CHAPTER 2

The International and U.S. Audit Environments

This chapter discusses factors influencing legal liability of auditors in the United States and abroad. This chapter focuses on:

  • legislation and law in the United States that could affect the liability of auditors;
  • legislation internationally that could affect the liability of auditors;
  • liability to third parties, criminal liability under statutory law in the United States and in Europe;
  • important differences in legislation that could affect the liability of U.S. auditors working in a European environment.

Introduction

Many parties rely on audited financial statements. The parties include, but are not limited to, stockholders, trade creditors, bankers, customers, employees, state governments, and the federal government. All these parties could be adversely affected by inappropriate audit opinions and, hence, could potentially sue the auditor. To what extent is the auditor liable to each of these parties? This is a difficult question to answer. In the United States, the nature and extent of liability could vary from state to state. To understand legal liability, we have to first understand laws that affect the auditor when carrying out the audit function on behalf of the client. The audit firm, as an institution, has a duty to enforce its personnel's compliance with the relevant law, and the individual auditor, regardless of the activities or preferences of their firm, has the obligation to follow the law. Auditors in the United States, both as audit firms and as individuals working in the audit firms, are affected by common law and statutory law.

Laws in the United States and certain other countries (e.g., the United Kingdom) can be classified as either common law or statutory law. Common law is based on precedent or case law. Under common law, new laws are created through decisions made by judges. The judges in turn make decisions using earlier cases as precedents. If there are no prior cases that can be used as precedents, then whatever the judge decides becomes law. Statutory law, in contrast, is written law decided by the legislature or, with a grant of authority from the legislature through a provision in legislation, a government agency. These laws are not based on lawsuits that have been heard in a court of law, but rather are issued to meet the needs of citizens or to formalize existing law or to resolve an outstanding issue that the courts refer to the government.

The auditor could face either civil or criminal liability under statutory law. They also face liability as members who should be acting according to professional standards, but who are believed not to be doing so. That is, failure to meet professional standards in the conduct of an audit may subject the auditor to punishment under statutory law. In this chapter, the regulation that affects auditors in the United States and other countries (mainly in Europe), and the background to that regulation, are discussed. This is important because applicable laws and regulations vary by country. Further, in some countries only the auditor signing the contract (engagement letter) is liable, whereas in others all partners are liable. Some countries have laws which allow third parties to sue even the assistants who worked on the audit. Liability to third parties can vary. Finland is the extreme case where even statutory representatives of the auditor (banks, etc., which give information to the auditor) could be sued. There is usually a limit to the amount of time after a legal violation that the offense can be brought to court and ultimately punished, called the statute of limitations. The statute of limitations for lawsuits varies by country from 5 to 20 years. Further, liability caps (the maximum amount for which the auditor can be sued) vary, from specified amounts in some countries to unlimited amounts in others. In some countries, auditors are allowed to limit liability by including a limitation in the contract signed with the company being audited. In other countries, this is not permissible. Thus, it is vital for auditors from the United States to be aware of these differences. We first discuss relevant regulation that affects auditors in the United States. Then we do a comparative analysis with other countries. This chapter then concludes by discussing the Sarbanes-Oxley Act in the United States and its comparable equivalent in Europe and the implications of these new laws for auditors.

Legal Liability in the United States

A client, as a plaintiff or injured party, can bring action against an auditor in the form of breach of contract; injured third parties can bring a tort action for negligence. A tort in common law is a civil wrong, which unfairly causes someone else to suffer loss or harm resulting in legal liability for the person who commits the tortious act. Whereas crimes may be torts, the cause of legal action is not necessarily a crime; the harm may be due to negligence that does not amount to criminal negligence. The victim of the harm can recover their loss as damages in a lawsuit. In order to prevail, the plaintiff in the lawsuit must show that the action or lack of action was the legally recognizable cause of the harm.

In the United States, Certified Public Accountants (CPAs) have both common law liability and statutory law liability. Common law liability arises from negligence, breach of contract and fraud. Statutory law liability is the obligation that comes from a certain statute or law. The sources can be summarized as follows:

  • Privity: CPAs and their clients enter into a contract to perform certain services. Liability occurs when there is a breach of contract. This would apply when the CPAs do not perform what they stated in the engagement letter.
  • Negligence: Negligence can be thought of as failure to exercise professional care. This can arise from a wrongful act, injury, or damage for which a civil action can be brought. Negligence in turn is dichotomized into ordinary and gross. Ordinary negligence is defined as failure of duty in accordance with applicable standards and gross negligence occurs when there is an apparent lack of concern for the likelihood that injuries will result.
  • Fraud: Fraud is the misrepresentation of a material fact by people who are aware of their actions and their consequences. There is the intention of misleading the other party, and the other party suffers injury as a result.
  • Statutory liability: CPAs have statutory liability under both federal and state security laws. Under statutory law, an auditor can be held civilly or criminally liable.

Tort actions are the most common because the monetary awards are substantially higher. Liability can be incurred under common law if a plaintiff can prove that the auditor did not discover financial statement fraud or employee fraud because they were negligent when conducting their audit. The injured party can be a client who has contracted with the auditor for an audit performed according to professional standards and who subsequently feels that contract has been breached by the auditor’s (alleged) failure to perform, or the injured party can be a third party or both the client and a third party. The right of the client itself to sue for breach of contract has long been settled law. The right of others, third parties, to sue in the event of an alleged failed audit has evolved over the years. Although this right of third parties has long been contested by auditors on the grounds of lack of privity of contract with the auditor (that the auditor never directly contracted with these parties to perform the audit), the auditor’s position in this regard has eroded over the years. We discuss the evolution of auditor liability to third parties, first in the United States and then in key European nations and the European Community (EC).

