Well managed accounting firms universally use engagement letters to document the understanding with its clients. For some services, written engagement letters are essentially mandated by professional standards, such as AU-C Section 210, Terms of Engagement, which governs audit engagements. Next to basic quality standards, well drafted engagement letters are the single most important risk management tool available to CPA firms.
The Exari Study
A study recently released by Exari, a sales contract automation company, contained some results that were not, unfortunately, very surprising. Exari surveyed several hundred in-house lawyers from a variety of industries regarding their contracting practices and processes with the following discoveries:
- 75% confessed that they “cut and paste” their contracts from prior agreements or templates.
- 60% felt the process for generating contracts was ineffective.
- 40% said that their contracts did not align well with the actual risks.
- 25% believed that the contracting process led to high risk of errors.
As discussed below, our experience with accounting firm engagement letters is strongly correlated with the Exari study.
Many engagement letters are “mimeograph copies” of another letter, and do not take into consideration changes in the scope of the work, professional standards, such as the new SSARS 21, Section 70 on the preparation of financial statement, or applicable regulations, such as the tangible property regulations. In addition, it is not uncommon to see engagement documentation with important provisions missing or containing sections unrelated to the service offered service – clearly suggesting a “cut and paste” job. The danger, obviously, is that the risks or requirements of the present engagement are not adequately addressed in the borrowed letter. Similarly, some engagement letters are simply not well drafted. They contain provisions that are not clear or concise, and likely to be misunderstood; terms that are redundant, yet inconsistent; and paragraphs left over from prior letters that beg for explanation.
Engagement letters that omit risk “immunizations” or contain other unhealthy terms are like viruses. They can contaminate one engagement, get reproduced over and over again, and infect others. This can unknowingly spawn multiple engagements with risks or obligations that far exceed the income they generate. These contract viruses are hard to eradicate, and can lay dormant for many years. How does it happen? In addition to the simple copying described above, critical contract provisions are deleted or modified, never get restored, and are used over and over again. They become the de facto standard. These are often the legal protection clauses that limit the firm’s professional liability exposure. Repeated tinkering with the major risk management terms – particularly when there are exceptions to the exceptions – erodes the firm’s protective cover. It is difficult to understand and manage the firm’s risk profile when there is a lack of consistency in business terms.
The process used to put quality engagement letters in place is key to their success as a risk management tool. Unfortunately, the process is often awkward, inefficient and a low priority. The place to start is with a basic standard engagement letter that is clear, concise, understandable by the audience, and largely immutable. While there are many good samples available from professional organizations, insurance carriers and law firms, these should be used as a guide and tailored to meet the individual firm’s personality, service offerings and risk profile. Most engagement letters have a core of common provisions, and more peripheral service line specific terms. These service specific terms should also be standardize to the fullest extent possible. Delegating the preparation of engagement letters to uninitiated staff or administrative personnel, while seemingly efficient, can be dangerous. Client interfacing personnel need to understand and have the ability to explain the meaning and purpose of each provision of the engagement letter, as well as the authority to negotiate them. Certain critical clause should not be altered without the review and approval of a more senior member of the firm, or at least a concurring partner. If nothing else, this allows the firm’s management to monitor and control the firm’s risk profile.
Auditing the Auditors
The only real way to determine if firm personnel are complying with the policies established for preparing engagement letters is to periodically review client files. This can be done as part of a more general quality assurance or risk management audit; and can be done using internal or external resources. Do engagement letter covering the current work exist and are the signed by the client? Does the scope of the letter reflect the scope of the work? Does the letter contain the appropriate/required provisions, including risk management clauses? Have deviations been approved as required by firm policies? These are some of the areas that should be covered by the review. Once the review is completed and a findings report generated, consideration can be given to revising the standard engagement letters or letter preparation policies.
Selling? House in Order?
Acquirers often query, “Where do we begin our due diligence?” A great place to start is the file room – or the electronic version thereof. The condition of client files can reveal quite a lot about the target firm – technical competence, depth of knowledge, quality assurance standards, management capabilities, operational effectiveness, and risk management and internal controls. In particular, the prominence of missing or inadequate engagement letters and related processes reflects poorly on the seller’s leadership, raises risk and liability concerns for the buyer, and is likely to affect deal pricing and terms. Any firm considering a sale should ensure their house is in order, including the condition of their engagement letters and how they are generated. Buyers – make looking at the files a due diligence priority.
The Final Provision
There is no debate about the virtues of CPA firm engagement letters – it is critical to have them. There is even fairly wide agreement on the basic provisions of an engagement letter. Simply having a solid standard engagement contract, however, is not sufficient. The integrity of the process for generating the letters must be maintained. It needs to ensure that each letter properly reflects the nature of the work and protects against the known risks; and, to the extent there are significant deviations from the standard, these are brought to the attention of the firm’s senior management.