
    At the Interface of the Electronic Frontier and the Law: The International Legal Environment for Systems Reliability Assurance Services

    Carl Pacini, William Hillison, Dominic Peltier-Rivest, Dave Sinason, Ratnam Alagiah

    In response to concerns about unreliable information systems, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have launched a new assurance service called SysTrust. The objective of a SysTrust engagement is for the practitioner to issue an attestation/assurance report on system(s) reliability.

    The development and deployment of the CPA/CA SysTrust service, however, is done in a high litigation risk environment, especially in the United States, Canada, Australia, New Zealand, and the United Kingdom. Our purpose is to evaluate the legal environment in these five nations so CAs and CPAs can comprehend the issues involving potential litigation prior to initiating SysTrust engagements. Presently, no legal case in the U.S., Canada, Australia, New Zealand, and the United Kingdom has yet been reported which addresses directly accountant liability to third parties for negligent information system assurance services. An analysis of related legal cases sheds light on the potential liability of SysTrust providers. However, the current international legal environment is characterized by a high level of uncertainty. Several risk management strategies, including risk exposure analysis, client engagement evaluation, engagement letters, loss-limit clauses, and alternative dispute resolution, are presented that SysTrust providers may implement to minimize litigation risk. © 2000 Elsevier Science Inc. All rights reserved.

    Key Words: SysTrust; Assurance Liability; Accountant Liability; Negligence; Information Systems

    Carl Pacini ● Department of Accounting, Finance, & Business Law, Florida Gulf Coast University, 10501 FGCU Blvd. S., Ft. Myers, FL 33965-6565; Phone: 941-590-7344. William Hillison ● Florida State University, Tallahassee, FL 32306. Dominic Peltier-Rivest ● Department of Accountancy, Faculty of Commerce and Administration, Concordia University, 1455 de Maisonneuve Blvd. West, Montréal, Québec, Canada H3G 1M8. Dave Sinason ● Northern Illinois University, DeKalb, IL 60115-2854. Ratnam Alagiah ● Griffith University–Gold Coast Campus, PMB 50 Gold Coast Mail Centre, Queensland 9726, Australia.

    Journal of International Accounting, Auditing & Taxation, 9(2):185–218 ISSN: 1061-9518

    Copyright © 2000 by Elsevier Science Inc. All rights of reproduction in any form reserved.

    INTRODUCTION

    How do you define a “world class” systems failure? Ask Hershey Foods, which missed candy deliveries worth $200 million and experienced a 19% drop in 1999 third quarter earnings because of glitches in its new $112 million computer system (Nelson & Ramstad, 1999). Ask Halifax, the United Kingdom’s largest mortgage bank, which had its new Internet service taken off line for a week to repair flaws in a system upgrade that had allowed customers to access other customers’ accounts (Woodyard & Hansen, 1999). And ask Royal Doulton, which lost £12 million in sales and experienced a 45% decrease in share price when its newly installed software failed to deliver promised results (Hickley, 1999).

    Each of these entities would be able to provide a vivid picture of a world-class systems failure. However, corporations have not been the only victims of these types of events. For example, the Legal Services Board of New Zealand, which processes claims for legal aid, ceased legal-aid payments to lawyers for weeks because of a computer system failure (Yvonne, 1999). As another example, the crash of a computer-betting system for interstate horse racing in Australia resulted in the loss of hundreds of thousands of dollars (Eddy, 1999).

    Information technology has spread to many areas affecting entities, differentiates one entity from another, and requires increasing amounts of capital. As business and government dependence on information technology increases, tolerance for system failure decreases. Users demand systems that are secure, available when needed, and able to produce accurate information on a consistent basis. An unreliable or ineffective system can cause a chain of events that negatively affect a company and its customers, suppliers, shareholders, and business partners as well as a government agency and its constituents (Ayers, Frownfelter-Lohrke, & Hunton, 1999).

    In response to concerns about unreliable systems, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) recently launched a new assurance service called SysTrust. It is expected that professional organizations in other nations will eventually adopt SysTrust given the importance of information systems in business and the willingness of accountants in Canada, Australia, New Zealand and the United Kingdom to provide the service to clients (Primoff, 1998).1 The objective of a SysTrust engagement is for the practitioner to issue an attestation/assurance report on whether management maintained appropriate reliability controls over its system(s). Potential users of a SysTrust report include the entity itself as well as its shareholders, creditors, customers, suppliers, third-party users, including those who outsource to other entities, and any other party who in some fashion relies on an information system.

    The development and deployment by CPAs/CAs of any new assurance service, such as SysTrust, is done in a high litigation risk environment. Accountants often become defendants in lawsuits filed by aggrieved shareholders, creditors, or other third parties because accountants (or their malpractice insurers or both) are perceived as “deep pockets” (Schwartz & Menon, 1985; Boynton & Kell, 1996). During the last 25 years, the accounting profession has confronted an international litigation crisis, especially in the Western world (Gonzalo, 1997; Willekens, Steele, & Miltz, 1996). However, the crisis has been most severe in the United States, Canada, Australia, New Zealand, and United Kingdom (Willekens, Steele, & Miltz, 1996; Pacini, Sinason, & Peltier-Rivest, 1999; and Porter, 1993).2

    It is more than coincidence that these five common law countries have a serious accountant litigation problem given the relationship between legal systems and accounting practices and rules (Meek & Saudagaran, 1990). Salter and Doupnik (1992) document that the accounting practices of a country are related to that nation’s legal system. Accountant judgment is exercised to a much greater extent in common law countries. Greater use of professional judgment creates more opportunities for that judgment to be challenged by accounting and assurance service users.3

    Given the high level of litigation risk faced by a SysTrust provider, it is imperative that CPAs and CAs comprehend the issues involving potential litigation prior to initiating SysTrust engagements. Although it is difficult to predict how the law will evolve in any country with regard to assurances linked to information systems (including broader communication issues and the Internet), this paper attempts to evaluate the existing international legal environment faced by accountants in the United States, Canada, Australia, New Zealand, and the United Kingdom who perform SysTrust services and to suggest risk management strategies to minimize SysTrust litigation risk. We focus this study on these common law nations because they have a serious accountant litigation problem. Significantly, these five nations, along with the International Accounting Standards Committee, also comprise the G4+1, an informal but influential group in setting international accounting standards.

    The remainder of this paper consists of four sections including the conclusion. First, the nature of the SysTrust assurance service is analyzed. Second, the legal environments faced by SysTrust assurance providers in these five countries are analyzed. Third, several steps to minimize litigation risk are outlined. Last, we summarize the findings of this study.


    NATURE OF SYSTRUST

    Typical means of access to an entity’s information system(s) include Electronic Data Interchange (EDI), Extranets, and the Internet.

    EDI allows information systems to exchange information in a structured format. This exchange may involve the electronic transmittal of purchase orders, invoices, payment information, status reports, and other data vital to the relationship between connected businesses or other entities. For example, company A is a supplier to company B. The two firms share information using EDI. Company A is able to access company B’s information system, review the online inventory status report, and ship materials to company B without receiving a formal purchase order. Company B may access company A’s information system to check on the status of pending orders. In this example, both companies are vulnerable not only to their own control weaknesses but those of the other firm as well.

    Another means of access to an entity’s information system is via an Extranet (an internal computer network unique to a particular entity that can be accessed by customers, suppliers, and other business partners). An Extranet gives rise to the same electronic efficiencies as EDI without each entity requiring connected computers. For example, a closely held firm may permit access to online financial information by allowing specific parties to connect to an internal computer network. However, concerns over authorization, data integrity, and secured transactions that exist in EDI are also present in an Extranet environment.

    A third mode of access to an entity’s information system is the Internet. The interconnection of millions of computers allows entities and individuals to communicate by e-mail, provide information to the public via websites and engage in e-commerce. Such third-party users are concerned about protection against unauthorized physical and logical access, system availability (particularly for business websites), and system processing integrity. The SysTrust assurance service provides an independent evaluation that covers these three concerns.

