SysTrust and Third-Party Risk

How is your state likely to treat a third-party lawsuit after a SysTrust engagement?


  • THE SYSTRUST ASSURANCE SERVICE ALLOWS CPAs to add a level of confidence to the reliability of corporate IT systems, but carries with it litigation exposure, especially from third parties.
  • COURTS HAVE NOT YET SPECIFICALLY addressed the third-party legal ramifications of SysTrust because it is so new; but the state courts are likely to refer to many of the laws and precedents that apply to liability for negligent audits.
  • THERE ARE FOUR BASIC SYSTRUST STANDARDS, ranging from most restrictive (least likelihood of a successful third-party lawsuit) to least restrictive. Different states follow different standards.
    • Privity requires that a direct connection or contractual relationship exist between an accountant and a third party for the latter to be able to sue a practitioner.
    • Near-privity requires the plaintiff to prove he or she was an intended third-party beneficiary.
    • The restatement rule, in general, says a CPA owes a duty to a client (or others) whom the client or accountant intends the information to benefit.
    • Reasonable foreseeability says accountants have a duty to all whom they could reasonably foresee as receiving and relying on their work product.
  • ACCOUNTANTS CAN MINIMIZE LITIGATION RISKS by carefully considering whether to perform a given engagement and carefully wording contract language in consultation with a lawyer.
CARL PACINI, CPA, JD, PhD, is assistant professor of accounting and business law at Florida Gulf Coast University, Ft. Myers. His e-mail address is . STEPHEN E. LUDWIG, CPA, PhD, is assistant professor in the School of Accountancy at Georgia Southern University, Statesboro. His e-mail address is . William Hillison, CPA, PhD, is Arthur Andersen Professor of Accounting at Florida State University, Tallahassee. His e-mail address is . David Sinason, CPA, PhD, is assistant professor of accounting at Northern Illinois University, DeKalb. His e-mail address is . Leslee Higgins, CPA, PhD, is assistant professor in the School of Accountancy at Georgia Southern University, Statesboro. Her e-mail address is .

Although corporate information systems have progressed exponentially in the past 100 years, some things have not changed: CPAs are still associated with the information; corporate systems are still subject to failure and even criminal attacks; and concerns about lawsuits from third parties continue to dog the profession. And the launch of the SysTrust assurance service (“Reporting on Systems Reliability,” JofA, Nov.99, page 75), which allows a CPA to report on the availability, security, integrity and maintainability of a system, has tied CPAs more closely than ever to such systems—and legal liability for their failure. Nevertheless, CPAs who understand some legal basics can provide this new assurance service in confidence.

Is systems reliability important?

In 1999, Hershey Foods missed candy deliveries worth approximately $200 million because of system glitches in its new $112 million computer system.

Increased reliance on information systems has led to some spectacular disasters involving astronomical sums: Hackers shut down Yahoo! and eBay with denial-of-service attacks and E-Trade lost $2.5 billion in market value when its system crashed. Procter & Gamble discovered problems with its new SourceOne global database system that led to many wasted hours as employees rechecked the accuracy of quarterly financial reports. And how close to disaster were and when both sites crashed in November 1999 because their systems were not able to handle the volume of users?

Clearly, the liability risk could be huge from nonclients (individuals or entities), the third parties that rely on SysTrust assurance reports. But CPAs can protect themselves by understanding the legal precedents that could come into play with this new service and the various laws that apply in different jurisdictions. A look at some litigation history should clarify the applicable law and strategies that can minimize litigation risk.


Accounting and assurance services traditionally have carried litigation risk for CPAs. As perceived guarantors of financial statement accuracy, auditors have long been targets of disappointed shareholders or creditors—third parties that view them as having “deep pockets.” The introduction of any new assurance service may involve even greater risks. For example, the still-new technological aspects of SysTrust make some litigation issues even more complex than those for traditional engagements. As early as 1996, SEC Commissioner Steven Wallman predicted how the evolution of information technology would affect accountants, causing a shift away from “substance attestation” toward “process attestation.” For accountants, process attestation means providing assurance about the reliability of the system a client employs rather than about the integrity of the business information that system produces.

