Auditing Pacini 2000

At the Interface of the Electronic Frontier and the
Law: The International Legal Environment for

Systems Reliability Assurance Services
Carl Pacini
William Hillison
Dominic Peltier-Rivest
Dave Sinason
Ratnam Alagiah
In response to concerns about unreliable information systems, the American Institute of

Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants
(CICA) have launched a new assurance service called SysTrust. The objective of a SysTrust
engagement is for the practitioner to issue an attestation/assurance report on system(s)
reliability.
The development and deployment of the CPA/CA SysTrust service, however, is done in a
high litigation risk environment, especially in the United States, Canada, Australia, New
Zealand, and the United Kingdom. Our purpose is to evaluate the legal environment in these
five nations so CAs and CPAs can comprehend the issues involving potential litigation prior
to initiating SysTrust engagements. Presently, no legal case in the U.S., Canada, Australia,
New Zealand, and the United Kingdom has yet been reported which addresses directly
accountant liability to third parties for negligent information system assurance services. An
analysis of related legal cases sheds light on the potential liability of SysTrust providers.
However, the current international legal environment is characterized by a high level of
uncertainty. Several risk management strategies, including risk exposure analysis, client
Carl Pacini ● Department of Accounting, Finance, & Business Law, Florida Gulf Coast University,
10501 FGCU Blvd. S., Ft. Myers, FL 33965-6565; Phone: 941-590-7344. William Hillison ●
Florida State University, Tallahassee, FL 32306 . Dominic Peltier-Rivest ● Department of Ac-
countancy, Faculty of Commerce and Administration, Concordia University, 1455 de Maisonneuve
Blvd. West, Montréal, Québec, Canada H3G 1M8. Dave Sinason ● Northern Illinois University,
DeKalb, IL 60115-2854 . Ratnam Alagiah ● Griffith University–Gold Coast Campus, PMB 50
Gold Coast Mail Centre, Queensland 9726, Australia.
Journal of International Accounting, Auditing & Taxation, 9(2):185–218 ISSN: 1061-9518
Copyright © 2000 by Elsevier Science Inc. All rights of reproduction in any form reserved.
186 INTERNATIONAL ACCOUNTING, AUDITING & TAXATION, 9(2) 2000
engagement evaluation, engagement letters, loss-limit clauses, and alternative dispute reso-
lution, are presented that SysTrust providers may implement to minimize litigation risk. ©
2000 Elsevier Science Inc. All rights reserved.
Key Words: SysTrust; Assurance Liability; Accountant Liability; Negligence; Information

Systems
INTRODUCTION
How do you define a “world class” systems failure? Ask Hershey Foods,
which missed candy deliveries worth $200 million and experienced a 19%
drop in 1999 third quarter earnings because of glitches in its new $112 million
computer system (Nelson & Ramstad, 1999). Ask Halifax, the United King-
dom’s largest mortgage bank, which had its new Internet service taken off line
for a week to repair flaws in a system upgrade that had allowed customers to
access other customers’ accounts (Woodyard & Hansen, 1999). And ask Royal
Doulton, which lost £12 million in sales and experienced a 45% decrease in
share price when its newly installed software failed to deliver promised results
(Hickley, 1999).
Each of these entities would be able to provide a vivid picture of a world-
class systems failure. However, corporations have not been the only victims of
these types of events. For example, the Legal Services Board of New Zealand,
which processes claims for legal aid, ceased legal-aid payments to lawyers for
weeks because of a computer system failure (Yvonne, 1999). As another example,
the crash of a computer-betting system for interstate horse racing in Australia
resulted in the loss of hundreds of thousands of dollars (Eddy, 1999).
Information technology has spread to many areas affecting entities, differ-
entiates one entity from another, and requires increasing amounts of capital. As
business and government dependence on information technology increases, tol-
erance for system failure decreases. Users demand systems that are secure,
available when needed, and able to produce accurate information on a consistent
basis. An unreliable or ineffective system can cause a chain of events that
negatively affect a company and its customers, suppliers, shareholders, and
business partners as well as a government agency and its constituents (Ayers,
Frownfelter-Lohrke, & Hunton, 1999).
In response to concerns about unreliable systems, the American Institute
of Certified Public Accountants (AICPA) and the Canadian Institute of Char-
tered Accountants (CICA) recently launched a new assurance service called
SysTrust. It is expected that professional organizations in other nations will
eventually adopt SysTrust given the importance of information systems in
business and the willingness of accountants in Canada, Australia, New Zea-
land and the United Kingdom to provide the service to clients (Primoff,
1998).1 The objective of a SysTrust engagement is for the practitioner to issue
At the Interface of the Electronic Frontier and the Law 187
an attestation/assurance report on whether management maintained appropri-

ate reliability controls over its system(s). Potential users of a SysTrust report
include the entity itself as well as its shareholders, creditors, customers,
suppliers, third-party users, including those who outsource to other entities,
and any other party who in some fashion relies on an information system.
The development and deployment by CPAs/CAs of any new assurance
service, such as SysTrust, is done in a high litigation risk environment.
Accountants often become defendants in lawsuits filed by aggrieved share-
holders, creditors, or other third parties because accountants (or their mal-
practice insurers or both) are perceived as “deep pockets”(Schwartz & Menon,
1985; Boynton & Kell, 1996). During the last 25 years, the accounting
profession has confronted an international litigation crisis, especially in the
Western world (Gonzalo, 1997; Willekens, Steele, & Miltz, 1996). However,
the crisis has been most severe in the United States, Canada, Australia, New
Zealand, and United Kingdom (Willekens, Steele, & Miltz, 1996; Pacini,
Sinason, & Peltier-Rivest, 1999; and Porter, 1993).2
It is more than coincidence that these five common law countries have a
serious accountant litigation problem given the relationship between legal systems
and accounting practices and rules (Meek & Saudagaran, 1990). Salter and
Doupnik (1992) document that the accounting practices of a country are related to
that nation’s legal system. Accountant judgment is exercised to a much greater
extent in common law countries. Greater use of professional judgment creates
more opportunities for that judgment to be challenged by accounting and assur-
ance service users.3
Given the high level of litigation risk faced by a SysTrust provider, it is
imperative that CPAs and CAs comprehend the issues involving potential litiga-
tion prior to initiating SysTrust engagements. Although it is difficult to predict
how the law will evolve in any country with regard to assurances linked to
information systems (including broader communication issues and the Internet),
this paper attempts to evaluate the existing international legal environment faced
by accountants in the United States, Canada, Australia, New Zealand, and the
United Kingdom who perform SysTrust services and to suggest risk management
strategies to minimize SysTrust litigation risk. We focus this study on these
common law nations because they have a serious accountant litigation problem.
Significantly, these five nations, along with the International Accounting Stan-
dards Committee, also comprise the G4⫹1, an informal but influential group in
setting international accounting standards.
The remainder of this paper consists of four sections including the conclu-
sion. First, the nature of the SysTrust assurance service is analyzed. Second, the
legal environments faced by SysTrust assurance providers in these five countries
are analyzed. Third, several steps to minimize litigation risk are outlined. Last, we
summarize the findings of this study.
NATURE OF SYSTRUST
Typical means of access to an entity’s information system(s) include Elec-

tronic Data Interchange (EDI), Extranets, and the Internet.
EDI allows information systems to exchange information in a structured
format. This exchange may involve the electronic transmittal of purchase orders,
invoices, payment information, status reports, and other data vital to the relation-
ship between connected businesses or other entities. For example, company A is
a supplier to company B. The two firms share information using EDI. Company
A is able to access company B’s information system, review the online inventory
status report, and ship materials to company B without receiving a formal
purchase order. Company B may access company A’s information system to
check on the status of pending orders. In this example, both companies are
vulnerable not only to their own control weaknesses but those of the other firm as
well.
Another means of access to an entity’s information system is via an Extranet
(an internal computer network unique to a particular entity that can be accessed
by customers, suppliers, and other business partners). An Extranet gives rise to the
same electronic efficiencies as EDI without each entity requiring connected
computers. For example, a closely held firm may permit access to online financial
information by allowing specific parties to connect to an internal computer
network. However, concerns over authorization, data integrity, and secured trans-
actions that exist in EDI are also present in an Extranet environment.
A third mode of access to an entity’s information system is the Internet. The
interconnection of millions of computers allows entities and individuals to com-
municate by e-mail, provide information to the public via websites and engage in
e-commerce. Such third-party users are concerned about protection against un-
authorized physical and logical access, system availability (particularly for busi-
ness websites), and system processing integrity. The SysTrust assurance service
provides an independent evaluation that covers these three concerns.
SysTrust is one example of a tool supporting the emergence of a business
reporting system in which the primary vehicle for transmission of business
information is a computer network. Former SEC Commissioner Steven Wallman
predicted a movement away from “substance attestation” toward “process attes-
tation” (Witmer, 1996). Process attestation means providing some type of assur-
ance about the integrity or reliability of the business reporting or information
system that a client uses rather than about the integrity of the information
produced by such a system.
The SysTrust practitioner evaluates management’s assertion that during a
specific period of time it complied with the AICPA/CICA “SysTrust Principles
and Criteria for Systems Reliability” (see Appendix A for an overview; AICPA,
1999b), for a given information system.4 The four essential principles of a reliable
system are:
1. Availability—The system is available for operation and use at times set

forth in service agreements;
2. Security—The system is protected against unauthorized physical and
logical access;
3. Integrity—System processing is complete, accurate, timely, and in accor-
dance with the entity’s transaction approval and output distribution pol-
icy; and
4. Maintainability—The system can be updated in a manner that provides
continuous availability, security, and integrity.
Criteria are set forth to allow a practitioner to judge whether an information

system satisfies the four principles. The criteria are organized into three catego-
ries:
1. Communications—The entity has defined and communicated perfor-

mance objectives, policies, and standards for system availability, security,
integrity, and maintainability;
2. Procedures—The entity uses procedures, people, software, data, and
infrastructure to achieve system availability, security, integrity and main-
tainability objectives in accordance with established policies and stan-
dards; and
3. Monitoring—The entity monitors the system and takes action to achieve
compliance with system availability, security, integrity, and maintainabil-
ity objectives, policies, and standards (Boritz, Mackler, & McPhie, 1999).
An information system must satisfy all of the SysTrust criteria to be deemed

reliable. A SysTrust practitioner examines system controls related to the criteria
to collect evidence that the criteria have been met (Boritz, Mackler, & McPhie,
1999). Appendix A contains SysTrust principles and illustrative criteria.
SysTrust reports cover a historical period, not a point in time. An unqualified
report can provide many parties with confidence about the reliability of systems
they use in e-commerce or for which they pay user fees despite that it covers a past
period (Boritz, Mackler, & McPhie, 1999). The selection of an appropriate period
covered by the report is at the discretion of the practitioner, but periods of less
than 3 months would not be meaningful (AICPA, 1999b). Factors to consider in
establishing a reporting period may include: (1) anticipated report users and their
needs; (2) the need to support a continuous audit model; (3) the degree and
frequency of change in system components; (4) the cyclical nature of system
processing; and (5) information about past system reliability (AICPA, 1999b).
OVERVIEW OF LEGAL SYSTEMS

