In February 2017, the AICPA’s Professional Ethics Executive Committee (PEEC) agreed to propose modifications to the Code of Professional Conduct that would require certain actions when members learn of noncompliance with laws or regulations in connection with their engagement or employment. The proposed interpretation, “Responding to Non-Compliance with Laws and Regulations,” is based on the PEEC’s review of a new standard adopted by the International Ethics Standards Board for Accountants (IESBA) in April 2016. (The IESBA is an independent standards-setting board supported by the International Federation of Accountants (IFAC); the sidebar, Relevance of the IESBA Code, explains how its code applies to U.S. CPAs and impacts the AICPA code.)
The IESBA has provided a framework, dubbed Non-Compliance with Laws and Regulations (NOCLAR), to help accountants navigate the IESBA Code of Ethics for Professional Accountants—especially the conflict between communicating non-compliance to the right people and keeping the client or employer’s information private—when learning of illegal acts within the scope of the new standard. The AICPA proposal largely follows the IESBA framework, but there are also significant differences. For example, the IESBA standard would in certain cases permit disclosure of NOCLAR to an outside party, overriding confidentiality requirements. The AICPA code and most state accountancy laws prohibit, with very limited exceptions, disclosure of confidential information to an external party without the client or employer’s consent. The AICPA proposal generally excludes the IESBA provisions to consider disclosing NOCLAR to outside parties without consent unless required by law or regulation.
This article describes the scope and objectives of the IESBA standard, including its conceptual underpinnings (also detailed in the sidebar, Objectives and Underlying Principles of the IESBA Standard), and illustrates the steps in the NOCLAR framework with case studies. It emphasizes the significant differences between the IESBA standard and the AICPA-proposed standard when applicable. Otherwise, one may assume that the IESBA standard and AICPA proposal are substantially similar.
Scope of the Standard
NOCLAR is defined as an act of omission or commission, whether intentional or not, that is contrary to a prevailing law or regulation. To be considered NOCLAR, the law or regulation must either have direct impact on the determination of material amounts and disclosures in the client or company’s financial statements, or compliance with the law or regulation must be fundamental to the client or company’s operations, to its ability to continue its business, or to its avoidance of material penalties.
NOCLAR encompasses laws and regulations for matters such as the following:
- Fraud, corruption, and bribery
- Money laundering, terrorist financing, and proceeds of crime
- Securities markets and trading
- Banking and other financial products and services
- Data protection
- Tax and pension liabilities and payments
- Environmental protection
- Public health and safety.
The NOCLAR standard applies when a professional accountant (PA) is delivering a professional service to a client or carrying out professional activities for a company and becomes aware of or suspects NOCLAR has occurred or is going to occur. Note that the term “company” is used in this article to include all types of organizations, such as governmental bodies, private partnerships, commercial corporations, and not-for-profit entities.
Importantly, PAs are only expected to possess technical expertise and knowledge of laws and regulations required to perform the professional services or activities in which they are engaged. The IESBA acknowledged that the more removed an instance of NOCLAR is from the subject matter in which PAs specialize or with respect to which PAs perform professional services, the less likely it is that they will recognize it. The IESBA’s “Basis for Conclusions” uses the following example to illustrate the point: An assurance practitioner who specializes in performing assurance engagements on greenhouse gas emissions will be less likely to recognize NOCLAR related to tax laws applicable to the entity than a PA who provides tax services to the entity. Accordingly, the IESBA does not expect that PAs will necessarily be able to recognize NOCLAR related to all laws and regulations within the scope of the standard. If the information is brought to the PA’s attention, however, and it is within the scope of the standard, the PA should act.
NOCLAR can be committed by—
- the PA’s client (management or those charged with governance, or those working for the client), or
- the PA’s employer (management or those charged with governance, or those working for management).
Specifically excluded from the NOCLAR definition are—
- clearly inconsequential matters,
- personal misconduct that is unrelated to the client or employer’s business activities, and
- noncompliance by persons other than those listed above.
RELEVANCE OF THE IESBA CODE
The IESBA Code of Ethics for Professional Accountants provides a global benchmark that serves as the foundation for codes of ethics for IFAC’s member organizations around the world. The IESBA code applies to professional accountants performing services under the IFAC’s professional standards. For example, audits performed under the International Standards on Auditing require that the auditor comply with relevant ethical requirements, which consist of the IESBA code together with any national ethical requirements that are more restrictive. IFAC comprises over 175 members and associates in more than 130 countries and jurisdictions. Its members include certain international networks of firms and professional bodies like the AICPA that agree to adopt requirements that are not less stringent than the IESBA requirements. The AICPA’s Professional Ethics Executive Committee (PEEC) monitors IESBA’s standards-setting activities for possible additions or revisions to the AICPA Code of Professional Conduct, although jurisdictional legal and regulatory constraints can limit the PEEC’s ability to fully converge with certain IESBA provisions.
If legal or regulatory provisions in a jurisdiction address NOCLAR, PAs should comply with those provisions, whether they are different from or go beyond the requirements in the IESBA framework. For example, the SEC requires an auditor to take certain actions if illegal acts are discovered.
A company’s management, or those charged with governance, is ultimately responsible for acting to resolve or deter NOCLAR. The standard is designed so that a PA brings the matter to the appropriate parties’ attention, which allows management or those charged with governance the opportunity to resolve or deter the noncompliance.
