Blame the bug

There have been various predictions made concerning possible claims against accountants in the event of year-2000 failures. McKinsey research from July last year suggests that customer/vendor disputes and lawsuits may cost as much as twice the $600bn outside experts are predicting will be spent remedying the Y2K issue in the first place.

Potentially at least, Y2K represents the accountancy profession’s biggest single area of threat in terms of foreseeable future claims. What precisely is their exposure, however, and why should auditors and accountants be held liable?

Auditors’ legal duties

A company’s auditors’ responsibilities are in general limited to the carrying out of their statutory duties. Auditors have a right of access to the books and to such information and explanation as they think necessary to enable them to perform their duties – as set out in the 1985 Companies Act.

Auditors will tell you that the approach to auditing has undergone a fundamental change over the last 15 years. Box ticking is now out, and a statistically based analysis of clients’ systems and controls is a fundamental part of the audit procedure. An auditor will strive to understand the nature and demands of an audit client’s business with a view to identifying risk areas – in other words, areas in the client’s business which lend themselves to having a material impact on the financial statements.

In practice, this means that auditors will need to get a grasp of clients’ internal controls over both IT systems and the staff who operate them.

Both the English ICA and the Auditing Practices Board have issued guidance on these matters (see box).

But how are auditors to assess the quality of a client’s IT staff? By their CVs? By their work? By their impressions of them as professionals? What if their CVs are a little thin, does this mean that the auditors in effect have to vet their work? Can they place any reliance on the work, and where are the boundaries?

If the auditors are not satisfied by the quality of the client’s impact analysis, what sort of qualification do they put on the audit report? If they wish to avoid qualifying the report, it appears, according to the English ICA technical release, that they may have to produce their own impact analysis. What then if their own analysis is wrong, are they negligent even though they may be handicapped by insufficient information?

As for drawing the wrong conclusions, consider the following. The provision of Y2K warranties is commonplace. To what extent will auditors be entitled to assume such warranties are good for the money without checking to see, for example, that the company providing the warranty is Y2K-compliant?

Conversely, does a warranty provided by an audit client represent a large contingent liability? It is not enough for an auditor to check the wording of warranties without looking at related documents, such as the related supply contract which may cut down the effectiveness of the warranty by clauses limiting or excluding the nature or scope of the work undertaken by the supplier.

All this adds up to an extremely worrying picture for auditors. Although, as the technical release stresses, the primary obligation to cure Y2K problems lies with management, the auditors are obliged to make sufficient enquiries to identify Y2K issues that may affect the balance sheet, and to report on those issues to management in certain circumstances.

What is particularly worrying is the fact that auditors may well be reliant on in-house (or outsourced) IT specialists who may feel it is in their personal interests to cover up Y2K problems because they will be criticised if these problems are revealed.

If the company falls into severe financial difficulties as a consequence of the failure to detect defects in the system which have been covered up, the auditors are likely to come under intense scrutiny; one of the burning issues will be whether they should have been alerted to the possibility of a cover-up.

Further, the high-profile nature of Y2K issues on the one hand helps auditors in that they are far less likely to overlook something, but on the other hand increases the onus on the auditor to spot errors arising from those same issues.

If he does nothing to assess the impact of Y2K on the client’s business the auditor is almost certainly negligent.

If he does assess the impact by making appropriate enquiries of management, he may still be criticised if he fails to make those enquiries competently or draws the wrong conclusions.

Non-audit tasks

The general duties of an auditor may be expanded by the terms of the contract of the auditor’s engagement. Thus, in the context of Y2K, if the auditors agree to report on specific internal controls, and those controls turn out to be hopelessly defective and they do not report on this, the auditors are likely to be liable for breach of contract.

In the present, highly competitive market, it will be tempting for accountants to expand their areas of work to take responsibility for the review of certain client Y2K problems. The accountant may not be aware of the responsibility that he is assuming, however, particularly if he has insufficient control over the operators of the computer systems that he is examining.

