THE CPA'S RESPONSIBILITY FOR CLIENT INFORMATION

By James D. Cashell and Ross D. Fuerman

Because of potential professional and monetary hazards, CPAs must be astute in their handling of client information. Although the general rule is to never reveal information without a client's consent, there are exceptions.

To mitigate problems with client information, CPAs need to understand the professional and legal issues involved and should know when it is prudent to consult legal counsel. Mere compliance with the AICPA professional standards is insufficient to ensure legal compliance. While courts have, for the most part, relied upon generally accepted auditing standards to establish a CPA's standard of care, they do not recognize such standards as law. At times, the courts have held CPAs to a higher standard. At other times they have deemed that failure to comply with professional standards is only evidence of negligence and does not, by itself, constitute negligence.

The Responsibility to Maintain Information Confidentiality

The CPA's professional responsibility for client information is primarily defined in Sec. ET-301 of the AICPA Professional Standards. The rule states that a member in public practice shall not disclose any confidential client information without the specific consent of the client. It also extends the obligation to maintain the confidentiality of information to other CPAs not directly involved with the client who obtain such information through practice reviews or sanctioned disciplinary hearings. The rule does provide certain exceptions that facilitate compliance with other professional and legal obligations.

The duty to maintain information confidentiality is a legal as well as a professional obligation. With some exceptions, the accountant-client relationship is one of confidentiality, and the failure to maintain a client's confidence could lead to a malpractice action against the accountant. Such was the case in Green v. Savin where the Court permitted punitive damages against an accountant for the unauthorized disclosure of information to the client's wife about his medical practice. The information was later used by the wife in a divorce proceeding.

Even where the intent has been to warn others of pending financial harm, the courts have held that CPAs must not divulge client information. In Wagenheim v. Alexander Grant & Co. (AG), for example, the court ruled AG improperly divulged confidential information about their client, Consolidata Data Services, Inc. (CDS), to other clients. CDS, an audit client of AG, performed payroll services for several of AG's other clients. Upon discovery that CDS was having financial difficulty, AG warned their other clients to stop doing business with CDS. AG argued the other clients would suffer financial damage without the warning. In ruling against AG, the court stated there was no proof that CDS was "irretrievably" insolvent and, therefore, AG had no legal right to alert third parties of CD's financial problems. In its discussion, however, the court indicated that AG's actions might have been justified if CDS either intended fraud by not disclosing its insolvency or did not intend to fulfill its contractual obligations with AG's clients.

General knowledge and expertise obtained through a client engagement is not considered confidential information. This is noted in ET-391.030, which states that knowledge and expertise gained from an engagement that results in a special competence in a particular field can be shared with others without violating the client's confidentiality provided the specific details of the engagement are not disclosed. This ruling has legal support as well, as noted in Agra Enterprises v. Brunozzi. In this case, Agra claimed the accountant violated information confidentiality by using the knowledge and expertise he developed, while employed by Agra, to set up a competing business. The court ruled that the accountant, in using only his general expertise gained through his employment and publicly available information to start his business, did not violate confidential information laws because such information was not confidential.

Several other professional standards besides ET-301 also address the responsibility for confidential information. The guidance provided by AU-561, "Subsequent Discovery of Facts Existing at the Date of the Auditor's Report," is presented in the section heading "Responsibility to Correct Previously Issued Information." Brief overviews of other significant professional standards are provided in Exhibit 1.

Exceptions to the Requirement to Maintain Confidentiality

Certain exceptions to the information confidentiality requirement are recognized in ET-301, which states the following:

This rule shall not be construed 1) to relieve a member of his or her professional obligations under rules 202 and 203, 2) to affect in any way the member's obligation to comply with a validly issued and enforceable subpoena or summons, or to prohibit a member's compliance with applicable laws and government regulations, (3) to prohibit review of a member's professional practice under AICPA or state CPA society or Board of Accountancy authorization, or (4) to preclude a member from initiating a complaint with, or responding to any inquiry made by, the professional ethics division or trial board of the Institute or duly constituted investigative or disciplinary body of a state CPA society or Board of Accountancy.

An additional exemption is provided in ET-301.4, which allows a CPA to review another CPA's practice as part of a possible purchase, sale, or merger provided all participants agree to maintain the confidentiality of any client information revealed during the review. More guidance on complying with ET-301 is provided in ET-391, "Ethics Rulings on Responsibilities to Clients." A summary of these rulings sorted by actions that generally are and are not acceptable without client permission is provided in Exhibit 2.