In the world Wallman described, an unqualified SysTrust assurance report could provide many parties with confidence about the reliability of a system. Thus, the potential liability for assurance providers is considerable, given that shareholders, customers, suppliers, employees, creditors and other stakeholders all depend on systems in processing business transactions.

SysTrust, like other services, also faces an expectation gap—the difference between the public’s perception of the scope of an independent accountant’s responsibilities and his or her actual responsibilities. Parties that rely on a SysTrust report may incorrectly assume the practitioner guarantees the operation, security and accuracy of a company information system. Even though SysTrust’s stated purpose is to increase the comfort of management and other stakeholders, it is likely that users will not fully understand there are limitations.

[Exhibit: What’s the Law in Your State? The standard each state is likely to follow for SysTrust]


The courts have not yet addressed this expectation gap. SysTrust is so new that no legal case has directly addressed accountants’ liability to third parties. For now accountants can assume the courts will apply the common and statutory law that pertains to accountant liability for negligent audits. That would be state law, so the SysTrust practitioner faces 50 jurisdictions, each with the authority to determine the legal standard under which nonclients have a legal right to sue for negligence. Courts use four legal standards, or rules, to judge which nonclients are owed a duty by accountants:

  • Privity.

  • Near-privity.

  • Restatement rule (also known as “known user’s”).

  • Reasonable foreseeability.

The outcome of a SysTrust case will depend on which standard a jurisdiction follows. These four standards, discussed below, are not actually discrete points but lie on a continuum.

Privity. This is the most restrictive standard and results in the least likelihood of liability for the SysTrust provider (the “practitioner”). Privity requires a direct connection or contractual relationship to exist between an accountant and a third party for the latter to be able to sue the SysTrust practitioner. First applied in Pennsylvania in 1919, strict privity is driven by contract law and has been applied in a small number of traditional cases. Currently, only Pennsylvania and Virginia follow it. A nonclient would have no legal right to sue a SysTrust provider under a strict privity rule.

Near-privity (primary benefit). This standard was first applied to define the scope of an accountant’s duty to nonclients for negligence in Ultramares Corp. v. Touche, 174 N.E. 441 (N.Y. 1931). In that case, the New York Court of Appeals denied plaintiff Ultramares’ negligence claim but fashioned an exception to strict privity that became known as the primary benefit rule. In order to prevail, the plaintiff must be an intended third-party beneficiary of the contract between the accountant and the client. The court recognized that the auditor knew the audited balance sheet would be shown to various unidentified creditors and stockholders. However, Touche had not been engaged with the knowledge that plaintiff Ultramares was an intended third-party beneficiary of Touche’s work. Overly rigorous interpretations of Ultramares through the years have resulted in the case’s becoming a symbol of a virtual privity requirement for recovery under a negligence theory.

In 1985, the New York Court of Appeals clarified the Ultramares rule by setting forth a legal test (known as the Credit Alliance standard) containing three elements that must be satisfied for a nonclient to be able to sue an accountant for negligent misrepresentation under the near-privity standard:

  • The accountant must have known that his or her work product was to be used for a particular purpose.

  • A known party or parties were intended to be able to rely on the accountant’s work product.

  • Some conduct must have linked the accountant to the relying party.

As shown in the exhibit above, 12 states follow a near-privity rule, although there are some variations among them. The SysTrust practitioner should consult local legal counsel for advice on any given state court decision or statute.

Restatement rule. Under this rule, established by a federal court in 1968, an accountant who audits or prepares financial information for a client owes a duty not only to that client but also to any other person or one of a group of persons whom the accountant or client intends the information to benefit, if both of the following conditions are met:

  • That person or entity justifiably relies on the information in a transaction that the accountant or client intends the information to influence.

  • Such reliance results in a pecuniary loss for the person or group.

No liability exists, however, when the accountant had no reason to believe the information would be made available to third parties or when the client’s transaction, as represented to the auditor, changes so as to increase the audit risk materially. Although the restatement rule is the most frequently followed legal standard, with 21 states applying it (see the exhibit), historically courts have had some difficulty in applying it: No bright line exists to distinguish one type of user (that is, one who “justifiably relies” on the information) from another.

