Legal Duties and Responsibilities

Introduction

CPAs face legal liability from multiple sources: common law (contracts and torts), federal securities statutes, and state regulatory proceedings. The scope of liability, the parties who can bring claims, and the defenses available all depend on which legal theory applies. This chapter examines the framework of CPA liability to clients, third parties, and the public, and the key defenses practitioners should understand.


Common Law Liability to Clients

A CPA's liability to clients arises primarily from three theories:

Breach of Contract

A client may sue the CPA for breach of the engagement agreement. Common claims include:

  • Failure to complete the engagement on time
  • Failure to detect errors or fraud that should have been discovered under the terms of the engagement
  • Failure to follow agreed-upon procedures

The client must prove the existence of a contract, the CPA's breach, and resulting damages.

Example: Gies Co. engages a CPA firm to complete its corporate tax return by the March 15 filing deadline. The CPA firm misses the deadline, and Gies Co. incurs $25,000 in late-filing penalties. Gies Co. may recover those penalties as breach-of-contract damages.

Negligence

To establish a negligence claim, the client must prove four elements:

  1. Duty of care — the CPA owed a duty to perform with the skill and competence of a reasonable CPA
  2. Breach — the CPA failed to meet that standard (e.g., violated GAAS or GAAP)
  3. Causation — the CPA's breach was the proximate cause of the client's loss
  4. Damages — the client suffered actual financial harm

:::info

The standard of care for CPAs is based on what a reasonably competent CPA would have done under similar circumstances — not perfection. A CPA is not a guarantor against all errors.

:::

Fraud (Intentional Misrepresentation)

Fraud requires proof of the following elements:

  1. The CPA made a material misrepresentation of fact
  2. The CPA acted with knowledge of its falsity (scienter) or reckless disregard for the truth
  3. The CPA intended to induce reliance
  4. The client justifiably relied on the misrepresentation
  5. The client suffered damages as a result

:::warning

Unlike negligence, fraud can result in punitive damages in addition to compensatory damages. Fraud also eliminates many contractual defenses, such as limitation-of-liability clauses.

:::


Common Law Liability to Third Parties

CPAs may also face liability to third parties (such as creditors or investors) who rely on the CPA's work. Three primary tests have emerged:

Primary Benefit Test (Ultramares Doctrine)

Under this traditional and most restrictive approach, a CPA is liable to a third party only if the CPA knew the engagement was being performed for the primary benefit of that specific third party.

Example: A CPA audits MAS Inc.'s financial statements. First National Bank later relies on those statements to extend a $2 million loan. Under the Ultramares approach, the CPA is liable to the bank only if the CPA knew at the time of the engagement that the audit was being conducted specifically for First National Bank's benefit.

Foreseen Users / Restatement Approach

Under the Restatement (Second) of Torts approach (adopted by a majority of states), a CPA is liable to:

  • Persons or classes of persons the CPA knew would receive the financial statements
  • Even if the CPA did not know the specific identity of each user

Example: The CPA knows that MAS Inc. intends to use the audited financial statements to apply for bank financing, though the specific bank has not yet been selected. Under the Restatement approach, any bank that extends credit in reliance on those statements is a foreseen user and may sue the CPA.

Foreseeable Users (Rosenblum Approach)

Under this broadest approach, a CPA is liable to any person the CPA could reasonably foresee might obtain and rely on the financial statements.

| Test | Scope of Liability | Key Requirement |
|---|---|---|
| Ultramares (Primary Benefit) | Narrowest | CPA knew the specific third party |
| Restatement (Foreseen Users) | Moderate | CPA knew the class of users |
| Rosenblum (Foreseeable Users) | Broadest | CPA could foresee any user |

:::tip Exam Tip

The Restatement (foreseen users) approach is the most commonly tested and is the majority rule. Know all three approaches and be able to distinguish them based on the facts presented.

:::

Statutory Liability Under Federal Securities Laws

Securities Act of 1933 — Section 11

Section 11 imposes liability on anyone who signs a registration statement (including accountants who certify financial statements included in the registration) if the statement contains material misstatements or omissions.