Although permitted by professional standards, caution should be applied when responding to a subpoena or summons, especially in a state that recognizes accountant-client privilege. In a relationship protected by privilege, one party generally cannot be forced, even by court summons or subpoena, to disclose information about the other party. CPAs should be aware of when such laws apply to avoid the potential legal risks of violating the privilege. An accountant may wish to obtain the advice of legal counsel on how to respond to any subpoena, especially if there is client objection to the disclosure or any question of whether a privilege can be asserted. Additionally, the accountant must inform the client about a subpoena and advise the client to seek legal counsel regarding the disclosure.

Although state law might grant accountant-client privilege, such laws do not usually extend to a summons or subpoena related to a Federal investigation by such agencies as the IRS or SEC. In Couch v. United States, the Supreme Court concluded no Federal accountant-client privilege exists and state-created privilege does not apply to Federal cases. However, before responding to a Federal agency such as the IRS, the CPA should make sure to only respond to a valid and enforceable subpoena. In Roberts v. Chaple, for example, the Appellate Court ruled the accountant violated Georgia's statutory accountant-client privilege because he provided information to the IRS without having been served a valid summons or subpoena.

State privilege laws could also affect the ability to release information pursuant to a review of a CPA's practice. As noted in PRP-3100.09, the reviewed firm is responsible for meeting client confidentiality obligations whenever state statutes do not clearly provide a confidentiality exemption for a peer review of a firm's practice. Legal counsel should be obtained if there is any question about the ability to participate in a peer review or a review for the purpose of a sale or merger.

The Responsibility to Warn Outsiders of Client Activities

Warning outsiders of client fraud is an area where CPAs need to be especially wary. Based on prior court cases, CPAs generally do not have an obligation to inform outsiders of fraud unless by remaining silent they themselves become culpable. In any situation, the decision to "blow the whistle" is risky. If an accountant notifies third parties that a client's financials are fraudulent and that claim proves to be false, the accountant could be sued for defamation and also for breach of the professional obligation of confidentiality. Because of the potential legal ramifications associated with both disclosure and nondisclosure of client fraud, it is advisable to seek legal counsel guidance when confronted with such a decision.

Duty to Disclose. Fund of Funds, Ltd. v. Arthur Andersen & Co. (AA), is an example of a case where the CPA was deemed to have had a duty to disclose. AA was the auditor for two clients, Fund of Funds (FF) and King Resources Corp. (KRC). KRC developed natural resource properties and agreed to be the sole vendor of such properties to FF at prices no higher than those charged KRC's industrial clients. AA learned the agreement was not being met but failed to inform FF. The court ruled AA should have disclosed this fact to FF because 1) they had knowledge of the overcharges, 2) they knew of the terms of the agreement that was being violated, and 3) the language of their engagement letter produced a contractual obligation to reveal such information.

No Duty to Disclose. While the above case illustrates where silence was deemed inappropriate, there are several cases that support the CPA's lack of obligation to disclose fraud to outsiders. One common characteristic in these cases is that the CPA was either not engaged to, or did not, report on the fraudulent financial information. Two such cases of note are Fischer v. Kletz and Gold v. DCL.

In Fischer v. Kletz, Peat, Marwick, Mitchell & Co. (PMM), subsequent to issuing its audit report on the 1963 annual financial statements of Yale Express System, Inc., discovered they were substantially false and misleading. PMM also discovered that several 1964 interim statements, with which PMM was not associated, were also false and misleading. PMM delayed disclosing its findings to the SEC and the public until May 1965.

One of the plaintiff's claims against PMM was that it aided and abetted Yale's scheme to defraud with respect to the interim statements. The court reasoned there was no basis in law for imposing a duty upon PMM to disclose its knowledge of the misleading interim statements since PMM was not associated with the statements.

The above discussion relates only to the court's ruling with respect to the interim financial statements. As discussed later in the section "Responsibility to Correct Previously Issued Information," PMM's motion to dismiss the claim with respect to PMM's failure to correct the audited 1963 financial statements was also denied.

In the second case, Gold v. DCL Inc., Price Waterhouse & Co. (PW) informed DCL in December 1971 that they intended to qualify their audit report on DCL's 1971 financial statements. DCL was in the business of leasing computers, and PW believed their ability to recover their computer equipment costs was impaired due to the impending release of a new line of more powerful computers by IBM. On February 8, 1972, DCL announced earnings without mentioning PW's concern, and on February 15, prior to issuing their opinion, PW was replaced.

In this case, the plaintiff claimed PW failed to inform the public that the financial information released by DCL on February 8 was, in its opinion, incomplete and misleading. The court, in dismissing this claim, ruled there is no basis in principle or authority for extending an auditor's duty to disclose beyond cases where the auditor is giving or has given some representation or certification, and the silence and inaction of the defendant auditors did not make them culpable. In holding the auditors had no duty to disclose, the court reasoned that because the auditors had issued no public opinion, rendered no certification, and in no way invited the public to rely on their financial judgment, there was no special relationship that imposed a duty of disclosure.

