Well before the 1929 stock market crash, auditors were providing audits for clients and have been liable to those clients to perform as professionals. However, the only companies requiring audits were those that needed capital from banks. Companies acquiring capital by selling securities to stockholders were not required to have audited financial statements. This would change with the collapse of the stock market in 1929 and a massive fraud perpetrated by Ivar Kreuger that unraveled after the crash due to his inability to find purchasers for his company's securities. Kreuger argued that audited financial statements should not be required to maintain trade secrecy.
Within weeks of running out of new funding to fuel his ponzi scheme, Kreuger's company was in the largest bankruptcy case in history at the time. As a result, securities law reform, which had stalled in Congress, was now popular with the voting public. Soon after, Congress passed the Securities Act of 1933, which opened new sources of business for auditors.
The government tends to make changes on a reactionary basis and this has been the case over the last century as large frauds have occurred and triggered reform in auditor liability. The 1980s had the savings and loans scandals, the 1990s witnessed many auditor litigations, and the 2000s had monstrous frauds perpetrated and subsequent record bankruptcies in which auditors failed to perform up to standards set by the profession and the law. As a result, new standards and laws have been enacted. There was the Statement on Internal Auditing Standards in 1984, the Financial Fraud Detection and Disclosure Act of 1992, and the Sarbanes Oxley Act of 2002.
Liability to Clients Under Common Law
Auditors are in a contractual relationship with their clients and must perform according to the contract's terms or the client may sue for breach. A client may also sue an auditor for ordinary or gross negligence. Ordinary negligence can occur when an auditor acts in an inferior manner compared to normal standards for the profession. Gross negligence does not require intent, but does include recklessness on the part of the auditor. Finally, a client may sue for fraud, which can occur when an auditor intentionally acts to deceive.
Auditors may use several defenses to refute legal claims of clients. Lack of duty to perform means that the CPA is arguing that there was no implied or expressed contract. Use of an engagement letter and its contents may be used as a basis to demonstrate services that were agreed upon. Auditors may argue for nonnegligent performance of the audit. In other words, the audit was performed in accordance with GAAS. A defense of contributory negligence means that the client's own actions, either intentionally or unintentionally, caused or contributed to the auditor's inability to perform an adequate audit. For a client to succeed in the suit against the auditor, the client must demonstrate a close casual connection. Or, that the auditor's actions actually caused damages to the client.
Liability to 3rd Parties
Today, auditors may be sued by 3rd parties that may or may not have privity of contract. However, that was not always the case. Under that strict privity doctrine, 3rd parties must enjoy a contractual relationship with the auditor in order for an auditor to be liable to a 3rd party. This doctrine was established in 1931 under the case of Ultamares Corp v. Touche. In that case, even though the auditors were found negligent, the court ruled that the plaintiff did not have a contractual relationship with the defendant and for that reason, Touche could not be held liable.
Strict privity under Ultramares was loosened in 1986 slightly with the Credit Alliance v. Arthur Anderson Company case. In that case the court developed a test to determine the auditor's liability to a third party. The test includes three parts: The auditor must know that his work is being used for a particular purpose; a known third party was intending to rely on the auditor's work; and the auditor's actions must link the auditor and the relying third party.
The Foreseeability rule was first applied by the New Jersey Supreme Court in 1983. Under this approach, the court recognizes the duty that the auditor has to the public, and therefore,to all foreseeable users that rely on the auditor's work product. In addition, the court ruled that Foreseeability only applies to third party users that receive the audited financial statements directly from the company.
Most frequently, states use the Restatement of Torts that was developed in 1968. Under this rule, the accountant may be liable to a limited group of users that the auditor knows may rely on his or her work product. The auditor is liable to this group even though there is no privity of contract and the auditor does not know specifically who these financial statement users are at the time the work is completed. Compared to Foreseeability, Restatement narrows or limits the 3rd parties to those that are intended to benefit.
