CPA Engagement Letters: Liability & Protection FAQ

Required Elements, Liability Caps, Scope Limitations, and State Board Requirements

Q: What is a CPA engagement letter and why is it legally required?

A CPA engagement letter is a formal written agreement between a Certified Public Accountant and their client that defines the scope, terms, and conditions of the professional services to be rendered. While not universally mandated by statute, engagement letters are required by professional standards and strongly recommended by state CPA boards as essential risk management tools.

The American Institute of Certified Public Accountants (AICPA) professional standards require engagement letters for audit, review, and compilation engagements under AU-C Section 210 and AR-C Sections 60, 70, 80, and 90. Many state boards of accountancy have adopted rules requiring written engagement letters for attest services.

Beyond regulatory requirements, engagement letters serve critical legal functions:

  • Establish the contractual relationship between CPA and client
  • Define the scope of services to prevent scope creep
  • Allocate responsibilities between the parties
  • Limit the CPA's liability exposure
  • Establish billing arrangements
  • Provide evidence of agreed terms if disputes arise

Without a properly executed engagement letter, CPAs face significant exposure to claims that they failed to perform services the client expected, even if those expectations were never communicated.

Legal Reference: AICPA AU-C Section 210; AR-C Sections 60, 70, 80, 90

Q: What are the essential elements that must be included in a CPA engagement letter?

A comprehensive CPA engagement letter should include several essential elements to be effective legally and professionally:

  1. Identification of Parties: The client's legal name (entity name for businesses) and the CPA or firm name
  2. Scope of Services: Clearly describe exactly what services will be provided (e.g., "preparation of individual income tax return for tax year 2024")
  3. Limitations on Scope: Explicitly state what is NOT included in the engagement
  4. Management Responsibilities: For attest engagements, clarify the client's responsibility for internal controls, representations, and document accuracy
  5. Fee Arrangement: Specify hourly rates, fixed fee, or retainer arrangements and billing terms
  6. Liability Limitations: Damage caps, indemnification provisions, and disclaimers
  7. Dispute Resolution: Specify mediation, arbitration, or litigation venue
  8. Engagement Period: Establish the timeframe and termination provisions
  9. Representations and Warranties: From both parties
  10. Signature Blocks: Dated signatures from authorized representatives

The AICPA provides sample engagement letters, but these should be customized for each client relationship and reviewed by legal counsel familiar with the CPA's state requirements.

Legal Reference: AICPA Professional Standards; State Board of Accountancy Rules

Q: Are liability caps in CPA engagement letters enforceable?

Liability caps in CPA engagement letters are generally enforceable, but their validity depends on state law, the reasonableness of the limitation, and proper drafting. Courts in most jurisdictions will enforce contractual limitations on liability between sophisticated parties, particularly in commercial contexts.

Factors affecting enforceability:

  • Conspicuousness: The limitation must be clearly written so the client understands they are waiving rights to full recovery
  • Reasonableness: Courts may strike down caps that are unconscionably low relative to potential damages or fees paid
  • Exclusions: Liability cannot be limited for gross negligence, fraud, or willful misconduct in most states
  • Public Policy: Some jurisdictions restrict professionals from limiting liability for their own negligence
  • Bargaining Power: The client must have meaningful choice; adhesion contracts with consumers face greater scrutiny

Common approaches include:

  • Capping liability at a multiple of fees paid (e.g., one to three times fees)
  • Setting an absolute dollar cap
  • Limiting liability to the amount covered by professional liability insurance

The AICPA Professional Liability Insurance Program recommends including liability limitations but advises members to consult state board rules and legal counsel.

Legal Reference: State contract law; AICPA Professional Liability Risk Management Guidelines

Q: How do scope limitations in engagement letters protect CPAs from malpractice claims?

Scope limitations are among the most important protective provisions in CPA engagement letters because they define what the CPA agreed to do and, critically, what the CPA did NOT agree to do. In malpractice litigation, plaintiffs often claim the CPA should have identified issues or performed procedures outside the original engagement. Clear scope limitations defeat these claims by establishing the boundaries of professional duty.