Readers should note that a key difference exists between the legal environ-
ments of the United Kingdom, Canada, Australia, and New Zealand (i.e., Com-
monwealth nations) and the U.S. In the four Commonwealth nations, the issue of
which third parties are owed a duty of care by an accountant or assurance provider
is decided at the national level. In other words, the highest national court (e.g.,
Supreme Court of Canada) has the authority and power to make a decision
binding on all courts in the country. In the U.S., the duty of care issue is decided
individually by state courts (Brecht, 1989) or state legislatures (in the form of
accountant liability statutes) (Pacini, Hillison, & Sinason, 2000). Thus, the U.S.
has 50 different jurisdictions that apply different judicial reasoning which results
in numerous rules of law that exist across the states (Pacini & Sinason, 1998).
Finally, the four Commonwealth nations often rely on cases decided in other
Commonwealth courts (Fleming, 1998). For example, a decision by the House of
Lords (the highest court of law in the UK) is, at a minimum, influential in a
Canadian, Australian, or New Zealand court (Godsell, 1991). American decisions
are cited occasionally by Commonwealth courts. Also, Commonwealth decisions
are cited occasionally by American courts but usually do not have as much
precedential value as another American court.
RESEARCH AND METHODOLOGY
A starting point of the research was evaluation of prior literature related to

the issues discussed in this paper. We then researched appellate court decisions of
the United States, Canada, Australia, New Zealand, and the United Kingdom
using two different methods. First, the Lexis-Nexis database and the Internet were
searched using numerous search terms related to accountant liability, assurance
services, and information systems. Each case retrieved by the search was then
reviewed for its relevance to this study. Second, appropriate law digests and
reporters from each nation were searched for relevant court decisions. All the
research was coordinated by one of the coauthors (who is a lawyer).
Any court case cited in this study was also “shepardized” or researched to
determine whether any legal principle relevant to accountant liability to third
parties has been overruled or changed. This is a necessary step in legal analysis
to ensure that a cited case is still valid law on a given legal issue.
PRESENT LAW AND SYSTRUST
Currently, no legal case has yet been reported in the United States, Canada,
Australia, New Zealand, or the United Kingdom that addresses directly the
liability of accountants to third parties for negligent information system assurance
services. Each of these five nations has a case or cases that could affect accountant
liability to third parties for negligent performance of the SysTrust assurance
service. The focus here is on the legal environments of the United States and
Canada for three reasons:
1. The SysTrust assurance service was developed and launched by the CICA
and AICPA.
2. Almost two-thirds of Internet users are located in North America (Bour-
nellis, 1995).
3. The United States and Canada are the world’s largest trading partners
(Ivankovich, 1994).
United States
Presently, no reported legal case has yet addressed directly accountants’

liability to third parties for negligent performance of a SysTrust engagement. This
raises the question of what existing body of law, if any, courts would apply to an
action for negligence against a SysTrust provider. The most logical conclusion is
the existing body of state common and statutory law applied generally to accoun-
tant liability to third parties for negligent performance of accounting and auditing
services.
The scope of an accountant’s duty to third parties for negligent accounting or
assurance services is a question of state rather than federal law. Among the states,
four legal standards have evolved to judge which nonclients are owed a duty by
accountants: (1) privity; (2) near privity; (3) the user’s or Restatement approach;
and the reasonable foreseeability rule. Application of a different standard to the
same set of facts can lead to different outcomes, that is, whether the nonclient has
a right to sue.5 These four standards are not actually discrete points but lie on a
continuum as represented in Figure 1. The following section discusses each of
these standards.
Privity Rule
The strict privity rule is the most restrictive standard. Privity requires a direct
connection or contractual relationship to exist between an accountant and a third
party for the latter to be able to sue the SysTrust practitioner. Strict privity was
first established as a legal standard in 1919 in Landell v. Lybrand.6 Today, strict
privity is the law in only Pennsylvania and Virginia.
Certainly, a nonclient would have no legal right to sue a SysTrust provider
under a strict privity rule due to a lack of a direct connection or contractual
relationship. In a strict privity state, only the client has a legal right to sue a
SysTrust provider under a negligence theory.
Near-privity Standard
The near-privity standard was first applied to define the scope of an accoun-
tant’s duty to nonclients for negligence in Ultramares Corp v. Touche.7 In that
192
INTERNATIONAL ACCOUNTING, AUDITING & TAXATION, 9(2)
FIGURE 1. Liability continuum for those states and Commonwealth countries which have direct rulings or applicable statues on accountant
2000
liability to third parties for negligent misrepresentation.

case, the New York Court of Appeals denied plaintiff Ultramares’ negligence
claim but fashioned an exception to strict privity that has become known as the
primary benefit rule. To prevail, the suing party must be an intended third-party
beneficiary of the contract between the accountant and the client. The court
decided that although the auditor (Touche Niven & Co.) knew that the audited
balance sheet would be shown to various unidentified creditors and stockholders,
Touche had not been hired by its client (Fred Stern and Co.) with the knowledge
that Ultramares (the plaintiff) was an intended third-party beneficiary of Touche’s
work. Even though the plaintiff failed to prevail as a third-party beneficiary, the
theory was established. Overly rigorous interpretations of Ultramares during the
years have resulted in the case incorrectly symbolizing a privity requirement for
a nonclient to recover (Gormley, 1984; Daley & Gibson, 1994).
In 1985, the New York Court of Appeals clarified the Ultramares rule in
Credit Alliance v. Arthur Andersen & Co.8 The court set forth a legal test
containing three elements that must be satisfied for a third party to be within the
scope of an accountant’s duty for negligent accounting or assurance services: (1)
the accountant must have known that his or her work product was to be used for
a particular purpose; (2) a known party or parties were intended to be able to rely
on the accountant’s work product; and (3) there must have been some conduct
linking the accountant to the relying party. As presented in Figure 1 and Table 1,
a near-privity approach is followed by 12 states; eight by statute9 and four by
court decision.10
In general, a near-privity standard, statutory or otherwise, requires the
accountant to know that a specific person or persons intend to rely on the work
product with regard to a specific transaction. In a SysTrust engagement, both of
these conditions could be met in the cases of EDI partners and Extranet users. It
is a question of fact whether the SysTrust practitioner will know the identity of a
specific third party, such as a customer, supplier, or creditor at the time the service
is rendered. Also, it is situation specific whether a SysTrust provider would be
aware of the particular purpose (or transaction) for which the SysTrust report
would be used. Thus, unless the SysTrust provider was aware of the specific
third-party’s identity and that party’s reliance on a SysTrust report for a specific
transaction, liability exposure would likely be confined to a small group of
nonclients.
The Restatement Standard
In 1968, a federal district court in Rhode Island first expanded accountant

