Auditors Beware

Lee Shih explains a significant case on auditors’ duties.
The Court of Appeal in CIMB Investment Bank Bhd v Ernst & Young & Another Appeal [2014] 6 CLJ 438 held that in carrying out statutory audits under the Securities Industry Act 1983 (“SIA”), the auditors of a fund management company owed a duty of care to the company’s investors.
This appellate decision is significant as it confirms the tests to be applied to ascertain whether auditors owe a duty of care to the company’s investors. On the facts of this case, the auditors’ agreement to conduct an SIA audit for a fund manager created a special relationship between the auditors and the company’s investors which gave rise to a common law duty of care on the part of the auditors to undertake a proper audit in the course of carrying out their statutory duty.
SJ Asset Management Sdn Bhd
The appeal centred on SJ Asset Management Sdn Bhd (“SJAM”), a licensed fund management company under the SIA and the Capital Markets and Services Act 2007 (“CMSA”). The appellants in one appeal were clients, or in other words investors, of SJAM. In the second appeal, the appellant had caused its clients to invest in SJAM. SJAM held, administered and managed various investments of the appellants.
SJAM had engaged the respondent auditors to perform the necessary statutory audits under the Companies Act 1965 (“CA”) and under the SIA. Pursuant to their engagement, the auditors produced audit reports.
Following complaints against SJAM, the Securities Commission (“SC”) investigated SJAM, revoked its capital market services license and eventually wound up SJAM.
The appellants, in turn, appointed their own accountants to investigate the accounts of SJAM. Based on their accountants’ findings of fraud in the management of the funds of the clients, the appellants commenced the High Court action against the auditors based on negligence. The appellants’ contentions were that they had relied on the auditors’ audit reports to make, advise on or facilitate investments in SJAM.
Preliminary Issues for Determination by the High Court
In the High Court action (reported in CIMB Investment Bank Bhd v Ernst & Young and Another Case [2014] 3 CLJ 322), the Court heard an application for the determination of the issue on whether the auditors owed a duty of care to the appellants in the two situations that arose in this case.
The first situation was when the auditors were carrying out the statutory audits in accordance with the CA for SJAM and issuing the CA audit reports. The second situation, and what was more significant in this appeal, was when the auditors were carrying out the statutory audits in accordance with the SIA for SJAM and issuing the SIA audit reports.
The High Court decided in favour of the auditors and found that the auditors owed no duty of care to the appellants in both situations. For the CA audit reports, it was held that CA audit reports were not intended for the appellants, as investors of the company, but were meant for SJAM and its shareholders in the general meeting. As for the SIA audit reports, it was held that they were not meant for making investment decisions but to enable SJAM to furnish such information to the SC.
Therefore, the appellants’ claims were dismissed. The appellants appealed to the Court of Appeal.
Guiding Principles on Establishing a Duty of Care
The Court of Appeal was guided by the Federal Court decision in The Co-operative Central Bank Ltd v KGV & Associates Sdn Bhd [2008] 2 CLJ 545 in accepting the guidelines laid down by the House of Lords in Her Majesty’s Commissioners of Customs and Excise v Barclays Bank [2007] 1 AC 181.
The Federal Court in Co-operative Central Bank acknowledged that three general tests could be used to determine whether a duty of care existed in cases that involved economic loss.
The first is the ‘assumption of responsibility’ test as to whether the defendant assumed responsibility for what he said and did vis-à-vis the claimant, or is to be treated by the law as having done so. The second is the threefold test: whether loss to the claimant was a reasonably foreseeable consequence of what the defendant did or failed to do; whether the relationship between the parties was one of sufficient proximity; and whether in all the circumstances it was fair, just and reasonable to impose a duty of care on the defendant towards the claimant. The third is the incremental test.
Against this backdrop, the Court of Appeal found that the High Court had determined the existence of the duty of care solely on the basis of the threefold test. In applying this test, the High Court had ruled that the appellants had failed to satisfy the ‘sufficient proximity’ element. The Court of Appeal held that instead, the High Court should have applied the guidelines in Barclays Bank, in particular, the first test of assumption of responsibility.
Duty of Care on the Part of the Auditors
The application of the assumption of responsibility test would mean that:
  1. reliance on the auditors’ report is no longer an essential ingredient to establish a duty of care;
  2. no anterior relationship between the appellants and the auditors is necessary to satisfy the ingredients of foreseeability and proximity; and
  3. the ingredient relating to proximity is satisfied so long as the assumption of responsibility may be inferred by reason of the existence of a special relationship.
The Court of Appeal drew a distinction between the CA audit and the SIA audit and found that Parliament could not have intended for both audits to be for the same purpose. There would be a difference in the scope and approach of the SIA audit as compared to the CA audit.
The focus of the SIA audit included the safeguarding of the assets of the appellants held by SJAM. The report by the auditors would serve to alert the SC and/or the relevant government authority to take such further action as is required. If in the course of the audit, the auditors come across a transaction or an accounting entry that does not comply with the provisions of Division 3 of Part VII of the SIA, the auditors had a duty to look deeper. The auditors could not ignore the irregularity or breach. Therefore, the SIA audit framework is a critical means of both ensuring compliance and detecting non-compliance by SJAM in relation to the management of the appellants’ assets.
The Court of Appeal also disagreed that any breach of the SIA provisions could only be enforced by the SC. Further, this was an appropriate case where the legislative framework in the SIA could be a basis to found the claim for breach of the common law duty of care arising from the careless performance of a statutory duty.
In concluding that the auditors owed a duty of care, the Court of Appeal stressed that the appellants were in an unusual situation whereby their funds and investments were in the hands of a trustee fund manager (SJAM) but over which funds they had no control. The auditors’ agreement to conduct the SIA audit for SJAM with knowledge or imputed knowledge of the unusual situation in which the appellants were placed, gave rise to a duty on the part of the auditors to undertake a proper audit in the course of carrying out their statutory duty. This obligation created a relationship between the auditors and the appellants so as to give rise to a common law duty of care.
If the auditors had not breached their duty of care, the SIA audit reports would have been qualified and the irregularity in the accounts of SJAM would have been reported to the SC. Such a report to the SC, in turn, would have caused the SC to take the appropriate action thereby causing SJAM to cease trading and consequently, diminish the losses of the appellants. However, because the audit reports that were produced by the auditors were ‘clean’, the SC took action much later and the ensuing winding up of SJAM was correspondingly delayed, thereby causing substantially more losses to the appellants.
The Court of Appeal therefore ruled that the auditors owed a common law duty of care to the appellants. The Court of Appeal ordered that the matters be remitted to the High Court for the trial on the issue of the liability of the auditors, if any, to the appellants.
This decision is significant in confirming that auditors who carry out a statutory audit under the SIA for a fund management company owe a duty of care to the investors of that company. Although the SIA has been repealed and replaced by the CMSA, it is likely that a similar duty of care on the part of the auditors would arise under the CMSA.
It is also likely that the Court would still impose such a duty in favour of the investors of the company even if the auditors build disclaimers into such a statutory audit (whether under the SIA or CMSA) to exclude liability or obligations to third parties.