SysTrust and third-party risk.

How is your state likely to treat a third-party lawsuit after a SysTrust engagement?

Although corporate information systems have progressed exponentially in the past 100 years, some things have not changed: CPAs are still associated with the information; corporate systems are still subject to failure and even criminal attacks; and concerns about lawsuits from third parties continue to dog the profession. And the launch of the SysTrust assurance service ("Reporting on Systems Reliability," JofA, Nov. 99, page 75), which allows a CPA to report on the availability, security, integrity and maintainability of a system, has tied CPAs more closely than ever to such systems--and legal liability for their failure. Nevertheless, CPAs who understand some legal basics can provide this new assurance service in confidence.

Increased reliance on information systems has led to some spectacular disasters involving astronomical sums: Hackers shut down Yahoo! and eBay with denial-of-service attacks and E-Trade lost $2.5 billion in market value when its system crashed. Procter & Gamble discovered problems with its new SourceOne global database system that led to many wasted hours as employees rechecked the accuracy of quarterly financial reports.
And how close to disaster were ToysRUs.com and Amazon.com when both sites crashed in November 1999 because their systems were not able to handle the volume of users? Clearly, the liability risk could be huge from nonclients (individuals or entities), the third parties that rely on SysTrust assurance reports. But CPAs can protect themselves by understanding the legal precedents that could come into play with this new service and the various laws that apply in different jurisdictions. A look at some litigation history should clarify the applicable law and strategies that can minimize litigation risk.

DEEP POCKETS, WIDE GAPS

Accounting and assurance services traditionally have carried litigation risk for CPAs. As perceived guarantors of financial statement accuracy, auditors have long been targets of disappointed shareholders or creditors--third parties that view them as having "deep pockets." The introduction of any new assurance service may involve even greater risks. For example, the still-new technological aspects of SysTrust make some litigation issues even more complex than those for traditional engagements.

As early as 1996, SEC Commissioner Steven Wallman
predicted how the evolution of information technology would affect accountants, causing a shift away from "substance attestation" toward "process attestation." For accountants, process attestation means providing assurance about the reliability of the system a client employs rather than about the integrity of the business information that system produces. In the world Wallman described, an unqualified SysTrust assurance report could provide many parties with confidence about the reliability of a system. Thus, the potential liability for assurance providers is considerable, given that shareholders, customers, suppliers, employees, creditors and other stakeholders all depend on systems in processing business transactions.

SysTrust, like other services, also faces an expectation gap--the difference between the public's perception of the scope of an independent accountant's responsibilities and his or her actual responsibilities. Parties that rely on a SysTrust report may incorrectly assume the practitioner guarantees the operation, security and accuracy of a company information system. Even though SysTrust's stated purpose is to increase the comfort of management and other stakeholders, it is likely that users will not fully understand there are limitations.

PRESENT LAW

The courts have not yet addressed this expectation gap. SysTrust is so new that no legal case has directly addressed accountants' liability to third parties.
For now accountants can assume the courts will apply the common and statutory law that pertains to accountant liability for negligent audits. That would be state law, so the SysTrust practitioner faces 50 jurisdictions, each with the authority to determine the legal standard under which nonclients have a legal right to sue for negligence. Courts use four legal standards, or rules, to judge which nonclients are owed a duty by accountants:

* Privity.
* Near-privity.
* Restatement rule (also known as "known user's").
* Reasonable foreseeability.

The outcome of a SysTrust case will depend on which standard a jurisdiction follows. These four standards, discussed below, are not actually discrete points but lie on a continuum.

Privity. This is the most restrictive standard and results in the least likelihood of liability for the SysTrust provider (the "practitioner"). Privity requires a direct connection or contractual relationship to exist between an accountant and a third party for the latter to be able to sue the SysTrust practitioner. First applied in Pennsylvania in 1919, strict privity is driven by contract law and has been applied in a small number of traditional cases. Currently, only Pennsylvania and Virginia follow it. A nonclient would have no legal right to sue a SysTrust provider under a strict privity rule.