liability for negligent accounting services to specifically foreseen or known users
in Rusch Factors v. Levin,11 applying §552 of the American Law Institute’s
Restatement (Second) of Torts.12 Under this standard, an accountant who audits
or prepares financial information for a client owes a duty not only to that client,
but to any other person or one of a group of persons whom the accountant or client
TABLE 1
Legal Standards for Accountant Liability to Third Parties for Negligence
Nation/State Statute or Case Name Legal Standard
Australia Esanda Finance Corp. Both foreseeability of harm and proximity are necessary
Ltd. v. Peat Marwick for a duty to a third party to arise. A duty of care is
Hungerfords (1997) difficult to establish unless the accountant intends to
71 A. L. J. R. 448. induce reliance on the work product by a nonclient.
Other factors, in addition to the intent to induce
reliance, may establish proximity. The High Court
outlined numerous policy factors to consider.
Canada Hercules The Supreme Court of Canada adopted the two-prong
Managements Ltd. v. Anns/Kamloops test for all types of negligent
Ernst & Young [1997] misstatement cases involving economic loss. The first
2 S. C. R. 165. prong requires: 1) that the accountant should reasonably
foresee that a third party will rely on the accountant’s
work product; and 2) that the nonclient’s reliance is
reasonable. The second part considers policy factors
that limit or negate any duty established.
New Boyd Knight v. Accountants owe no duty to present or future creditors
Zealand Purdue [1999] 2 who may be contemplating investing in a firm’s debt or
N.Z.L.R. 276. equity securities. Accountants owe a duty only to a
third person to whom they themselves show the
accounts, or to whom they know their client is going to
show the accounts. Any duty aplies only to those
transactions for which the auditors know their accounts
were required. A suing party must prove actual, specific
reliance on the auditor’s work product.
United Caparo Industries The House of Lords held that an auditor of a public
Kingdom PLC v. Dickman company, in the absence of special circumstances, owes
[1990] AC 605. no duty of care to an outside investor or an existing
shareholder who buys stock in reliance on a statutory
audit. The court fashioned a three-prong test for a duty
of care to arise: 1) foreseeability; 2) proximity; and 3) it
must be just and reasonable on a policy basis to impose
a duty. Accountant liability for negligent misstatements
is confined to cases in which it can be established that
the accountant knew his or her work would be
communicated to a nonclient, either as a member of a
limited class or individually, and the third party relied
on the work product in connection with a particular
transaction.
Arkansas Ark. Code Ann. §16- Statutory near privity rule that shields the accountant
114-302 (Michie from liability except to those third parties identified in
1998). writing by the accountant.
California Bily v. Arthur Young Restatement §552. The accountant must know, with
& Co., 834 P. 2d 745 substantial certainty, that the third party or the class to
(Cal. 1992) which the nonclient belongs will rely on the
accountant’s work product.
TABLE 1
(Continued)
Colorado Marquest Medical Restatement §552.
Products v. Daniel,
McKee, & Co., 791 P.
2d 14 (Colo. App.
1990).
Connecticut Near privity standard No appellate court decision has been reported. State
and Restatement §552. trial courts have split on the appropriate legal standard.
Delaware N/A No direct state court ruling or accountant liability
statute.
Florida First Florida Bank v. Restatement §552.
Max Mitchell & Co.,
558 So. 2d 9 (Fla.
1990).
Georgia Badische Corp. v. Restatement §552.
Caylor, 356 S. E. 2d
198 (Ga. 1987)
Hawaii Kohala Agriculture v. Restatement §552.
Deloitte & Touche,
949 P. 2d 141 (Haw.
Ct. App. 1997).
Idaho Idaho Bank & Trust Near privity standard (Credit Alliance rule).
Co. v. First Bancorp,
772 P. 2d 720 (Idaho
1989).
Illinois 225 ILL. COMP. Statutory near privity rule. Identical to the Arkansas
STAT. 450/30.1 statute but a court has held that a nonclient may state a
(1998). valid claim under the statute without a writing. If no
writing from the accountant exists, the nonclient must
prove the client’s intent and the accountant’s knowledge
of that intent.
Indiana N/A No direct state court ruling or accountant liability
statute.
Iowa Ryan v. Kanne, 170 Restatement §552.
N. W. 2d 395 (Iowa
1969); Eldred v.
McGladrey,
Hendrickson &
Pullen, 468 N. W. 2d
218 (Iowa 1991).
Kansas KAN. STAT. ANN. Statutory near privity rule.
§1-402 (1998).
Kentucky N/A No direct state court ruling or accountant liability
statute.
Louisiana La. Rev. Stat. Ann. Statutory near privity standard.
§37.91 (West 1999).
TABLE 1
(Continued)
Maine N/A No direct state court ruling or accountant liability
statute.
Maryland N/A No direct state or court ruling or accountant liability
statute.
Massachusetts Nycal Corp. v. KPMG Restatement §552.
Peat Marwick, 688
N. E. 2d 1368
(Mass. 1998)
Michigan MICH. COMP. Statutory near privity law.
LAWS §600.2962
(1998).
Minnesota Bonhiver v. Graff, 248 Expansive version of Restatement §552.
N. W. 2d 291
(Minn. 1976).
Mississippi Touche Ross v. Reasonable foreseeability rule.
Commercial Union
Insurance Co., 514
So. 2d 315 (Miss.
1987).
Missouri MidAmerican Bank & Restatement §552.
Trust Co. v.
Harrison, 851 S. W.
2d 563 (Mo. App.
1993)
Montana Thayer v. Hicks, 793 Near privity rule.
P. 2d 784 (Mont.
1990).
Nebraska Citizens National Near privity rule.
Bank of Wisner v.
Kennedy & Coe,
441 N. W. 2d 180
(Neb. 1989).
Nevada N/A No direct state court ruling or accountant liability
statute.
New Spherex, Inc. v. Restatement §552.
Hampshire Alexander Grant &
Co., 451 A. 2d
1308 (N. H. 1982);
Demetracopoulos v.
Wilson, 640 A. 2d
279 (N. H. 1994).
New Jersey N. J. STAT. ANN. Statutory near privity rule that is quite similar to the
§2A:53A–25 (West Credit Alliance standard.
1998).
New N/A No direct state court ruling or accountant liability
Mexico statute.
TABLE 1
(Continued)
New York Credit Alliance v. Near privity rule.
Arthur Andersen &
Co., 483 N. E. 2d 110
(N. Y. 1985).
North Raritan River Steel v. Restatement §552.
Carolina Cherry et al., 367 S.
E. 2d 609 (N. C.
1988)
North N/A No direct state court ruling or accountant liability
Dakota statute.
Ohio Haddon View Restatement §552.
Investment Co. v.
Coopers & Lybrand,
436 N. E. 2d 212
(Ohio 1982).
Oklahoma N/A No direct state court ruling or accountant liability
statute.
Oregon N/A No direct state court ruling or accountant liability
statute.
Pennsylvania Landell v. Lybrand, Privity rule.
107 A. 783 (Pa.
1919); Raymond
Rosen & Co. v.
Seidman & Seidman,
579 A. 2d 424 (Pa.
Super. Ct. 1990).
Rhode N/A No direct state court ruling or accountant liability
Island statute.
South M-L Lee Acquisition Restatement §552.
Carolina Fund v. Deloitte &
Touche, 463 S. E. 2d
618 (S.C. Ct. App.
1995), aff’d 489 S. E.
2d 470 (S. C. 1997).
South N/A No direct state court ruling or accountant liability
Dakota statute.
Tennessee Bethlehem Steel Corp. Restatement §552.
v. Ernst & Whinney,
822 S. W. 2d 592
(Tenn. 1991).
Texas Blue Bell, Inc. v. Peat, Expansive version of Restatement §552.
Marwick, Mitchell &
Co., 715 S. W. 2d 408
(Tex. App. 1986).
Utah UTAH CODE ANN. Statutory near privity rule.
§58-26-12 (1998).
TABLE 1
(Continued)
Vermont N/A No direct state court ruling or accountant liability
statute.
Virginia Ward v. Ernst & Privity rule.
Young, 435 S. E. 2d
628 (Va. 1993)
Washington Haberman v. Public Restatement §552.
Power Supply System,
744 P. 2d 1032
(Wash. 1987).
West First National Bank of Restatement §552.
Virginia Bluefield v. Crawford,
386 S. E. 2d 310 (W.
Va. 1989).
Wisconsin Citizens State Bank v. Reasonable foreseeability rule.
Timm, Schmidt &
Co., 335 N. W. 2d
361 (Wisc. 1983).
Wyoming WYO. STAT. ANN. Statutory near privity standard.
§33-3-201 (1998).
intends the information to benefit if (1) that person justifiably relies on the
information in a transaction that the accountant or client intends the information
to influence; and (2) such reliance results in a pecuniary loss for the person (Daley
& Gibson, 1994). No liability exists, however, to parties whom the accountant had
no reason to believe the information would be made available, or when the client’s
transaction, as represented to the accountant, changes so as to materially increase
audit risk.
The major difference between the primary benefit or Ultramares rule and the
Restatement standard is that the latter does not require the identity of specific
parties be known to the accountant, only that they be members of a limited group
known to the accountant (Gossman, 1988). The Restatement standard enlarges the
class of persons to whom the accountant owes a duty to intended identifiable
beneficiaries and to any unidentified members of the intended class of beneficia-
ries.
SysTrust practitioners should note that Minnesota and Texas have adopted
expansive versions of the Restatement standard. This means that appellate courts
in those states have applied the legal standard in such a broad fashion that the class
of third parties to whom an accountant owes a duty is almost as wide as the
reasonably foreseeable users’ rule (discussion follows) (Pacini & Sinason, 1998).
In general, the Restatement standard indicates that an accountant owes a duty
to any person or one of a limited group of persons who justifiably relies on
information in a transaction that the accountant or client intends the information
to influence. Although a SysTrust provider need not know the exact identity of a
SysTrust third-party user, a duty is owed only to those persons, or the limited class
of persons, whom the SysTrust provider is actually aware of will rely on the
SysTrust report. This could include all EDI partners that the client had identified
and, possibly, many Extranet users disclosed to the provider by the client. Thus,
the SysTrust provider could be liable to intended identifiable beneficiaries, but not
an unknown, large group of unidentified users of the SysTrust report.13 Moreover,
the SysTrust provider must actually be aware of the transaction or purpose for
which the SysTrust report will be used. The suing party must also justifiably rely
on the SysTrust report to be owed a duty by the provider. In Texas and Minnesota,
however, a SysTrust provider could owe a duty to a larger class of third parties
than in other Restatement jurisdictions.
In sum, more third parties have the legal right to sue the SysTrust provider
under the Restatement standard than the near-privity standard. However, potential
liability is circumscribed because the Restatement rule provides the SysTrust
practitioner with sufficient knowledge of which third parties will rely on the
SysTrust report to allow the practitioner to obtain liability insurance, set higher
fees, or adopt other protective measures.
Reasonable Foreseeability Rule
An expanded scope of accountant duty to nonclients was recognized in 1983