    SysTrust is one example of a tool supporting the emergence of a business reporting system in which the primary vehicle for transmission of business information is a computer network. Former SEC Commissioner Steven Wallman predicted a movement away from “substance attestation” toward “process attestation” (Witmer, 1996). Process attestation means providing some type of assurance about the integrity or reliability of the business reporting or information system that a client uses rather than about the integrity of the information produced by such a system.

    The SysTrust practitioner evaluates management’s assertion that during a specific period of time it complied with the AICPA/CICA “SysTrust Principles and Criteria for Systems Reliability” (see Appendix A for an overview; AICPA, 1999b), for a given information system.4 The four essential principles of a reliable system are:

    1. Availability—The system is available for operation and use at times set forth in service agreements;

    2. Security—The system is protected against unauthorized physical and logical access;

    3. Integrity—System processing is complete, accurate, timely, and in accordance with the entity’s transaction approval and output distribution policy; and

    4. Maintainability—The system can be updated in a manner that provides continuous availability, security, and integrity.

    Criteria are set forth to allow a practitioner to judge whether an information system satisfies the four principles. The criteria are organized into three categories:

    1. Communications—The entity has defined and communicated performance objectives, policies, and standards for system availability, security, integrity, and maintainability;

    2. Procedures—The entity uses procedures, people, software, data, and infrastructure to achieve system availability, security, integrity and maintainability objectives in accordance with established policies and standards; and

    3. Monitoring—The entity monitors the system and takes action to achieve compliance with system availability, security, integrity, and maintainability objectives, policies, and standards (Boritz, Mackler, & McPhie, 1999).

    An information system must satisfy all of the SysTrust criteria to be deemed reliable. A SysTrust practitioner examines system controls related to the criteria to collect evidence that the criteria have been met (Boritz, Mackler, & McPhie, 1999). Appendix A contains SysTrust principles and illustrative criteria.

    SysTrust reports cover a historical period, not a point in time. An unqualified report can provide many parties with confidence about the reliability of systems they use in e-commerce or for which they pay user fees despite that it covers a past period (Boritz, Mackler, & McPhie, 1999). The selection of an appropriate period covered by the report is at the discretion of the practitioner, but periods of less than 3 months would not be meaningful (AICPA, 1999b). Factors to consider in establishing a reporting period may include: (1) anticipated report users and their needs; (2) the need to support a continuous audit model; (3) the degree and frequency of change in system components; (4) the cyclical nature of system processing; and (5) information about past system reliability (AICPA, 1999b).

    OVERVIEW OF LEGAL SYSTEMS

    Readers should note that a key difference exists between the legal environments of the United Kingdom, Canada, Australia, and New Zealand (i.e., Commonwealth nations) and the U.S. In the four Commonwealth nations, the issue of which third parties are owed a duty of care by an accountant or assurance provider is decided at the national level. In other words, the highest national court (e.g., Supreme Court of Canada) has the authority and power to make a decision binding on all courts in the country. In the U.S., the duty of care issue is decided individually by state courts (Brecht, 1989) or state legislatures (in the form of accountant liability statutes) (Pacini, Hillison, & Sinason, 2000). Thus, the U.S. has 50 different jurisdictions that apply different judicial reasoning which results in numerous rules of law that exist across the states (Pacini & Sinason, 1998). Finally, the four Commonwealth nations often rely on cases decided in other Commonwealth courts (Fleming, 1998). For example, a decision by the House of Lords (the highest court of law in the UK) is, at a minimum, influential in a Canadian, Australian, or New Zealand court (Godsell, 1991). American decisions are cited occasionally by Commonwealth courts. Also, Commonwealth decisions are cited occasionally by American courts but usually do not have as much precedential value as another American court.

    RESEARCH AND METHODOLOGY

    A starting point of the research was evaluation of prior literature related to the issues discussed in this paper. We then researched appellate court decisions of the United States, Canada, Australia, New Zealand, and the United Kingdom using two different methods. First, the Lexis-Nexis database and the Internet were searched using numerous search terms related to accountant liability, assurance services, and information systems. Each case retrieved by the search was then reviewed for its relevance to this study. Second, appropriate law digests and reporters from each nation were searched for relevant court decisions. All the research was coordinated by one of the coauthors (who is a lawyer).

    Any court case cited in this study was also “shepardized” or researched to determine whether any legal principle relevant to accountant liability to third parties has been overruled or changed. This is a necessary step in legal analysis to ensure that a cited case is still valid law on a given legal issue.

    PRESENT LAW AND SYSTRUST

    Currently, no legal case has yet been reported in the United States, Canada, Australia, New Zealand, or the United Kingdom that addresses directly the liability of accountants to third parties for negligent information system assurance services. Each of these five nations has a case or cases that could affect accountant liability to third parties for negligent performance of the SysTrust assurance service. The focus here is on the legal environments of the United States and Canada for three reasons:

    1. The SysTrust assurance service was developed and launched by the CICA and AICPA.

    2. Almost two-thirds of Internet users are located in North America (Bournellis, 1995).

    3. The United States and Canada are the world’s largest trading partners (Ivankovich, 1994).

    United States

    Presently, no reported legal case has yet addressed directly accountants’ liability to third parties for negligent performance of a SysTrust engagement. This raises the question of what existing body of law, if any, courts would apply to an action for negligence against a SysTrust provider. The most logical conclusion is the existing body of state common and statutory law applied generally to accountant liability to third parties for negligent performance of accounting and auditing services.

    The scope of an accountant’s duty to third parties for negligent accounting or assurance services is a question of state rather than federal law. Among the states, four legal standards have evolved to judge which nonclients are owed a duty by accountants: (1) privity; (2) near privity; (3) the user’s or Restatement approach; and (4) the reasonable foreseeability rule. Application of a different standard to the same set of facts can lead to different outcomes, that is, whether the nonclient has a right to sue.5 These four standards are not actually discrete points but lie on a continuum as represented in Figure 1. The following section discusses each of these standards.

    Privity Rule

    The strict privity rule is the most restrictive standard. Privity requires a direct connection or contractual relationship to exist between an accountant and a third party for the latter to be able to sue the SysTrust practitioner. Strict privity was first established as a legal standard in 1919 in Landell v. Lybrand.6 Today, strict privity is the law in only Pennsylvania and Virginia.

    Certainly, a nonclient would have no legal right to sue a SysTrust provider under a strict privity rule due to a lack of a direct connection or contractual relationship. In a strict privity state, only the client has a legal right to sue a SysTrust provider under a negligence theory.

    Near-privity Standard

    The near-privity standard was first applied to define the scope of an accountant’s duty to nonclients for negligence in Ultramares Corp v. Touche.7 In that case, the New York Court of Appeals denied plaintiff Ultramares’ negligence claim but fashioned an exception to strict privity that has become known as the primary benefit rule. To prevail, the suing party must be an intended third-party beneficiary of the contract between the accountant and the client. The court decided that although the auditor (Touche Niven & Co.) knew that the audited balance sheet would be shown to various unidentified creditors and stockholders, Touche had not been hired by its client (Fred Stern and Co.) with the knowledge that Ultramares (the plaintiff) was an intended third-party beneficiary of Touche’s work. Even though the plaintiff failed to prevail as a third-party beneficiary, the theory was established. Overly rigorous interpretations of Ultramares during the years have resulted in the case incorrectly symbolizing a privity requirement for a nonclient to recover (Gormley, 1984; Daley & Gibson, 1994).

    FIGURE 1. Liability continuum for those states and Commonwealth countries which have direct rulings or applicable statutes on accountant liability to third parties for negligent misrepresentation.

    In 1985, the New York Court of Appeals clarified the Ultramares rule in Credit Alliance v. Arthur Andersen & Co.8 The court set forth a legal test containing three elements that must be satisfied for a third party to be within the scope of an accountant’s duty for negligent accounting or assurance services: (1) the accountant must have known that his or her work product was to be used for a particular purpose; (2) a known party or parties were intended to be able to rely on the accountant’s work product; and (3) there must have been some conduct linking the accountant to the relying party. As presented in Figure 1 and Table 1, a near-privity approach is followed by 12 states; eight by statute9 and four by court decision.10

    In general, a near-privity standard, statutory or otherwise, requires the accountant to know that a specific person or persons intend to rely on the work product with regard to a specific transaction. In a SysTrust engagement, both of these conditions could be met in the cases of EDI partners and Extranet users. It is a question of fact whether the SysTrust practitioner will know the identity of a specific third party, such as a customer, supplier, or creditor at the time the service is rendered. Also, it is situation specific whether a SysTrust provider would be aware of the particular purpose (or transaction) for which the SysTrust report would be used. Thus, unless the SysTrust provider was aware of the specific third-party’s identity and that party’s reliance on a SysTrust report for a specific transaction, liability exposure would likely be confined to a small group of nonclients.