Near-privity (primary benefit).
This standard was first applied to define the scope of an accountant's duty to nonclients for negligence in Ultramares Corp. v. Touche, 174 N.E. 441 (N.Y. 1931). In that case, the New York Court of Appeals denied plaintiff Ultramares' negligence claim but fashioned an exception to strict privity that became known as the primary benefit rule. In order to prevail, the plaintiff must be an intended third-party beneficiary of the contract between the accountant and the client. The court recognized that the auditor knew the audited balance sheet would be shown to various unidentified creditors and stockholders. However, Touche had not been engaged with the knowledge that plaintiff Ultramares was an intended third-party beneficiary of Touche's work. Overly rigorous interpretations of Ultramares through the years have resulted in the case's becoming a symbol of a virtual privity requirement for recovery under a negligence theory.

In 1985 the New York Court of Appeals clarified the Ultramares rule by setting forth a legal test (known as the Credit Alliance standard) containing three elements that must be satisfied for a nonclient to be able to sue an accountant for negligent misrepresentation
under the near-privity standard:

* The accountant must have known that his or her work product was to be used for a particular purpose.
* A known party or parties were intended to be able to rely on the accountant's work product.
* Some conduct must have linked the accountant to the relying party.

As shown in the exhibit above, 12 states follow a near-privity rule, although there are some variations among them. The SysTrust practitioner should consult local legal counsel for advice on any given state court decision or statute.

Restatement rule. Under this rule, established by a federal court in 1968, an accountant who audits or prepares financial information for a client owes a duty not only to that client but also to any other person or one of a group of persons whom the accountant or client intends the information to benefit, if both of the following conditions are met:

* That person or entity justifiably relies on the information in a transaction that the accountant or client intends the information to influence.
* Such reliance results in a pecuniary loss for the person or group.

No liability exists, however, when the accountant had no reason to believe the information would be made available to third parties or when the client's transaction, as represented to the auditor, changes so as to increase the audit risk materially.
Although the restatement rule is the most frequently followed legal standard, with 21 states applying it (see the exhibit), historically courts have had some difficulty in applying it: No bright line exists to distinguish one type of user (that is, one who "justifiably relies" on the information) from another.

Despite such difficulty, certain general principles have evolved in numerous cases applying the restatement rule. First, the accountant need not know the exact identity of the nonclient to be held liable under the restatement rule. The professional owes a duty to individuals or a limited group of individuals he or she is aware will rely on the information. The restatement rule does not render the accountant liable to third parties, however, if no accountant-client communications exist concerning the intended use of the accountant's work product. The accountant must supply the information, or know that his or her client intends to supply the information, to a person or a limited group of persons. The major difference between the near-privity rule and the restatement rule is that the latter does not require the practitioner to know the identity of specific parties, only that they be members of a limited group known to the practitioner.

Another general principle of the restatement rule requires that a suing party justifiably rely on the information or work product the accountant provided. Justifiable reliance consists of two elements, both of which must be met:

* The suing party must in fact rely on the information.
* The reliance must be reasonable.

The second element requires that a reasonable connection exist between the contents of the accountant's misrepresentations and the action the suing party took by relying on them. The issue of reasonableness is considered in light of the suing party's intelligence, education and experience.
Clearly, however, reliance is unjustified when the relying party is negligent.

Under the restatement rule, the SysTrust provider could be liable only to intended identifiable beneficiaries, not an unknown, large group of unidentified users of the SysTrust report. Moreover, the SysTrust provider must actually be aware of the transaction for which the SysTrust report will be used. The suing party also must justifiably rely on the SysTrust report for the SysTrust provider to owe a duty.

More third parties have the legal right to sue the SysTrust provider under the restatement rule than under the near-privity standard. However, liability is limited because the restatement rule provides the SysTrust practitioner with sufficient knowledge of third-party users to allow the practitioner to obtain liability insurance, set higher fees or adopt other protective measures. Given the varying interpretations of the restatement rule, the SysTrust provider should seek the advice of local legal counsel.