Despite such difficulty, certain general principles have evolved in numerous cases applying the restatement rule. First, the accountant need not know the exact identity of the nonclient to be held liable under the restatement rule. The professional owes a duty to individuals or a limited group of individuals he or she is aware will rely on the information. The restatement rule does not render the accountant liable to third parties, however, if no accountant–client communications exist concerning the intended use of the accountant’s work product. The accountant must supply the information, or know that his or her client intends to supply the information, to a person or a limited group of persons.

The major difference between the near-privity rule and the restatement rule is that the latter does not require the practitioner to know the identity of specific parties, only that they be members of a limited group known to the practitioner.

Another general principle of the restatement rule requires that a suing party justifiably rely on the information or work product the accountant provided. Justifiable reliance consists of two elements, both of which must be met:

  • The suing party must in fact rely on the information.

  • The reliance must be reasonable.

The second element requires that a reasonable connection exist between the contents of the accountant’s misrepresentations and the action the suing party took by relying on them. The issue of reasonableness is considered in light of the suing party’s intelligence, education and experience. Clearly, however, reliance is unjustified when the relying party is negligent.

Under the restatement rule, the SysTrust provider could be liable only to intended identifiable beneficiaries, not an unknown, large group of unidentified users of the SysTrust report. Moreover, the SysTrust provider must actually be aware of the transaction for which the SysTrust report will be used. The suing party also must justifiably rely on the SysTrust report for the SysTrust provider to owe a duty.

More third parties have the legal right to sue the SysTrust provider under the restatement rule than under the near-privity standard. However, liability is limited because the restatement rule provides the SysTrust practitioner with sufficient knowledge of third-party users to allow the practitioner to obtain liability insurance, set higher fees or adopt other protective measures. Given the varying interpretations of the restatement rule, the SysTrust provider should seek the advice of local legal counsel.

Reasonable foreseeability. An expanded scope of accountant duty to third parties was recognized in 1983 with the decision in Rosenblum v. Adler, 461 A.2d 138 (N.J. 1983). The New Jersey Supreme Court concluded that accountants have a duty to all those whom they should reasonably foresee as receiving and relying on the accountant’s work product—in that case, audited financial statements. Under Rosenblum, the auditor owes a duty of care, however, only to those who obtain a firm’s financial statements directly from the audited entity, for a proper business purpose. There is no duty of care to those obtaining the statements from an annual report in a library, government file or other source. The foreseeability criterion results in the broadest scope of third-party liability for the accountant.

At present only Mississippi and Wisconsin apply the foreseeability rule. In those states, the courts may decide that SysTrust providers owe a duty to all those they should reasonably foresee as receiving and relying on a SysTrust report. Presumably, the duty extends only to report users whose decision to rely on a client’s information system is influenced by a SysTrust assurance report. However, potential liability under this rule poses a limited risk, as only two states have adopted it, and no other states have joined them in the past decade.


No matter where a practitioner lives, there are ways to minimize litigation risk. As suggested by the AICPA’s litigation risk model for assurance services (“AICPA Assurance Service Liability,” ), the first step SysTrust providers should take is to determine whether to accept an assurance engagement. Firm partners first must have a good grasp of the risk posed by the services the firm already offers and then consider the AICPA attestation standards that apply to this service and the impact of the SysTrust engagement on the firm’s overall litigation exposure. The firm should

  • Identify the risks. Who are the parties that can bring suit? On what grounds?

  • Evaluate the risks. What are the costs and benefits?

  • Quantify risks. What are the likely dollar ranges of loss?

Obviously, a CPA is not required to perform a SysTrust service for every business that requests it. Practitioners should read carefully the official literature on “acceptance and continuance of clients” (AICPA Statement on Quality Control Standards no. 2, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice [AICPA, Professional Standards, vol. 2, QC section 20.14-.16]). The steps involved in the SysTrust engagement evaluation process include

  • Evaluating the integrity of the client’s management.

  • Identifying special circumstances and unusual risks.

  • Assessing the firm’s competencies to perform the SysTrust engagement.

  • Evaluating independence.

  • Determining the CPA’s ability to use due care.

