The Law and CPA WebTrust

Afraid of WebTrust liability issues? Listen to the facts, not rumors.


  • THE MOVE TO THE INFORMATION AGE has opened up opportunities such as WebTrust for CPAs, but with new opportunities come possible litigation problems. Education is the key to safely performing WebTrust engagements.

  • IN BOTH NEW AND TRADITIONAL SERVICES, CPAs have had to face the expectation gap, the difference between public perception and what is actually provided.

  • CPAs HAVE LONG BEEN TARGETS OF LAWSUITS because they are perceived as having deep pockets. There is concern that disappointed online consumers will go after CPAs who perform WebTrust engagements.

  • THERE HAVE BEEN NO WEBTRUST COURT CASES YET, but parallels with some media cases appear to limit liability for WebTrust providers.

  • ACCORDING TO ONE RECENT CASE, anyone who negligently disseminates false information over a public medium will be immune from a negligence claim.

  • BECAUSE BUYERS IN FOREIGN COUNTRIES may make purchases on a WebTrust-certified U.S. site, CPAs could face liability in foreign courts. However, laws in many other countries make it difficult for litigious consumers to bring suit.

  • CPAs CAN MINIMIZE RISKS WITH loss-limiting clauses, hold-harmless provisions, cautionary language in engagement letters and other techniques.
    CARL PACINI, CPA, PhD, CFSA, is an assistant professor of accounting at Georgia Southern University, Statesboro. He is a member of the Florida Bar and has served on the professional liability committee of the Florida Institute of CPAs. His e-mail address is
    DAVID SINASON, CPA, PhD, CFSA, CFE, is an assistant professor of accounting at Northern Illinois University, DeKalb. His e-mail address is

    Internet fraud may not soon be a staple of TV crime shows such as Law and Order and NYPD Blue , but that doesn’t mean CPAs should wait until there’s drama to take a look at the legal ramifications of WebTrust. If a problem requiring court intervention arises in an e-commerce case involving a WebTrust engagement, what are a CPA's liabilities? What legal precedents come into play with this new assurance service? The law ultimately will evolve with regard to assurances linked to electronic commerce, but for now, the well-prepared CPA will want to know precedents and strategies that can minimize litigation risk. CPAs should not be needlessly frightened away from WebTrust because of this risk; increased awareness, not fear, is the answer.

    Development and deployment of any new CPA assurance service and, indeed, many accounting services, carry some litigation risk. Perceived as guarantors of financial statement accuracy, CPAs often are targets in lawsuits filed by aggrieved shareholders or creditors who see accountants or their malpractice insurers as deep pockets. Technological aspects of WebTrust make some litigation issues even more complex than in standard engagements. In December 1996before the AICPA unveiled WebTrust, SEC Commissioner Steven Wallman commented on how the evolution of financial information technology would affect accountants, predicting it would cause a shift away from substance attestation toward process attestation. For accountants, process attestation means providing assurance about the integrity or reliability of the system a client employs rather than about the integrity of the business information that system produces.

    In the world Wallman described, the potential liability of assurance service providers is staggering given that virtually any computer user, anywhere in the world, can access a business Web site that displays a WebTrust seal. The accountant’s potential liability exposure is global, since the Internet knows no borders. Given the potential exposure, CPAs must become familiar with the litigation-risk issues before they initiate WebTrust engagements.

    WebTrust liability does not exist in a vacuum. For the past several decades, the accounting profession has faced an expectation gap, the difference between the public's perception of the scope of an independent accountant's responsibilities and his or her actual responsibilities. Various groups have concluded that the public assigns independent accountants a greater responsibility for detecting and reporting fraud and financial misinformation than can be met. Many e-commerce consumers may not understand the limitations of WebTrust and may incorrectly assume the CPA behind the seal guarantees the quality of goods bought over the Internet. However, WebTrust's purpose is to assist entities and their customers in assessing the risks of doing business electronically, according to the AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce. (Go to index.htm.)

    Financial statement users who suffer investment or credit losses often seek reimbursement or indemnification from accountants. In fact, research indicates that demand for auditing services is partly explained by clients and users desire to have the accountant serve as de facto insurer if losses are sustained. (Several articles have noted this, including The Economic Role of the Audit in Free and Regulated Markets: A Review, by W. Wallace, Research in Accounting Regulation , 1987, 1:7-34.) The accountant is deemed a deep pocket, as the CPA firm often carries malpractice insurance or is, in many cases, the only solvent defendant in a lawsuit.

    It is not hard to imagine several scenarios in which consumers are defrauded in an e-commerce transaction and feel they have no recourse. In such situations, it’s easy to see how a disgruntled customer might target the CPA WebTrust provider.