Common Law Sources of Auditor Liability in the United States

In this section, we discuss the evolution of auditor liability to third parties, first in the United States and then in key European nations and the European Community (EC). In most engagements, the auditor does not know specifically who will be using the financial statements but is aware that third parties, that is individuals or organizations other than the client organization and the auditor themselves, will be using them. Generally, the courts have held auditors liable to injured third parties when the auditor has been found guilty of fraud. The fundamental question, however, is who exactly is a third party? Whereas a third party is defined as an outsider who takes action (either investing or lending) based on the auditor’s report, there are different types of third parties. The courts differ as to which third party the auditor should be liable to. Overall the rule is foreseeability, namely, could the auditor have foreseen that a specific party would be adversely affected as a result of an inappropriate opinion?

Foreseeability and Negligence in Common Law

The fundamental issue is what a third party must prove to be successful in obtaining damages from an auditor. Overall, third parties must prove that:

  • they suffered a loss;
  • the loss was due to reliance on misleading financial statements;
  • the auditor knew, or should have known, that the financial statements were misleading.

However, courts have varied the standard or burden of proof by the plaintiff, depending on the likelihood that an auditor could reasonably foresee that a user might have relied upon the financial statements or other attestation services provided by the auditor. Generally, less foreseeable plaintiffs have a greater burden in proving that the auditor had a duty to them. However, the courts are not uniform on this issue. Overall, common law is based on court decisions. The most important case in the United States was the Ultramares case (1931).

The Ultramares Case: The Third Party Beneficiary Test

The landmark case of Ultramares Corporation v. Touche set the precedent for auditor liability to third parties. It was decided by the New York Court of Appeals in 1931. Judge Cardozo, writing the unanimous decision, expressed concern about expansive auditor liability to third parties. The court held that auditors are liable to third parties for fraud and gross negligence but not for ordinary negligence unless the plaintiff is part of the contract. A third party beneficiary must be specifically identified in the engagement letter as a user for whom the audit is being conducted. That specific identification makes the user a “known” user. For example, assume that a bank requires that an audit be conducted as part of the loan approval process and the name of the bank is specifically mentioned in the engagement letter. If the bank approved the loan based on a clean (unqualified) report and circumstances subsequently showed that an unqualified report was inappropriate, then the auditor may be held liable to the bank for ordinary negligence. If the bank had not been named in the engagement letter, however, such liability would not exist, and the auditors could not be sued by the bank as an injured third party.

The precedent set in the Ultramares case dominated judicial thinking for many years and is still followed in many jurisdictions. For example, in 1992, the California Supreme Court upheld the precedent set in the Ultramares case in the case of Bily v. Arthur Young and Co. A third party who had dealings with the Osborne Computer Company, which subsequently filed for bankruptcy, sued the auditor on the basis that they had taken action based on a clean opinion provided by the auditor. The plaintiff, Bily, noted that there was no impending warning in the auditor’s report to indicate the possibility of the company subsequently failing. The California Supreme Court upheld the Ultramares precedent. It concluded that extending auditor liability to other third parties “raises the spectre of multibillion dollar professional liability that is distinctly out of proportion to: (1) the fault of the auditor; and (2) the connection between the auditor’s conduct and third party’s injury.” However, in the 1980s the Ultramares precedent was amended by what was referred to as the foreseen user and foreseeable user tests. These are discussed below.

Expansion of Ultramares: The Identified (Foreseen) User Test

In the 1985 case of Credit Alliance Corp v. Arthur Andersen and Co, the New York Court of Appeals broke away from the Ultramares precedent and extended auditor liability for ordinary negligence to what they described as identified users. An identified user was defined as “a specific third party who the auditor knows will use the audited financial statements for a particular purpose, even though the identified user is not named in the engagement letter”. This is also referred to as the foreseen user test because the auditor is expected to foresee that these users would be impacted by negligence on the part of the auditor.

Expansion of Ultramares: The Foreseeable User Test

Some courts subsequently extended auditor liability to foreseeable users of audited financial statements. This was based on the notion that the environment had changed considerably since 1931. A foreseeable user is a third party who the auditor, in hindsight, could foresee as depending on the auditor’s report. In Rosenblum Inc. v. Adler, the New Jersey Supreme Court noted that the nature of the economy had changed since the Ultramares case and that auditors act as if a number of potential users rely on their audit opinion. The New Jersey court made it clear, however, that to have a valid claim, foreseeable users must have obtained the financial statements from the client for proper business purposes. This view is upheld by the Wisconsin Supreme Court as well. In Citizens State Bank v. Timm, Schmidt and Co, the Wisconsin Supreme Court extended auditor liability to creditors who could foreseeably use the audited financial statements as well. However, it must be noted that this does not apply equally in all states in the United States. Different rules apply in different jurisdictions.