Auditors may use several defenses to refute legal claims of third parties. Lack of duty to perform means that the CPA is arguing that there was no privity of contract. This defense can prevail with courts that recognize Ultramares. Auditors may argue for nonnegligent performance if the audit was performed in accordance with GAAS. For a client to succeed in the suit against the auditor, the client must demonstrate a close casual connection. Or, that the auditor's actions actually caused damages to the client.
Federal Statutory liability
Congress greatly increased auditor legal liability with the Securities Act of 1933 and the Securities Exchange Act of 1934. These SEC acts also dramatically increased the public's perception of auditor accountability. In fact, the 1933 act shifts the burden of proof to the auditor. Both of these acts are available to clients and third parties.
The Securities Act of 1933 is limited to public companies issuing new securities. The only parties that can recover under the Act are the initial purchasers of new securities. Under Section 11, plaintiffs must prove that the financial statements contained material misstatements or omitted material information and that a loss occurred. Privity is not required. Nor is reliance on the materially misstated information in order to recover.
The Securities Exchange Act of 1934 requires audited financial statements for public companies' annual reports submitted to the SEC. Most frequently, litigation against auditors occurs under section 10(b). Privity is not required. However, ordinary negligence on the part of the auditor is insufficient for the plaintiff to prevail. There must be an intent to deceive or recklessness on the part of the auditor. In 1995, the Private Securities Litigation Act was passed with the objective to reduce litigation risk for auditors and others. It amends the Securities Exchange Act to restrict the use of joint and several liability so that auditors may only be required to pay their share of the plaintiff's loss rather than the entire loss.
Criminal liability
An auditor can be held criminally liable in both state and federal courts. It is a criminal offense to knowingly be involved in falsifying financial statements. In addition, SOX made it illegal to destroy or falsify documents in order to obstruct criminal investigation. Auditor independence in fact and appearance is especially important in a defense against a criminal inquiry. Proper documentation is essential in defending oneself against criminal charges.
Impact of Sarbanes-Oxley Act and SAS 99
Congress passed the Sarbanes Oxley Act in July, 2002. This sweeping reform added responsibility and liability for auditors of public companies. In order to boost auditor independence, the act prohibits CPA firms from providing certain other services when that same firm performs the external audit. The act created the PCAOB to issue auditing standards for public companies and that board was given oversight responsibility for financial auditors. Section 404 of the act requires that management assess the effectiveness of internal controls and that auditors provide an opinion on that evaluation, thus increasing the auditor's liability.
Under SOX, a public company must have an audit committee made up of independent members of the Board of Directors. That committee's responsibilities include the hiring of the CPA firm to conduct financial audits and negotiation of the auditor's fee. The CPA firm reports directly to the Audit Committee and that committee is responsible for dispute resolution between the auditor and management. Auditors must report to the audit committee all material issues identified during the audit.
SAS 99, also established in 2002, changed the audit process and the auditor's responsibility for identifying fraud. Auditors are not just required to look for fraud during their audits, but now have the responsibility to brainstorm how frauds might be committed and materiality risk for each. Those fraud risks identified as high risk need to be contemplated in the audit process and procedures. Auditors must report all instances of fraud to the appropriate level of management and notify the audit committee of material instances of identified fraud.
Increased auditor liability impact on audit fees, audit quality, and client access to capital
The CPA profession has argued that excessive auditor legal liability will make accounting firms less likely to engage with risky clients and, as a result, those prospective clients will have less access to capital. Factors relevant to this discussion include: Change in legal liability; audit fee; level of audit quality; damages available from the auditor to investors; and other implications for the auditors such as criminal penalties, legal fees, and damage to reputation.