    So far, no legal case has directly addressed accountants liability to third parties (or nonclients) for disseminating misleading or false financial information over the Internet. Several cases exist, however, that may have bearing on accountants liability to third parties for computer-disseminated data. These cases serve as examples of what might happen should a WebTrust case ever make it to court. The good news is that such cases appear to reduce CPAs liability.

    Precedents antedate not only the Internet but computers themselves. Jaillet v. Cashman (189 N.Y.S. 743 [Sup. Ct. 1921], affd, 194 N.Y.S. 947 [App. Div.]; affd 130 N.E. 714 [N.Y. 1923]) was decided by a New York State trial court in 1921. On March 8, 1920, Dow Jones & Co. reported incorrectly over its ticker service the effect of a U.S. Supreme Court decision on the taxable status of stock dividends as income. An investor saw the ticker report in his broker’s office and sold stocks in the belief that stock prices would drop. When the Dow Jones report was corrected, the market rose. The investor sued Dow Jones for negligently reporting the court case. The New York trial court dismissed the investor’s lawsuit, reasoning that as a matter of practical expediency the law did not impose a legal duty on Dow Jones toward every member of the community who could be misled by an incorrect report.

    In 1987, a New York trial court faced the issue of the liability of a media company that disseminated incorrect financial data over an electronic network. Daniel v. Dow Jones & Co., Inc. (520 N.Y.S. 2d 334 [Civ. Ct. 1987]) involved Eldridge Daniel, a subscriber to the Dow Jones News Retrieval Service; the service provided instantaneous news transmission by computer-to-computer linkup. Daniel made an investment based on a report that Huskey Oil, a Canadian corporation, was restructuring. The news report omitted that the prices quoted were in Canadian, not U.S., dollars. Daniel lost money and sued Dow Jones for negligent misrepresentation.

    The court dismissed Daniels claim, holding that as a matter of public policy the class of plaintiffs to whom Dow Jones could be liable must be carefully circumscribed to avoid the potential of unlimited liability. The court found no reason existed for treating a person who reads data on a computer screen differently from one who reads it on paper. The special relationship required to allow a claim for negligent misstatements did not exist between Daniel and Dow Jones. The relationship that did exist, in the eyes of the court, was that between the ordinary buyer and seller.

    Significantly, the court also found that the First Amendment, freedom of the press, barred the negligence claim. Established law prohibits imposing liability on a media defendant for nondefamatory, negligently untruthful news. But the degree of First Amendment protection offered to WebTrust service providers who are nonmedia parties is uncertain and controversial.

    According to attorneys Richard Miller and Michael Young in Financial Reporting and Risk Management in the 21st Century, in the April 1997 issue of the Fordham Law Review , the rule that can be distilled from the Jaillet and Daniel cases is that one who negligently disseminates false financial or other information over a public medium is immune from a negligence claim. The Jaillet rule has been applied to a newspaper, an investment newsletter and an interactive computer network. Miller and Young also point out that the Jaillet rule does not appear to be more or less valid based on the number of users. The rule has been applied when the number of subscribers was as few as 2,200.

    WebTrust practitioners should note that the Jaillet rule also has been applied in a situation in which the user and disseminator of financial information had an explicit agreement. In First Equity Corp. v. Standard & Poors Corp. (869 F.2d 175 [2d Cir. 1989]), First Equity, an investment banking firm, entered into a one-year subscription agreement with S&P to receive Corporation Records , a loose-leaf publication summarizing the business operations and finances of many corporations. The publication did not make investment recommendations and included a disclaimer that S&P did not guarantee the accuracy and completeness of the information. First Equity and one of its clients, Robert Cornfeld, claimed losses in excess of $200,000 as a result of inaccurate information in Corporation Records about a redemption feature in certain trust notes. In dismissing the negligence claim against S&P, the Second Circuit Court of Appeals applied the Jaillet rule, finding the subscription agreement did not create a special relationship amounting to privity (a direct connection or contractual relationship) between First Equity and S&P.

    Interestingly, the Second Circuit said its decision in First Equity was partially supported by New York case law regarding the liability of accountants for nondefamatory negligent misrepresentations. New York law has avoided exposing accountants to the potential liability represented by a large class of third-party users of negligently audited financial statements.

    The key lesson for CPAs in WebTrust engagements is Miller and Young’s argument that consistent application of the legal rules involved in the Jaillet, Daniel and First Equity cases should, by inference, give accountants immunity from liability for negligence for information disseminated over the Internet. However, no court has applied Jaillet to an accountant providing assurance services over the Internet. The Jaillet rule also is not entirely consistent with the existing body of law on accountants’ liability for negligence to nonclients. Furthermore, the Jaillet rule does not protect against legal claims based on fraud or recklessness. CPAs also should remember that Jaillet may not be applied uniformly by all jurisdictions. WebTrust service providers must closely monitor legal developments.

