Legal liability of certified public accountants

Whether providing services as an accountant or auditor, a Certified Public Accountant (CPA) owes a duty of care to the client and third parties who foreseeably rely on the accountant's work. Accountants can be sued for negligence or malpractice in the performance of their duties, and for fraud.

Sources of CPAs' liability
Certified Public Accountants (CPAs) opinions affect their clients and their judgments can further affect investors, stockholders, firm creditors, or even partners. Large public accounting firms perform thousands of audits annually. Ultimately they will find unmodified reports on financial statements that could appear to be misleading. If CPAs fail to modify the audit report on financial statements that are materially misstated, investors and firm creditors may experience substantial losses.

Depending on the jurisdiction, CPAs may be liable for damages based upon common law, statutory law, or both. Common law liability arises from negligence, breach of contract, and fraud. Statutory law liability is the obligation that comes from a certain statute or a law, which is applied, to society. Recoveries from these liabilities vary by their source or “theory”. Some of these theories are: Due to the risk of liability, CPAs and accounting firms may carry professional liability insurance to provide some protection from legal claims and lawsuits, although some firms choose to self-insure. Concerns about high damage awards and insurance costs have led to proposals to limit liability for public accounting firms.
 * Privity: CPAs and their clients enter into a contract with an agreement to perform certain services. Liability occurs when there is a breach of contract. This applies to the CPA if they don’t perform what they stated in the engagement letter and the client suffers damages.
 * Professional negligence: Negligence may be viewed as “failure to exercise due professional care". Both clients and third parties can sue CPAs for the tort of negligence, which is a wrongful act, injury, or damage for which a civil action can be brought. Negligence can be referred to as ordinary negligence and gross negligence. Ordinary negligence is defined as failure of duty in accordance with applicable standards, and gross negligence is the lack of concern for the likelihood that injuries will result.
 * Fraud: Fraud is defined to be a misrepresentation of a material fact by a person who is aware of his or her actions, with the intention of misleading the other party with the other party injured as a result.
 * Statutory liability: CPAs have statutory liability under both federal and state securities laws. Statutory liability provides cover for defense costs, fines and penalties charged against the firm. Under statutory law, an auditor can be held civilly or criminally liable.

Liability to clients
CPAs have an obligation to their clients to exercise due professional care. With an engagement letter, it provides the client and other third parties with rights of recovery. Therefore, if the CPAs are not performing within the agreement set forth in the contract this will be considered a breach of contract. The clients may also claim negligence against the CPAs if the work was performed but contained errors or was not done professionally. This is considered a tort action.

In order to recover from an auditor under common law negligence theory, the client must prove:
 * Duty of care
 * Breach of Duty
 * Losses
 * Causation

CPAs may defend against a breach of contract if they can prove that the client’s loss occurred because of factors other than negligence by the auditors. If the auditor proves the loss resulted from causes other than the auditor’s negligence, a client may be accused of contributory negligence. If a state follows the doctrine of contributory negligence, the auditor may eliminate their liability to the client based on contributory negligence by the client. Many states do not follow this doctrine. Most states permit a jury to assess the fault and apply the correct percentage of fault to the parties involved. This is called comparative negligence.

Liability to third parties
Not all suits brought to an auditor are from a direct client. Third parties can also sue an auditor for fraud, in which case a contract (privity) is necessary. In order for a third party to prevail in a case, there are a number of things they must prove. First, the third party must prove that the auditor had a duty to exercise due care. Second, the third party must prove that the auditor breached that duty knowingly. Third, the third party must prove that the auditor's breach was the direct reason for the loss. Finally, the third party must prove that they suffered an actual loss.

Ultramares (known user) approach
In order for the court to decide if the auditor's duty actually extended to the third party, for ordinary negligence, there are four legal approaches each state could follow. First is the Privity approach, which states the auditor is liable to a third party if an existence of a contract is in existence. This approach was established in Ultramares Corporation v. Touche and is the most limiting approach in respect to scope. Ultramares occurred in 1933 where the defendant CPA distributed an unqualified opinion on the balance sheet of a company. In addition to the CPAs estimations, Ultramares wrote out several loans to the company shortly before the company declared bankruptcy. Ultramares sued the CPA for ordinary negligence. The New York Court of Appeals ruled that CPAs are held accountable for ordinary negligence to their clients and third parties who identify themselves as users of the CPAs reports.

The "near privity" approach was established in Credit Alliance Corp. v. Arthur Andersen & Company. This approach states that the auditor has liability under ordinary negligence if the third party is known to be using the financial statements and there has been some sort of direct communication between the two parties. An example could be the auditor directly giving a report to the bank that will be providing the loan for an actual client.