Auditor Civil Liability under Statutory Law

Most countries have statutory laws that affect the civil liabilities of auditors. Securities laws, for example, may impose strict standards on professional accountants. In the United States, the Securities Act of 1933 created the Securities and Exchange Commission (SEC), and the subsequent 1934 Act regulates the trading of securities after their initial issuance. The Securities Act of 1933 requires a company to register with the Securities and Exchange Commission. In order to complete registration, the company must include audited financial statements and numerous other disclosures. If the registration statement is found to be materially misstated both the company and its auditors may be held liable. Plaintiffs need only prove that they suffered a loss because the registration statement was misleading. However, it must be noted that, in order to complete registration, the company must include audited financial statements along with numerous other disclosures. In order to avoid liability, the auditor must prove that the audit was performed with due diligence; that the plaintiff’s losses were not caused by misstated financial statements; and that the plaintiffs knew of the misstatement at the time the securities were purchased. The Securities Exchange Act of 1934 requires all public companies under SEC jurisdiction to file an annual audit and have quarterly review of financial statements. A review of financial statements is a much less detailed look at the process that generated the financial statements than would be found happening in an audit. It involves making inquiries of management and using analytical procedures (analyses of the relationships between numbers on the financial statements, for example) to acquire a limited assurance that the financial statements are not misstated.

Further, the Securities and Exchange Act of 1934 in the United States requires every company with securities traded on national and over the counter exchanges to submit audited financial statements annually. These are the most common periodic reports:

  • Annual reports to shareholders and 10Ks: 10Ks are corporate annual reports filed with the SEC. Both contain audited financial statements as well as other descriptive information on the company.
  • Quarterly financial reports to shareholders and 10Qs: 10Qs are quarterly reports filed with the SEC. 10Qs must be filed within 45 days of the end of each of the first three quarters and must be reviewed by the auditors.

The Act sets out (Rule 10b-5) criminal liability conditions if the auditor employs any device, scheme, or artifice to defraud or make any untrue statement of a material fact or omits to state a material fact, that is, the auditor intentionally or recklessly misrepresents information for third party use. The SEC also has authority to sanction or suspend an auditor from doing audits for SEC-registered companies.

These laws established the first statutory civil recovery rules for third parties against auditors. The liability provisions in these laws are similar to common law. The act explicitly makes it unlawful to make any untrue statement of a material fact or to omit to state a material fact that is necessary for understanding the financial statements. In Herzfeld v. Laventhol, Krekstein, Howarth and Howarth (1974) the auditors were found liable under the 1934 act for failure to fully disclose the facts and circumstances underlying their qualified opinion. Judge Friendly stated that the auditor cannot be content merely to see that the financial statements meet minimum requirements of GAAP but that the auditor has a duty to inform the public if adherence to GAAP does not fairly portray the economic results of the company being audited.

Under the 1934 act, an auditor may also be held liable for fraud in the purchase or sale of any security. Original purchasers of securities of a newly registered company making a public offering have recourse against the auditor if the financial statements are false or misleading under the Securities Act of 1933. Anyone who purchased securities described in the registration statement (S1) may sue the auditor for material representations or omissions in financial statements published in the S1 if they depended on the auditor’s report for their decision to purchase. (The registration statement has key information including, but not limited to: the nature of the business; rights of different classes of securities issued; directors and officer names; material contracts, balance sheets, and income statements covering three preceding fiscal years; any further financial statements which the SEC may deem necessary.) The auditor has the burden of demonstrating that reasonable investigation was conducted or all the loss of the purchaser of securities (plaintiff) was caused by factors other than the misleading financial statements. If the auditor cannot prove this, the plaintiff wins the case.

Criminal Liability under Statutory Law

Rittenberg, Schwieger and Johnstone (2008) note that a professional accountant may be held criminally liable under the laws of a country or district that makes it a criminal offense to defraud another person through knowingly being involved with false financial statements. As an illustration, in the United States v. Natelli (1975) two auditors were convicted of criminal liability for certifying the financial statements of National Marketing Corporation that contained inadequate disclosures pertaining to accounts receivable. In United States v. Weiner (1975), three auditors were convicted of securities fraud in connection with their audit of Equity Funding Corporation of America. Rittenberg et al. note that the fraud that the company perpetrated was so massive and the audit work so substandard that the court concluded that the auditors must have been aware of the fraud. In ESM Government Securities v. Alexander Grant and Co (1985), management revealed to the audit partner that the prior years’ financials were misstated and the partner agreed to say nothing in the auditor’s report. The partner was convicted of criminal charges for his role in sustaining the fraud and was sentenced to a 12-year prison term.

Auditor legal liability depends on the outcome of the court case. The plaintiff has to prove the case against the auditor in order to establish that liability. Specifically, in order to win a case, the plaintiff must prove the following:

  • The auditor has been negligent.
  • The auditor owes a duty of care to the plaintiff.
  • The plaintiff incurred losses because of the negligence of the auditor.
  • The plaintiff can quantify the extent of the loss suffered as a result of the auditor’s negligence.

The action taken against the auditors can vary depending on the perceived extent of the negligence. The sanction can be a fine, a reprimand (oral or written), a suspension for a limited period of time, or in the worst case scenario, a lifetime ban from the profession.

In the United States, these trials can be public and the verdicts are made public too, especially if the verdict is severe, such as a suspension or lifetime ban. The auditor has the right to appeal against the verdicts.

The issues discussed in the preceding section can be summarized as follows:

Applicable Laws and Regulations

In the United States, auditors are liable under contract law, common law, and statutory law. Under contract law, liability is based on breach of contract. Under common law, liability concepts are developed from court decisions such as those discussed above. Under statutory law, liability is based on federal securities laws primarily. To the auditing profession, the most important of these statutes are the Securities Act of 1933 and the Securities Exchange Act of 1934. These have been discussed earlier.

Who is Liable

There is a general misconception that an audit partner who signed the audit report is solely liable. This is not true. The audit report is signed with the name of the audit firm, for example, EY. Although the partner who oversees the audit is responsible for ensuring that the audit is carried out in accordance with professional standards, all partners jointly have to bear the losses in the event of a lawsuit.