    The Internet crosses international boundaries, and so do the legal issues surrounding WebTrust. Miller and Young point out that foreign nations usually can assert jurisdiction over nonresidents when the exercise of that jurisdiction is reasonable: You are regularly conducting business in a foreign country; engaging in an activity outside the foreign country that has a substantial, direct and foreseeable effect within that particular country; or performing an activity owned, possessed or used in the foreign country that is the subject of court action. Conceivably, a court in another country could deem it reasonable to exercise jurisdiction over a U.S. accounting firm that provided a WebTrust seal of assurance for an e-commerce transaction involving one of its citizens.

    Once a WebTrust service provider becomes subject to the power of a foreign court, the question is what country’s law applies to the transaction in dispute. Miller and Young say a foreign court may apply U.S. law or local law. Suffice it to say that a foreign court would have significant leeway in deciding which body of law to apply to a U.S. accounting firm that has disseminated false or misleading information over the Internet. Being subjected to the application of another country’s laws in that nation's courts, however, might not pose as much risk to a U.S. firm as U.S. law would in a domestic court.

    Miller and Young indicate that various procedural aspects of foreign law may render a foreign court more hospitable than a U.S. court to a CPA WebTrust service provider:

    • In general, class-action lawsuits may not be filed under the laws of other countries. This is a significant procedural deterrent to a group of aggrieved consumers, each of whom may have lost a modest sum of money.

    • Most countries do not permit contingency fees; anyone who seeks to file a legal claim against a party must pay the lawyer out-of-pocket as a case progresses.

    • Many countries follow the English rule for payment of attorneys’ fees, the loser must pay the winners fees as well as his own, which discourages frivolous lawsuits.

    Miller and Young also point out that lawsuits against accountants outside the United States do not offer the prospect of large jury awards, because most foreign jurisdictions do not permit either jury trials or punitive damage awards. The WebTrust service provider should keep in mind, however, that foreign laws can change just as U.S. laws do.

    Which third parties or nonclients in a foreign nation have the right to sue a WebTrust service provider? It is far from clear. Miller and Young say that foreign law covering accountants’ liability to nonclients for negligence is not as well developed as U.S. law. Even if a consumer in a foreign country obtains a judgment against a U.S. firm, it often must be enforced through a proceeding in a U.S. court, increasing the burden on a foreign consumer suing in a foreign jurisdiction.

    As suggested by the AICPA's litigation risk model for assurance services (AICPA Assurance Service Liability , index.htm), the first step WebTrust providers should take is to determine whether to perform the assurance service at all.

    U.S. Case Law With Parallels to WebTrust

    Case Name Description
    Jaillet v. Cashman (1921) A lawsuit by an investor against Dow Jones was dismissed on the grounds that the law did not impose a legal duty on Dow Jones toward every member of the community. Dow Jones reported incorrectly over its ticker service the effect of a U.S. Supreme Court decision on the taxable status of stock dividends as income.
    Gale v. Value Line (1986) A subscriber to the Value Line publication Value Line Convertibles lost money trading in the warrants of TransWorld Airlines due to a publication error concerning TWA's right to accelerate warrant expiration dates. The subscriber sued Value Line for negligence citing Restatement (Second) of Torts section 552. The federal district court in Rhode Island dismissed the lawsuit, holding that the imposition of a duty that required absolute and completely correct information as to every detail would establish an intolerable and probably unachievable standard of conduct.
    Gutter v. Dow Jones, Inc. (1986) This case presented the legal question of whether Dow Jones is liable to one of its subscribers for a nondefamatory negligent misrepresentation of a fact in the Wall Street Journal that was relied on by the reader in selecting a securities investment that resulted in a loss. The court dismissed the lawsuit, finding that (1) a newspaper subscriber does not fall within the limited class of plaintiffs owed a duty by Dow Jones under Restatement (Second) of Torts section 552 and (2) (relying on the Jaillet rule) no duty was owed to Gutter by Dow Jones, Inc., absent a special relationship.
    Daniel v. Dow Jones & Co., Inc. (1987) A subscriber to the Dow Jones News Retrieval Service lost money on an investment in Huskey Oil, a Canadian corporation. A news report omitted that quoted prices were in Canadian, not U.S., dollars. A trial court dismissed a claim against Dow Jones on the grounds that the class of individuals to whom the company could be liable must be carefully limited to avoid indeterminate liability.
    First Equity Corp. v.
    Standard & Poor's Corp.
    First Equity entered into a one-year subscription agreement with S&P to receive Corporation Records , a loose-leaf summary of corporate finances and operations. First Equity suffered losses on trading in convertible secured trust notes of Pan Am Airways due to faulty information in the publication. A federal appellate court dismissed a negligence claim by applying the Jaillet rule. The court found the subscription agreement did not create a special relationship between First Equity and S&P (necessary to sue for negligence).