    The Restatement Standard

    In 1968, a federal district court in Rhode Island first expanded accountant liability for negligent accounting services to specifically foreseen or known users in Rusch Factors v. Levin,11 applying §552 of the American Law Institute’s Restatement (Second) of Torts.12 Under this standard, an accountant who audits or prepares financial information for a client owes a duty not only to that client, but to any other person or one of a group of persons whom the accountant or client


    TABLE 1

    Legal Standards for Accountant Liability to Third Parties for Negligence

    | Nation/State | Statute or Case Name | Legal Standard |
    |---|---|---|
    | Australia | Esanda Finance Corp. Ltd. v. Peat Marwick Hungerfords (1997) 71 A. L. J. R. 448. | Both foreseeability of harm and proximity are necessary for a duty to a third party to arise. A duty of care is difficult to establish unless the accountant intends to induce reliance on the work product by a nonclient. Other factors, in addition to the intent to induce reliance, may establish proximity. The High Court outlined numerous policy factors to consider. |
    | Canada | Hercules Managements Ltd. v. Ernst & Young [1997] 2 S. C. R. 165. | The Supreme Court of Canada adopted the two-prong Anns/Kamloops test for all types of negligent misstatement cases involving economic loss. The first prong requires: 1) that the accountant should reasonably foresee that a third party will rely on the accountant’s work product; and 2) that the nonclient’s reliance is reasonable. The second part considers policy factors that limit or negate any duty established. |
    | New Zealand | Boyd Knight v. Purdue [1999] 2 N.Z.L.R. 276. | Accountants owe no duty to present or future creditors who may be contemplating investing in a firm’s debt or equity securities. Accountants owe a duty only to a third person to whom they themselves show the accounts, or to whom they know their client is going to show the accounts. Any duty applies only to those transactions for which the auditors know their accounts were required. A suing party must prove actual, specific reliance on the auditor’s work product. |
    | United Kingdom | Caparo Industries PLC v. Dickman [1990] AC 605. | The House of Lords held that an auditor of a public company, in the absence of special circumstances, owes no duty of care to an outside investor or an existing shareholder who buys stock in reliance on a statutory audit. The court fashioned a three-prong test for a duty of care to arise: 1) foreseeability; 2) proximity; and 3) it must be just and reasonable on a policy basis to impose a duty. Accountant liability for negligent misstatements is confined to cases in which it can be established that the accountant knew his or her work would be communicated to a nonclient, either as a member of a limited class or individually, and the third party relied on the work product in connection with a particular transaction. |
    | Arkansas | Ark. Code Ann. §16-114-302 (Michie 1998). | Statutory near privity rule that shields the accountant from liability except to those third parties identified in writing by the accountant. |
    | California | Bily v. Arthur Young & Co., 834 P. 2d 745 (Cal. 1992) | Restatement §552. The accountant must know, with substantial certainty, that the third party or the class to which the nonclient belongs will rely on the accountant’s work product. |


    TABLE 1 (Continued)

    | Nation/State | Statute or Case Name | Legal Standard |
    |---|---|---|
    | Colorado | Marquest Medical Products v. Daniel, McKee, & Co., 791 P. 2d 14 (Colo. App. 1990). | Restatement §552. |
    | Connecticut | Near privity standard and Restatement §552. | No appellate court decision has been reported. State trial courts have split on the appropriate legal standard. |
    | Delaware | N/A | No direct state court ruling or accountant liability statute. |
    | Florida | First Florida Bank v. Max Mitchell & Co., 558 So. 2d 9 (Fla. 1990). | Restatement §552. |
    | Georgia | Badische Corp. v. Caylor, 356 S. E. 2d 198 (Ga. 1987) | Restatement §552. |
    | Hawaii | Kohala Agriculture v. Deloitte & Touche, 949 P. 2d 141 (Haw. Ct. App. 1997). | Restatement §552. |
    | Idaho | Idaho Bank & Trust Co. v. First Bancorp, 772 P. 2d 720 (Idaho 1989). | Near privity standard (Credit Alliance rule). |
    | Illinois | 225 ILL. COMP. STAT. 450/30.1 (1998). | Statutory near privity rule. Identical to the Arkansas statute but a court has held that a nonclient may state a valid claim under the statute without a writing. If no writing from the accountant exists, the nonclient must prove the client’s intent and the accountant’s knowledge of that intent. |
    | Indiana | N/A | No direct state court ruling or accountant liability statute. |
    | Iowa | Ryan v. Kanne, 170 N. W. 2d 395 (Iowa 1969); Eldred v. McGladrey, Hendrickson & Pullen, 468 N. W. 2d 218 (Iowa 1991). | Restatement §552. |
    | Kansas | KAN. STAT. ANN. §1-402 (1998). | Statutory near privity rule. |
    | Kentucky | N/A | No direct state court ruling or accountant liability statute. |
    | Louisiana | La. Rev. Stat. Ann. §37.91 (West 1999). | Statutory near privity standard. |


    TABLE 1 (Continued)

    | Nation/State | Statute or Case Name | Legal Standard |
    |---|---|---|
    | Maine | N/A | No direct state court ruling or accountant liability statute. |
    | Maryland | N/A | No direct state or court ruling or accountant liability statute. |
    | Massachusetts | Nycal Corp. v. KPMG Peat Marwick, 688 N. E. 2d 1368 (Mass. 1998) | Restatement §552. |
    | Michigan | MICH. COMP. LAWS §600.2962 (1998). | Statutory near privity law. |
    | Minnesota | Bonhiver v. Graff, 248 N. W. 2d 291 (Minn. 1976). | Expansive version of Restatement §552. |
    | Mississippi | Touche Ross v. Commercial Union Insurance Co., 514 So. 2d 315 (Miss. 1987). | Reasonable foreseeability rule. |
    | Missouri | MidAmerican Bank & Trust Co. v. Harrison, 851 S. W. 2d 563 (Mo. App. 1993) | Restatement §552. |
    | Montana | Thayer v. Hicks, 793 P. 2d 784 (Mont. 1990). | Near privity rule. |
    | Nebraska | Citizens National Bank of Wisner v. Kennedy & Coe, 441 N. W. 2d 180 (Neb. 1989). | Near privity rule. |
    | Nevada | N/A | No direct state court ruling or accountant liability statute. |
    | New Hampshire | Spherex, Inc. v. Alexander Grant & Co., 451 A. 2d 1308 (N. H. 1982); Demetracopoulos v. Wilson, 640 A. 2d 279 (N. H. 1994). | Restatement §552. |
    | New Jersey | N. J. STAT. ANN. §2A:53A–25 (West 1998). | Statutory near privity rule that is quite similar to the Credit Alliance standard. |
    | New Mexico | N/A | No direct state court ruling or accountant liability statute. |