To Whom May the Auditor Be Liable

The auditors can be held liable to clients in accordance with the terms of the contracts between them (usually the engagement letter). Auditors can be held liable to clients under contract law for breach of contract and can be sued by the client under the concepts of negligence, gross negligence, and fraud. Auditors can also be held liable by an approach established in the Ultramares case to assess the liability of an auditor for negligent misrepresentation. Prior to the Ultramares test, it was held that an accountant may be liable to any person whom the accountant could reasonably have foreseen would obtain and rely on the accountant’s opinion. Thus, the auditor’s liability was broad. The Ultramares test limits a CPA’s liability. This limits the accountant’s liability to a noncontractual third party who relied on an inaccurate financial statement to his or her detriment only if the accountant was aware that the report was to be used for a particular purpose. If the auditor was not aware or could not have foreseen the user(s), then the auditor is not liable.

Liability Cap

There are no caps on liability. Thus the auditor can be sued for an unlimited amount, though in practice, the court rules what they determine to be a justifiable amount.

Limitation Period (Statute of Limitations)

A statute of limitations refers to an enactment in a common law legal system that sets the maximum time after an event that legal proceedings can be initiated. The limitation period for an auditor (i.e., the period in which to sue an auditor) varies by state. In New York, for example, the Civil Practices Act requires that lawsuits must be commenced within two years after the event. In California, the time limit favors the plaintiff by stating that the statute does not begin when the event took place but rather when a victim realizes that the accountant’s incorrect advice (clean audit report which was not justified, for example) was the cause of the suffering.

Legal Liability in Europe

We now consider legal liability in Europe. In Europe, individual shareholders, creditors, and prospective purchasers of the audited company are all in a position to rely on the statutory auditor’s report and, as a result, suffer damages. It must be noted that the extent of the auditor’s duty of care, the amount and nature of the damages that can be granted, and the time period to file a lawsuit against the auditor (statute of limitations) are different from the United States and can vary by country in Europe. The discussion that follows is based on a report published by the European Economic Commission in 2005 entitled A study on systems of civil liability of statutory auditors in the context of a single market for auditing services in the European Union (hereafter referred to as the EEC Report).

According to the EEC report, the basis for legal liability varies by country, and this is a matter that auditors in the United States should be keenly aware of. In some countries, there are no specific statutory regulations (e.g., Denmark, Ireland, Luxemburg, Netherlands, and the United Kingdom). Hence, in these countries, only general rules of civil liability are applied to auditors. Some countries have specific statutory regulations that apply only to auditors (Austria, Belgium, Finland, Germany, Greece, Portugal, Spain and Sweden). A summary of the EEC Report in 2005 is provided in Table 2.1. Table 2.1 shows, by nation, whether auditors are subject to liability for torts, contractual breaches, or both.

The definition of torts is the commission of a civil (noncriminal) wrong that unfairly causes others to suffer damage or harm, including losses. Committing a tort results in legal liability for the person who committed that act. Torts may be due to negligence and may not necessarily constitute a crime. Torts, unlike criminal acts, are provable by a preponderance of the evidence. They do not require evidence showing guilt beyond a reasonable doubt. Contractual liability, in contrast, exists when a contract exists between individuals and one of the parties to the contract fails to perform his or her obligations under the contract. This is often called breach of contract. A key difference between tort and contract lawsuits is the way damages are awarded. The purpose of damage awards in breach of contract lawsuits is to restore the parties to their position before the breach occurred. In a tort claim, in contrast, the damages awarded serve to compensate the victims for the harm they suffered.

Table 2.1 Comparison of auditor liability by country in the European Union and elsewhere

Country          To audited (client) entities    To third parties
Austria          Contractual                     Contractual/Tort
Belgium          Contractual/Tort                Tort
Denmark          Contractual                     Tort
Finland          Tort                            Tort
France           Tort                            Tort
Germany          Contractual/Tort                Contractual/Tort
Greece           Contractual                     Tort
Ireland          Contractual/Tort                Tort
Italy            Contractual                     Tort
Luxemburg        Contractual                     Tort
Netherlands      Contractual                     Tort
Portugal         Contractual/Tort                Contractual/Tort
Spain            Contractual                     Tort
Sweden           Contractual                     Tort
UK               Contractual/Tort                Tort
United States    Contractual/Tort                Contractual/Tort

The EEC report notes that every country, except Finland and France, bases liability towards the audited company on the contract entered into between the auditor and the audited company. This situation is justified by the fact that the mission, though statutory in nature, arises from a contractual relationship between such parties.

The law concerning civil liability of statutory auditors in the various member states of the EU is summarized in the following section. (All information shown here is obtained from the EEC Report.)

Austria

Applicable Law and Regulations

Auditors are liable contractually and by tort. Contractual liability is based on the general rule as modified by Section 275 of the Handelsgesetzbuch (HGB). Tortious liability is governed by the general rules set forth in court cases.

Who is Liable

Not only the statutory auditor (either an individual or an audit firm) but also all his assistants as well as the statutory representatives of the auditing firm are directly liable to the injured party. All liable parties are jointly and severally liable.

To Whom May the Auditor Be Liable

The plaintiff in a suit brought under HGB Section 275 may be the audited company (i.e., the contracting party) or a company affiliated with the audited company as set forth in HGB Section 228.3. Liability towards third parties, which is possible under restrictive conditions, is based in tort, unless the court recognizes the existence of an implied contract between the third party and the auditor or of a contract with protective effects towards the third party.