    Firm partners should consider the impact of the WebTrust engagement on the firms overall litigation risk exposure. The firm first must have a good grasp of the risk posed by the services it already offers. Firms can obtain this understanding by following these steps for each service:

    1. Identify all the risks, what parties can sue the CPA in a particular engagement on what legal grounds.
    2. Look at risk factors such as the client’s financial condition.
    3. Quantify risk. Estimate potential monetary damages.
    4. Evaluate the risks and rewards of offering a service.

    A CPA is not required to perform the WebTrust service for every business that requests it. The importance of the decision to accept a new WebTrust client or continue to offer the service to an existing client is reflected in the inclusion of acceptance and continuance of clients as one of the five quality control elements for CPA firms (AICPA Statement on Quality Control Standards no. 2, System of Quality Control for a CPA Firms Accounting and Auditing Practice [QC section 20.14-.16]). The steps involved in the WebTrust engagement evaluation process include (1) evaluating the integrity of management, (2) identifying special circumstances and unusual risks, (3) assessing the firms competencies to perform the WebTrust engagement, (4) evaluating independence, (5) determining the CPAs ability to use due care and (6) preparing an engagement letter.

    Most, if not all, CPA firms enter into engagement agreements with audit clients (as recommended in SAS no. 83, Establishing an Understanding With the Client ). A firm should make a comparable arrangement with a WebTrust client. Engagement letters are required by the WebTrust license agreement and may contain numerous provisions.

    Another litigation-risk-control device is cautionary language to warn the reader about limitations regarding the scope of information certified in a WebTrust engagement. Cautionary wording is crucial to preclude e-commerce consumers from believing that a CPA WebTrust provider guarantees the quality of goods purchased, the prices quoted or delivery times posted on a Web site or the integrity of future transactions. The WebTrust seal denotes only that a CPA (1) has evaluated the Web site owners business practices and controls to determine whether they conform to the WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce and (2) has issued an assurance services report with an unqualified opinion. Cautionary language should be displayed on the clients business Web site or in the WebTrust assurance report. If the CPA WebTrust provider contemplates the use of cautionary language, he or she should also consider its effect on the salability and pricing of the WebTrust assurance service. Cautionary language that is too strong or prominently displayed may scare off both potential clients and potential customers visiting clients Web sites. CPAs should develop any cautionary language used in WebTrust engagement letters or in online sign-up procedures in consultation with legal counsel. Some cautionary language is actually required in the CPAs report.

    Another option is to include an alternative dispute resolution (ADR) provision in the engagement letter. ADR refers primarily to arbitration (in which the decision of a third party is binding) and mediation (in which a third party assists in reaching a settlement). ADR is aimed only at disputes with clients, not third parties. Primary benefits of ADR are avoidance of uncertainties (for example, deciding in which venue a dispute will be heard), delays and the expense of the judicial system. A disadvantage of ADR is that its low cost may encourage grievances by clients who would not otherwise commence litigation. ADR does have its limitations, so the WebTrust practitioner should consult legal counsel before using an ADR clause. CPAs should check their insurance: Some professional liability insurance policies limit use of ADR.

    The potential for liability should not deter CPAs from adding WebTrust or other assurance services to their practices. Public accounting practice has always had litigation issues; new services merely mean that the level of risk is still unknown. Fortunately, the results of past court cases give reason for encouragement: It appears that one who is accused of negligently disseminating misleading or false information over a public medium will be immune from liability. Although the legal environment is in flux, any CPA with the skill, background and knowledge of the issues can jump into this new service with confidence.

    Another Possible Tool

    The WebTrust service provider may wish to consider a loss-limiting clause or hold-harmless provision, although both are controversial. They are contractual clauses that require the client to be limited to a specified amount it can claim from the CPA (for example, fees paid) for losses caused by services delivered. Alternatively, these clauses might specify that the client will insure the WebTrust provider against claims by third parties. In short, such a clause or provision limits how much a CPA can be sued for. (Gross negligence and intentional misrepresentation by the WebTrust provider nullify such agreements.)

    Currently, an AICPA ethics interpretation allows a practitioner to add loss-limiting clauses to cover situations in which a loss arises from an intentional misrepresentation by the client. However, AICPA guidelines are silent on whether a loss-limiting clause impairs a CPA's independence in an audit engagement. The SEC considers a loss-limiting clause an impairment to auditor independence. Therefore, a CPA offering WebTrust services should consult legal counsel before using a loss-limiting or hold-harmless clause in an engagement letter. Loss-limiting clauses present the WebTrust provider with a means to control litigation risk, but their use, at best, is restricted.


    Year-end tax planning and what’s new for 2016

    Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


    News quiz: Retirement planning, tax practice, and fraud risk

    Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


    Bolster your data defenses

    As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.