that it is the client’s responsibility to prevent and detect fraud.

As a final word, remember that hasty decisions made in response to an initial suggestion that fraud may have occurred can have devastating consequences. But a competent, considered approach in response to the justification for a fraud investigation avoids missteps that could compromise the investigation and prosecution.

Duncan B. Will, CPA/ABV/CFF, CFE, is a loss prevention accounting and auditing specialist with Camico ( He responds to CAMICO loss prevention hotline inquiries and speaks to CPA groups on various topics.

Practical fraud loss prevention tips

  • Periodically warn clients of embezzlement risk.
  • Offer clients internal control assistance.
  • Offer two-tiered bank reconciliation services—one that provides additional services to help protect against embezzlement, and one that does not.
  • Recognize potential independence and objectivity impairment; ask yourself whether you can be objective when evaluating potential fraud that you did not discover when performing your previous services, and then document that assessment.
  • Encourage clients to require vacations as well as job and task rotation (fraudsters can’t take the chance that the evidence of their fraud will surface on someone else’s watch).
  • Suggest that clients establish fraud/ethics hotlines.
  • Encourage clients to perform fraud risk assessments (and consider serving as the discussion leader).
  • Retain contemporaneous defensive documentation of each of the above steps.

For information on the Camico program, contact:

Reggie DeJean
Lawley Service, Inc.

Dan Hudson
Chesapeake Professional Liability Brokers, Inc.

Or call Camico direct at 800-652-1772.