    TABLE 1 (Continued)

    | Nation/State | Statute or Case Name | Legal Standard |
    |---|---|---|
    | New York | Credit Alliance v. Arthur Andersen & Co., 483 N. E. 2d 110 (N. Y. 1985). | Near privity rule. |
    | North Carolina | Raritan River Steel v. Cherry et al., 367 S. E. 2d 609 (N. C. 1988) | Restatement §552. |
    | North Dakota | N/A | No direct state court ruling or accountant liability statute. |
    | Ohio | Haddon View Investment Co. v. Coopers & Lybrand, 436 N. E. 2d 212 (Ohio 1982). | Restatement §552. |
    | Oklahoma | N/A | No direct state court ruling or accountant liability statute. |
    | Oregon | N/A | No direct state court ruling or accountant liability statute. |
    | Pennsylvania | Landell v. Lybrand, 107 A. 783 (Pa. 1919); Raymond Rosen & Co. v. Seidman & Seidman, 579 A. 2d 424 (Pa. Super. Ct. 1990). | Privity rule. |
    | Rhode Island | N/A | No direct state court ruling or accountant liability statute. |
    | South Carolina | M-L Lee Acquisition Fund v. Deloitte & Touche, 463 S. E. 2d 618 (S.C. Ct. App. 1995), aff’d 489 S. E. 2d 470 (S. C. 1997). | Restatement §552. |
    | South Dakota | N/A | No direct state court ruling or accountant liability statute. |
    | Tennessee | Bethlehem Steel Corp. v. Ernst & Whinney, 822 S. W. 2d 592 (Tenn. 1991). | Restatement §552. |
    | Texas | Blue Bell, Inc. v. Peat, Marwick, Mitchell & Co., 715 S. W. 2d 408 (Tex. App. 1986). | Expansive version of Restatement §552. |
    | Utah | UTAH CODE ANN. §58-26-12 (1998). | Statutory near privity rule. |


    intends the information to benefit if (1) that person justifiably relies on the information in a transaction that the accountant or client intends the information to influence; and (2) such reliance results in a pecuniary loss for the person (Daley & Gibson, 1994). No liability exists, however, to parties whom the accountant had no reason to believe the information would be made available, or when the client’s transaction, as represented to the accountant, changes so as to materially increase audit risk.

    The major difference between the primary benefit or Ultramares rule and the Restatement standard is that the latter does not require the identity of specific parties be known to the accountant, only that they be members of a limited group known to the accountant (Gossman, 1988). The Restatement standard enlarges the class of persons to whom the accountant owes a duty to intended identifiable beneficiaries and to any unidentified members of the intended class of beneficiaries.

    SysTrust practitioners should note that Minnesota and Texas have adopted expansive versions of the Restatement standard. This means that appellate courts in those states have applied the legal standard in such a broad fashion that the class of third parties to whom an accountant owes a duty is almost as wide as the reasonably foreseeable users’ rule (discussion follows) (Pacini & Sinason, 1998).

    In general, the Restatement standard indicates that an accountant owes a duty to any person or one of a limited group of persons who justifiably relies on information in a transaction that the accountant or client intends the information to influence. Although a SysTrust provider need not know the exact identity of a SysTrust third-party user, a duty is owed only to those persons, or the limited class of persons, whom the SysTrust provider is actually aware of will rely on the SysTrust report. This could include all EDI partners that the client had identified and, possibly, many Extranet users disclosed to the provider by the client. Thus, the SysTrust provider could be liable to intended identifiable beneficiaries, but not an unknown, large group of unidentified users of the SysTrust report.13 Moreover, the SysTrust provider must actually be aware of the transaction or purpose for which the SysTrust report will be used. The suing party must also justifiably rely on the SysTrust report to be owed a duty by the provider. In Texas and Minnesota, however, a SysTrust provider could owe a duty to a larger class of third parties than in other Restatement jurisdictions.

    TABLE 1 (Continued)

    Nation/State | Statute or Case Name | Legal Standard
    Vermont | N/A | No direct state court ruling or accountant liability statute.
    Virginia | Ward v. Ernst & Young, 435 S. E. 2d 628 (Va. 1993) | Privity rule.
    Washington | Haberman v. Public Power Supply System, 744 P. 2d 1032 (Wash. 1987). | Restatement §552.
    West Virginia | First National Bank of Bluefield v. Crawford, 386 S. E. 2d 310 (W. Va. 1989). | Restatement §552.
    Wisconsin | Citizens State Bank v. Timm, Schmidt & Co., 335 N. W. 2d 361 (Wisc. 1983). | Reasonable foreseeability rule.
    Wyoming | WYO. STAT. ANN. §33-3-201 (1998). | Statutory near privity standard.

    In sum, more third parties have the legal right to sue the SysTrust provider under the Restatement standard than the near-privity standard. However, potential liability is circumscribed because the Restatement rule provides the SysTrust practitioner with sufficient knowledge of which third parties will rely on the SysTrust report to allow the practitioner to obtain liability insurance, set higher fees, or adopt other protective measures.

    Reasonable Foreseeability Rule

    An expanded scope of accountant duty to nonclients was recognized in 1983 with the decision in Rosenblum v. Adler.14 The New Jersey Supreme Court concluded that accountants have a duty to all those whom they should reasonably foresee as receiving and relying on the accountant’s work product. However, the duty extends only to those users whose decision is influenced by audited statements obtained from the audited entity for a proper business purpose. Under Rosenblum, the auditor owes a duty of care to all who obtain a firm’s financial statements directly from the audited entity, but owes no such duty of care to those who obtain them from an annual report in a library, government file, or other source (Causey, 1987). The foreseeability criterion results in the broadest scope of third-party liability for the accountant. As noted in Figure 1, only Mississippi and Wisconsin apply the foreseeability rule, and no state has adopted it since 1987.

    An argument can be made that an assurance provider could be liable to an aggrieved SysTrust report user in most situations under a reasonable foreseeability rule. This may include Internet users as well as EDI partners and Extranet users. Under this standard, the SysTrust provider may be deemed to owe a duty to all those whom the assurance provider should reasonably foresee as receiving and relying on the SysTrust report. Presumably, the duty would extend only to those report users whose decision to rely on the client’s information system is influenced by a SysTrust assurance report.


    Canada

    The most significant case that could govern the negligence liability of SysTrust providers to third parties is Hercules Managements Ltd. v. Ernst & Young decided in 1997.15 Before this landmark decision, the law relating to accountant liability for negligence had remained static since the Haig v. Bamford16 decision in 1977 (Deturbide, 1998). Plaintiffs in Hercules were shareholders in Northguard Acceptance Ltd. (NGA) and Northguard Holdings Ltd. (NHL), companies engaged in commercial and real estate lending. Ernst & Young (E&Y) was originally hired by the Northguard firms to render annual financial statement audits. In 1984, both Northguard companies went into receivership. In 1988, a number of shareholders in the Northguard firms brought suit against E&Y contending that the 1980–1982 audit reports, on which they relied, were prepared negligently.

    The Supreme Court of Canada, in a unanimous decision, dismissed the negligence claim. The court reached its finding by application of the two-pronged Anns/Kamloops test.17 The first part of the test examines proximity, in which it is decided whether the wrongdoer’s carelessness might reasonably cause damage to the person harmed. If this question is answered affirmatively, part two of the test analyzes policy considerations that could curtail or eliminate any duty of care owed by the accountant to the plaintiff (Deturbide, 1998).

    Significantly, the court endorsed the use of the Anns/Kamloops test for all types of negligent misrepresentation actions regardless of the type of economic loss or the nature of the defendant.18 The court rejected the proposition that accountants should be subjected to a broader range of liability than other professionals (Rafferty, 1998). The unanimous opinion emphasized the need for some control device, using the second prong of the Anns/Kamloops test, to combat the danger of indeterminate liability for accountants and others (Rafferty, 1998).

    With regard to the first prong of the test, CAs and CPAs should note that the term “proximity” means that the assurance provider has an obligation to be mindful of the SysTrust report user’s “legitimate interests.” Proximity can be said to exist when the SysTrust provider:

    1. Should reasonably foresee that a third party will rely on the SysTrust report; and

    2. Reliance by the third party is reasonable.

    The court noted, however, that even if the accountant knows that the third party is relying on information supplied by the accountant, no duty of care will arise unless it is reasonable for the nonclient to rely on the accountant under the circumstances. In most instances involving SysTrust engagements, the CA would probably be deemed to owe a duty to nonclients under the proximity test because they are foreseeable.19


    The crucial considerations, with regard to SysTrust provider liability, are policy factors that could serve to curtail or eliminate any duty established. Interestingly, the court indicated that a fundamental policy consideration is that the alleged wrongdoer should not be exposed to “liability in an indeterminate amount for an indeterminate time to an indeterminate class.”20 The court’s concern with indeterminate liability reflects the opinion of the CICA (Deturbide, 1998).