with the decision in Rosenblum v. Adler.14 The New Jersey Supreme Court
concluded that accountants have a duty to all those whom they should reasonably
foresee as receiving and relying on the accountant’s work product. However, the
duty extends only to those users whose decision is influenced by audited state-
ments obtained from the audited entity for a proper business purpose. Under
Rosenblum, the auditor owes a duty of care to all who obtain a firm’s financial
statements directly from the audited entity, but owes no such duty of care to those
who obtain them from an annual report in a library, government file, or other
source (Causey, 1987). The foreseeability criterion results in the broadest scope of
third-party liability for the accountant. As noted in Figure 1, only Mississippi and
Wisconsin apply the foreseeability rule, and no state has adopted it since 1987.
An argument can be made that an assurance provider could be liable to an
aggrieved SysTrust report user in most situations under a reasonable foreseeabil-
ity rule. This may include Internet users as well as EDI partners and Extranet
users. Under this standard, the SysTrust provider may be deemed to owe a duty
to all those whom the assurance provider should reasonably foresee as receiving
and relying on the SysTrust report. Presumably, the duty would extend only to
those report users whose decision to rely on the client’s information system is
influenced by a SysTrust assurance report.
Canada
The most significant case that could govern the negligence liability of
SysTrust providers to third parties is Hercules Managements Ltd. v. Ernst &
Young decided in 1997.15 Before this landmark decision, the law relating to
accountant liability for negligence had remained static since the Haig v. Bam-
ford16 decision in 1977 (Deturbide, 1998). Plaintiffs in Hercules were sharehold-
ers in Northguard Acceptance Ltd. (NGA) and Northguard Holdings Ltd. (NHL),
companies engaged in commercial and real estate lending. Ernst & Young (E&Y)
was originally hired by the Northguard firms to render annual financial statement
audits. In 1984, both Northguard companies went into receivership. In 1988, a
number of shareholders in the Northguard firms brought suit against E&Y
contending that the 1980 –1982 audit reports, on which they relied, were prepared
negligently.
The Supreme Court of Canada, in a unanimous decision, dismissed the
negligence claim. The court reached its finding by application of the two-pronged
Anns/Kamloops test.17 The first part of the test examines proximity, in which it is
decided whether the wrongdoer’s carelessness might reasonably cause damage to
the person harmed. If this question is answered affirmatively, part two of the test
analyzes policy considerations that could curtail or eliminate any duty of care
owed by the accountant to the plaintiff (Deturbide, 1998).
Significantly, the court endorsed the use of the Anns/Kamloops test for all
types of negligent misrepresentation actions regardless of the type of economic
loss or the nature of the defendant.18 The court rejected the proposition that
accountants should be subjected to a broader range of liability than other profes-
sionals (Rafferty, 1998). The unanimous opinion emphasized the need for some
control device, using the second prong of the Anns/Kamloops test, to combat the
danger of indeterminate liability for accountants and others (Rafferty, 1998).
With regard to the first prong of the test, CAs and CPAs should note that the
term “proximity” means that the assurance provider has an obligation to be
mindful of the SysTrust report user’s “legitimate interests.” Proximity can be said
to exist when the SysTrust provider:
1. Should reasonably foresee that a third party will rely on the SysTrust
report: and
2. Reliance by the third party is reasonable
The court noted, however, that even if the accountant knows that the third party
is relying on information supplied by the accountant, no duty of care will arise
unless it is reasonable for the nonclient to rely on the accountant under the
circumstances. In most instances involving SysTrust engagements, the CA would
probably be deemed to owe a duty to nonclients under the proximity test because
they are foreseeable.19
The crucial considerations, with regard to SysTrust provider liability, are

policy factors that could serve to curtail or eliminate any duty established.
Interestingly, the court indicated that a fundamental policy consideration is that
the alleged wrongdoer should not be exposed to “liability in an indeterminate
amount for an indeterminate time to an indeterminate class.”20 The court’s
concern with indeterminate liability reflects the opinion of the CICA (Deturbide,
1998).
The judges engaged in a lengthy discussion of the undesirable consequences
of imposing limitless liability on accountants. The Hercules Managements case
states that some of the consequences include an increase in liability insurance
premiums, a decrease in the supply of accounting and assurance services, an
increase in the cost of accounting services, and a negative effect on the timeliness
of accountant work product (as accountants would expend more time in the
performance of services to reduce the risk of litigation). Another consequence
would be a serious logjam of court cases. The court also noted that boundless
liability promotes “free ridership” on the part of relying third parties who lose
their incentive to exercise vigilance. In short, the court indicated that concerns
over indeterminate liability will serve to negate any duty owed to nonclients in
most cases (Deturbide, 1998). The Hercules Managements case resulted in
Canada adopting a restricted version of the limited class of users test (Pacini,
Martin, & Hamilton, 2000).21
Although Hercules does not directly address the negligence liability of a CA
to third parties for providing assurance services involving information systems,
the ruling can be applied to a SysTrust engagement. The court’s emphasis on the
public policy reasoning against the specter of limitless liability seems to indicate
that SysTrust providers will be insulated from liability to third-party users of
SysTrust reports in Internet situations. However, EDI and Extranet users might
fall into the category of a limited class of user who relies on a SysTrust report for
a known, specific purpose or transaction. This possibility points out the impor-
tance of SysTrust providers taking the necessary steps to minimize SysTrust
litigation risk.
Australia
Australia also has no reported case that addresses directly the liability of a
CA to third parties for performing negligent information system assurance ser-
vices. However, in 1997, the High Court of Australia issued a ruling in Esanda
Finance Corp. Ltd. v. Peat Marwick Hungerfords22 that could have a bearing on
the negligence liability of SysTrust assurance providers to third parties. Esanda
Finance provided financing to Excel Finance Corp. and a number of its subsid-
iaries. Excel guaranteed all debt financing provided by Esanda. When Excel went
into bankruptcy, Esanda filed suit against Peat Marwick claiming losses as a result
of a negligent audit.
In dismissing Esanda’s negligence claim, the High Court unanimously held

that mere reasonable foreseeability that third parties might rely on an accountant’s
work product was insufficient to give rise to a duty of care (Swanton & Mc-
Donald, 1997). Australian law requires both foreseeability of harm and a “rela-
tionship of proximity” for a duty of care to arise in cases of pure economic loss
(such as a SysTrust engagement). Such a relationship may exist in EDI or Extranet
business transactions with trading partners.
In Australia, the relationship of proximity can be established in a number of
ways. However, mere knowledge by a CA that his or her work product will be
communicated to a third party is insufficient to create a duty of care. The High
Court also refused to endorse the principle that liability of accountants should
extend to members of a class whom the accountant knows or ought to know will
rely on the work product. A duty of care to a nonclient, absent a CA’s response
to a request for information from a specific third party, is difficult to establish. The
CA must intend to induce reliance on his or her work product by a third party or
a limited class to which the third party belongs (as might be the case in EDI or
Extranet transactions) for a duty to arise.23 If the accountant knows the purpose
for which information is supplied to a nonclient and the information is, in fact,
used for that purpose (e.g., a specific transaction) then the third party’s reliance is
considered reasonable (i.e., intent to induce reliance is inferred). However, a lack
of intent to induce reliance is not necessarily fatal to establishing a duty of care
because other factors may exist that establish proximity.24
As well as analyzing proximity, the High Court outlined numerous policy
factors that should be weighed in deciding whether an accountant assurance
provider owes a duty of care to a nonclient. These factors include:
1. Liability insurance—the effect on the accountant’s ability to obtain lia-

bility insurance.
2. Supply of services—the likely reduction in the supply of accounting
services.
3. Standard of care—a reduction in the level of accountants’ due profes-
sional care because of cost-cutting measures implemented to keep fees
competitive.
4. Legal system—the potential adverse effects on the administration of
justice in the form of lengthy hearings clogging the court system if a duty
to a large number of third-party users is recognized.
5. Investors and creditors—the realization that many plaintiffs are sophisti-
cated and have other means of avoiding risks.
6. Cause of loss—the understanding that the accountant’s role in the third
party’s loss is secondary to that of the client’s.
7. Role of assurance report—a recognition that the third party is likely to be
influenced by a myriad of factors other than the assurance report.
8. Unlimited guarantee–the understanding that the imposition of a duty of

care would amount to the creation of an unlimited guarantee in favor of
nonclients for which assurance providers receive no payment.
In summary, the Esanda ruling gives some cause to expect that the trend in
Australian law will be toward contraction rather than expansion of the scope of
the negligence liability of assurance providers (Swanton & McDonald, 1997).
However, as in Canada, EDI and Extranet users might be considered a limited
class of user who relies on a SysTrust report for a known specific purpose or
transaction. Thus, assurance providers need to be aware of potential litigation risk
and adopt strategies to minimize that risk.
New Zealand
Again, we consider the law of accountant liability to nonclients for negli-

gence due to a lack of any specific court decision(s) dealing with third-party
liability for negligent information systems reliability assurance. The leading New
Zealand case is now Boyd Knight v. Purdue.25 In that case, a group of investors
purchased secured bonds from Burbery Mortgage Finance & Savings, Ltd.,
between July 1 and August 10, 1988. The purchases were made in response to an
offer made in a prospectus that contained a report signed by Boyd Knight, a firm
of chartered accountants. Burbery ultimately failed and the bond purchasers, as a
class, sued the auditors for negligently failing to detect fraud committed by the
CEO. Shareholders’ equity was overstated by $1.5 million (NZ) on the balance
sheet included with the prospectus. At the trial level, the plaintiffs were awarded
$375,000.
In addressing the issue of the accountant’s duty of care, the Court of Appeal
stated that accountants do not assume a responsibility to anyone other than their
corporate client, and through it, its shareholders. Accountants owe no duty to
present or future creditors or to those who may be contemplating investing, or
further investing, in the company’s debt or equity securities. Accountants owe a
duty only to a third person whom they, themselves, show their work product, or
to whom they know their client is going to show the work product, so as to induce
the third person to invest money or take some other action. Moreover, any duty
applies only to those transactions for which the accountants knew their work
product was required.
The Court of Appeal emphasized that actual reliance on an accountant’s
work product must be proven by the suing party for the accountant to owe a duty
of care to an aggrieved third party under a negligence theory. An accountant has
no obligation to a nonclient who has not read and relied on the accountant’s work
product. For a duty of care to arise, actual reliance refers to a “specific influence”
of the work product on the mind of the user not just a general reliance occasioned
by an assumption that an investment, purchase, or expenditure is sound because

a prospectus or other document contains information attested to by an accountant.
It is likely that the Boyd Knight case will make it more difficult for the
third-party user of a SysTrust report to have a legal right to sue an assurance
service provider. The SysTrust provider must be aware of the particular third party
or limited group of nonclients and actual reliance must be demonstrated by those
third parties for a duty of care to arise.
United Kingdom
No decided case exists in the United Kingdom on the liability of an assurance