Restatement of Torts (foreseen user) approach
The "foreseen" or "Restatement Standard" approach was established by the American Law Institute’s (ALI) Second Restatement of Law of Torts. With this approach the auditor is liable to all third parties in which their reliance is foreseen even if the auditor doesn't know the third party. This approach came about due to Rusch Factors, Inc. v. Levin. In this case, the CPA was found accountable for ordinary negligence to the third party who had not been specifically identified but the CPA was aware that the financial statements were to be used by this party.

Rosenblum (foreseeable user) approach
The "reasonably foreseeable" approach which was created due to Rosenblum v. Adler. This method is very liberal and broad in terms of scope, unlike the privity approach. This system holds an auditor liable to all third parties that rely on financial statements.

Statutory liability
Statutory law consists of written laws created by legislative bodies. Lawsuits brought against auditors based on statutory provisions differ from those under common law. Common law theories of liability may evolve or change over time, and interpretation and application may differ between jurisdictions, while statutory law is constrained to a greater degree by the text of the underlying statute.

United States
The two most important laws relating to auditors’ liability are the Securities Act of 1933 and the Securities Exchange Act of 1934. CPAs must also be concerned with the application of the Racketeer Influenced and Corrupt Organizations Act (RICO) and with each state’s blue sky laws (which regulate the issuance and trading of securities within a certain state).

The Securities Act of 1933 requires a company to register with the Securities and Exchange Commission (SEC). In order to complete registration, the company must include audited financial statements and numerous other disclosures. If the registration statement was to be found materially misstated, both the company and its auditors may be held liable. Those who initially purchase a security offered for sale are the only ones protected by the 1933 Act. These security purchasers, known as the plaintiffs, only need to prove a loss was constant and that the registration statement was misleading. They do not need to prove that they relied upon the registration or that the auditors were negligent. In order for an auditor to avoid liability, they must provide proof that the audit was performed with due diligence, the plaintiff’s losses were not caused by misstated financial statements, the plaintiffs knew of the misstatement at the time the securities were purchased, or the statute of limitations had expired (one year after the discovery of the misstatement, but no more than three years after the security was offered to the public). The due diligence defense is the defense that most auditors raise, even though it is difficult for auditors to prove their innocence. The standing precedent on interpretation of due diligence is Escott v. BarChris Construction Corporation, decided in 1968.

The Securities Exchange Act of 1934 requires all companies under SEC jurisdiction to file an annual audit and have quarterly review of financial statements. While the 1933 Act creates liability only to those investors involved in the initial distribution of public offerings, the 1934 Act increases that responsibility to subsequent purchasers and sellers of the stock. This act provides absolute protection to original and subsequent purchasers and sellers of securities. These plaintiffs must prove that:


 * 1) there was a substantial loss,
 * 2) the financial statements were misleading, and
 * 3) they relied upon the financial statements.

According to Ernst & Ernst v. Hochfelder, plaintiffs must show proof of scienter (the intent to deceive, manipulate, or defraud). In order to avoid liability, auditors must prove they are normally able to establish “good faith” unless they have been guilty of gross negligence or fraud. In addition, the auditors may rely on causation, meaning that the losses experienced by the plaintiffs were caused by factors other than the auditor’s behavior.

Racketeer Influenced and Corrupt Organization Act
In 1970, Congress established the Racketeer Influenced and Corrupt Organizations Act (RICO). This act was established as a means of making sure that CPAs who may have been involved with any illegal mob or racketeering activity were brought to justice. The RICO Act allows for triple damages in civil cases that were brought under the act. This later became an issue of liability in Reves vs. Ernst & Young. This was a significant court case, in that, the court decided that for accountants to be liable for damages of a company under this act, they must have participated in the operation or management of the organization. This also led to the Private Securities Litigation Reform Act which essentially eliminated securities fraud as a civil action under RICO unless prior conviction.

Criminal liability under the Securities Acts
The Continental Vending case (also known as United States v. Simon) has set the precedent of severe charges for accountants. In this case, the U.S. court of appeals convicted three CPAs of gross negligence. Although the CPAs had proof to establish that they complied with U.S. generally accepted accounting principles and the U.S. generally accepted accounting standards, Mano states that the district court judge instructed the jury that mere compliance with professional accounting standards was not a complete defense. This led to the conviction of the three CPAs, who were later pardoned by President Richard Nixon.

As the accounting standards and principles evolve, it is essential for those in regulation, of litigation and in the accounting profession to be aware of the principles and the potential risks affiliated with the system concerning liability. The Securities and Exchange Commission (SEC) along with the Public Company Accounting Oversight Board (PCAOB) have implemented consequences for those who are involved in auditing fraud and any other illegal or unethical behavior in the field. In 1995, the SEC established the Private Securities Litigation Reform Act which in essence mandated auditors to have even stricter guidelines as they pertains to any fraudulent or misleading behavior of their clients. This act simply states that the auditors must promptly report any illegal acts of its clients to the company’s board of directors and if severe enough, to the SEC. According to the guidelines of this Act, auditors are relieved of sanctions if they report required information about clients to the SEC in a timely manner.