If auditor legal liability increases and no other conditions change, then the increase in liability would result in less willingness to take on risky client engagements. However, all other variables are not constant in actuality. Increasing auditor liability leads to an increase in damage payments that investors can expect to receive in litigation. This financial risk to auditors is passed to prospective clients in the form of increased fees. The economic cost of the higher fee can be recouped effectively by the client in the form of better financing terms. The improved financing terms are available because investors can expect larger damage payments from auditors if auditor liability can be proven. The savings associated with better financing terms allows the entrepreneur to pay the auditor's increased fee. Also, investors are also more likely to enjoy a higher quality audit, which leads to an improved investment decision. The result is that an increase in damage fees has no direct impact on client acceptance and investors may receive a benefit in the form of a better investment decision.
When other auditor implications are introduced, such as criminal penalties and damage to reputation, the above example no longer holds. That is because those adverse impacts resulting from legal liability cannot be remedied with a higher audit fee. Therefore, an increased legal liability environment increases the likelihood that auditors will reject engagements with risky clients and those potential clients' access to capital is reduced.
Recent trends in auditor legal liability
The common and statutory trends in state law include migration toward limiting liability for auditors. Currently only two states still recognize and enforce the Forseeability rule. Thirty-five states follow the doctrines of Restatement of Torts, strict privity or near-privity. The balance of remaining states have not declared which 3rd party liability approach they will take.
In June, 2010, the Florida Court of Appeals overturned a verdict in the case BDO Seidman, LLP v. Banco Espirito Santo Int'l. The court reaffirmed its position on auditor liability to third parties and the Restatement of Torts rule. Despite potential ordinary or gross negligence, the court held that the defendant was not aware at the time of the audit that the audit would be used for the purposes of a private placement of notes to the plaintiff.
The Texas Supreme Court reaffirmed that Texas law limits auditor liability to third parties consistent with the Restatement approach on July 2, 2010. In the case, the Texas court rejected claims from the plaintiffs that they did not sell (holder claim) securities that they had previously purchased. The court ruled that for holder claims to be valid, there must be direct communication between the defendant and the plaintiff. There was no such communication.
The Madoff fraud opened interesting questions regarding auditor liability and not just with regard to the very small audit firm that Madoff used for 17 years. The media and others have asked if auditors of huge hedge funds that placed investment dollars with Madoff should have some liability since they gave those hedge funds unqualified audits. Auditors from KPMG, PricewaterhouseCoopers, BDO Seidman, and McGladrey & Pullen never questioned the validity of returns that Madoff was reporting and did not perform any validation. Instead, they relied on opinions from Madoff's tiny audit firm, Friehling & Horowitz. The fact that Madoff was using such an auditing firm might be cause for question. Understanding whose work you are relying on and their level of competence is important.
Personal views of auditor legal liability
I believe that auditors should be held liable to clients in cases of breach of contract, ordinary and gross negligence, and in cases of fraud. The primary beneficiary that enjoys privity of contract should have confidence that the CPA firm performing the audit is competent and will perform the audit with due care expected of a professional.
Third party liability for auditors is much more controversial. Our litigious society expects those that are wronged to be able to recover and the CPA firm may still be a going concern when the audited company has already declared bankruptcy. I think the approach taken with the SEC acts make sense in that auditors can only be held liable if there is recklessness or fraud and proportional liability is used.
I also believe the Restatement of Torts approach rightly allows a limited group of third party users to hold the auditor responsible for negligence or fraud. Privity of contract requirement under Ultramares is too limited in today's business and investing climate where information access is so great. The Restatement approach also protects the auditor from an onslaught of potentially frivolous lawsuits when companies fail and third parties can sue under Foreseeability.
Summary and conclusion
Auditor legal liability has evolved substantially over the last 80 years. Audit firms must recognize the legal environment they are working under and stay up-to-date on changes to laws and court interpretations. The fact that states interpret auditor liability to third parties in many different ways makes it critical for CPA firms to recognize the conditions under which they work and the potential for legal action depending on the court jurisdiction.
Given the legal action risk, the complexity of statutes, and the complexity of client businesses, it is essential for CPA firm partners to organize themselves in a way that limits their liability and protects their personal assets. Carrying insurance is also paramount.