    The judges engaged in a lengthy discussion of the undesirable consequences of imposing limitless liability on accountants. The Hercules Managements case states that some of the consequences include an increase in liability insurance premiums, a decrease in the supply of accounting and assurance services, an increase in the cost of accounting services, and a negative effect on the timeliness of accountant work product (as accountants would expend more time in the performance of services to reduce the risk of litigation). Another consequence would be a serious logjam of court cases. The court also noted that boundless liability promotes “free ridership” on the part of relying third parties who lose their incentive to exercise vigilance. In short, the court indicated that concerns over indeterminate liability will serve to negate any duty owed to nonclients in most cases (Deturbide, 1998). The Hercules Managements case resulted in Canada adopting a restricted version of the limited class of users test (Pacini, Martin, & Hamilton, 2000).21

    Although Hercules does not directly address the negligence liability of a CA to third parties for providing assurance services involving information systems, the ruling can be applied to a SysTrust engagement. The court’s emphasis on the public policy reasoning against the specter of limitless liability seems to indicate that SysTrust providers will be insulated from liability to third-party users of SysTrust reports in Internet situations. However, EDI and Extranet users might fall into the category of a limited class of user who relies on a SysTrust report for a known, specific purpose or transaction. This possibility points out the importance of SysTrust providers taking the necessary steps to minimize SysTrust litigation risk.

    Australia

    Australia also has no reported case that addresses directly the liability of a CA to third parties for performing negligent information system assurance services. However, in 1997, the High Court of Australia issued a ruling in Esanda Finance Corp. Ltd. v. Peat Marwick Hungerfords22 that could have a bearing on the negligence liability of SysTrust assurance providers to third parties. Esanda Finance provided financing to Excel Finance Corp. and a number of its subsidiaries. Excel guaranteed all debt financing provided by Esanda. When Excel went into bankruptcy, Esanda filed suit against Peat Marwick claiming losses as a result of a negligent audit.


    In dismissing Esanda’s negligence claim, the High Court unanimously held that mere reasonable foreseeability that third parties might rely on an accountant’s work product was insufficient to give rise to a duty of care (Swanton & McDonald, 1997). Australian law requires both foreseeability of harm and a “relationship of proximity” for a duty of care to arise in cases of pure economic loss (such as a SysTrust engagement). Such a relationship may exist in EDI or Extranet business transactions with trading partners.

    In Australia, the relationship of proximity can be established in a number of ways. However, mere knowledge by a CA that his or her work product will be communicated to a third party is insufficient to create a duty of care. The High Court also refused to endorse the principle that liability of accountants should extend to members of a class whom the accountant knows or ought to know will rely on the work product. A duty of care to a nonclient, absent a CA’s response to a request for information from a specific third party, is difficult to establish. The CA must intend to induce reliance on his or her work product by a third party or a limited class to which the third party belongs (as might be the case in EDI or Extranet transactions) for a duty to arise.23 If the accountant knows the purpose for which information is supplied to a nonclient and the information is, in fact, used for that purpose (e.g., a specific transaction) then the third party’s reliance is considered reasonable (i.e., intent to induce reliance is inferred). However, a lack of intent to induce reliance is not necessarily fatal to establishing a duty of care because other factors may exist that establish proximity.24

    As well as analyzing proximity, the High Court outlined numerous policy factors that should be weighed in deciding whether an accountant assurance provider owes a duty of care to a nonclient. These factors include:

    1. Liability insurance—the effect on the accountant’s ability to obtain liability insurance.

    2. Supply of services—the likely reduction in the supply of accounting services.

    3. Standard of care—a reduction in the level of accountants’ due professional care because of cost-cutting measures implemented to keep fees competitive.

    4. Legal system—the potential adverse effects on the administration of justice in the form of lengthy hearings clogging the court system if a duty to a large number of third-party users is recognized.

    5. Investors and creditors—the realization that many plaintiffs are sophisticated and have other means of avoiding risks.

    6. Cause of loss—the understanding that the accountant’s role in the third party’s loss is secondary to that of the client’s.

    7. Role of assurance report—a recognition that the third party is likely to be influenced by a myriad of factors other than the assurance report.


    8. Unlimited guarantee–the understanding that the imposition of a duty of care would amount to the creation of an unlimited guarantee in favor of nonclients for which assurance providers receive no payment.

    In summary, the Esanda ruling gives some cause to expect that the trend in Australian law will be toward contraction rather than expansion of the scope of the negligence liability of assurance providers (Swanton & McDonald, 1997). However, as in Canada, EDI and Extranet users might be considered a limited class of user who relies on a SysTrust report for a known specific purpose or transaction. Thus, assurance providers need to be aware of potential litigation risk and adopt strategies to minimize that risk.

    New Zealand

    Again, we consider the law of accountant liability to nonclients for negligence due to a lack of any specific court decision(s) dealing with third-party liability for negligent information systems reliability assurance. The leading New Zealand case is now Boyd Knight v. Purdue.25 In that case, a group of investors purchased secured bonds from Burbery Mortgage Finance & Savings, Ltd., between July 1 and August 10, 1988. The purchases were made in response to an offer made in a prospectus that contained a report signed by Boyd Knight, a firm of chartered accountants. Burbery ultimately failed and the bond purchasers, as a class, sued the auditors for negligently failing to detect fraud committed by the CEO. Shareholders’ equity was overstated by $1.5 million (NZ) on the balance sheet included with the prospectus. At the trial level, the plaintiffs were awarded $375,000.

    In addressing the issue of the accountant’s duty of care, the Court of Appeal stated that accountants do not assume a responsibility to anyone other than their corporate client, and through it, its shareholders. Accountants owe no duty to present or future creditors or to those who may be contemplating investing, or further investing, in the company’s debt or equity securities. Accountants owe a duty only to a third person whom they, themselves, show their work product, or to whom they know their client is going to show the work product, so as to induce the third person to invest money or take some other action. Moreover, any duty applies only to those transactions for which the accountants knew their work product was required.

    The Court of Appeal emphasized that actual reliance on an accountant’s work product must be proven by the suing party for the accountant to owe a duty of care to an aggrieved third party under a negligence theory. An accountant has no obligation to a nonclient who has not read and relied on the accountant’s work product. For a duty of care to arise, actual reliance refers to a “specific influence” of the work product on the mind of the user not just a general reliance occasioned by an assumption that an investment, purchase, or expenditure is sound because a prospectus or other document contains information attested to by an accountant.

    It is likely that the Boyd Knight case will make it more difficult for the third-party user of a SysTrust report to have a legal right to sue an assurance service provider. The SysTrust provider must be aware of the particular third party or limited group of nonclients and actual reliance must be demonstrated by those third parties for a duty of care to arise.

    United Kingdom

    No decided case exists in the United Kingdom on the liability of an assurance provider to third parties for the negligent performance of system reliability assurance services. However, one case that could govern the negligence decisions of systems reliability assurance providers is Caparo Industries PLC v. Dickman.26 Caparo Industries owned shares in Fidelity PLC for which Caparo was considering a takeover bid. Caparo received a copy of the 1984 financial statements audited by Touche Ross. In reliance on a reported profit of £1.3 million, Caparo made a successful takeover bid for Fidelity. Subsequently, Caparo discovered that Fidelity had actually lost £460,000. Caparo alleged that the audited financial statements had been negligently prepared.

    In a unanimous decision, the House of Lords, the highest court of law in the United Kingdom, dismissed the negligence claim. The court ruled that an auditor of a public company, in the absence of special circumstances (e.g., an audit report commissioned on behalf of a party for a particular purpose), owes no duty of care to an outside investor or an existing shareholder who buys stock in reliance on a statutory audit (Nicholson, 1991). The court fashioned a three-prong test for an auditor’s duty of care to arise (Murphy, 1996). First, foreseeability of the third party must exist. Second, proximity must be present between the suing party and the accountant. Third, it must be just and reasonable on a policy basis to impose a duty of care on the auditor (Ivankovich, 1991).