Liability Cap

Under this specific statutory provision of HGB Section 275, liability cannot be waived nor limited. However, the liability of all possible defendants who did not act intentionally is limited to an amount of 364,000 Euros per audit.

Limitation Period

The statute of limitations is five years from the occurrence of the damage, instead of three according to the general rules for civil liability applicable in the case of tort liability.

Belgium

Applicable Laws and Regulations

In addition to the general rules of civil liability, the liability of statutory auditors falls within a specific legal framework. Article 64 of the Loi coordonnée sur les sociétés commerciales (LCSC) describes the duties of the auditor and the conditions of his liability.

Who is Liable

The statutory auditor, whether an audit firm or an individual, may be liable. The signing persons and the associates may also be jointly and severally liable.

To Whom May the Auditor Be Liable

Auditors may be liable towards the audited company and third parties. The liability towards the audited company is based either on the contract between the company and the statutory auditor, or in tort; the liability towards third parties is based in tort.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of auditor liability in the contract or in a separate agreement.

Limitation Period

The limitation period for both contractual and tortious actions is five years from the occurrence of the damage.

Denmark

Applicable Law and Regulations

The liability of auditors arises from the general rules of liability to which reference is made in Section 141 of the Danish Companies Act as developed by case law.

Who is Liable

Both the individual statutory auditor in charge of the audit and the audit firm are liable. Associates who participated in the audit will not be liable under Danish law.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company also extends to third parties from a breach of duty in tort.

Liability Cap

There is no statutory liability cap, but the auditor and the audited company may reduce the obligations of the statutory auditor by contract and set a liability cap. Such an agreement has no effect on third parties.

Limitation Period

The action can be brought within five years from the discovery of negligence. This period can be reduced by contract. Any such reduction is effective only between the statutory auditor and the audited company.

Finland

Applicable Law and Regulations

The auditor is liable under specific liability provisions based on Section 44 of the Act on Auditing, Tilintarkastuslaki (TTL). This act does not include any provisions on specific issues such as the calculation of damages, causation, or the level of breach of duty or contributory negligence of the plaintiff. In this regard, general principles of civil law are applied to damages caused in a contractual relationship.

Who is Liable

An action in tort under TTL 44 can be brought against the statutory auditor, whether an individual or an audit firm. In this case, the signing person is also liable. The associates may also be held liable.

To Whom May the Auditor Be Liable

The action in tort under TTL 44 is available to the audited company, its shareholders and members, and to any third party. As a consequence, the action in contract is of lesser interest because a wide variety of third parties can sue the auditor.

Liability Cap

There is no statutory liability cap, and contractual limitations to the statutory auditor’s liability do not exist in Finland, although they are possible in theory.

Limitation Period

The limitation period depends on the plaintiff. The limitation period is three years from the signature of the report if the plaintiff is the audited company and ten years from the occurrence of the damage if the plaintiff is a third party.

France

Applicable Law and Regulations

The statutory auditor’s liability is governed by a specific provision contained in Article 234 of the Company Law. This provision is considered to be no more than an application of the general civil liability rules of Article 1382 of the Civil Code, the concepts of fault, damages, and causation being the same.

Who is Liable

The statutory auditor, whether an audit firm or an individual qualified auditor, may be liable. If the appointed auditor is a firm, the signatory of the report is jointly and severally liable with the other partners of the firm. The associates cannot be liable under the specific provision of the company law.

To Whom May the Auditor Be Liable

The auditor is liable towards the audited company, its shareholders, and any third parties.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of the auditor’s liability in the contract or in a separate agreement.

Limitation Period

The action must be brought within three years from the damage-causing event.

Germany

Applicable Law and Regulations

Statutory auditors’ liability arises from the general rules for civil liability in tort as well as from specific statutory provisions for statutory auditors as contained in Article 323 of the law, which provides for contractual liability of auditors. Some of the statutory provisions applicable to auditor liability are also found in the professional rules contained in the Act on the Profession of Auditors (Wirtschaftsprüferordnung).

Who is Liable

Under Section 323, not only the statutory auditor but also all his assistants as well as the statutory representatives of an auditing company participating in the audit are directly liable to the injured party. All liable parties are jointly and severally liable.

To Whom May the Auditor Be Liable

The plaintiff in a suit brought under Article 323 of the law can be the audited company or a company affiliated to the audited company. An action may not be brought by the audited company in tort if the auditor fails to meet his contractual obligations under Article 323. The liability towards third parties, which is possible under restrictive conditions, is based in tort (unless the court recognizes the existence of an implied contract between the third party and the auditor).

Liability Cap

Under the specific statutory provision of Article 323, liability can neither be waived nor limited. An auditor’s contractual liability is limited to 4 million deutsche marks (1 million to 4 million deutsche marks depending on the circumstances).

Limitation Period

Action in contract should be brought within five years from when all elements of claim exist. The statute of limitation for an action in tort is three years from discovery of damages and the liable party.

Greece

Applicable Law and Regulation

Greek law distinguishes between common auditors and chartered auditors, who have specific professional responsibilities. Liability arises from general rules of law (civil code, penal code) and specific provisions, which include:

  • Codified law 2190, which sets forth civil liability of auditors towards the company.
  • Presidential decree 226/1992 concerning the establishment, organization and operation of the Corps of Chartered Auditors. Article 19 of the Decree also contains special provisions, which limit the civil liability of chartered auditors.