provider to third parties for the negligent performance of system reliability
assurance services. However, one case that could govern the negligence decisions
of systems reliability assurance providers is Caparo Industries PLC v. Dickman.26
Caparo Industries owned shares in Fidelity PLC for which Caparo was consid-
ering a takeover bid. Caparo received a copy of the 1984 financial statements
audited by Touche Ross. In reliance on a reported profit of £1.3 million, Caparo
made a successful takeover bid for Fidelity. Subsequently, Caparo discovered that
Fidelity had actually lost £460,000. Caparo alleged that the audited financial
statements had been negligently prepared.
In a unanimous decision, the House of Lords, the highest court of law in the
United Kingdom, dismissed the negligence claim. The court ruled that an auditor
of a public company, in the absence of special circumstances (e.g., an audit report
commissioned on behalf of a party for a particular purpose), owes no duty of care
to an outside investor or an existing shareholder who buys stock in reliance on a
statutory audit (Nicholson, 1991). The court fashioned a three-prong test for an
auditor’s duty of care to arise (Murphy, 1996). First, foreseeability of the third
party must exist. Second, proximity must be present between the suing party and
the accountant. Third, it must be just and reasonable on a policy basis to impose
a duty of care on the auditor (Ivankovich, 1991).
The House of Lords’ legal analysis focused on “proximity,” the second prong
of the test. The following conditions must exist for proximity to arise: (1) the
accountant knew that his or her work product would be communicated to a known
third party or a known third-party class; (2) the third party suffered damage as a
result of relying on the accountant’s work product; and (3) the work product was
used for the purpose for which it was prepared (Marshall, 1990).27 The accoun-
tant’s knowledge includes not only actual knowledge, but such knowledge as
would be attributed to a reasonable person situated as the accountant (Morris,
1991). The knowledge requirement, however, must be met at the time the
accountant’s work is performed, not at some later date after an audit opinion,
SysTrust report, and so forth, is disseminated (Ivankovich, 1991). These three
requirements may be met in EDI and Extranet situations. Liability will attach
when the assurance provider knows the SysTrust report will be communicated to
a third party or known, limited, third-party class who suffered actual damage from
relying on such reports.
If applied to a SysTrust provider, the Caparo approach would limit any
potential negligence liability to third parties. An unknown user of a SysTrust
report would be outside the scope of an assurance provider’s duty of care because
the purpose of SysTrust is to increase the comfort of management and third-party
users with an entity’s information system(s). A SysTrust provider would have to
be aware of the actual reliance on a SysTrust report by a member of a known,
fixed, and definite class of third-party users for a specific purpose for a duty of
care to arise. It is possible that the Caparo standard can be satisfied in certain EDI,
Extranet, or Internet situations. Thus, assurance providers need to adopt litigation
risk minimization strategies at the onset of systems reliability assurance engage-
ments.
OTHER INTERNATIONAL CONSIDERATIONS
SysTrust presents a challenge to private international law because the use of

computer communication networks, such as value-added networks (VANs) (for
EDI) and the Internet, are transcendent of spatial boundaries (Gosnell, 1998).
Computer communication networks flow indiscriminately across international
boundaries as easily as they flow across the street. Thus, the legal uncertainty
faced by SysTrust providers is increased by potential liability from breaking other
nations’ laws. For example, foreign nations usually can assert jurisdiction over
nonresidents when the exercise of that jurisdiction is “reasonable” (Wilske &
Schiller, 1997). Circumstances that have been found in the past to be reasonable
include:
1. Regularly conducting business in a foreign country.

2. Engaging in an activity outside the foreign country that had a substantial,
direct, and foreseeable effect within the particular country.
3. An activity that is the subject of court action being owned, possessed, or
used in the foreign country (American Law Institute, 1987).
Conceivably, a court in another country could deem it reasonable to exercise

jurisdiction over an accounting firm that provided a SysTrust assurance report
regarding an information system relied on by a company within that nation’s
borders in an international transaction.
Once a SysTrust provider becomes subject to the power of a foreign court,
the question becomes what nation’s law would be applied to the transaction in
dispute. Wilske and Schiller (1997) indicate that a foreign court could apply the
law of the country of the SysTrust provider or its own nation’s law. The choices
of applicable law in international disputes involving accountants’ liability are
blurred and lack uniformity (Ebke, 1984). Foreign courts have significant leeway
in deciding which body of law to apply to an American or Canadian accounting
firm. Being subjected to the application of another country’s laws in that nation’s
courts, however, may not pose as much risk to a U.S., Canadian, Australian, New
Zealand, or U.K. accounting firm as it would to a firm subjected to American law
in an American court (Miller & Young, 1997).
Various procedural aspects of foreign law may make a foreign court more
hospitable to a SysTrust provider than an American court. First, as a general rule,
except in Canada, class action lawsuits may not be filed under the laws of most
other nations (Ebke, 1984). This is a significant procedural deterrent to the filing
of a claim against a SysTrust provider by a group of aggrieved third parties
composed of suppliers, customers, trading partners, and/or other third parties.
Contingent fees (i.e., fees dependent on a particular outcome) are not permitted in
most countries outside of the U.S. and Canada (Silva, 1993). The absence of
contingent fees means that one who files a legal claim against a SysTrust provider
must pay his or her lawyer out-of-pocket as the case progresses (regardless of
outcome). Third, many countries, as in Canada and the UK, follow the “English
rule” with regard to the payment of legal fees (Hill, Metzger, & Schatzberg,
1993). Under this rule, the loser must pay the winner’s legal fees. Such a rule is
a disincentive to the filing of frivolous lawsuits. Also, accountant liability lawsuits
outside the U.S. do not offer the prospect of large jury awards because most
foreign jurisdictions do not permit jury trials or punitive damage awards (Smit,
1996; Ebke, 1984). In Canada, punitive damage awards are possible, although no
such cases were found involving accountants as defendants.
Even if a business or other entity or consumer obtains a judgment in a foreign
court against an American or Canadian SysTrust provider, however, the judgment
often must be enforced in an American or Canadian court. Such enforcement is
necessary if a foreign business, other entity or consumer seeks to levy on assets
in the U.S. or Canada owned by the SysTrust provider. Foreign judgments are
usually enforced in American or Canadian courts (Potter, 1997; Ivankovich,
1994), but an additional court proceeding increases the burden on a foreign
business suing in a foreign jurisdiction.
STEPS TO MINIMIZE LITIGATION RISK
As suggested by the AICPA’s Litigation Risk Model for Assurance Services

(AICPA, 1998), the first step SysTrust providers should take is to determine
whether to perform the assurance service. Firm partners should consider the effect
of the SysTrust engagement on the firm’s overall litigation risk exposure as well
as the standards to which they will be held. The firm first must have a good grasp
of the risk posed by the services it already offers and consider the additional
overall risk of SysTrust engagements by:
1. Identifying the risks—Who are the parties that can bring suit? What are
the legal grounds for bringing suit?
2. Evaluating the risks—What are the costs and benefits to be derived? and
3. Quantifying the risks—What is the likelihood of loss and what are the
dollar ranges of loss?
If, after evaluating all service offerings, the accounting firm decides the potential
litigation risk posed by the SysTrust service is acceptable, then client acceptance/
rejection decisions must be made.
The importance of the decision to accept a SysTrust client or continue to
offer the service to an existing client is reflected in the inclusion of acceptance and
continuance of clients as one of the five quality control elements for U.S. CPA
firms (AICPA, 1997). The steps involved in the SysTrust engagement evaluation
process include:
1. Evaluating the integrity of management.

2. Identifying special circumstances and unusual risks.
3. Assessing the firm’s competencies to perform SysTrust engagements.
4. Evaluating independence.
5. Determining the accountant’s ability to use due care.
6. Preparing an engagement letter.
Many American and Canadian accounting firms enter into written engage-
ment agreements with audit clients. A firm should make a comparable arrange-
ment with a SysTrust client. Some of the more important provisions that should
be considered in a SysTrust engagement letter include:
1. The objective of a SysTrust engagement is the expression of an opinion

on the client’s conformity with the SysTrust criteria for a given informa-
tion system.
2. Management is responsible for establishing and maintaining compliance
with the SysTrust standards for accessibility, maintainability, integrity,
and security.
3. Management is responsible for making all required information necessary
to complete the engagement available to the SysTrust provider.
4. At the conclusion of the engagement, management will provide the
SysTrust provider with a letter that confirms certain representations made
by management during the engagement.
5. The use of a loss-limiting clause or hold-harmless provision.
A loss-limiting clause is a contractual provision that requires the client to be

limited to a specified amount it can claim from the accountant (for example, fees
paid) for losses caused by services delivered. Alternatively, these clauses might
specify that the client will indemnify the SysTrust provider against claims by third
parties. In short, such a clause or provision attempts to limit the amount for which
a CPA can be sued. (However, gross negligence and intentional misrepresentation
by the SysTrust provider nullify such agreements).
Currently, an AICPA ethics interpretation allows a practitioner to add loss-
limiting clauses to engagement letters to cover situations in which a loss arises
from an intentional misrepresentation by the client (AICPA, 1999c). However,
AICPA guidelines are silent on whether a loss-limiting clause impairs a CPA’s
independence in an audit engagement. The SEC, however, considers a loss-
limiting clause as an impairment to independence (AICPA, 1998). Moreover, the
legal effect of such clauses may vary by country. In sum, loss-limiting clauses
present the SysTrust provider with a means to control litigation risk, but their use,
at best, is quite restricted. CPAs/CAs offering SysTrust services should consult
legal counsel before using a loss-limiting clause or hold-harmless provision in an
engagement agreement.
Another option is to consider including an alternative dispute resolution
(ADR) provision in the engagement letter. ADR refers primarily to arbitration
(in which the decision of an arbitrator is binding) and mediation (in which a
mediator assists in reaching a settlement). The courts and legislatures of
leading countries have enunciated strong public policy favoring the resolution
of international commercial disputes by arbitration (Marinelli, 1998). How-
ever, ADR is aimed at disputes with clients, not third parties. Primary benefits
of ADR are avoidance of uncertainties (for example, deciding in which venue
a dispute will be heard), and reduction of delays and the expense of the
judicial system. A disadvantage of ADR is that its low cost may encourage
grievances by clients who would not otherwise commence litigation. Accoun-
tants should check their insurance because some insurance policies limit use
of ADR. ADR does have its limitations, so the SysTrust provider should
consult legal counsel before using an ADR clause.
CONCLUSION
The AICPA/CICA have developed a new and promising assurance ser-

vice for CPAs/CAs to offer clients–SysTrust. This assurance service is de-
signed to increase the comfort of management, customers, suppliers, and
business partners with the systems that support a business or other entity. An
accountant who wishes to offer SysTrust should understand the litigation risk
environment before proceeding to perform SysTrust engagements. Accoun-
tants often become defendants in lawsuits filed by disgruntled third parties
because accountants are perceived as “deep pockets.” Moreover, the potential
liability of SysTrust providers is significant given the growing use of EDI,
Extranets, and the Internet.
Presently, no United States, Canadian, Australia, New Zealand, or United