    The House of Lords’ legal analysis focused on “proximity,” the second prong of the test. The following conditions must exist for proximity to arise: (1) the accountant knew that his or her work product would be communicated to a known third party or a known third-party class; (2) the third party suffered damage as a result of relying on the accountant’s work product; and (3) the work product was used for the purpose for which it was prepared (Marshall, 1990).27 The accountant’s knowledge includes not only actual knowledge, but such knowledge as would be attributed to a reasonable person situated as the accountant (Morris, 1991). The knowledge requirement, however, must be met at the time the accountant’s work is performed, not at some later date after an audit opinion, SysTrust report, and so forth, is disseminated (Ivankovich, 1991). These three requirements may be met in EDI and Extranet situations. Liability will attach when the assurance provider knows the SysTrust report will be communicated to a third party or known, limited, third-party class who suffered actual damage from relying on such reports.

    If applied to a SysTrust provider, the Caparo approach would limit any potential negligence liability to third parties. An unknown user of a SysTrust report would be outside the scope of an assurance provider’s duty of care because the purpose of SysTrust is to increase the comfort of management and third-party users with an entity’s information system(s). A SysTrust provider would have to be aware of the actual reliance on a SysTrust report by a member of a known, fixed, and definite class of third-party users for a specific purpose for a duty of care to arise. It is possible that the Caparo standard can be satisfied in certain EDI, Extranet, or Internet situations. Thus, assurance providers need to adopt litigation risk minimization strategies at the onset of systems reliability assurance engagements.

    OTHER INTERNATIONAL CONSIDERATIONS

    SysTrust presents a challenge to private international law because the use of computer communication networks, such as value-added networks (VANs) (for EDI) and the Internet, are transcendent of spatial boundaries (Gosnell, 1998). Computer communication networks flow indiscriminately across international boundaries as easily as they flow across the street. Thus, the legal uncertainty faced by SysTrust providers is increased by potential liability from breaking other nations’ laws. For example, foreign nations usually can assert jurisdiction over nonresidents when the exercise of that jurisdiction is “reasonable” (Wilske & Schiller, 1997). Circumstances that have been found in the past to be reasonable include:

    1. Regularly conducting business in a foreign country.

    2. Engaging in an activity outside the foreign country that had a substantial, direct, and foreseeable effect within the particular country.

    3. An activity that is the subject of court action being owned, possessed, or used in the foreign country (American Law Institute, 1987).

    Conceivably, a court in another country could deem it reasonable to exercise jurisdiction over an accounting firm that provided a SysTrust assurance report regarding an information system relied on by a company within that nation’s borders in an international transaction.

    Once a SysTrust provider becomes subject to the power of a foreign court, the question becomes what nation’s law would be applied to the transaction in dispute. Wilske and Schiller (1997) indicate that a foreign court could apply the law of the country of the SysTrust provider or its own nation’s law. The choices of applicable law in international disputes involving accountants’ liability are blurred and lack uniformity (Ebke, 1984). Foreign courts have significant leeway in deciding which body of law to apply to an American or Canadian accounting firm. Being subjected to the application of another country’s laws in that nation’s courts, however, may not pose as much risk to a U.S., Canadian, Australian, New Zealand, or U.K. accounting firm as it would to a firm subjected to American law in an American court (Miller & Young, 1997).

    Various procedural aspects of foreign law may make a foreign court more hospitable to a SysTrust provider than an American court. First, as a general rule, except in Canada, class action lawsuits may not be filed under the laws of most other nations (Ebke, 1984). This is a significant procedural deterrent to the filing of a claim against a SysTrust provider by a group of aggrieved third parties composed of suppliers, customers, trading partners, and/or other third parties. Contingent fees (i.e., fees dependent on a particular outcome) are not permitted in most countries outside of the U.S. and Canada (Silva, 1993). The absence of contingent fees means that one who files a legal claim against a SysTrust provider must pay his or her lawyer out-of-pocket as the case progresses (regardless of outcome). Third, many countries, as in Canada and the UK, follow the “English rule” with regard to the payment of legal fees (Hill, Metzger, & Schatzberg, 1993). Under this rule, the loser must pay the winner’s legal fees. Such a rule is a disincentive to the filing of frivolous lawsuits. Also, accountant liability lawsuits outside the U.S. do not offer the prospect of large jury awards because most foreign jurisdictions do not permit jury trials or punitive damage awards (Smit, 1996; Ebke, 1984). In Canada, punitive damage awards are possible, although no such cases were found involving accountants as defendants.

    Even if a business or other entity or consumer obtains a judgment in a foreign court against an American or Canadian SysTrust provider, however, the judgment often must be enforced in an American or Canadian court. Such enforcement is necessary if a foreign business, other entity or consumer seeks to levy on assets in the U.S. or Canada owned by the SysTrust provider. Foreign judgments are usually enforced in American or Canadian courts (Potter, 1997; Ivankovich, 1994), but an additional court proceeding increases the burden on a foreign business suing in a foreign jurisdiction.

    STEPS TO MINIMIZE LITIGATION RISK

    As suggested by the AICPA’s Litigation Risk Model for Assurance Services (AICPA, 1998), the first step SysTrust providers should take is to determine whether to perform the assurance service. Firm partners should consider the effect of the SysTrust engagement on the firm’s overall litigation risk exposure as well as the standards to which they will be held. The firm first must have a good grasp of the risk posed by the services it already offers and consider the additional overall risk of SysTrust engagements by:

    1. Identifying the risks—Who are the parties that can bring suit? What are the legal grounds for bringing suit?

    2. Evaluating the risks—What are the costs and benefits to be derived? and

    3. Quantifying the risks—What is the likelihood of loss and what are the dollar ranges of loss?

    If, after evaluating all service offerings, the accounting firm decides the potential litigation risk posed by the SysTrust service is acceptable, then client acceptance/rejection decisions must be made.

    The importance of the decision to accept a SysTrust client or continue to offer the service to an existing client is reflected in the inclusion of acceptance and continuance of clients as one of the five quality control elements for U.S. CPA firms (AICPA, 1997). The steps involved in the SysTrust engagement evaluation process include:

    1. Evaluating the integrity of management.

    2. Identifying special circumstances and unusual risks.

    3. Assessing the firm’s competencies to perform SysTrust engagements.

    4. Evaluating independence.

    5. Determining the accountant’s ability to use due care.

    6. Preparing an engagement letter.

    Many American and Canadian accounting firms enter into written engagement agreements with audit clients. A firm should make a comparable arrangement with a SysTrust client. Some of the more important provisions that should be considered in a SysTrust engagement letter include:

    1. The objective of a SysTrust engagement is the expression of an opinion on the client’s conformity with the SysTrust criteria for a given information system.

    2. Management is responsible for establishing and maintaining compliance with the SysTrust standards for accessibility, maintainability, integrity, and security.

    3. Management is responsible for making all required information necessary to complete the engagement available to the SysTrust provider.

    4. At the conclusion of the engagement, management will provide the SysTrust provider with a letter that confirms certain representations made by management during the engagement.

    5. The use of a loss-limiting clause or hold-harmless provision.

    A loss-limiting clause is a contractual provision that requires the client to belimited to a specified amount it can claim from the accountant (for example, feespaid) for losses caused by services delivered. Alternatively, these clauses might

    207 At the Interface of the Electronic Frontier and the Law

  • 8/19/2019 Auditing Pacini 2000

    24/34

    specify that the client will indemnify the SysTrust provider against claims by third

    parties. In short, such a clause or provision attempts to limit the amount for whicha CPA can be sued. (However, gross negligence and intentional misrepresentationby the SysTrust provider nullify such agreements).

    Currently, an AICPA ethics interpretation allows a practitioner to add loss-limiting clauses to engagement letters to cover situations in which a loss arisesfrom an intentional misrepresentation by the client (AICPA, 1999c). However,AICPA guidelines are silent on whether a loss-limiting clause impairs a CPA’sindependence in an audit engagement. The SEC, however, considers a loss-limiting clause as an impairment to independence (AICPA, 1998). Moreover, thelegal effect of such clauses may vary by country. In sum, loss-limiting clauses

    present the SysTrust provider with a means to control litigation risk, but their use,at best, is quite restricted. CPAs/CAs offering SysTrust services should consultlegal counsel before using a loss-limiting clause or hold-harmless provision in anengagement agreement.

