ISCPA Comfort Letters/Third Party Verification

AU-C section 920, Letters for Underwriters and Certain Other Requesting Parties (AICPA, Professional Standards), defines a comfort letter as a letter issued by an auditor in accordance with AU-C section 920 to requesting parties in connection with an entity’s financial statements included in a securities offering.

The requests that CPAs are actually receiving from third parties pertain to verification letters. The requested information may relate to a pending loan, employee medical insurance, child adoption applications, or use-tax certification. Mortgages originated by private mortgage companies, which were resold to Fannie Mae and Freddie Mac and past due, are subject to required quality reviews. Quality review standards may require the mortgage originator to contact CPAs whose comfort letters/third party verification are contained within the loan file to confirm the statements made in such letters.

Below we have compiled some articles, sample letters and various resources to help you navigate through these requests.

CPA-to-Lender Letters … the Saga Continues

Written by Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO (

Samples of the letters and forms Suzanne refers to throughout this article may be found at the bottom of this page.

CPAs remain under fire from banks and other lenders pressuring them to provide assurance-type opinions regarding the financial strength of their clients. Many CPAs have shared their frustrations and concerns with CAMICO regarding the veiled threats they have received from aggressive brokers and lenders telling them that unless they meet lender demands for a letter confirming their client’s loan qualifications, the client will not qualify for the loan. Some brokers even suggest the client should seek "a more cooperative" CPA.

Tempting as it may be for CPAs to comply with such requests, providing the requested assurances could put CPAs and their licenses at significant risk.

First, CPAs may face the risk of falling below professional standards if they don’t adhere to AICPA Professional Standards, AT Section 9101, Attest Interpretation No. 2, "Responding to Requests for Reports on Matters Relating to Solvency."

Another risk is that lenders would allege CPAs misrepresented their clients' creditworthiness should their clients later default on the loans in question. CAMICO has faced claims scenarios in which lenders have gone after the CPA after the client defaulted. The allegations against CPAs included negligent misrepresentations based on CPAs' assurances regarding their clients' 1) self-employment status, and 2) financial condition and/or creditworthiness.

Use Professional Judgment
The creditworthiness dilemma is a balancing act—CPAs need to carefully evaluate the risks associated with complying with these requests. For example, since professional standards do not require CPAs to provide any letters to third parties, what are the risks of just saying "no" (e.g., losing the client, being sued by the client should the loan fall through) versus the risks of saying "yes" (e.g., becoming a "deep pocket" target down the road for the lending institution if the client defaults, falling below the professional standard of care). Following are examples of trends and some ideas on how to traverse the delicate balance of controlling your risks while managing client and third-party expectations.

Trend 1: Verification of Tax Information/Employment/Self-Employment
Financial institutions will send forms directly to the CPA, requesting: 1) verification of tax information, employment, or self-employment; and/or 2) assurances that the client's business will not be impacted by having to repay a recent or contemplated loan. The form is generally short, often completed, and calls for the CPA's response and signature verifying the information provided. CAMICO strongly encourages CPAs to exercise caution in replying to these requests. Assuming the client has provided the CPA with appropriate written consent in advance, CAMICO encourages CPAs to draft a letter in response that clearly identifies:

  1. the scope and limits of the services rendered to the client;
  2. the responsibility of the financial institution to exercise its own due diligence and to perform independent procedures and tests deemed necessary to make the determination of whether or not to extend credit; and
  3. the limited response "facts" to the questions posed on the form that are relevant to your client, stating that these answers are based solely upon the information shared by the client and were not audited or otherwise verified. In order to avoid potential privity issues, this letter should also clearly state that the CPA's response is not intended to establish a client relationship with the financial institution. CAMICO has prepared [a] sample response letter for this type of scenario, "Sample Response Letter to Bank—Verification of Tax Information/Employment/Self-Employment" [may be found below].

Trend 2: Telephone Verification Requests
Another twist that adds even more exposure to CPAs are calls received from the so-called "Underwriting Quality Control" divisions of large financial institutions asking CPAs to provide verbal confirmations regarding their clients'; self-employment and/or other assurances regarding their clients'; financial information. CAMICO recommends pushing back with the caller and letting them know that your professional standards regarding client confidentiality prohibit you from discussing your clients with them over the phone. Request that they put any questions they may have in writing and, if you receive written client consent to respond, you will address their inquiries in writing as you deem appropriate, given the scope and limitations of the services you have provided. A sample letter that can be tailored as appropriate, if written responses are deemed necessary [may be found below], "Lender Sample Response Letter."

Trend 3: Requests to Confirm Information on a Previously Issued Lender Letter
Finally, if ever contacted after the fact by a third party who indicates that they are requesting that you confirm some client information previously provided to the lender on behalf of your client, be wary. These individuals often are working for a mortgage insurance company or other organization and are likely fraud investigators trying to build a fraud case against a borrower who has defaulted on a loan. You have no professional obligation to respond to these requests and, in fact, would breach client confidentiality if you responded to this type of request without written client consent. As such, we strongly recommend that you do NOT sign or make any statements in writing, over the phone, or in person, to requests of this nature.

Tips When Responding to Third-Party Requests

    Before tailoring your own response letters, please remember the following:
  • Be sure to receive written consent from your client before disclosing tax return information in a context other than the preparation and filing of tax returns. A sample form for this purpose [may be found below], "7216 Consent – Client Request to Send Tax Returns and Other Info to Third Party."
  • Keep the language of your letter simple and clear.
  • Document only facts, including the services you performed. Refrain from speculation or comments regarding future events (e.g., forecast future income or contingencies) and avoid making conclusions that were not part of the services rendered to your client (i.e., do not make assurances regarding the accuracy or completeness of the information provided unless the scope of your services enable you to provide such assurances).
  • Do not provide any form of assurance regarding matters of solvency.
  • Stay away from words that expand, rather than narrow, your responsibilities.

Tips for Educating Your Clients

  • Have a conversation with your client regarding the scope and limits of the services you rendered.
  • Clarify for the client what you can and cannot provide under the scope and limits of the services rendered.
  • Explain that you are unable to provide an assurance opinion on the client’s financial position when you have not performed the requisite scope of services to do so.
  • State that professional standards for CPAs prevent you from providing any form of assurance regarding matters of solvency.

Following the guidelines set forth in the preceding article is essential when the client or financial institution gives you little or no time to educate your client about the issues.

Sample letters and consent forms

AICPA Resources

Sue Coffey, CPA, CGMA, Senior Vice President - Public Practice and Global Alliance, discusses the AICPA response to member concerns regarding third-party verification letters in this video.

The AICPA would like to know more about the types of third-party verification requests you’re receiving and we’re here to help answer your specific concerns. Please email us at for more information.

"Comfort Letter" Resource Center