Who is Liable

The appointed statutory auditor and the statutory auditor’s associates are liable for the damages caused by the conduct of the audit. If the appointed auditor is a firm, the signatory of the report is jointly and severally liable along with the firm.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises from the existence of a contract and to any third parties from a breach of duty in tort.

Liability Cap

The parties cannot limit the legal liability of the auditor by contract. The liability cap is either the quintuple of the annual salary (salaries) or the total amount of fee received by the chartered auditor during the previous fiscal year, whichever is higher.

Limitation Period

For the audited company, the limitation period is two years and starts when all elements of claim exist. Third parties should sue the auditor within five years from the discovery of the damages and the liable party and, in any case, within twenty years from the commission of the act.

Ireland

Applicable Law and Regulations

Liability arises from the general common law rules for civil liability (breach of contract, breach of statutory duty or tort), but claims could be raised if the auditors fail to meet their statutory obligations contained in the Companies Act of 1963 and 1990. Section 163 of the Companies Act of 1963 and Sections 193 and 194 of the Companies Act 1990 state the scope of the auditor’s work and his main duties.

Who is Liable

If the statutory auditor is an individual, the action will be brought against that person. If the statutory auditor is a partnership, each partner is jointly and severally liable. The associates may also be liable, but there has not been any instance where this has occurred.

To Whom May the Auditor Be Liable

The audited company may bring an action in contract or in tort against the auditor, depending on the duty breached. Third parties may bring an action in tort under restrictive conditions.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of auditor liability in the contract or in a separate agreement.

Limitation Period

The limitation period is six years from the breach of contract and/or from the occurrence of damage for both contractual and tort actions.

Italy

Applicable Law and Regulations

Statutory auditor’s liability is governed by specific provisions, which set forth two different liability systems applicable, respectively, to the Board of Auditors or to the auditing firm. Article 2407 of the Civil Code provides for the liability of the Board of Auditors, based on the duty of diligence of an agent. The liability of auditing firms is governed by Article 164 of the Legislative Decree of February 24, 1998, which refers to Article 2407 of the Civil Code.

Who is Liable

The appointed auditor (firm or individual) is liable. If the statutory auditor is a firm, the signatory of the report is also liable. The auditor member of the Board of Auditors is liable for the damages caused by his associates, whereas the associates of an auditing firm are jointly and severally liable with the firm.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises due to being under contract, and to any third parties from a breach of duty in tort. A tort, in common law jurisdictions, is a civil wrong which unfairly causes someone else to suffer loss or harm. This results in legal liability for the party that commits the tortious act.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of auditor liability in the contract or in a separate agreement.

Limitation Period

The action against the Board of Auditors should be brought within five years from discovery of the damage. The limitation period of the actions against auditing firms is either 10 years (if the damage is suffered by the audited company) or five years (if the plaintiff is a third party).

Luxembourg

Applicable Law and Regulations

The general legal rules for liability set forth in Article 1142 (contractual liability) as well as in Articles 1382 and 1383 (tortious liability) govern the liability of statutory auditors.

Who is Liable

In case of a breach of the contract, the appointed auditor only is liable, whether the appointed auditor is a firm or an individual person. In tort, the appointed auditor is liable together with the signing person and the associates for the damages they caused in the course of the audit.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises due to being under contract and to any third parties from a breach of duty in tort.

Liability Cap

There is no legal liability cap. The audited company and the appointed auditor may set forth such a limitation by contract. However, this does not affect the tortious liability of the auditor towards third parties.

Limitation Period

The limitation period is five years from the signature of the report.

The Netherlands

Applicable Law and Regulations

There is no specific provision in the Dutch Civil Code that deals with the liability of statutory auditors. General rules of civil liability, as enforced by the courts, are thus applicable.

Who is Liable

In case of a breach of contract, the appointed auditor only is liable, whether the auditor is a firm or an individual person. In tort, the committer of the tort is liable together with the associates and the signing person, if any, for the damages they caused in the course of the audit.

To Whom May the Auditor Be Liable

The appointed auditor is liable towards the company for any breach of contract. Tortious liability towards third parties is not automatic. It requires specific circumstances showing breach of a duty of care that the auditor owes to a third party.

Liability Cap

There is no statutory liability cap, but the auditor and the audited company may include a clause in the contract reducing the liability. Such an agreement has no effect on third parties.

Limitation Period

The action should be brought within five years from the discovery of the damage and the liable party and, in any case, within 20 years from the event that caused the damage.

Portugal

Applicable Law and Regulations

The general rules of civil liability apply to statutory auditors. Tortious liability is governed by Article 483 of the civil code. There are, however, specific statutory provisions, the most important of which are:

  • Articles 78, 81, and 82 of the Codigo das Sociedades Comerciais (CSC), which establish the auditor liability towards the audited company, the shareholders, and the creditors;
  • Article 114 of Decreto-Lei 487/99, dated 16 November 1999, which extends the scope of these provisions to the auditing firms;
  • Article 10 of the Codigo de Mercado de Valores Mobiliarios, which aims to protect investors and third parties through an extended liability of stock listed company’s auditors; and
  • Article 13 of the Codigo de Processo Tributario, which governs the liability of the auditor if the company cannot pay off its taxes.

Even where these provisions apply, the general rules of liability of the Civil Code provide the rules applicable for civil liability because these specific provisions do not include a complete regime.

Who is Liable

The appointed auditor and, if the auditor is a firm, the signatory of the report are jointly and severally liable. There are three qualifications to this general rule:

  • The managers of the auditing company (usually the partners) may be liable towards the creditors of the audited company.
  • The partners of the audit firm appointed as auditor of a stock listed company may be jointly and severally liable.
  • The associates who participated in the audit may be liable, but this has not occurred in practice.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises in contract or in tort and to any third parties mainly from a breach of duty in tort, some of which are legally defined as stated earlier.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of the auditor’s liability in the contract or in a separate agreement.

