Requests for third party verifications (a.k.a. “comfort letters”) seem to be like ocean tides – ebbing and rising with regularity. While the reasons are varied, the tide of comfort letters appears to be coming-in fairly rapidly. While we all want to avoid confrontations with our clients and help them to achieve their successes, accountants need to be prudent when producing comfort letters requested third parties. This brief article provides some general reminder guidance to practitioners on the potential pitfalls of third-party verifications and how to avoid them.
What are Comfort Letters?
Comfort letters should need no introduction, but a brief description seems to be in order. Comfort letters are requests from clients, lenders, mortgage brokers, insurance underwriters, adoption agencies, healthcare or life insurance providers, government agencies, regulators, or other third parties for accountants to verify certain information regarding the client, usually financial in nature. A common request for comfort letters involves self-employed borrowers and their prospective lenders. (A “comfort letter” in the context of this article does not include statements made by accountants in connection with a securities offering.)
In order to minimize their risk, third parties frequently undertake a fairly routine “due diligence” process to verify a client’s financial (or other) information; and assure itself that the proposed transaction (e.g. a loan, insurance policy, government payment programs, etc.) is within the parameters of acceptable financial or compliance risks. While comfort letters are part of ordinary due diligence practices, they can also be a deliberate mechanism for shifting the transaction risk from the third party to the CPA - and its professional liability carrier. If, for example, a client/borrower defaults on a mortgage, the lender may take the position that it relied, to its determent, on the representation sin the accountant’s comfort letter in making the decision to extend credit. In the event of a default, the accountant may well be drawn into a law suit brought by the lender to recover the balance of the loan – something to be avoided.
Guidance for Practitioners
The following is some high-level guidance on how to respond to third party requests for verification of client information.
- Third parties seeking verification will often have their own “standard” letter to be signed by the accountant. Chances are the letter makes assertions well beyond what the accountant can actually verify; and may ask for an opinion, certification, assurance, attestation, or conclusion. Third parties can be quite bold in their request. It is not uncommon for requester to insist that the CPA acknowledge their reliance on the comfort letter. Some third parties will flatly refuse to grant a loan or write an insurance policy unless the CPA complies. Pressure from the client notwithstanding, accountants should stick strictly to the facts, and avoid rendering an opinion, giving assurances or make an attestation unless they have been specifically engaged for that purpose; namely hired to perform an audit, review, compilation or agreed upon procedures. In all likelihood, the client will not be interested in incurring incremental fees to perform such an engagement.
- It is critical that comfort letters be carefully drafted, and state very clearly and precisely the facts related to the work performed for the client, the underlying assumptions, and the limitations and exclusions. In addition, appropriate disclaimers should be included in the letter, such as (i) the third party is responsible for all decisions related to its use of the letter, (ii) the letter does not establish any relationship between the third party and the accountant, and (iii) the accountant is not responsible and has no liability for any losses or damages resulting for the third party’s use of the letter. While there are excellent sample comfort letters available, practitioners should cautiously tailor their letters to the specific request. In addition, accountants should avoid “shooting off a quick email” in response to a call for a comfort letter. They tend to be imprecise and inadequate.
- Consistent with the prior bullet, it is important that there is no ambiguity in the comfort letter with respect to what the CPA did or did not do. One of the best examples is the seemingly harmless request for a client’s tax returns. Accountants should make it clear that information appearing on a tax return was furnished by the client, and, in accordance with Circular 230, was not audited or verified by the CPA; and that the practitioner does not make any assurances about its accuracy. Similar, if financial statements prepared by the CPA are provided to the third party, the legend required under SSARS 21, Sec. 70 should be included in both the financial statements and the comfort letter.
- The AICPA’s professional standards prohibit accountants from providing assurances on matters related to solvency. (See AT Sec. 101, AT Sec. 9101 (Interpretations of Sec. 101), Interpretation No. 2.) The basis of this prohibition is the legal complexities and interpretation of insolvency under the federal bankruptcy code and related state statues. There simply is no suitable standard for accountants to evaluate solvency, and, as a result, render any form of assurance. As suggested above, one of the limitations that should be contained in a comfort letter is the unambiguous absence of any assurance or assertion regarding solvency. Assurances about insolvency can come in many forms, and practitioners need to make sure that the requests for verification are not well camouflaged inquiries about solvency. Conversely, an engagement may be structured to give the third-party information that is an adequate substitute for an assurance on solvency.
- It is important to remember the professional standards and statutes related to the disclosure of a client’s confidential information. Most notably, IRC Sec. 7216 prohibits the disclosure of a client’s tax related information without the client’s written permission; and actually makes failure to comply a criminal offense. The Code also prescribes the actual format of the client’s consent. (See Rev. Proc. 2013-14.) Beyond §7216, the AICPA’s Code of Professional Conduct prohibits the disclosure of confidential client information, tax or otherwise, to third parties without the client’s consent. (See 1.700.001, Confidential Client Information Rule.) In addition, there are a variety of state and federal laws and regulations, like the Gramm-Leach -Bliley Act, HIPPA, and other privacy laws, that proscribe the unauthorized disclosure of personal information. In a word, the scope and protectable nature of the information to which a verification request applies must be understood, and the appropriate permission obtained.
If accountants had their “druthers,” they would likely not produce comfort letters at all. Nonetheless, they are an unavoidable aspect of client relationships and the profession. Special care needs to be taken when preparing comfort letters to avoid the risk of claims by the requester against the CPA if the transaction with the client goes awry; as well as exercising diligence in complying with professional standards. This brief article serves as high level guidance on comfort letters, and practitioners are encouraged to develop a full understanding of the risks associated with these letters, and how to mitigate them.
About the Author
R. Peter Fontaine is the managing partner of NewGate Law which provides legal and risk management services exclusively to the accounting profession. He can be reached at firstname.lastname@example.org.