Effective scope limitations should:

  • Explicitly list services included in the engagement
  • Clearly state services that are excluded
  • Note that additional services require separate engagement letters
  • Specify that the CPA is not responsible for detecting fraud (unless specifically engaged)
  • Disclaim responsibility for legal or tax advice beyond the specific engagement
  • Note reliance on client-provided information

Example for tax preparation: The engagement letter should state that the CPA is not engaged to audit or verify the accuracy of information provided, that the engagement does not include representation in examination or appeals, and that tax planning advice beyond preparation is excluded.

Courts regularly cite engagement letter limitations when dismissing malpractice claims for services outside the agreed scope, making precise drafting essential.

Legal Reference: AICPA Statements on Standards for Tax Services; State malpractice case law

Q: What state board rules govern CPA engagement letters?

State boards of accountancy regulate CPA practice within their jurisdictions and many have specific rules regarding engagement letters. Requirements vary significantly by state, but common themes include:

  • Mandatory written agreements for attest services (audits, reviews, compilations)
  • Required disclosures about lack of CPA independence for certain services
  • Restrictions on limiting liability for certain types of services
  • Requirements to maintain engagement letters in workpapers
  • Rules about engagement letter modifications

The California Board of Accountancy, for example, requires that a licensee who performs an attest engagement shall issue a written communication to the client establishing an understanding of the services to be performed and the responsibilities of both parties.

The Texas State Board of Public Accountancy has similar requirements under Board Rule 501.76.

Some states specifically address limitation of liability clauses in accountant-client agreements, either restricting or permitting them under certain conditions.

CPAs should consult their state board rules, as violations can result in disciplinary action independent of any malpractice liability. The AICPA and state CPA societies often provide guidance on compliance with state-specific requirements.

Legal Reference: California Business and Professions Code Section 5062; Texas Administrative Code Title 22, Part 22, Rule 501.76

Q: Can a CPA require clients to consent to liability limitations?

Yes, CPAs can require clients to consent to liability limitations as a condition of engagement, but the consent must be knowing, voluntary, and properly documented. The enforceability of such consent depends on several factors:

  • Clear Disclosure: The limitation must be clearly disclosed in the engagement letter, not buried in fine print. Courts require that waivers of legal rights be conspicuous and understandable.
  • Opportunity to Review: The client should have an opportunity to review terms, ask questions, and negotiate. Providing the engagement letter in advance supports enforceability.
  • Sophisticated Parties: For sophisticated business clients, courts readily enforce liability limitations as arm's-length contract terms. Individual consumers may face greater scrutiny.
  • Reasonable Limits: Attempting to limit liability to zero or a nominal amount may be deemed unconscionable.
  • Signed Acknowledgment: The client must actually sign the engagement letter acknowledging the limitation. Electronic signatures are generally acceptable.
  • No Fraud or Gross Negligence: Even with consent, liability cannot be limited for fraud, gross negligence, or willful misconduct.

Best practice: Specifically call out liability limitation provisions in a cover letter, have the client initial those specific provisions, and retain signed copies in permanent files.

Legal Reference: State contract law; Restatement (Second) of Contracts Section 195

Q: How does malpractice insurance coverage interact with engagement letter provisions?

CPA professional liability (malpractice) insurance and engagement letter provisions work together as complementary risk management tools, but their interaction requires careful consideration. Most CPA malpractice policies are "claims-made" policies that cover claims arising from professional services rendered during the policy period, as defined by the engagement.

Key interactions include:

  • Scope of Services: The engagement letter defines what services were agreed upon, determining whether a claim falls within covered "professional services"
  • Liability Caps: Contractual caps may or may not reduce insurer exposure depending on policy terms and timing
  • Policy Exclusions: Some policies exclude punitive damages or intentional acts; engagement letters cannot expand coverage beyond policy terms
  • Condition of Coverage: Many insurers require signed engagement letters as a condition of coverage or risk claim denial
  • Premium Discounts: Some insurers provide discounts for firms that consistently use properly drafted engagement letters
  • Indemnification Provisions: Client indemnification provisions may need insurer approval and should be coordinated with policy terms

CPAs should review their engagement letter templates with their malpractice insurer and consider whether policy limits should align with any contractual liability caps.