Potential claims

The auditor owes a duty of care to his client in respect of work he is obliged to carry out under statute (in his capacity as auditor) and under contract (because he agreed to do something). Consider the following scenarios where a claim might be made:

– Where auditors (contrary to the guidance contained in the technical release) ‘assume responsibility’ to the audit client for resolving Y2K issues, there may be losses resulting from their negligent failure to resolve Y2K IT-related problems. For example, investment in additional non-Y2K-compliant software.

– Where, as part of their assessment of the client’s Y2K impact analysis, the auditors negligently fail to report on a key supplier’s lack of Y2K-compliance, they could face a claim for the lost orders resulting from that supplier’s failure to supply on time due to problems caused by the supplier’s Y2K problems.

– Where the company expands and increases its debt level based upon a ‘clean audit’, and subsequently finds it cannot service its new levels of debt when faced with Y2K issues which the auditors negligently failed to report upon; the auditors could face a claim for the losses directly arising from the increase in debt levels.

Although this would be an unusual claim, theoretically, claims could emerge from audit clients which suffered loss as a result of auditors negligently overstating the adverse effects of Y2K issues on the company and possibly unjustifiably qualifying the audit report.

It is not just audit which may present problems. Accountants taking part in investigations of a company on behalf of banks or institutional investors before money is loaned or invested may also run into difficulties.

It is hard enough for the company itself to assess the likely impact of Y2K on its business; how much more so, then, for outside third parties, such as banks. If assessing Y2K issues forms part of the auditors’ duties, how tempting will it be for third parties to try to obtain some measure of comfort from the auditors on the issue?

Consider the following situations which may result in claims being made:

– Lost investment based upon due diligence reports prepared on a target company, which are inaccurate due to incomplete or misleading information obtained from the auditors which fails sufficiently to address Y2K issues.

– The subsequent loss of a client’s investment in the target company may result in a claim against both the auditors and the due diligence team.

– Lenders or investors relying on an ‘unqualified’ audit report which fails to report on the impact of material Y2K issues on the financial statements.

In both, the investor would have to prove that the auditor had ‘assumed responsibility’ to the investor for the accuracy of the audit work; the whole ‘duty of care issue’ is well-trodden ground and is the subject of numerous recent cases, such as Caparo, McNaughton, ADT v Binder Hamlyn, BCCI v E&Y and so on.

Firms will need to address possible liability where there is fraud or where the auditor is the victim of deception.

The auditors may be actively misled by managers, particularly IT staff, of the client.

This is a very real problem.

The difficulty is that IT staff may perceive their jobs or positions to be at risk if they admit to past errors which have created Y2K problems.

To the author’s certain knowledge, the IT section of a large international company is presently investing the equivalent of £2m into a system which has been described as Y2K-compliant by a senior IT manager, but has been discovered to ‘crash’ when Y2K-tested by a junior assistant.

To what extent is the auditor liable when he is misled? Auditors are not automatically at fault if fraud or deception leads to materially inaccurate financial statements. On the other hand, the auditors’ duty is to check the financial statements and the mere fact they have been lied to will not exclude liability.

The court’s position on detecting deception is perhaps reflected in Lord Justice Leggatt’s comments in Barings v Coopers & Lybrand (1997) which emphasised the importance of sound audit procedures which would ‘normally’ bring to light fraud, particularly the audit practice of pointing out weaknesses in internal controls.

The judge commented that ‘an auditor’s task is so to conduct the audit as to make it probable that material mis-statements in financial documents will be detected’. The latter approach is reflected in the profession’s guidelines (SAS 110). Failure to adhere to professional guidelines is regarded as prima facie evidence of negligence.

Claims prognosis

We do not know whether the year-2000 date change will turn out to be a paper dragon, or alternatively turn into an apocalypse for computer systems worldwide. Future claims against auditors and accountants will also be driven by whether there is an economic downturn which, linked to Y2K issues, leads to corporate failure. There are enough doomsday predictions around to satisfy the morbid.