Kingdom court decision has been reported that addresses directly the liability
of accountants to third parties for negligently performing system reliability
assurance services. In Canada, Australia, New Zealand, and the United King-
dom, present law regarding accountant liability indicates that a SysTrust
practitioner would owe third-party SysTrust report users a duty under limited
sets of circumstances (e.g., when the practitioner knows a SysTrust report will
be shown to a third party who is a member of a known, limited class of persons
and the third party relies on the report in a known, specific transaction). In the
United States, the results of existing court cases and application of accountant
privity statutes offer encouragement in some states, especially those that
follow a privity or near-privity standard. In the 18 states that follow the
traditional Restatement standard, the SysTrust provider has liability exposure
to more third parties than under the privity or near-privity standard, but it still
is limited to known, fixed, limited groups of SysTrust report users. In Texas,
Minnesota, Mississippi, and Wisconsin, however, the SysTrust practitioner
faces a higher degree of litigation risk. Under the reasonable foreseeability
rule (or expansive interpretation of the Restatement standard), many third-
party SysTrust report users would have a legal right to sue the assurance
provider. The SysTrust practitioner’s legal exposure in those 13 states without
a direct court ruling or accountant privity statute is highly uncertain. Accoun-
tants who exercise caution and common sense will likely find the SysTrust
service to be a profitable long-run addition to their list of services.
Acknowledgments: We would like to thank two anonymous reviewers

for their suggestions.
NOTES
1. There are differences between the CPA/CA SysTrust service and the CPA/CA WebTrust.
These differences relate to both the nature of the systems being addressed and the nature of
the assurance being provided. WebTrust focuses only on Internet-based systems; SysTrust
applies to numerous types of systems (Boritz, Mackler, & McPhie, 1999). CPA/CA WebTrust
is designed to instill confidence in consumers and entities that conduct business over the
Internet. Increased consumer trust and confidence in e-commerce is to be achieved by CPAs
and CAs evaluating and monitoring business website practices, procedures, and controls.
SysTrust, on the other hand, focuses specifically on the reliability of systems themselves
(Boritz, Mackler, & McPhie, 1999).
2. In the U.S., in 1993, the Big 6 (now Big 5) accounting firms’ expenditures for settling and
defending lawsuits were $1.1 billion or 11.9% of domestic auditing and accounting revenue
(Dalton, Hill, & Ramsay, 1994). In 1994, the Big 6 firms claimed that a tidal wave of liability
lawsuits threatened their existence (Marino & Marino, 1994). Large settlements have contin-
ued in the U.S. including a $125 million payment by Price Waterhouse Coopers and Ernst &
Young stemming from the collapse of the Bank of Credit and Commerce International (Trapp,
1999) and a $335 million payment by Ernst & Young to shareholders of CUC International
over the audit of that firm (Peel, 1999). In the United Kingdom, the Big 6 accounting firms
faced 627 outstanding legal cases claiming damages of £20 billion by mid-1994 (Beckett,
1994). The largest firms in the U.K. are paying as much as 8% of their auditing and accounting
fee income on professional liability insurance (Napier, 1998). UK accountants are concerned
that they could be heading toward an environment as litigious as the U.S. (Peel, 1999). By
1994, at least $1.3 billion (Canadian) of unresolved claims were pending against Canadian
accountants (Jeffrey, 1994). In Australia, accountants have faced an unprecedented litigation
problem (Cooper & Barkoczy, 1994). It is estimated that the total amount of negligence claims
that have been brought against Australian accountants accumulated to approximately A$8
billion (Miller, 1999). In New Zealand, a significant number of accounting firms have faced
litigation and the cost of defending such lawsuits has been recognized as a major business
problem (Lepper, 1992; Porter, 1993).
3. The degree to which accounting rules are legislated can affect the nature of an accounting
system. In code law countries, laws stipulate minimum requirements, and accounting rules
tend to be highly prescriptive and procedural. In common law countries, laws establish limits
beyond which it is illegal to venture, and within those limits experimentation is encouraged
(Meek & Saudagaran, 1990).
4. SysTrust services are performed in the United States under the AICPA’s Statement on
Standards for Attestation Engagements No. 1 (AT §100)(AICPA 1999a). In Canada, SysTrust
services are conducted under the CICA’s Standards for Assurance Engagements (§5025)
(CICA, 1999). Moreover, in the U.S. quality control standards apply to SysTrust engage-
ments. Quality control standards assure that attestation standards are applied to covered
engagements. Statement on Quality Control Standards No. 2, “System of Quality Control for
a CPA Firm’s Accounting and Auditing Practice,” requires that a firm have a comprehensive
and suitably designed quality control system, encompassing the firm’s organization structure,
internal policies, and procedures. The four Commonwealth nations also have quality standards
that apply to SysTrust services.
5. One prime example of such a situation occurred in Performance Motorcars v. Peat Marwick,
643 A.2d 39 (N. J. Super., 1994). Performance Motorcars, Inc., a New York business, sued
Peat Marwick in a New Jersey court, alleging that it suffered losses after one of its customers,
Coated Sales, Inc., went bankrupt. Performance conceded that if New York law applied, it
would not be able to sue Peat Marwick. Ultimately, an appeals court held that New Jersey law
applied giving Performance a legal right to sue under New Jersey law applicable at the time
of the suit. In 1995, the New Jersey legislature passed a statute that changed state law to a
stricter standard (i.e., near privity) than the one applied in Performance Motorcars (i.e.,
reasonable foreseeability rule) for determining the scope of an accountant’s duty to nonclients.
6. 107 A. 783 (Pa. 1919)
7. 174 N. E. 441 (N.Y. 1931)
8. 483 N. E. 2d 110 (N.Y. 1985)
9. The eight states include Arkansas, Illinois, Kansas, Louisiana, Michigan, New Jersey, Utah,
and Wyoming.
10. The four states are Idaho, Montana, Nebraska, and New York
11. 284 F. Supp. 85 (D. R. I. 1968)
12. Restatements of the Law are a product of attorneys working under the aegis of the American
Law Institute. Restatements are not binding authority on courts but represent a synthesis of
common law rules.
13. Badische Corp. v. Caylor, 356 S. E. 2d 198 (Ga. 1987)
14. 461 A. 2d 138 (N. J. 1983)
15. [1997] 2 S. C. R. 165
16. [1977] 1 S. C. R. 466
17. Anns v. Merton London Borough Council, [1978] A. C. 728; Kamloops v. (City of) Nielson,
[1984] 2 S. C. R. 2.
18. The two-stage approach has been applied by the Supreme Court of Canada in the context
of various types of negligence actions, including cases involving claims for different
forms of economic loss. It was endorsed implicitly in the context of an action for
negligent misrepresentation in Edgeworth Construction Ltd. v. N. D. Lea & Associates
Ltd. [1993] 3 S. C. R. 206.
19. Some Canadian legal commentators urge that foreseeability of harm cannot be the sole
determinant of liability. The predication of liability upon pure foreseeability of economic
harm is incompatible with a competitive economic system. A free market system treats many
types of losses as legitimate and even beneficial; the economically inefficient deserve to incur
certain losses. Once foreseeability of harm is established, to answer the duty question in any
given situation really involves an inquiry into two broad areas. First, does it make economic
sense to shift this type of loss? Second, what do community expectations have to say about
whether the plaintiff is reasonably entitled to rely on the accountant or other defendant to
protect him or her from harm in the particular situation? Such questions are unavoidable and
are matters of policy (Cherniak & Stevens, 1992). This argument points out the overriding
importance of the second prong of the Anns/Kamloops test.
20. The quoted language is from Justice Cardozo’s famous opinion in Ultramares v. Touche, 174
N. E. 441 (N.Y. 1931). The Supreme Court of Canada cited Ultramares with approval.
21. The “limited class of users test” requires the accountant to have actual knowledge of the
limited class of users who will use and rely on the accountant’s work product. The Supreme
Court of Canada first applied an expanded version of the test to accountant liability in Haig
v. Bamford [1977] 1 S. C. R. 466. One of the most important considerations in application of
the limited class of users test is the nature of the intended transaction(s) that are the subject
of the accountant’s work product (Ish, 1977). It is one thing, in a relatively simple situation,
to identify a small and discreet group of individuals who are or can be identified as relying
directly on the judgments of professionals (e.g., a SysTrust provider) with whom they have no
direct contractual or fiduciary relationship. It is another question altogether, in more complex
cases, to contemplate the dimensions of the liability for negligence that may arise where it is
known that the opinions of an accountant or other professionals are to be widely disseminated
and relied on by a broad class of persons (Brown, 1977).
22. (1997) 71 A. L. J. R. 448
23. One Australian legal commentator has argued that it will be seldom, if ever, that an accountant
will perform services intending to induce third parties to rely on them or have any reason for
wanting third parties to so rely (Davies, 1991).
24. Certain factors may be identified by the fact that the High Court stressed their absence from
pleadings in the case. These factors are: (1) The maker of a statement may possess skill and
competence in the area that is the subject of communication; (2) The maker of a statement has
an interest in the recipient of the statement acting in a certain way; or (3) The provider of
information may warrant the correctness of the information supplied to a third party (Swanton
& McDonald, 1997).
25. [1999] 2 N. Z. L. R. 276
26. [1990] 2 A. C. 605
27. The three conditions that must be met to satisfy the proximity element make the Caparo test
quite similar to the U.S. Restatement standard. The one aspect of the Caparo test not formally
outlined in the Restatement standard is imposing liability from a policy standpoint on a “just
and reasonable” basis. Ironically, U.S. courts often engage in open policy discussions when
addressing the scope of an accountant’s duty to third parties for negligence.
Appendix A. Overview of SysTrust Criteria