Legal Reference: CPA Professional Liability Insurance Policy Terms; AICPA Professional Liability Insurance Program

Q: What happens if a CPA performs services without an engagement letter?

Performing CPA services without an engagement letter creates significant legal and professional risks that can have serious consequences:

  • Undefined Scope: Without a written agreement, the scope of services becomes undefined and the client may claim the CPA was responsible for services never discussed
  • Fee Disputes: Billing disagreements become he-said-she-said arguments without documented terms
  • Professional Standards Violations: AICPA and state board rules require engagement letters for attest services
  • Lost Defenses: The CPA loses important defenses including liability caps, scope limitations, and dispute resolution provisions
  • Insurance Issues: Some insurers require engagement letters as a condition of coverage
  • Expert Testimony: Malpractice experts will likely testify that failure to obtain an engagement letter fell below the standard of care
  • Implied Terms: Courts may imply terms from conduct, prior dealings, or industry custom, which may be unfavorable to the CPA

If a dispute arises without an engagement letter:

  • Immediately document all communications
  • Gather evidence of what was actually agreed
  • Consult with a malpractice attorney before responding to claims
  • Notify your malpractice insurer

For ongoing client relationships without engagement letters, CPAs should implement a program to obtain signed letters prospectively.

Legal Reference: AICPA Professional Standards; State Board of Accountancy Rules

Q: How should engagement letters address third-party reliance on CPA work product?

Third-party reliance provisions are critical engagement letter terms because CPAs can face liability to parties beyond their direct clients who rely on CPA work product. The foundational case Credit Alliance Corp. v. Arthur Andersen established varying standards across jurisdictions for when third parties can sue accountants for negligent misrepresentation.

Engagement letters should address this risk through:

Privity Limitations: State that services are solely for the client's benefit and no third party may rely on the work product.

Specific Disclaimers:

  • "Financial statements are prepared solely for client's internal use and are not intended for distribution to third parties"
  • "Reports are not intended for use by investors, lenders, or other third parties"
  • "Tax returns are for filing with taxing authorities only"

If Third-Party Reliance is Intended (e.g., financial statements for a bank loan):

  • Identify the specific third party by name
  • Specify the intended purpose
  • Include language limiting reliance to that specific party and purpose
  • Consider requiring the third party to sign an acknowledgment

Consent to Reproduction: Require written consent before work product is shared.

Indemnification: Client indemnifies CPA for claims by third parties who rely on work product without authorization.

Legal Reference: Credit Alliance Corp. v. Arthur Andersen & Co., 65 N.Y.2d 536 (1985)

Q: What are best practices for modifying or updating CPA engagement letters?

CPA engagement letters should be living documents that are updated to reflect changes in services, professional standards, and risk management practices. Best practices include:

Annual Renewals: Even for continuing clients, engagement letters should be renewed annually to confirm scope, update fee arrangements, and incorporate new protective provisions.

Scope Changes: Any significant change in scope during an engagement should be documented through a written amendment or new engagement letter signed by both parties before additional work begins.

Fee Modifications: Changes to billing rates or fee arrangements should be communicated in writing and acknowledged by the client.

Standards Updates: As professional standards evolve, engagement letters should be updated to reflect changes in AICPA standards, state board rules, and court decisions affecting liability.

Insurance Requirements: Any modifications required by malpractice insurers should be incorporated and documented.

Document Retention: Maintain an archive of all versions of engagement letters and amendments, with signatures and dates.

Client Acknowledgment: Give clients reasonable time to review changes and ask questions, documenting their acknowledgment.

Verbal Modifications: When circumstances require immediate changes, follow up verbal agreements promptly with written confirmation.

Legal Review: Work with legal counsel to review engagement letter templates whenever significant legal developments affect CPA liability.

Legal Reference: AICPA Quality Control Standards; State Board of Accountancy Rules