Richard Highley is a partner in Davies Arnold Cooper’s Professional Indemnity Accountancy Unit


What precisely are the auditor’s Y2K responsibilities? The English ICA’s technical release, issued in September 1997, provides official guidance to auditors on their approach to Y2K audit issues, bolstered by the guidance issued by the Auditing Practices Board in June 1998.

The release deliberately deflects responsibility for Y2K issues away from auditors onto the audit client directors, and stresses that a failure to adhere to the guidelines does not amount to ‘audit failure’. Speaking as a litigator, however, I can safely predict that any prospective plaintiff will seek to argue that a breach of the guidelines is prima facie evidence of negligence.

So, what do the guidelines say?

They identify specific matters which an auditor will wish to be sure are reflected in the financial statements, and they highlight areas which, in the Y2K context, may require the auditors to make further enquiries in order to satisfy themselves that there are no particular Y2K issues which are not, and should be, reflected in the financial statements.

The release stresses that the responsibility of ensuring the company addresses Y2K issues remains with the directors and that auditing standards have not changed – and the responsibilities are outlined in statute. It also makes the following points:

– ‘The auditors need to make appropriate enquiries to obtain a sufficient understanding of any material impact on the financial statements’ being audited.

– ‘The guidance is advisory, not mandatory and non-compliance does not indicate an audit failure.’ If meant as some form of legal protection, this statement is meaningless. A court will decide whether in any given circumstances non-compliance with the release amounts to negligence.

Although the release stresses that it is management’s responsibility to ensure the impact of Y2K issues is reflected in the financial statements, in doing so it highlights a number of areas which the auditors will clearly have to address themselves:

– Has there been a proper writedown of software/hardware which may be rendered inoperable?

– Has there been proper disclosure of foreseeable costs and foreseeable commitments relating to Y2K issues?

– Has there been disclosure of contingent liabilities, such as liabilities under warranties, or in respect of litigation or compensation?

– Have taxation adjustments been dealt with correctly?

– There will be a risk that account balances will be mis-stated as a result of errors in the client’s computer systems caused by Y2K issues (for example stock being over or understated). Has the risk of such mis-statements been properly assessed and what impact does this have on the accuracy of the financial statements?

Audit planning

As part of their audit planning, and as part of their assessment of the risk of mis-statement caused by Y2K issues, auditors will need to consider these questions:

– How do the company’s computers impact on business operations, and what ‘date sensitive’ operations are there?

– To what extent would the failure of third-party computer systems (such as suppliers, customers and outsourcers) affect the client’s business?

The auditors would, of course, be reliant on management/directors of the client to provide this information. The relevance of these enquiries to the audit would be to assess the increase in risk of error in accounting information, and to assess the potential impact of such issues on the ‘going concern basis’ (that is, solvency) and on the content of the financial statements including the possible need to make disclosures.

Leading on from this, the auditors may need to obtain information on the directors’ detailed plans to deal with Y2K issues and to modify their audit to adopt, for example, a more ‘substantive approach’ (testing of individual items rather than reliance on the client’s internal controls).

The release states that the auditors ‘will need to make sufficient enquiries to allow them to assess (the) reliability’ of the client’s methods of gathering of this information (described as ‘impact analysis’) in order to judge the risk of material mis-statement to the financial statements, and identifies the following enquiries:

– How systematic was the client’s impact analysis and was it of sufficient quality?

– Are all significant business units covered by the impact analysis?

– What information has been obtained from IT suppliers including packaged/outsourced systems?

– What is the skill/knowledge/experience of the client’s staff involved in the ‘impact analysis’?

As regards any detailed plans of the directors to deal with problems:

– Are staff with experience involved?

– What resources have been committed?

– What timescales are involved?

– What monitoring of progress will be undertaken?

– What happens when there is slippage?

If there are problems with any of the above, there is a ‘higher risk’ of unreliability of information.

Auditors are also warned they may have to make similar enquiries of auditors of subsidiary companies and that there may be a duty to report to management on material weaknesses in internal control, or to warn them of the significance of other concerns which the auditors have identified as presenting possible Y2K problems for the company.