Limitation Period

The action should be brought within a period of five years from the discovery of negligence.

Spain

Applicable Laws and Regulations

The civil liability of statutory auditors is provided for by Articles 11 and 12 of Law 19/1988 of 12 July 1988 on the Audit of Accounts (Ley de Auditoria de Cuentas) and Articles 42 and 45 of Royal Decree 1636/1990 of 20 December 1990 approving the regulation of the Audit of Accounts. There is also a specific reference to auditors’ liability in Article 211 of the law of public companies (Ley de Sociedades Anonimas) approved by Royal Legislative Decree 1564/1989 of 22 December 1989. However, these provisions do not contain a full and complete set of rules, and it is generally acknowledged that they should be construed as a reference to the general provisions regulating civil liability under Spanish law, namely (1) Articles 1101 et seq. of the Civil Code for contractual liability and (2) Articles 1902 et seq. of the Civil Code for tortious liability.

Who is Liable

The statutory auditor, whether an individual or a firm, may be liable. The audit firm and the partner in charge of the work are jointly and severally liable. Once the remedies are exhausted against them, the other partners of the firm are also jointly and severally liable. Auditors are liable for the damages caused by their associates.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises in contract. Their tortious liability towards third parties is subject to restrictive conditions.

Liability Cap

There is no statutory liability cap, but the auditor and the audited company may agree to a liability cap. Such an agreement has no effect on third parties.

Limitation Period

The audited company should bring the action within fifteen years from when all elements of claim exist. The statute of limitation for an action in tort is one year from discovery of damages.

Sweden

Applicable Law and Regulations

Civil liability for statutory auditors is specifically regulated in Chapter 15, Section 2 of the Swedish Companies Act. A statutory auditor may also be liable under the general damage rules of the Tort Liability Act. The damage suffered by the company or third parties in consequence of the acts or omissions of a statutory auditor will, however, usually be deemed pure financial damage (i.e., damage incurred without connection to bodily injury or property damage), which is in principle recoverable only if it is the result of a criminal offence.

Who is Liable

The appointed statutory auditor and, in case the auditor is an audit firm, the signatory of the report, are jointly and severally liable. The auditor is also liable for the damages caused by the associates.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises due to being under contract and to any third parties from a breach of duty in tort.

Liability Cap

There is no legal liability cap, and the parties cannot limit the amount of damages nor reduce the scope of the auditor’s liability in the contract or in a separate agreement.

Limitation Period

For the audited company, the limitation period is five years from the end of the fiscal year. The third parties should sue the auditor within ten years from the occurrence of the damage.

United Kingdom

Applicable Law and Regulations

In the absence of applicable statutory provisions, liability arises from general rules of common law for civil liability.

Who is Liable

The statutory auditor (an individual or an audit firm) and, if the firm is a partnership, any or all of the partners, may be liable for the damages they as well as their associates caused. If the statutory auditor is not an audit firm, the signatory of the report is also liable.

To Whom May the Auditor Be Liable

The statutory auditor’s liability to the audited company arises concurrently in contract and in tort. The auditor may be liable to third parties under restrictive conditions.

Liability Cap

There is no legal cap, and the parties cannot limit the amount of damages nor reduce the scope of the auditor’s liability in the contract or in a separate agreement.

Limitation Period

In principle, the action must be brought within six years after the occurrence of the damage-causing event (the breach of contract if the claim is based on contract, the date when damage is suffered if the action is based on tort).

Recent Developments in Auditor Regulation in the United States and Elsewhere

The Sarbanes-Oxley Act of 2002 in the United States: The accounting scandals begun by the Enron collapse and extending to such giant companies as WorldCom, Xerox, and Tyco caused a backlash in the United States, resulting in legislation being signed into law by the U.S. president in July 2002. The Sarbanes-Oxley Act (SOX) is the first accounting law passed by the United States since the Securities and Exchange Act of 1934. The SOX was named after sponsors Paul Sarbanes and U.S. Representative Michael G. Oxley.

The act has new requirements for audit firms and audit committees. Auditors must report to the audit committee, not management. The lead audit partner and audit review partner must be rotated every five years. It is believed that periodic rotation of partners helps bring a fresh approach to audits and minimize bias that may result from long-term contacts with client management. To help assure auditor independence, SOX prohibits registered public accounting firms from performing certain services for public company audit clients. The law prohibits the following:

  • Bookkeeping or other services related to the accounting records or financial statements of the audit client
  • Financial information systems design and implementation
  • Actuarial services
  • Internal audit outsourcing services
  • Management functions or human resources
  • Broker or dealer, investment adviser, or investment banking services
  • Legal services and expert services unrelated to the audit

SOX requires that the audit committee of a public company be responsible for assessing an audit firm’s independence prior to hiring that firm. In addition, it requires that any nonaudit services to be performed by its audit firm must be preapproved by the audit committee (and also be approved after the fact) unless such services, in the aggregate, amount to less than 5 percent of the total amount paid to its audit firm during the year. To emphasize, the after the fact approval relates to amounts less than five percent. Nonaudit services not banned by the Act must be preapproved by the audit committee. Rittenberg, Schwieger, and Johnstone (1998) note that the AICPA’s Code of Professional Conduct allows public accounting firms to perform services not specifically prohibited for nonpublic audit clients if the firm determines that independence will not be compromised.