Availability Illustrative Controls
The entity has defined and ● Procedures exist to identify and document authorized
communicated performance system users and their availability requirements.
objectives, policies, and standards for ● Procedures exist to log and review requests from
system availability. authorized users for changes and additions to system
availability objectives, policies, and standards.
● A formal process exists to identify and review
contractual, legal, and other service level agreements
and applicable laws and regulations that could impact
system availability objectives, standards, and policies.
● The items noted above are properly documented and
communicated to appropriate personnel and/or system
users.
The entity utilizes procedures, people, ● System availability features are regularly tested and
software, data, and infrastructure to variances are recorded.
achieve system availability objectives ● A risk assessment is prepared and reviewed on a
in accordance with established regular basis and considers fire, flood, dust,
policies and procedures. excessive heat, humidity, and labor problems.
● Vendors warranty specifications are complied with
and tested.
● Disaster recovery and contingency plans are
documented and tested.
● Backup data processing capability is available. Data
and software are regularly backed up offsite.
● Physical and logical security controls exist to reduce
unauthorized actions by users.
● Competent personnel responsible for availability
have relevant experience and receive training.
The entity monitors the system and ● The internal audit function includes system
takes action to achieve compliance availability reviews in its annual audit plan.
with system availability objectives, ● Problem logs are reviewed and trends are analyzed
policies, and standards. to identify impact on system availability.
● Procedures exist for the documentation, resolution,
and review of problems.
● System component changes are assessed for impact on
system availability, objectives, policies, and standards.
Security Illustrative Controls
The system security requirements of ● Objectives, policies, and standards exist that support
authorized users, and system security the implementation, operation, and maintenance of
objectives, policies, and standards are security measures.
identified, documented, and ● Security levels are defined for each of the data
communicated to users. classifications identified above the level of “no
protection required.”
● A risk assessment approach has been established that
focuses on an examination of elements of risk such
as threats, vulnerabilities, safeguards and consequences.
Appendix A. Continued
● A security awareness program communicates the
information technology security policy to each user.
Documented system security ● A formal process exists to identify and review

objectives, policies, and standards are contractual, legal, and other service legal agreements
consistent with system security and applicable laws and regulations that could impact
requirements defined in contractual, system security objectives, policies, and standards.
legal, and other service level
agreements and applicable laws and
regulations.
Responsibility and accountability for ● Responsibility for the logical and physical security
system security have been assigned. of the entity’s information assets is assigned to
appropriate individuals.
The entity utilizes procedures, people, ● The access control and operating system facilities
software, data and infrastructure to have been appropriately installed, including
achieve system security objectives in implementation of parameters to restrict access in
accordance with established policies accordance with policies.
and standards. ● The operators, users, and custodians of system
components implement and comply with procedures
and controls that meet security objectives, policies,
and standards.
There are procedures to identify and ● All paths that allow access to significant information
authenticate all users authorized to resources are controlled by the access control system
access the system. facilities.
● Unique user IDs are assigned to individual users.
Passwords are used to validate IDs.
● Data owners are responsible for authorizing access to
data and systems, and proper segregation of duties is
considered in granting authorization.
● Access to utility programs that can read, add,
change, or delete data or programs is restricted to
authorized individuals.
There are procedures to restrict access ● Processing outputs and off-line storage media are
to computer processing output and files stored in an area that reflects information classification.
on off-line storage to authorized users.
There are procedures to protect ● If connection to the Internet or other public networks
external access points against exist, adequate firewalls or other procedures are
unauthorized logical access. operative to protect against unauthorized access.
There are procedures to protect the ● There are periodic checks of the entity’s computers
system against infection by computer for unauthorized software.
viruses, malicious codes, and
unauthorized software.
There are procedures to segregate ● An assignment of responsibility is maintained that
incompatible functions within the ensures that no single individual has the authority to
system and to protect the system read, add, change, or delete an information asset
against unauthorized physical access. without an independent review.
● Access to computers, disk, and tape storage devices,
communications equipment, and control console is
restricted to authorized personnel.
The entity monitors the system and ● The internal audit function includes system security
takes action to achieve compliance reviews in its annual audit plan.
with system security objectives,
policies, and standards.
Environmental and technological ● A risk assessment has been prepared and is reviewed
changes are monitored and their on a regular basis or when a significant change
impact on system security is occurs in either the internal or external environment.
periodically assessed on a timely
basis.
Integrity Illustrative Controls
The entity has defined and ● Procedures exist to identify and document authorized
communicated performance users of the system and their integrity requirements.
objectives, policies, and standards for
system processing integrity.
Documented system processing ● Procedures exist to log and review requests from
integrity objectives, policies, and authorized users for changes to system processing
standards have been communicated to integrity objectives, policies, and standards.
authorized users.
The entity utilizes procedures, people, ● System processing integrity features are regularly
software, data, and infrastructure to tested and variances are recorded and followed up.
achieve system processing integrity ● Hardware and software acquisitions and
objectives. implementations are subjected to extensive testing
prior to acceptance in production
● Input form design should help assure that errors and
omissions are minimized.
● The entity has procedures that all authorized source
documents are complete and accurate, properly
accounted for, and transmitted in a timely manner.
● Transaction data entered for processing are subjected
to a variety of controls to check for accuracy,
completeness, and validity.
There are procedures to ensure that ● There is an appropriate segregation of incompatible

system processing is complete, duties with regard to handling of production data and
accurate, timely, and authorized. within the information services function.
Integrity Illustrative Controls
● Files received from users are balanced to control
totals, record counts, etc. and are subject to the same
edit and validation checks as on-line submissions.
● The entity ensures that adequate protection from
unauthorized access, modification and misaddressing
of sensitive information is provided during
transmission and transport.
● All new personnel are subjected to background
checks, validation, etc.
There are procedures to enable ● System logs record all system-related events with a
tracing of information inputs from unique transaction identifier.
their source to their final disposition
and vice versa.
takes action to achieve compliance processing integrity reviews in the annual audit plan.
with system processing integrity ● Problem logs are reviewed and include tests of data
objectives, policies, and standards. acceptance and validation routines to identity
potential sources of corrupt data.
Environmental and technological ● The entity maintains an R&D group whose charter is
changes are monitored and their impact to assess the impact of emerging technologies.
on system processing integrity is
periodically assessed on a timely basis.
Maintainability Illustrative Controls
The entity has defined and ● There is routine and periodic hardware maintenance
communicated performance to reduce the frequency and impact of performance
objectives, policies, and standards for failures.
system maintainability.
Documented system maintainability ● There is a “help” desk function that provides user
objectives, policies, and standards are support.
communicated to authorized users. ● There is a budget allocation for emergency or
unanticipated maintenance requirements.
The entity utilizes procedures, people, ● Hardware and infrastructure requirements are
software, data, and infrastructure to periodically evaluated to provide adequate resources
achieve system maintainability for maintenance activities.
objectives in accordance with ● Procedures exist to initiate, review, and approve
established policies and standards. change requests.
● Changes to system infrastructure and software are
developed and tested in a separate development/test
environment prior to implementation.
● Correct software elements are distributed to the right
place, with integrity, in a timely manner, and with
adequate audit trails.
Maintainability Illustrative Controls
There are procedures to ensure that ● A segregation of duties is maintained between these
only authorized, tested, and functions: operation, network management, system
documented changes are made to the administration, system development, change
system and related data. management, and security administration.
● There is adequate off-site storage of maintenance
resources, particularly program libraries, to enable
reconstruction in the event of on-site loss.
● An assignment of responsibility is used that ensures no
single individual has the authority to read, add, change,
or delete an information asset without review.
takes action to achieve compliance maintainability reviews in an annual audit plan.
with maintainability objectives, ● Problem logs are reviewed and trends are analyzed
policies, and standards. to identify the potential impact on system
maintainability objectives.
● At least annually, users are involved in assessing
whether specific systems meet their current and
anticipated needs.
Environmental and technological ● Internal audit periodically prepares reports that