Key features of Section 11:

| Element | Rule |
|---|---|
| Who can sue | Any purchaser of the security |
| Plaintiff's burden | Must prove material misstatement or omission and damages; need not prove reliance, negligence, or fraud |
| CPA's defense | Due diligence — the CPA, after reasonable investigation, had reasonable grounds to believe the financial statements were accurate |
| Standard | Negligence standard; no scienter required |

Example: Illini Entertainment issues stock through an IPO. The registration statement contains financial statements audited by a CPA firm. The financial statements materially overstate revenue. A purchaser of the stock can sue the CPA firm under Section 11 without proving the CPA firm acted negligently — the CPA firm must prove it conducted a reasonable investigation (due diligence defense).

:::caution

Under Section 11, the burden of proof shifts to the defendant. The CPA must affirmatively prove due diligence — the plaintiff does not need to prove negligence.

:::

Securities Exchange Act of 1934 — Section 10(b) and Rule 10b-5

Section 10(b) and Rule 10b-5 create liability for fraud in connection with the purchase or sale of any security (not just newly registered securities).

| Element | Rule |
|---|---|
| Who can sue | Purchasers or sellers of the security |
| Plaintiff's burden | Must prove: (1) material misstatement or omission, (2) scienter (intent to deceive), (3) reliance, (4) connection with purchase or sale, (5) damages |
| CPA's defense | Lack of scienter (no intent to deceive or reckless disregard) |
| Standard | Fraud standard — scienter is required |

:::tip Exam Tip

The critical distinction: Section 11 (1933 Act) requires only negligence and applies only to registration statements. Section 10(b)/Rule 10b-5 (1934 Act) requires scienter but applies to all securities transactions. Memorize this distinction — it is heavily tested.

:::

Comparison of Section 11 and Section 10(b)

| Feature | Section 11 (1933 Act) | Section 10(b) / Rule 10b-5 (1934 Act) |
|---|---|---|
| Applies to | Registration statements only | Any purchase or sale of securities |
| Scienter required | No | Yes |
| Reliance required | No (presumed) | Yes |
| Burden of proof | Shifts to defendant (due diligence) | Plaintiff bears full burden |
| Privity required | No | No |
| Damages | Measured by decline in value | Out-of-pocket losses |

Key Defenses

Due Diligence Defense (Section 11)

To establish the due diligence defense, a CPA must show that after reasonable investigation, the CPA had reasonable grounds to believe — and did believe — that the statements in the registration statement were true and that no material facts were omitted.

Lack of Scienter (Section 10(b))

A CPA can defeat a Rule 10b-5 claim by demonstrating the absence of scienter — meaning the CPA did not act with intent to deceive, manipulate, or defraud. Mere negligence is not sufficient to establish scienter.

Example: A CPA firm audits Kingfisher Industries and fails to detect a material inventory overstatement due to inadequate sampling procedures. Under Rule 10b-5, investors must prove the CPA firm intentionally or recklessly disregarded evidence of the overstatement — ordinary negligence would not be enough.


Working Papers: Ownership and Confidentiality

Ownership

Working papers prepared by the CPA during an engagement are the property of the CPA, not the client. However, the CPA may not withhold client records (e.g., general ledgers, journals, tax returns) to enforce payment of fees.

Confidentiality

CPAs have a duty to maintain the confidentiality of client information. Exceptions under the AICPA Code of Professional Conduct include:

  • Compliance with a valid subpoena or enforceable legal process
  • An authorized peer review
  • Response to an ethics investigation
  • Compliance with GAAS (e.g., successor auditor communications)

Privileged Communication

Under federal law, there is generally no CPA-client privilege. The tax practitioner privilege under IRC §7525 is limited:

  • Applies only to tax advice (not preparation of tax returns)
  • Applies only before the IRS and in noncriminal federal tax proceedings
  • Does not extend to corporate tax shelters
  • Does not apply in criminal matters

:::warning

Many states grant some form of CPA-client privilege under state law, but no such privilege exists under federal common law. Do not confuse state privilege statutes with the limited federal privilege under IRC §7525.

:::


Summary

| Topic | Key Rule |
|---|---|
| Negligence (clients) | CPA must exercise reasonable care; client must prove four elements |
| Fraud | Requires scienter; may result in punitive damages |
| Third-party liability | Three tests: Ultramares, Restatement (majority), Rosenblum |
| Section 11 (1933 Act) | No scienter required; CPA must prove due diligence |
| Section 10(b) / Rule 10b-5 | Scienter required; plaintiff bears burden of proof |
| Working papers | Owned by CPA; client records must be returned |
| Privileged communication | No federal CPA-client privilege; limited IRC §7525 privilege |