Early in the 20th century, audits of company financial statements served merely as verification for management that a company was productive and efficient. After the 1929 stock market crash, the role of the auditor evolved. The Securities Act of 1933 and the Securities Exchange Act of 1934 established requirements for SEC member companies to produce audited financial statements to provide assurance to investors as to the accuracy of those financial statements.
In the ensuing years, this led to an expansion of the scope of audit services offered by the CPA profession. In response, the AICPA expanded its audit standards to improve the quality of professional accounting services. Following the savings and loan crisis in the 1980s, legislation and case law in many states extended the obligations of auditors to various third parties.
In a typical third-party malpractice case, a nonclient enters into a business relationship with an audit client and receives a copy of the client’s audited financial statements. The business relationship sours, and the third party alleges that the audited financial statements misstated the client’s true financial condition. The third party further asserts that it entered into the business deal, in part, based on reliance on the accuracy of the audited financial statements, and sues the auditor for damages. Examples of third-party claimants include third-party lenders, investors, and shareholders.
For many, the above scenario seems unfair, arbitrary, and fraught with uncertainty. How can a third party sue an auditor for malpractice when there was no contract between the two parties? Does it matter that the auditor did not have any contact with or knowledge of the third party?
FROM THE DEFENSE COUNSEL
Henry E. Kinser, a partner with the law firm Wyatt Tarrant & Combs LLP in Lexington, Ky., is a leading attorney specializing in the defense of audit malpractice claims. He is an experienced trial lawyer with more than 100 jury trials and has attained the highest professional rating by Martindale-Hubbell, a national peer review rating service for lawyers. Kinser shared his insights about these exposures.
Sterna: Henry, in recent years there seems to have been an increase in third-party audit claims. To what do you attribute this increase?
Kinser: Well, I would say that the downturn in the economy has had a significant impact. Business deals have failed, loans have gone into default, and investments have gone bad. As a result, many businesspeople, lenders, and shareholders are looking for someone to blame for their business failings. Professionals such as auditors, who have liability insurance, are an attractive “deep pocket” from which to recover these losses.
Sterna: How is it that a nonclient third party, who never had any dealings with the auditor, can successfully sue the CPA firm?
Kinser: It all comes down to a legal term called “privity of contract.” Essentially, an auditor will owe a duty of care to a third party only if there is some sort of privity between the accountant and the nonclient.
Sterna: Can you define “privity”?
Kinser: Privity once meant that a contract between the third party and auditor was required before any liability could exist. However, courts now overlook traditional privity and apply legal approaches referred to as “near privity” as well as other approaches, without giving much weight to traditional privity.
Today, there are three basic approaches to third-party liability, depending on which state law applies. The first approach is called the privity-of-contract approach. In such a case, a third party must be in privity or near privity with an auditor to recover for ordinary negligence. For this to happen, the auditor must be aware that a known third party intended to rely upon the audit information provided to the client for a particular purpose. There also has to be conduct by the auditor linking it to a third party’s reliance.
Sterna: Can you give an example?
Kinser: Let’s say a client retains a CPA firm to audit the financial statements required by a bank as a prerequisite to extending a loan to the client. The auditor knows the bank is the client’s principal lender and is aware of the bank’s reliance on the financial statements, particularly the valuation of inventory or accounts receivable. Additionally, the bank and auditor have direct oral and written communication during the lending period and even meet to discuss the client’s financial statements.
After the audit report is issued, the bank discovers that the client’s inventory or accounts receivable were overstated. The client subsequently goes bankrupt and defaults on the loan. The bank alleges that the auditor failed to communicate about the inadequacy of the client’s internal recordkeeping and inventory control. Under the privity-of-contract approach, the bank would have standing to sue the auditor even though there wasn’t a formal contract between the auditor and the bank.
Sterna: That seems fair, but I understand that many states have expanded privity. Can this be found in the other two legal approaches?
Kinser: Yes. In the second approach, liability is found when the third party is within a class of individuals or entities which normally rely upon an auditor’s report. In such a case, if the auditor knew or should know of reliance by this class, reliance by the third party on the audit report is regarded as reasonable. Consider, for example, a situation when a client is negotiating a loan with a bank requiring audited financial statements. The client hires a CPA firm, explaining that the purpose of the audit is to negotiate a loan. The auditor has a duty to the bank even though it was not a known third-party user. This is because the bank is within the limited class of third parties that the auditor knew could potentially rely upon its audit report.
Sterna: And the third approach?
Kinser: The third approach is called the foreseeability approach. While used in a minority of states, it is much more expansive than the two other approaches that I mentioned. Essentially, an auditor can be liable to any person whom the auditor could reasonably foresee obtaining and relying upon the audit report. This includes both known and unknown parties.
Sterna: Can you give an example?
Kinser: A CPA audits a company and opines that the financial statements fairly represent the financial condition of the entity. Unbeknownst to the auditor, a bank made loans to the client after receiving the audited financial statements. The financial statements contained numerous errors, and the client subsequently defaulted on the loans. Under the foreseeability approach, a question of fact would exist as to whether the bank was a foreseeable third party who could be expected to rely upon the audit report. This is true even though the auditor did not know of the bank’s use of the financial statements until after the fact.
Sterna: How does an auditor know which approach applies?
Kinser: State law controls this. The law varies by jurisdiction from strict privity to almost no privity requirement. I would suggest that an auditor speak with a lawyer familiar with the laws of the state in which they practice and in which the client and third party are domiciled. This helps determine the privity approach that applies. Please note that I am only speaking of audits of private companies. Audits of publicly traded companies are governed by rules adopted by the SEC as a result of passage of the Sarbanes-Oxley Act.
Sterna: Regardless of which approach applies, what can an auditor do to decrease the risk of a third-party claim and limit liability to a third party?
Kinser: At the beginning of an engagement, the auditor should gain an understanding of the financial statement users and consider this when performing a risk analysis during the client/engagement acceptance and continuance process. I already mentioned the importance of understanding which privity law applies to the engagement based on where the CPA firm, client, and third-party users are domiciled. This, too, should be factored into the analysis.
Contact with third parties should be limited, especially in states where privity laws provide legal protection if contact is avoided.
Finally, the engagement letter may also limit the use of the report and require the auditor’s consent in the event the client wishes to use the audit report in a private or public securities offering. If report use is restricted to specified users, the engagement letter should also require consent from the auditor before the report is distributed, published, or reproduced to users not specified in the engagement letter.
Third Party Claim Basics
- CPA firms are often sued by nonclient third parties in connection with audit services. In 2012, 22% of all audit, review, and compilation claims experienced by the AICPA Professional Liability Program were made by third parties.
- Third parties may assert reliance upon the audit report to their detriment when making a business decision related to the audit client.
- To assert a claim, the third party must be in privity or near privity with the auditor.
- In this interview, defense attorney Henry E. Kinser offers insights for auditors on these risks and provides tips to help minimize professional liability risk.
Stanley Sterna (email@example.com) is business leader and director of CNA's Accountants Professional Liability Claim Unit.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. For more information, call Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to
establish any standards of care, serve as legal advice, or
acknowledge any given factual situation is covered under any CNA
insurance policy. The relevant insurance policy provides actual
terms, coverages, amounts, conditions, and exclusions for an insured.