    Another option is to consider including an alternative dispute resolution (ADR) provision in the engagement letter. ADR refers primarily to arbitration (in which the decision of an arbitrator is binding) and mediation (in which a mediator assists in reaching a settlement). The courts and legislatures of leading countries have enunciated strong public policy favoring the resolution of international commercial disputes by arbitration (Marinelli, 1998). However, ADR is aimed at disputes with clients, not third parties. Primary benefits of ADR are avoidance of uncertainties (for example, deciding in which venue a dispute will be heard), and reduction of delays and the expense of the judicial system. A disadvantage of ADR is that its low cost may encourage grievances by clients who would not otherwise commence litigation. Accountants should check their insurance because some insurance policies limit use of ADR. ADR does have its limitations, so the SysTrust provider should consult legal counsel before using an ADR clause.

    CONCLUSION

    The AICPA/CICA have developed a new and promising assurance service for CPAs/CAs to offer clients–SysTrust. This assurance service is designed to increase the comfort of management, customers, suppliers, and business partners with the systems that support a business or other entity. An accountant who wishes to offer SysTrust should understand the litigation risk environment before proceeding to perform SysTrust engagements. Accountants often become defendants in lawsuits filed by disgruntled third parties because accountants are perceived as “deep pockets.” Moreover, the potential liability of SysTrust providers is significant given the growing use of EDI, Extranets, and the Internet.

    208 INTERNATIONAL ACCOUNTING, AUDITING & TAXATION, 9(2) 2000


    Presently, no United States, Canadian, Australian, New Zealand, or United Kingdom court decision has been reported that addresses directly the liability of accountants to third parties for negligently performing system reliability assurance services. In Canada, Australia, New Zealand, and the United Kingdom, present law regarding accountant liability indicates that a SysTrust practitioner would owe third-party SysTrust report users a duty under limited sets of circumstances (e.g., when the practitioner knows a SysTrust report will be shown to a third party who is a member of a known, limited class of persons and the third party relies on the report in a known, specific transaction). In the United States, the results of existing court cases and application of accountant privity statutes offer encouragement in some states, especially those that follow a privity or near-privity standard. In the 18 states that follow the traditional Restatement standard, the SysTrust provider has liability exposure to more third parties than under the privity or near-privity standard, but it still is limited to known, fixed, limited groups of SysTrust report users. In Texas, Minnesota, Mississippi, and Wisconsin, however, the SysTrust practitioner faces a higher degree of litigation risk. Under the reasonable foreseeability rule (or expansive interpretation of the Restatement standard), many third-party SysTrust report users would have a legal right to sue the assurance provider. The SysTrust practitioner’s legal exposure in those 13 states without a direct court ruling or accountant privity statute is highly uncertain. Accountants who exercise caution and common sense will likely find the SysTrust service to be a profitable long-run addition to their list of services.

    Acknowledgments: We would like to thank two anonymous reviewers for their suggestions.

    NOTES

    1. There are differences between the CPA/CA SysTrust service and the CPA/CA WebTrust. These differences relate to both the nature of the systems being addressed and the nature of the assurance being provided. WebTrust focuses only on Internet-based systems; SysTrust applies to numerous types of systems (Boritz, Mackler, & McPhie, 1999). CPA/CA WebTrust is designed to instill confidence in consumers and entities that conduct business over the Internet. Increased consumer trust and confidence in e-commerce is to be achieved by CPAs and CAs evaluating and monitoring business website practices, procedures, and controls. SysTrust, on the other hand, focuses specifically on the reliability of systems themselves (Boritz, Mackler, & McPhie, 1999).

    2. In the U.S., in 1993, the Big 6 (now Big 5) accounting firms’ expenditures for settling and defending lawsuits were $1.1 billion or 11.9% of domestic auditing and accounting revenue (Dalton, Hill, & Ramsay, 1994). In 1994, the Big 6 firms claimed that a tidal wave of liability lawsuits threatened their existence (Marino & Marino, 1994). Large settlements have continued in the U.S. including a $125 million payment by Price Waterhouse Coopers and Ernst & Young stemming from the collapse of the Bank of Credit and Commerce International (Trapp, 1999) and a $335 million payment by Ernst & Young to shareholders of CUC International over the audit of that firm (Peel, 1999). In the United Kingdom, the Big 6 accounting firms faced 627 outstanding legal cases claiming damages of £20 billion by mid-1994 (Beckett, 1994). The largest firms in the U.K. are paying as much as 8% of their auditing and accounting fee income on professional liability insurance (Napier, 1998). UK accountants are concerned that they could be heading toward an environment as litigious as the U.S. (Peel, 1999). By 1994, at least $1.3 billion (Canadian) of unresolved claims were pending against Canadian accountants (Jeffrey, 1994). In Australia, accountants have faced an unprecedented litigation problem (Cooper & Barkoczy, 1994). It is estimated that the total amount of negligence claims that have been brought against Australian accountants accumulated to approximately A$8 billion (Miller, 1999). In New Zealand, a significant number of accounting firms have faced litigation and the cost of defending such lawsuits has been recognized as a major business problem (Lepper, 1992; Porter, 1993).

    3. The degree to which accounting rules are legislated can affect the nature of an accounting system. In code law countries, laws stipulate minimum requirements, and accounting rules tend to be highly prescriptive and procedural. In common law countries, laws establish limits beyond which it is illegal to venture, and within those limits experimentation is encouraged (Meek & Saudagaran, 1990).

    4. SysTrust services are performed in the United States under the AICPA’s Statement on Standards for Attestation Engagements No. 1 (AT §100) (AICPA 1999a). In Canada, SysTrust services are conducted under the CICA’s Standards for Assurance Engagements (§5025) (CICA, 1999). Moreover, in the U.S. quality control standards apply to SysTrust engagements. Quality control standards assure that attestation standards are applied to covered engagements. Statement on Quality Control Standards No. 2, “System of Quality Control for a CPA Firm’s Accounting and Auditing Practice,” requires that a firm have a comprehensive and suitably designed quality control system, encompassing the firm’s organization structure, internal policies, and procedures. The four Commonwealth nations also have quality standards that apply to SysTrust services.

    5. One prime example of such a situation occurred in Performance Motorcars v. Peat Marwick, 643 A.2d 39 (N. J. Super., 1994). Performance Motorcars, Inc., a New York business, sued Peat Marwick in a New Jersey court, alleging that it suffered losses after one of its customers, Coated Sales, Inc., went bankrupt. Performance conceded that if New York law applied, it would not be able to sue Peat Marwick. Ultimately, an appeals court held that New Jersey law applied giving Performance a legal right to sue under New Jersey law applicable at the time of the suit. In 1995, the New Jersey legislature passed a statute that changed state law to a stricter standard (i.e., near privity) than the one applied in Performance Motorcars (i.e., reasonable foreseeability rule) for determining the scope of an accountant’s duty to nonclients.

    6. 107 A. 783 (Pa. 1919)

    7. 174 N. E. 441 (N.Y. 1931)

    8. 483 N. E. 2d 110 (N.Y. 1985)

    9. The eight states include Arkansas, Illinois, Kansas, Louisiana, Michigan, New Jersey, Utah, and Wyoming.

    10. The four states are Idaho, Montana, Nebraska, and New York.

    11. 284 F. Supp. 85 (D. R. I. 1968)

    12. Restatements of the Law are a product of attorneys working under the aegis of the American Law Institute. Restatements are not binding authority on courts but represent a synthesis of common law rules.

    13. Badische Corp. v. Caylor, 356 S. E. 2d 198 (Ga. 1987)

    14. 461 A. 2d 138 (N. J. 1983)

    15. [1997] 2 S. C. R. 165

    16. [1977] 1 S. C. R. 466


    17. Anns v. Merton London Borough Council, [1978] A. C. 728; Kamloops v. (City of) Nielson, [1984] 2 S. C. R. 2.

    18. The two-stage approach has been applied by the Supreme Court of Canada in the context of various types of negligence actions, including cases involving claims for different forms of economic loss. It was endorsed implicitly in the context of an action for negligent misrepresentation in Edgeworth Construction Ltd. v. N. D. Lea & Associates Ltd. [1993] 3 S. C. R. 206.