Reasonable foreseeability. An expanded scope of accountant duty to third parties was recognized in 1983 with the decision in Rosenblum v. Adler, 461 A.2d 138 (N.J. 1983). The New Jersey Supreme Court concluded that accountants have a duty to all those whom they should reasonably foresee as receiving and relying on the accountant's work product--in that case, audited financial statements. Under Rosenblum, the auditor owes a duty of care, however, only to those who obtain a firm's financial statements directly from the audited entity, for a proper business purpose. There is no duty of care to those obtaining the statements from an annual report in a library, government file or other source. The foreseeability criterion results in the broadest scope of third-party liability for the accountant.
At present only Mississippi and Wisconsin apply the foreseeability rule. In those states, the courts may decide that SysTrust providers owe a duty to all those they should reasonably foresee as receiving and relying on a SysTrust report. Presumably, the duty extends only to report users whose decision to rely on a client's information system is influenced by a SysTrust assurance report. However, potential liability under this rule poses a limited risk, as only two states have adopted it, and no other states have joined them in the past decade.

HOW TO PLAY IT SAFE

No matter where a practitioner lives, there are ways to minimize litigation risk. As suggested by the AICPA's litigation risk model for assurance services ("AICPA Assurance Service Liability," www.aicpa.org/assurance/scas/maj theme/svcliab/index.htm), the first step SysTrust providers should take is to determine whether to accept an assurance engagement. Firm partners first must have a good grasp of the risk posed by the services it already offers and then consider the AICPA attestation standards that apply to this service and the impact of the SysTrust engagement on the firm's overall litigation exposure. The firm should

* Identify the risks. Who are the parties that can bring suit? On what grounds?
* Evaluate the risks. What are the costs and benefits?
* Quantify risks. What are the likely dollar ranges of loss?

Obviously, a CPA is not required to perform a SysTrust service for every business that requests it.
Practitioners should read carefully the official literature on "acceptance and continuance of clients" (AICPA Statement on Quality Control Standards no. 2, System of Quality Control for a CPA Firm's Accounting and Auditing Practice [AICPA, Professional Standards, vol. 2, QC section 20.14-.16]). The steps involved in the SysTrust engagement evaluation process include

* Evaluating the integrity of the client's management.
* Identifying special circumstances and unusual risks.
* Assessing the firm's competencies to perform the SysTrust engagement.
* Evaluating independence.
* Determining the CPA's ability to use due care.
* Preparing an engagement letter.

THE ENGAGEMENT LETTER

A firm should enter into written engagement agreements with SysTrust clients. The SysTrust license agreement requires an engagement letter. From a risk viewpoint, the letter's provisions should include the following:

* The objective of a SysTrust engagement--an opinion on the client's conformity with the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability for a given information system. This publication, available in print and CD-ROM from the AICPA order department (1-888-777-7077), contains authoritative guidance that explains SysTrust. It is intended to equip practitioners to perform SysTrust engagements.
* Compliance--management's responsibility for establishing and maintaining the SysTrust standards for availability, security, integrity and maintainability. Management is responsible for making all required information available to the SysTrust provider.
* The use of specialists--in areas such as e-commerce and information system security.
* Third-party access--conditions under which the practitioner's working papers may be granted to others.
* A representation letter--at the conclusion of the engagement, management's letter to the SysTrust provider confirming certain of management's representations made during the engagement.
* Report distribution--a clear definition of the parties who may receive a copy of the SysTrust assurance report. Such a provision gives the SysTrust practitioner some control over the dissemination of the report.
* Fee and billing arrangements.

Watch your language. A carefully drawn-up engagement letter can reduce litigation risk. Loss-limiting clauses and hold-harmless provisions are potentially powerful but controversial weapons against litigation that limit how much a CPA can be sued for. The first is a contractual clause that limits the client to how much it can receive in a lawsuit (for example, fees paid). The latter option might specify that the client will indemnify the SysTrust provider against third-party claims. (Gross negligence and intentional misrepresentation by the SysTrust provider nullify such agreements.)

Currently, an AICPA ethics interpretation allows a practitioner to add loss-limiting clauses to cover situations in which losses arise from intentional misrepresentations by the client. However, the SEC considers a loss-limiting clause an impairment to auditor independence. Therefore, a CPA offering SysTrust services should consult legal counsel before using a loss-limiting or hold-harmless clause in an engagement letter. Loss-limiting clauses may present the SysTrust provider with a means to control litigation risk, but their use, at best, is restricted.

