Auditor liability: ‘fair and reasonable’ punishment?
The issue of auditor’s liability is included in the syllabus for Advanced Audit and Assurance (AAA). Candidates need to understand and apply the principles of establishing liability in a particular situation, as well as being able to discuss the ways in which liability may be limited. The specific learning outcomes can be found in the Syllabus and study guide for the AAA examination.
This article focuses on the issue of auditor’s liability in the UK, and therefore contains references to the UK Companies Act 2006, as well as UK-specific legal cases. Candidates other than those attempting the UK adapted paper are not expected to have UK-specific knowledge. The concepts discussed in this article, however, are broadly relevant and will help candidates to understand why this is an important issue within the auditing profession.
Over the past two decades, the bill for fines issued by audit regulators of Big Four audit firms alone has run into millions of pounds. Examples include KPMG’s 2023 settlement of £21 million regarding its audit of the collapsed outsourcer, Carillion. The FRC found the audit work had not been completed ‘with an adequate degree of professional scepticism’. PwC’s fines for the inadequate scrutiny of long-term contracts at the construction companies Kier and Galliford Try, totalling £5 million, were issued in 2022. These fines are increasingly concerning, not only in terms of audit quality and the reputation of the profession but also in terms of the cost to the industry and the barriers this creates to competition within the audit market.
This article considers the current legal position of auditors in the UK. It also discusses the impact on the competitiveness of the audit market and some of the methods available to limit exposure to expensive litigation.
Auditors are potentially liable for both criminal and civil offences. The former occur when individuals or organisations breach a government-imposed law; in other words, criminal law governs relationships between entities and the state. Civil law, in contrast, deals with disputes between individuals and/or organisations.
Like any individual or organisation, auditors are bound by the laws in the countries in which they operate. So, under current criminal law, auditors could be prosecuted for acts such as fraud and insider trading.
Audit is also subject to legislation prescribed by the Companies Act 2006. This includes many sections governing who can be an auditor, how auditors are appointed and removed and the functions of auditors.
One noteworthy offence from the Companies Act is that of ‘knowingly, or recklessly causing a report under s.495 (auditor’s report on company’s annual accounts) to include any matter that is misleading, false or deceptive in a material particular’ (s.507).
This means that auditors could be prosecuted in a criminal court for either knowingly or recklessly issuing an inappropriate audit opinion.
There are two pieces of civil law of particular significance to the audit profession: contract law and the law of tort. These establish the principles for auditor liability to clients and to third parties, respectively.
Under contract law, parties can seek remedy for a breach of contractual obligations. Therefore, shareholders can seek remedy from an auditor if they fail to comply with the terms of an engagement letter. For example, an auditor could be sued by the shareholders, which was the case in the PwC settlement to Tyco shareholders referred to above.
Under the law of tort auditors can be sued for negligence if they breach a duty of care towards a third party who consequently suffers some form of loss.
The application of the law of tort in the auditing profession, and the way in which auditors seek to limit their exposure to the ensuing liabilities, has been shaped by a number of recent landmark cases. The most notable of these are Caparo Industries Plc (Caparo) v Dickman (1990) and Royal Bank of Scotland (RBS) v Bannerman Johnstone MacLay (Bannerman) (2002).
In the first case, Caparo pursued the firm Touche Ross (who later merged to form Deloitte & Touche) following a series of share purchases of a company called Fidelity plc. Caparo alleged that the purchase decisions were based upon inaccurate accounts that overvalued the company. They also claimed that, as auditors of Fidelity, Touche Ross owed potential investors a duty of care. The claim was unsuccessful; the House of Lords concluded that the accounts were prepared for the existing shareholders as a class for the purposes of exercising their class rights and that the auditor had no reasonable knowledge of the purpose that the accounts would be put to by Caparo.
It was this case that provided the current guidance for when duty of care between an auditor and a third party exists. Under the ruling this occurs when:
In the second case, RBS alleged that it had lost over £13m in unpaid overdraft facilities to insolvent client APC Ltd. They claimed that Bannerman had been negligent in failing to detect a fraudulent and material misstatement in the accounts of APC. The banking facility was provided on the basis of receiving audited financial statements each year.
In contrast to Touche Ross, who had no knowledge of Caparo’s intention to rely upon the audited financial statements, Bannerman, through their audit of the banking facility letter of APC, would have been aware of RBS’s intention to use the audited accounts as a basis for lending decisions. For this reason it was upheld that they owed RBS a duty of care. The judge in the Bannerman case also, and crucially, concluded that the absence of any disclaimer of liability to third parties was a significant contributing factor to the duty of care owed to them.
The guidance for when an auditor may be liable, either under criminal or civil law, appears to be clear and largely uncontroversial. The same cannot be said of the nature of the fines and settlements, which remains a hotly debated issue.
Before discussing this, it is worth making the point that auditors are only found liable in cases where they have breached their responsibilities to perform work with professional competence and due care and to act independently of their clients. There is therefore little argument that they should face the penalties of their own failures and that parties that have suffered as a result should be able to seek adequate compensation.
The main criticism of the current system is that the penalties incurred by the audit profession are unfairly high. This arises from the civil law principle of ‘joint and several liability’ enforced in the UK (as well as the US). This means that even if there are multiple culpable parties in a negligence case the plaintiff may pursue any one of those parties individually for the entire damages sought.
So for example, if a director fraudulently misstates the financial statements, the company’s management fail to detect this because of poor controls and the auditor performs an inadequate audit leading to the wrong audit opinion, it would be fair to say all three parties are at fault. Shareholders seeking compensation for any consequent losses, however, could try and recover the full loss from only one of those three parties.