    19. Some Canadian legal commentators urge that foreseeability of harm cannot be the sole determinant of liability. The predication of liability upon pure foreseeability of economic harm is incompatible with a competitive economic system. A free market system treats many types of losses as legitimate and even beneficial; the economically inefficient deserve to incur certain losses. Once foreseeability of harm is established, to answer the duty question in any given situation really involves an inquiry into two broad areas. First, does it make economic sense to shift this type of loss? Second, what do community expectations have to say about whether the plaintiff is reasonably entitled to rely on the accountant or other defendant to protect him or her from harm in the particular situation? Such questions are unavoidable and are matters of policy (Cherniak & Stevens, 1992). This argument points out the overriding importance of the second prong of the Anns/Kamloops test.

    20. The quoted language is from Justice Cardozo’s famous opinion in Ultramares v. Touche, 174 N. E. 441 (N.Y. 1931). The Supreme Court of Canada cited Ultramares with approval.

    21. The “limited class of users test” requires the accountant to have actual knowledge of the limited class of users who will use and rely on the accountant’s work product. The Supreme Court of Canada first applied an expanded version of the test to accountant liability in Haig v. Bamford [1977] 1 S. C. R. 466. One of the most important considerations in application of the limited class of users test is the nature of the intended transaction(s) that are the subject of the accountant’s work product (Ish, 1977). It is one thing, in a relatively simple situation, to identify a small and discrete group of individuals who are or can be identified as relying directly on the judgments of professionals (e.g., a SysTrust provider) with whom they have no direct contractual or fiduciary relationship. It is another question altogether, in more complex cases, to contemplate the dimensions of the liability for negligence that may arise where it is known that the opinions of an accountant or other professionals are to be widely disseminated and relied on by a broad class of persons (Brown, 1977).

    22. (1997) 71 A. L. J. R. 448

    23. One Australian legal commentator has argued that it will be seldom, if ever, that an accountant will perform services intending to induce third parties to rely on them or have any reason for wanting third parties to so rely (Davies, 1991).

    24. Certain factors may be identified by the fact that the High Court stressed their absence from pleadings in the case. These factors are: (1) The maker of a statement may possess skill and competence in the area that is the subject of communication; (2) The maker of a statement has an interest in the recipient of the statement acting in a certain way; or (3) The provider of information may warrant the correctness of the information supplied to a third party (Swanton & McDonald, 1997).

    25. [1999] 2 N. Z. L. R. 276

    26. [1990] 2 A. C. 605

    27. The three conditions that must be met to satisfy the proximity element make the Caparo test quite similar to the U.S. Restatement standard. The one aspect of the Caparo test not formally outlined in the Restatement standard is imposing liability from a policy standpoint on a “just and reasonable” basis. Ironically, U.S. courts often engage in open policy discussions when addressing the scope of an accountant’s duty to third parties for negligence.


    Appendix A. Overview of SysTrust Criteria

    Availability: Illustrative Controls

    The entity has defined and communicated performance objectives, policies, and standards for system availability.

    ●  Procedures exist to identify and document authorized system users and their availability requirements.
    ●  Procedures exist to log and review requests from authorized users for changes and additions to system availability objectives, policies, and standards.
    ●  A formal process exists to identify and review contractual, legal, and other service level agreements and applicable laws and regulations that could impact system availability objectives, standards, and policies.
    ●  The items noted above are properly documented and communicated to appropriate personnel and/or system users.

    The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and procedures.

    ●  System availability features are regularly tested and variances are recorded.
    ●  A risk assessment is prepared and reviewed on a regular basis and considers fire, flood, dust, excessive heat, humidity, and labor problems.
    ●  Vendor warranty specifications are complied with and tested.
    ●  Disaster recovery and contingency plans are documented and tested.
    ●  Backup data processing capability is available. Data and software are regularly backed up offsite.
    ●  Physical and logical security controls exist to reduce unauthorized actions by users.
    ●  Competent personnel responsible for availability have relevant experience and receive training.

    The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.

    ●  The internal audit function includes system availability reviews in its annual audit plan.
    ●  Problem logs are reviewed and trends are analyzed to identify impact on system availability.
    ●  Procedures exist for the documentation, resolution, and review of problems.
    ●  System component changes are assessed for impact on system availability, objectives, policies, and standards.

    Security: Illustrative Controls

    The system security requirements of authorized users, and system security objectives, policies, and standards are identified, documented, and communicated to users.

    ●  Objectives, policies, and standards exist that support the implementation, operation, and maintenance of security measures.
    ●  Security levels are defined for each of the data classifications identified above the level of “no protection required.”
    ●  A risk assessment approach has been established that focuses on an examination of elements of risk such as threats, vulnerabilities, safeguards and consequences.
    ●  A security awareness program communicates the information technology security policy to each user.

    Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service level agreements and applicable laws and regulations.

    ●  A formal process exists to identify and review contractual, legal, and other service level agreements and applicable laws and regulations that could impact system security objectives, policies, and standards.

    Responsibility and accountability for system security have been assigned.

    ●  Responsibility for the logical and physical security of the entity’s information assets is assigned to appropriate individuals.

    The entity utilizes procedures, people, software, data and infrastructure to achieve system security objectives in accordance with established policies and standards.

    ●  The access control and operating system facilities have been appropriately installed, including implementation of parameters to restrict access in accordance with policies.
    ●  The operators, users, and custodians of system components implement and comply with procedures and controls that meet security objectives, policies, and standards.

    There are procedures to identify and authenticate all users authorized to access the system.

    ●  All paths that allow access to significant information resources are controlled by the access control system facilities.
    ●  Unique user IDs are assigned to individual users. Passwords are used to validate IDs.
    ●  Data owners are responsible for authorizing access to data and systems, and proper segregation of duties is considered in granting authorization.
    ●  Access to utility programs that can read, add, change, or delete data or programs is restricted to authorized individuals.

    There are procedures to restrict access to computer processing output and files on off-line storage to authorized users.

    ●  Processing outputs and off-line storage media are stored in an area that reflects information classification.

    There are procedures to protect external access points against unauthorized logical access.

    ●  If connection to the Internet or other public networks exists, adequate firewalls or other procedures are operative to protect against unauthorized access.

    There are procedures to protect the system against infection by computer viruses, malicious codes, and unauthorized software.

    ●  There are periodic checks of the entity’s computers for unauthorized software.

    There are procedures to segregate incompatible functions within the system and to protect the system against unauthorized physical access.

    ●  An assignment of responsibility is maintained that ensures that no single individual has the authority to read, add, change, or delete an information asset without an independent review.
    ●  Access to computers, disk, and tape storage devices, communications equipment, and control console is restricted to authorized personnel.

    The entity monitors the system and takes action to achieve compliance with system security objectives, policies, and standards.

    ●  The internal audit function includes system security reviews in its annual audit plan.

    Environmental and technological changes are monitored and their impact on system security is periodically assessed on a timely basis.

    ●  A risk assessment has been prepared and is reviewed on a regular basis or when a significant change occurs in either the internal or external environment.

    Integrity: Illustrative Controls

    The entity has defined and communicated performance objectives, policies, and standards for system processing integrity.

    ●  Procedures exist to identify and document authorized users of the system and their integrity requirements.

    Documented system processing integrity objectives, policies, and standards have been communicated to authorized users.

    ●  Procedures exist to log and review requests from authorized users for changes to system processing integrity objectives, policies, and standards.

    The entity utilizes procedures, people, software, data, and infrastructure to achieve system processing integrity objectives.

    ●  System processing integrity features are regularly tested and variances are recorded and followed up.
    ●  Hardware and software acquisitions and implementations are subjected to extensive testing prior to acceptance in production.
    ●  Input form design should help assure that errors and omissions are minimized.
    ●  The entity has procedures to ensure that all authorized source documents are complete and accurate, properly accounted for, and transmitted in a timely manner.
    ●  Transaction data entered for processing are subjected to a variety of controls to check for accuracy, completeness, and validity.

    There are procedures to ensure that system processing is complete, accurate, timely, and authorized.

    ●  There is an appropriate segregation of incompatible

    duties with regard to handling of production