changes are monitored and their impact compare actual maintenance and updating
on system maintainability is requirements to budgeted requirements, and analyzes
periodically assessed on a timely basis. the results.
Source: AICPA
REFERENCES
American Institute of Certified Public Accountants (AICPA). 1997. System of quality control for a
CPA firm’s accounting and auditing practice. New York: AICPA.
. 1998. Assurance service liability. Http://www.aicpa.org/assurance/scas/majtheme/svcliab.
. 1999a. Statements on standards for attestation engagements. New York: AICPA.
. 1999b. SysTrust principles and criteria for systems reliability. Http://www.aicpa. org/
assurance/stintro.htm.
. 1999c. AICPA professional standards, Vol. 2, ET §191.188. New York: AICPA.
American Law Institute. 1987. Restatement (third) of the foreign relations law of the United States
§421. New York: American Law Institute.
Ayers, S., Frownfelter-Lohrke, C., & Hunton, J. 1999. Opportunities in electronic commerce
assurance for information systems auditors. IS Audit & Control Journal, VI: 34 –39.
Beckett, M. 1994. Accountants debate move to limited liability. Daily Telegraph, 28 (June): 28.
Boritz, E., Mackler, E., & McPhie, D. 1999. Reporting on systems reliability. Journal of Accoun-
tancy, 188 (5): 75– 87.
Bournellis, C. 1995. Internet ’95. Internet World, 6 (November): 47–50.
Boynton, W., & Kell, W. 1996. Modern auditing. New York: John Wiley & Sons, Inc.
Brecht, H. D. 1989. Auditors’ duty of care to third parties: A comment on the judicial reasoning
underlying US cases. Accounting and Business Research, 19: 175–178.
Brown, R. D. 1977. Haig v. Bamford. Osgoode Hall Law Journal, 15 (2): 474 – 484.
Canadian Institute of Chartered Accountants (CICA). 1999. CICA handbook, Section 5025. Toronto,
Canada: CICA.
Causey, D. 1987. Accountants’ liability in an indeterminate amount for an indeterminate class: An analysis of
Touche Ross & Co. v. Commercial Union Ins. Co. Mississippi Law Journal, 57: 379–416.
Cherniak, E., & Stevens, K. 1992. Two steps forward and one step back? Anns at the crossroads in
Canada. Canadian Business Law Journal, 20: 164 –179.
Cooper, B. J., & Barkoczy, M. L. 1994. Third-party liability: The auditor’s lament. Managerial
Auditing Journal, 9 (5): 31–36.
Daley, B. A., & Gibson, J. M. 1994. The delineation of accountants’ legal liability to third parties:
Bily and beyond. St. John’s Law Review, 68 (Summer): 609 – 641.
Dalton, O., Hill, J., & Ramsay, R. 1994. The big chill. Journal of Accountancy, (November): 53–56.
Davies, M. 1991. The liability of auditors to third parties in negligence. UNSW Law Journal, 14 (1):
171–197.
Deturbide, M. 1998. Liability of auditors. Canadian Bar Review, 77 (March/June): 260 –264.
Ebke, W. F. 1984. In search of alternatives: Comparative reflections on corporate governance and
the independent auditor’s responsibilities. Northwestern University Law Review, 79 (Novem-
ber): 663–720.
Eddy, A. 1999. Tabcorp bets off as computer fails. Australian Business Intelligence, 2 (October): A3.
Fleming, C. 1998. After Kripps and Hercules. Accountancy, 12 (February): 62– 64.
Godsell, D. 1991. Auditors’ legal liability and the expectation gap. Australian Accountant, 61
(February): 22–28.
Gonzalo, J. 1997. The role, the position, and the liability of the statutory auditor within the European
Union. Accounting Horizons, 11 (March): 164 –172.
Gormley, R. 1984. The foreseen, the foreseeable, and beyond–Accountants’ liability to nonclients.
Seton Hall Law Review, 14: 528 –572.
Gosnell, C. 1998. Jurisdiction on the net: Defining place in cyberspace. Canadian Business Law
Journal, 29: 344 –363.
Gossman, T. 1988. 1988. The fallacy of expanding accountants’ liability. Columbia Business Law
Review, 1: 213–241.
Hickley, M. 1999. Hi-tech hitch makes sales go to pot for Doulton. Daily Mail, 11 (November): 20.
Hill, J., Metzger, M., & Schatzberg, J. 1993. Auditing’s emerging legal peril under the National
Surety doctrine: A program for research. Accounting Horizons, 7 (March): 1–28.
Ish, D. 1977. Liability arising out of negligent misrepresentation. Saskatchewan Law Review, 42 (1):
147–153.
Ivankovich, I. F. 1991. Accountants and third-party liability–Back to the future. Ottawa Law
Review, 23: 505–531.
. 1994. Enforcing U.S. judgments in Canada. Northwestern Journal of International Law &
Business, 15 (Fall): 491–524.
Jeffrey, G. 1994. Accountants want relief from legal nightmare. Financial Post, 29 (April): 12.
Lepper, J. 1992. NZ auditors straining under litigation threat. Accountant, (March): 8.
Marinelli, A. 1998. Choice of law and alternative dispute resolution in international contracts.
Journal of Legal Studies in Business, 6 (1): 79 – 88.
Marino, S., & Marino, R. 1994. An empirical study of recent securities class action settlements involving
accountants, attorneys, or underwriters. Securities Regulation Law Journal, 22: 115–174.
Marshall, P. 1990. Auditors’ duties: A narrow approach. Lloyd’s Maritime and Commercial Law
Quarterly, (November): 478 – 481.
Meek, G., & Saudagaran, S. 1990. A survey of research on financial reporting in a transnational
context. Journal of Accounting Literature, 9: 145–213.
Miller, M. 1999. Auditor liability and the development of a strategic evaluation of going concern.
Critical Perspectives in Accounting, 10: 355–375.
Miller, R., & Young, M. 1997. Financial reporting and risk management in the 21st century.
Fordham Law Review 65, (April): 1987–2064.
Morris, G. 1991. The liability of professional advisers: Caparo and after. Journal of Business Law, 36–48.
Murphy, J. 1996. Expectation losses, negligent omissions, and the tortious duty of care. Cambridge
Law Journal, 55 (March): 43–55.
Napier, C. 1998. Intersections of law and accountancy: Unlimited auditor liability in the United
Kingdom. Accounting, Organizations and Society, 23: 105–128.
Nelson, E., & Ramstad, E. 1999. Hershey’s biggest dud has turned out to be its new technology.
Wall Street Journal, 29 (October): A1.
Nicholson, K. 1991. Third-party reliance on negligent advice. International and Comparative Law
Quarterly, 40: 551–582.
Pacini, C., Hillison, W., & Sinason, D. 2000. Three’s a crowd: An examination of state statutes and
court decisions that narrow accountant liability to third parties for negligence. Advances in
Accounting, 17: 151–185.
Pacini, C., Martin, J., & Hamilton, L. 2000. At the interface of law and accounting: An examination
of a trend toward a reduction in the scope of auditor liability to third parties for negligence in
the common law countries. American Business Law Journal, 37 (2): 171–235.
Pacini, C., & Sinason, D. 1998. Gaining a new balance in accountants’ liability to nonclients for negligence:
Recent developments and emerging trends. Commercial Law Journal, 103 (Spring): 15–66.
Pacini, C., Sinason, D., & Peltier-Rivest, D. 1999. Assurance services and the electronic frontier:
The international legal environment of the CPA/CA WebTrust. Advances in International
Peel, M. 1999. Auditors find lawsuits no laughing matter. Financial Times, 21 (December): 26.
Porter, B. 1993. An empirical study of the audit expectation-performance gap. Accounting and
Business Research, 24: 49 – 68.
Potter, R. 1997. The role of ADR clauses in avoiding foreign litigation entanglements. Canadian
Business Law Journal, 28: 415– 429.
Primoff, W. 1998. Electronic commerce and webtrust. The CPA Journal, (November): 14 –22.
Rafferty, N. 1998. Recent professional negligence decisions from the Supreme Court of Canada.
Professional Negligence, 14 (2): 67–74.
Salter, S., & Doupnik, T. 1992. The relationship between legal systems and accounting practices: A
classification exercise. Advances in International Accounting, 5: 3–22.
Schwartz, K., & Menon, K. 1985. Auditor switches by failing firms. The Accounting Review, 60
(April): 248 –261.
Silva, E. J. 1993. Practical views on stemming the tide of foreign plaintiffs and concluding
mid-Atlantic settlements. Texas International Law Journal, 28 (Summer): 479 – 499.
Smit, H. 1996. The explosion in international litigation. Metropolitan Corporate Counsel, (Octo-
ber): 59 – 65.
Swanton, J., & McDonald, B. 1997. Common law–The reach of the tort of negligence. Australian
Law Journal, 71 (November): 822– 829.
Trapp, R. 1999. PWC faces pounds 400m lawsuit over Maxwell failure. The Independent 3 (February): 16.
Ward, B. 1999. Auditors’ liability in the UK: The case for reform. Critical Perspectives in
Willekens, M., Steele, A., & Miltz, D. 1996. Audit standards and auditor liability: A theoretical
model. Accounting and Business Research, 26 (3): 249 –264.
Wilske, S., & Schiller, T. 1997. International jurisdiction in cyberspace: Which states may regulate
the Internet? Federal Communications Law Journal, 50 (December): 117–176.
Witmer, R. 1996. SEC’s Wallman describes view of technology’s impact on accounting. Securities
Regulation and Law Reporter, 28: 1531–1532.
Woodyard, C., & Hansen, B. 1999. When computers fail. USA Today, 7 (December): A1.
Yvonne, M. 1999. Computer fault stops legal-aid money. The Press, (Christchurch), 22 (October): 3.

Auditing Pacini 2000

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Auditing Pacini 2000

Uploaded by

Copyright:

Available Formats

At the Interface of the Electronic Frontier and the

Law: The International Legal Environment for

In response to concerns about unreliable information systems, the American Institute of

Key Words: SysTrust; Assurance Liability; Accountant Liability; Negligence; Information

an attestation/assurance report on whether management maintained appropri-

Typical means of access to an entity’s information system(s) include Elec-

1. Availability—The system is available for operation and use at times set

Criteria are set forth to allow a practitioner to judge whether an information

1. Communications—The entity has defined and communicated perfor-

An information system must satisfy all of the SysTrust criteria to be deemed

OVERVIEW OF LEGAL SYSTEMS

RESEARCH AND METHODOLOGY

A starting point of the research was evaluation of prior literature related to

PRESENT LAW AND SYSTRUST

Presently, no reported legal case has yet addressed directly accountants’

liability to third parties for negligent misrepresentation.

The Restatement Standard

In 1968, a federal district court in Rhode Island first expanded accountant

Reasonable Foreseeability Rule

An expanded scope of accountant duty to nonclients was recognized in 1983

The crucial considerations, with regard to SysTrust provider liability, are

In dismissing Esanda’s negligence claim, the High Court unanimously held

1. Liability insurance—the effect on the accountant’s ability to obtain lia-

8. Unlimited guarantee–the understanding that the imposition of a duty of

Again, we consider the law of accountant liability to nonclients for negli-

by an assumption that an investment, purchase, or expenditure is sound because

No decided case exists in the United Kingdom on the liability of an assurance

OTHER INTERNATIONAL CONSIDERATIONS

SysTrust presents a challenge to private international law because the use of

1. Regularly conducting business in a foreign country.

Conceivably, a court in another country could deem it reasonable to exercise

STEPS TO MINIMIZE LITIGATION RISK

As suggested by the AICPA’s Litigation Risk Model for Assurance Services

1. Evaluating the integrity of management.

1. The objective of a SysTrust engagement is the expression of an opinion

A loss-limiting clause is a contractual provision that requires the client to be

The AICPA/CICA have developed a new and promising assurance ser-

Presently, no United States, Canadian, Australia, New Zealand, or United

Acknowledgments: We would like to thank two anonymous reviewers

Appendix A. Overview of SysTrust Criteria

Documented system security ● A formal process exists to identify and review

There are procedures to ensure that ● There is an appropriate segregation of incompatible

Environmental and technological ● Internal audit periodically prepares reports that

You might also like