  • Preparing an engagement letter.


A firm should enter into written engagement agreements with SysTrust clients. The SysTrust license agreement requires an engagement letter. From a risk viewpoint, the letter’s provisions should include the following:

  • The objective of a SysTrust engagement—an opinion on the client’s conformity with the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability for a given information system. This publication, available in print and CD-ROM from the AICPA order department (1-888-777-7077), contains authoritative guidance that explains SysTrust. It is intended to equip practitioners to perform SysTrust engagements.

  • Compliance—management’s responsibility for establishing and maintaining the SysTrust standards for availability, security, integrity and maintainability. Management is responsible for making all required information available to the SysTrust provider.

  • The use of specialists—in areas such as e-commerce and information system security.

  • Third-party access—conditions under which the practitioner’s working papers may be granted to others.

  • A representation letter—at the conclusion of the engagement, management’s letter to the SysTrust provider confirming certain of management’s representations made during the engagement.

  • Report distribution—a clear definition of the parties who may receive a copy of the SysTrust assurance report. Such a provision gives the SysTrust practitioner some control over the dissemination of the report.

  • Fee and billing arrangements.

Watch your language. A carefully drawn-up engagement letter can reduce litigation risk. Loss-limiting clauses and hold-harmless provisions are potentially powerful but controversial weapons against litigation that limit how much a CPA can be sued for. The first is a contractual clause that limits how much the client can recover in a lawsuit (for example, to the fees paid). The latter might specify that the client will indemnify the SysTrust provider against third-party claims. (Gross negligence and intentional misrepresentation by the SysTrust provider nullify such agreements.)

Currently, an AICPA ethics interpretation allows a practitioner to add loss-limiting clauses to cover situations in which losses arise from intentional misrepresentations by the client. However, the SEC considers a loss-limiting clause an impairment to auditor independence. Therefore, a CPA offering SysTrust services should consult legal counsel before using a loss-limiting or hold-harmless clause in an engagement letter. Loss-limiting clauses may present the SysTrust provider with a means to control litigation risk, but their use, at best, is restricted.

Another litigation risk-control device is cautionary language to warn the client about limitations regarding the scope of information attested to in a SysTrust engagement. Such wording may deter SysTrust report users from believing that the CPA guarantees the operation, security and accuracy of an entity’s information system(s). CPAs should develop cautionary language used in the SysTrust engagement letter or elsewhere in consultation with legal counsel. The SysTrust assurance report actually requires some cautionary language, and the CPA would be well advised to follow the advice of lawyers and the authoritative literature.

An alternative dispute resolution (ADR) provision can reduce the cost when conflict is unavoidable. ADR refers to binding arbitration or to mediation in which a mediator assists in reaching a settlement. However, ADR is appropriate only for disputes with clients, not third parties. It helps avoid some uncertainties (for example, deciding in which venue a dispute will be heard) and is often quicker and less expensive than a court case. However, ADR’s low cost may encourage grievances by clients that would not otherwise commence litigation. Also, some professional liability insurance policies limit its use.


The potential for liability should not deter CPAs from adding SysTrust or other assurance services to their practices. Public accounting practice has always dealt with litigation issues—new services merely mean that the level of risk is not certain. State accountant privity statutes and the results of existing court cases offer encouragement in some states, especially those that follow a privity or near-privity standard. In the 19 states that follow the traditional restatement rule, the SysTrust provider has exposure to more third parties than under the privity or near-privity standard, but it is still defined and manageable. In Texas, Minnesota, Mississippi and Wisconsin, however, the SysTrust practitioner faces a higher degree of liability exposure. Under the reasonable foreseeability rule (or expansive interpretation of the restatement rule), many third-party SysTrust report users have a legal right to sue the assurance provider. The SysTrust practitioner’s exposure in states without a direct court case or accountant privity statute, noted at the bottom of the exhibit, is highly uncertain. Although the legal environment in some states is in flux, any CPA with the skill, background and knowledge of the issues can provide this service with confidence.

For a more comprehensive look at what standards apply in each state, see the exhibit, “The Word From the Bench: Key Precedents That May Apply to SysTrust,” at .