Given that many of the cases arise when companies are facing financial difficulties, as with the examples cited above, and that any individuals involved are unlikely to possess sufficient assets to settle the liabilities, the audit firm, who may be asset rich and possess professional indemnity insurance, is often the sole target for financial compensation.
Regardless of the perceived fairness, this situation does create a number of challenges for the profession, namely:
With regard to the final point, auditor liability is not the sole reason for the lack of competition in the audit of listed entities but it is a significant barrier to entering that market. In the UK, there are continuing proposals to encourage more ‘mid tier’ audit firms to audit FTSE 350 companies. However, the size of the teams and the resources and experience required have traditionally been barriers to new entrants.
There are a number of ways in which audit firms can manage their exposure to claims of negligence. Perhaps the most obvious is not being negligent in the first place. In practical terms this means rigorously applying International Standards on Auditing and the IESBA’s International Code of Ethics for Professional Accountants and paying close attention to the terms and conditions agreed upon in the engagement letter.
Of course, improvements in quality management have been strengthened by the issue of the revised suite of International Standards on Quality Management and an upgraded ISA 220 (UK) (Revised) Quality Management for an Audit of Financial Statements. These have stressed a change in mindset, moving from an individual engagement risk and quality assessment to one which looks at the culture of quality at a firmwide level. The aim of this is to incorporate the management of quality throughout the whole firm, embedding it within the work, the employees and, most significantly, at a leadership and management level. However, there is still significant pressure to reduce audit fees, and many companies who are audited by the large firms are facing a more challenging economic forecast. Stakeholders, such as corporate and individual investors, are seeking more certainty and increasingly wanting assurance over non-financial issues, such as those relating to sustainability and corporate responsibility. With the introduction of the sustainability disclosure standards and the need for further upskilling by auditors, there are likely to be more challenges on the horizon.
Disclaimers of liability
One of the outcomes of the Bannerman case was the potential exposure of auditors to litigation from third parties to whom they have not disclaimed liability. As a result it became common to include a disclaimer of liability to third parties in the wording of the audit report.
Disclaimers may not entirely eliminate liability to third parties but they do reduce the scope for courts to assume liability to them. It should be noted that whilst this should reduce the threat of litigation in the UK, this protection may not extend overseas because the disclaimer is based on a ruling from a UK court case. It also provides no protection from the threat of litigation from clients under contract law.
There are also critics of the ‘Bannerman Paragraph,’ who believe that its presence devalues the audit report. They argue that the disclaimer acts as a barrier to litigation, which reduces the pressure to perform good quality audits in the first place. It is plausible that this reduces the credibility of the audit report in the eyes of the reader.
Liability Limitation Agreements
Since 2008 auditors have been permitted, under the terms of the Companies Act, to use Liability Limitation Agreements (LLAs) to reduce the threat of litigation from clients. LLAs are clauses built into the terms of an engagement that impose a cap on the amount of compensation that can be sought from the auditor. These must be approved by shareholders annually and be upheld by judges as ‘fair and reasonable’ when cases arise.
Whilst this may sound straightforward, it has created problems, including how to define the cap (ie as a fixed monetary amount, a multiple of the fee, or proportionate liability on a case by case basis). It is also difficult to decide what is fair and reasonable when setting the terms of the engagement because this is done before any potential litigation, or the scale of potential litigation, is known to the auditor and the client. This is therefore open to the interpretation of the courts, at which point the level of compensation may as well lie at the discretion of the courts in the first place.
Another problem lies with the shareholders; what motivation do they have for agreeing to terms that could potentially reduce their ability to recover any losses they incur due to the negligence of other parties? Once again this may be perceived as a barrier to litigation that audit firms can hide behind, reducing the pressure to perform good quality audits. Indeed, if the company and the audit firm enter into an auditor liability limitation agreement, the company must disclose within the financial statements the extent to which it is limited (Companies (Disclosure of Auditor Remuneration and Liability Limitation Agreement) Regulations 2008). The directors themselves may also be exposed to a breach of their fiduciary duty to act in the interests of the shareholders if they recommend the limitation agreement.
Under this proposal the audit firm would accept their proportion of the blame in a negligence case and would pay that proportion of the compensation. This system, as introduced in Australia in 2004, would ensure a fair outcome for the plaintiff without placing the entire financial burden upon the audit profession.
This is still being debated in the UK, but its advocates say that it would help to reduce the financial barriers for entry into the FTSE 350 audit market by reducing insurance premiums.
There is an increasing trend of litigation that is costing the audit profession millions of pounds. The potential costs and risks of auditing large, listed businesses may now be prohibitive for any firm of willing auditors outside of the top ten audit firms. In more recent years, an increasing number of non-Big Four firms, namely Grant Thornton, BDO and Mazars, have become statutory auditors of public interest companies in the UK.
The UK government is increasingly seeking to reform audit by undertaking a number of significant reviews, such as the Kingman Report. This gave the FRC stronger powers, which will eventually lead to the establishment of a strong regulatory body, the Audit, Reporting and Governance Authority (ARGA). Further recommendations have been put to the government in its white paper published by the Department for Business, Energy and Industrial Strategy (BEIS). Currently no further developments have occurred due to delays in legislation following the 2020 impact of the COVID-19 pandemic. The FRC are issuing heavier fines and challenging poor quality audits with greater capacity than in previous years.
Auditors can reduce their exposure to litigation by adopting the revised quality management standards established by the IAASB, ensuring training of all staff on key risk assessment areas and employing a firmwide culture of quality and best practice.
Updated by a member of the AAA Examining Team (Oct 2023)