In the United States, the SEC approved updated New York Stock Exchange (NYSE) listing standards in November 2003. According to the NYSE, listed companies MUST maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. In Europe, there is a duty assigned to the board and its audit committee by Article 41 of the EU 8th Directive. This directive puts internal auditing as part of the cornerstone of corporate governance because audit committees can look to the internal audit department for assurance of good organizational governance.

The directive states that the firm is advised to establish an understanding with the client that the client is responsible for:

  • designating management level individuals to be responsible for overseeing the services being provided;
  • evaluating the adequacy of the services performed and any resulting findings; and
  • making management decisions related to the service.

SOX required the SEC to create a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to regularly inspect registered accounting firms’ operations and investigate potential violations of securities laws, standards, consistency, and conduct. The Board oversees and investigates the audits and auditors of public companies and sanctions both firms and individuals for violations of laws, regulations, and rules. The PCAOB has a wide ambit including not only auditors based in the United States but any firm registered with the SEC, irrespective of whether such a firm is headquartered in the United States or not. In essence SOX created the new requirements listed above and then created the PCAOB to establish additional oversight and rules.

The SOX act requires auditors to report on internal control. Hayes et al. note that support for reporting lies in the belief that users of financial information have a legitimate interest in the condition of the controls over the accounting system and management’s response to the suggestions of the auditors for correction of weaknesses. This issue is not without dispute. Opponents argue that requiring companies to evaluate and report on controls significantly increases the costs of audits without significantly enhancing the quality of financial reporting. Section 404 of the SOX and PCAOB Audit Standard No. 5 require each annual report of a company to contain a report from the management, which has to state in clear words that management (a) takes responsibility for establishing and maintaining adequate internal controls and (b) makes an assessment of and comments on the effectiveness of the internal controls. The annual report also has to include a report by the auditors on management’s report on the internal control over financial reporting.

Non-United States Equivalents to SOX of the United States

Australia

In Australia, the Corporate Law Economic Reform Program Act 1999 established a new body, the Financial Reporting Council (FRC), with the responsibility for the broad oversight of the accounting and auditing standard setting process. The FRC is also required to review developments with respect to international accounting and auditing standards. The FRC is required to review these standards, and, if in their opinion the changes in the standards are relevant to Australia, make changes to Australian standards to ensure that these standards are up to date with those of the rest of the world.

Europe

In 2004, the Commission of the European Union proposed a major revision of the Eighth Company Directive, setting out a new structure for audit and corporate governance. Hayes et al. (2005) note that the proposal is the consequence of a reorientation of the EU policy on statutory audit that started in 1996 with a Green Paper on the role and responsibility of the statutory auditor in the EU. The proposal considerably broadens the scope of the existing Eighth Council Directive that basically deals with the approval of auditors. With reference to publicly listed companies, the proposal:

  • Clearly explains the role and duties of statutory auditors (the term statutory auditor is another term for auditor used in Europe).
  • Clearly explains the role required of auditors to maintain their independence and also provides ethical guidelines to auditors. Basic principles of professional ethics and auditor independence are defined. With respect to the role required by auditors to maintain their independence, the issues outlined follow closely the guidelines established by SOX discussed earlier.
  • Creates an audit regulatory committee to ensure public oversight over the audit profession (equivalent to the PCAOB established by SOX in the United States).
  • Identifies the steps to enhance audit quality within the EU.

    These steps include auditors being required to constantly enhance their knowledge with the latest developments in the auditing world.

  • Sets forth the requirement that all audit firms wanting to conduct audits involving EU countries be registered with the EU. Further, an audit firm in any country within the EU can audit a firm in any other country within the EU without any hindrance. However, clear rules are provided to prevent lowballing. This means preventing audit firms from other EU countries entering a member EU country and offering audit services and nonaudit services at much lower fees relative to the home country. All companies are required to state clearly in the notes to the financial statements the amount of audit fees and fees for nonaudit services provided to the auditor. Management is required to sign that all information provided is accurate.
  • Sets forth that auditors should use international auditing standards for audits in EU countries (not U.S. auditing standards).
  • Sets forth common rules for all EU countries for the appointment and termination of statutory auditors. Companies are also required to document all communication with their auditors.
  • Sets forth that, in the case of disciplinary actions having to be taken against an auditor, the local rules in an EU country where the violation has occurred are used to sanction or punish the auditors.

This chapter provided a summary of legal liability of auditors both in the United States and Europe. It is important for auditors to be aware of what criteria are used in different countries to establish liability, as this can vary between countries. We described the differences in rules and regulations and discussed liability and limitations to liability pertinent to auditors operating in a global arena.

Implications for Researchers, Managers, and Students

This chapter has described features of the legal system in various countries that affect the auditor with respect to their responsibility to the client. For example, this chapter discussed different criteria used in different countries to establish liability. Understanding the sources of auditor legal liability is important to a manager because it helps raise the manager’s awareness of the auditor’s responsibility. Accordingly, when the auditor does not seem to fulfill that responsibility, the manager can search for a remedy. Also, in learning about the different kinds of legal liability of an auditor, the manager understands why the auditor may insist on certain things that may appear unnecessary to the manager during the audit. The brief summary of applicable legal considerations in this chapter would be of help to the researcher in the pursuit of their own research agenda. This chapter provides the student of business what they need to know about the auditor’s legal liability and thus the auditor’s role and actions, which in turn, may be useful in the student’s own studies or research. This information can also be used as a starting point for further exploration.