Another litigation risk-control device is cautionary language to warn the client about limitations regarding the scope of information attested to in a SysTrust engagement. Such wording may deter SysTrust report users from believing that the CPA guarantees the operation, security and accuracy of an entity's information system(s). CPAs should develop cautionary language used in the SysTrust engagement letter or elsewhere in consultation with legal counsel.
The SysTrust assurance report actually requires some cautionary language, and the CPA would be well advised to follow the advice of lawyers and the authoritative literature.

An alternative dispute resolution (ADR) provision can reduce the cost when conflict is unavoidable. ADR refers to binding arbitration or to mediation in which a mediator assists in reaching a settlement. However, ADR is appropriate only for disputes with clients, not third parties. It helps avoid some uncertainties (for example, deciding in which venue a dispute will be heard) and is often quicker and less expensive than a court case. However, ADR's low cost may encourage grievances by clients that would not otherwise commence litigation. Also, some professional liability insurance policies limit its use.

UNCERTAIN RISK

The potential for liability should not deter CPAs from adding SysTrust or other assurance services to their practices. Public accounting practice has always dealt with litigation issues--new services merely mean that the level of risk is not certain. State accountant privity statutes and the results of existing court cases offer encouragement in some states, especially those that follow a privity or near-privity standard. In the 19 states that follow the traditional restatement rule, the SysTrust provider has exposure to more third parties than under the privity or near-privity standard, but it is still defined and manageable.
In Texas, Minnesota, Mississippi and Wisconsin, however, the SysTrust practitioner faces a higher degree of liability exposure. Under the reasonable foreseeability rule (or expansive interpretation of the restatement rule), many third-party SysTrust report users have a legal right to sue the assurance provider. The SysTrust practitioner's exposure in states without a direct court case or accountant privity statute, noted at the bottom of the exhibit, is highly uncertain. Although the legal environment in some states is in flux, any CPA with the skill, background and knowledge of the issues can provide this service with confidence.

[ILLUSTRATION OMITTED]

EXECUTIVE SUMMARY

* THE SYSTRUST ASSURANCE SERVICE ALLOWS CPAs to add a level of confidence to the reliability of corporate IT systems, but carries with it litigation exposure, especially from third parties.
* COURTS HAVE NOT YET SPECIFICALLY addressed the third-party legal ramifications of SysTrust because it is so new; but the state courts are likely to refer to many of the laws and precedents that apply to liability for negligent audits.
* THERE ARE FOUR BASIC SYSTRUST STANDARDS, ranging from most restrictive (least likelihood of a successful third-party lawsuit) to least restrictive. Different states follow different standards.
* Privity requires that a direct connection or contractual relationship exist between an accountant and a third party for the latter to be able to sue a practitioner.
* Near-privity requires the plaintiff to prove he or she was an intended third-party beneficiary.
* The restatement rule, in general, says a CPA owes a duty to a client (or others) whom the client or accountant intends the information to benefit.
* Reasonable foreseeability says accountants have a duty to all whom they could reasonably foresee as receiving and relying on their work product.
* ACCOUNTANTS CAN MINIMIZE LITIGATION RISK by carefully considering whether to perform a given engagement and carefully wording contract language in consultation with a lawyer.

CARL PACINI, CPA, JD, PhD, is assistant professor of accounting and business law at Florida Gulf Coast University, Ft. Myers. His e-mail address is cpacini.fgcu.edu.

STEPHEN E. LUDWIG, CPA, PhD, is assistant professor in the School of Accountancy at Georgia Southern University, Statesboro. His e-mail address is sludwig@gasou.edu.

WILLIAM HILLISON, CPA, PhD, is Arthur Andersen Professor of Accounting at Florida State University, Tallahassee. His e-mail address is bhillis@cob.fsu.edu.

DAVID SINASON, CPA, PhD, is assistant professor of accounting at Northern Illinois University, DeKalb. His e-mail address is dsinason@niu.edu.

LESLEE HIGGINS, CPA, PhD, is assistant professor in the School of Accountancy at Georgia Southern University, Statesboro. Her e-mail address is higginsl@gasou.edu.