Sec. 10(b) of the Exchange Act. Both of the above cases involved allegations of aiding and abetting violations of Sec. 10(b) of the Securities Exchange Act of 1934. Recently, in their April 19, 1994, Central Bank of Denver v. First Interstate Bank of Denver decision, the U.S. Supreme Court eliminated this theory of accountant liability. It ruled an implied right of action for aiding and abetting violations of Sec. 10(b) did not exist.

In the wake of Central Bank, it appears the risk of a lawsuit against a CPA alleging the duty to warn third parties of a client's fraud has been significantly reduced. The actual impact of Central Bank on cases where it is alleged the accountant remained silent while witnessing a client's fraud, however, is unclear for two reasons. First, the case has no impact on primary liability [i.e., the liability for directly violating Sec. 10(b)]. Since the Central Bank decision, courts have, in Adam v. Silicon Valley Bancshares, for example, denied accountants' motions to dismiss on the basis the accountants may have directly violated Sec. 10(b). Second, the case has no direct impact on most state law. If its impact on Federal securities law proves to be significant, there may be a migration of this kind of litigation against accountants based on state law to state courts.

Congressional Action. CPAs should be alert to probable future changes in this area of the law. On March 8, 1995, the U.S. House of Representatives passed H.R. 1058, the Securities Litigation Reform Act of 1995 and on June 28, 1995, the Senate passed S. 240, the Private Securities Litigation Reform Act of 1995. Both pieces of legislation contain provisions for auditor's of public companies to notify the SEC of certain illegal acts if the companies have not taken appropriate remedial action. It remains for a conference committee of both houses to produce a reform bill that will pass Congress and be enacted into law.

The Responsibility to Correct Previously Issued Information

Another situation where information might have to be disclosed without the client's consent is when it is learned an audit report was incorrect at the time of issuance. The professional guidance for such a situation is provided in AU-561, "Subsequent Discovery of Facts Existing at the Date of the Auditor's Report." In general, when the auditor becomes aware of information that would have been investigated had it been known prior to issuing the audit report, there is an obligation to investigate its reliability and whether it existed at the date of the report. If the investigation finds the financial statements or report would have been affected had the information been known earlier and it is believed there are persons currently relying or likely to rely on the financial statements who would attach importance to the information, the auditor should advise the client to make appropriate disclosure of the newly discovered facts.

Information confidentiality becomes an issue in the above situations when the client refuses to cooperate with the investigation or to make appropriate disclosure. If the client refuses to cooperate, the auditor should notify each member of the board of directors of such refusal and of the fact that, unless the client makes appropriate disclosure, the auditor will take action to prevent future reliance upon his report. If this fails to garner client cooperation, the auditor is directed to notify a) the client that the auditor's report is no longer to be associated with the financial statements, b) the appropriate regulatory agencies that the auditor's report should no longer be relied upon and, where practical, c) any persons actually known to be relying on the financial statements that the auditor's report should no longer be relied upon. Because such notifications could be construed as the unauthorized disclosure of information to nonclients, AU-561.02, states the auditor would be well advised to consult with an attorney regarding the specific action to be taken.

AU-561.09 provides guidance on the specific content of the disclosures made to outside persons. If the reliability of the information cannot be investigated, the disclosure should merely indicate the client has not cooperated in attempting to substantiate information that, if true, would cause the auditor to believe the audit report must no longer be relied upon or be associated with the financial statements. If the information is judged to be reliable and the client refuses to take appropriate corrective actions, the disclosure should describe its nature and effect on the financial statements, and how it would have affected the auditor's report had the failure to properly reflect it in the financial statements been known. The disclosure should only provide information reasonably necessary to accomplish the purpose and should contain no comments concerning the conduct or motives of any person.

As noted in the earlier discussion of Fischer v. Kletz, the responsibility to correct an audit report that was incorrect at the time of issuance is a legal as well as a professional obligation. In fact, the professional obligation adopted in AU-561 was a result of this case. Peat, Marwick, Mitchell & Co. (PMM) had reported on financial statements it later discovered were incorrect at the time they were issued. PMM argued their duty ended once the audit report was issued. A key factor in the court's denial of PMM's motion to dismiss the claim was that the representations were false at the time of issuance.

Period Involved. An important issue with respect to the responsibility to correct is that the duty does not necessarily end with the passage of time but rather when there is no longer anyone relying on the work, as was noted in Summer v. Land and Leisure, Inc. Summer claimed reliance on a June 1971 prospectus for eight separate stock purchases from June 1971 through January 1973. No other financial information had been issued by Land & Leisure during that time. In their defense, Arthur Young & Co. (AY) argued that due to the passage of time, the prospectus became stale and, as a matter of law, Summer could not rely on it for stock purchases after July 1972. In denying AY's motion to dismiss the complaint, the court stated the duty to correct cannot be avoided by alleging that due to the passage of time reliance on the information was no longer justified.

The Responsibility for Information in Fiduciary Relationships

In addition to owing good faith, loyalty, and honesty to the principal, a fiduciary must fully disclose all material facts relevant to its agency to its principal. In Allen Realty v. Holbert, for example, an accountant, acting in the capacity of an agent, failed to disclose certain purchase offers on real property that Allen later sold for less than the undisclosed offers. In reversing and remanding the case back to the trial court, the Supreme Court of Virginia stated that the failure to provide full disclosure was a breach of fiduciary duty by Holbert.

The problem with a fiduciary relationship is that the CPA might be put in the position of having a fiduciary duty to divulge confidential information about other clients to the principal. This dilemma is recognized in ET-191.71 (also repeated in ET-391.06), which addresses a CPA also serving as a bank director. The ruling says a CPA may serve as a bank director but should carefully consider the implications if other clients are customers of the bank. This is because the member may be caught between the duty to maintain confidential information of a client and a fiduciary duty to divulge such information to the bank. The ruling goes on to say the CPA shall not disclose any confidential information without the client's permission even when the failure to do so would constitute a breach of the fiduciary duty as a bank director. There is no implication, however, that following this directive provides a legal defense for violating the fiduciary duty. In such case, legal guidance should be obtained. *

James D. Cashell, PhD, CPA, is on the accounting faculty at Miami University, Oxford, Ohio. Ross D. Fuerman, JD, CPA, is a PhD student at the University of Cincinnati.

EXHIBIT 1

SUMMARY OF GUIDANCE ON CONFIDENTIAL INFORMATION IN SELECTED SECTIONS OF AICPA PROFESSIONAL STANDARDS

AU-315: Communications Between Predecessor and Successor Auditors

The successor should attempt to communicate with the predecessor auditor before accepting the engagement. This communication requires client permission. Both the successor and predecessor must maintain confidentiality of information exchanged. If the predecessor chooses to limit a response to an inquiry, the successor should be informed. If the successor learns of information that might necessitate a revision in the financial statements or report issued by the predecessor, the successor should attempt to notify the predecessor. Such notification requires client permission.

AR-400: Communications Between Predecessor and Successor Accountants (Accounting and Review Services)

Same as AU-315, except the communication between the predecessor and successor is optional.

PRP-3100: Performing and Reporting on Quality Reviews

All persons involved with the review program must maintain the confidentiality of information obtained pursuant to the review service about the reviewed firm, its clients, or personnel, including the review findings. Also, the reviewed firm is responsible for meeting client confidentiality obligations whenever state statutes or state boards of accountancy rules do not clearly provide a confidentiality exemption for peer reviews. The AICPA maintains a list of states where such an exemption is not clearly provided.

TX-162 & TX-172: Knowledge of Errors (Statements on Responsibilities in Tax Practice)

The CPA should immediately notify a client when aware of an error in a previously filed tax return or a tax return that is the subject of an administrative proceeding. The IRS should not be informed of such errors without the client's permission except where required by law.

Disclosures or actions where client permission is required:

* Release of profit and loss percentages from client's reports to trade associations.

* Revealing the discovery of irregularities in a client's tax return to a successor auditor when such discovery led to the engagement withdrawal. Attorney consultation is recommended.

* When employed by a municipality to determine whether a business has declared the proper amount of personal property tax, all parties must realize that the CPA is prohibited from disclosing confidential information.

* The terms of a feasibility study engagement with a client should specify that the confidences of outside nonclient sources will not be divulged regardless of whether pertinent to the outcome of the engagement whenever there is an understanding with the nonclient outside source that the information and its source will not be disclosed (actually falls under rule 501 "discreditable acts" since the situation deals with confidentiality of nonclient information).

Disclosures or actions where client permission may not be necessary:

* Use of an outside service bureau for processing a client's tax return provided to the CPA ensures that client information confidentiality will be maintained.

* Use of a record-retention agency to store working papers, etc. provided CPA ensures that client information confidentiality will be maintained.

* Disclosing a client's name, whether a private or public entity, unless such disclosure also infers other information about the client (e.g., if CPA only deals with bankruptcies, revealing a client's name would also provide information that the client has financial problems).

* Reservations about a feasibility study based on work conducted for another client if the reservations are based on general knowledge and expertise the CPA has developed in the field--such reservations should not be disclosed without permission if based on information that is sensitive to the former client and if its origin would be known.

* Tax information from a joint return to either party even if one party requests the information not be provided to the other party.

* Release of documents containing confidential information to a liability insurance carrier if used solely to assist with the CPA's defense against an actual or potential claim in situations where the carrier requires prompt notification of such claims and has requested the documents.

SEPTEMBER 1995 / THE CPA JOURNAL