Once a PA becomes aware of NOCLAR that has or will occur, he has an ethical responsibility to act. Ignoring the NOCLAR is an abdication of a PA’s ethical responsibility, which goes beyond the responsibilities of a member of the general public. PAs who are auditors in public practice have different responsibilities under the standard due to the nature of their work and public interest role. Other PAs in public practice still have responsibilities, but their role, relationship with the client, and access to those charged with governance is inherently different than the auditor’s. Similarly, a senior PA in business (director, officer, or senior employee) has greater responsibilities under the standard than a lower-level employee with significantly less influence in the company.
Thus, the IESBA’s NOCLAR framework is tailored to four distinct types of PAs: 1) those in public practice who are auditors, 2) those in public practice who are not auditors, 3) those in business with senior roles, and 4) those in business with nonsenior roles. Unlike the IESBA framework, the AICPA proposal does not bifurcate the standard for members in public practice.
The standard does not require a PA to seek out this information—that is, a PA has no duty, in addition to her current responsibilities, to seek out and find NOCLAR. For example, auditing standards require an auditor to design procedures that help identify fraudulent activity that materially mis-states the financial statements, but a PA’s audit responsibilities are separate and apart from the IESBA NOCLAR requirements.
The lengths to which a PA should go to respond to NOCLAR under the framework are largely driven by the PA’s assessment that the NOCLAR is likely to cause substantial harm to the company, its creditors, employees, investors, and customers, or the public. The AICPA proposal recognizes state board and other prohibitions on disclosure to outside parties without client or employer consent and further limits certain actions. Depending upon a PA’s role, however, other actions, such as withdrawal, internal disclosure, or disclosure to the company’s auditor, would still be considered suitable under the AICPA’s proposal.
Case Studies: A Walk through the Framework
The framework comprises a series of sequential steps with relevant factors to consider. Consultation with others, within the bounds of confidentiality constraints and any legal or regulatory restrictions, is integral to the process. In addition, while the IESBA standard may require communication to certain parties and evaluation of the NOCLAR’s impact, it does not require a PA to report a NOCLAR to an outside party; one must use professional judgment to make that decision.
Consultation with others, within the bounds of confidentiality constraints and any legal or regulatory restrictions, is integral to the process.
To illustrate how the IESBA standard may apply to accountants in different forms of practice, consider the following fictional case studies. Significant differences from the AICPA proposal are highlighted; in all other instances, the IESBA standard and AICPA proposal are substantially similar.
Mary Patterson is the partner responsible for her firm, Wayne, Jiminez, and Patterson (WJP)’s audit of Community Bank Corp; her team is in the planning stages for this year’s audit. One evening, Charles Landers, a manager in the bank’s residential mortgage division, asks to speak to Mary in confidence. He says that to bolster the bank’s bottom line, the bank’s Chief Lending Officer (CLO) has been pressuring Charles and his loan officers to issue mortgages that do not comply with federal lending regulations. He and his staff have granted a few mortgages to borrowers who were unqualified and are nervous that borrowers who cannot afford their loans will lose their homes, significantly increase the bank’s risk profile, and subject the bank and its staff to regulatory actions and penalties.
Mary should determine whether the IESBA standard applies by considering two questions: first, would the noncompliance have a direct and material impact on the bank’s financial statements? Second, are the lending regulations fundamental to the bank and its operations, or to its ability to carry on business or avoid material penalties? A “yes” to either question means the situation is within the scope of the standard. Because federal lending regulations are integral to the bank’s operations, Mary should proceed in applying the NOCLAR framework, keeping in mind that some of her responsibilities under the framework may differ from, or overlap with, her audit responsibilities.
Mary should obtain an understanding of the regulations and their applicability to the situation described, the persons involved, and the timing and nature of the noncompliance. After conferring with others in her firm and the firm’s legal counsel, as well as a follow-up conversation with Charles to confirm her understanding of the facts, she should discuss the matter with the bank’s management and governing board and advise those parties to take timely, appropriate action to address the NOCLAR. If the bank is part of a consolidated entity, Mary should communicate the matter to the group audit partner, unless law or regulation precludes disclosure. Similarly, if Mary is the group audit partner, she should consider whether to disclose the matter, if relevant, to any component’s audit partners, unless disclosure is prohibited. (Under the proposed AICPA standard, Mary’s responsibilities under a group audit would apply to all group attest engagements, whereas the IESBA standard only addresses group audits.)
Mary informs the bank’s Chief Operating Officer (COO) about what she has learned. He promises to discuss the matter with the bank’s CLO. Two weeks pass, and Charles informs her in an e-mail that the pressure to issue loans to unqualified borrowers continues. She approaches the COO, explains her concerns in detail again, and urges him to immediately curtail these activities. He replies that he’s been especially busy with other matters and will tend to the issue in the future. Unsure that the COO will take any action, Mary then meets with Don Medlin, the CEO and chairman of the bank’s board of directors, to explain the situation. Noticing the irritated expression on Don’s face as she describes the NOCLAR and her experience with the COO, Mary becomes concerned. Don gives no indication that he will act on the information, which leads Mary to request a meeting with the board’s audit committee. Don tells Mary that he is authorized to speak for the full board and that the audit committee is unavailable for the next three months. At this point, management’s attitude and lack of action and cooperation convinces Mary that they are part of the problem.
OBJECTIVES AND UNDERLYING PRINCIPLES OF THE IESBA STANDARD
When responding to NOCLAR, a professional accountant’s (PA) objectives are to—
- comply with the fundamental principles of integrity and professional behavior; and
- alert management or, where appropriate, those charged with governance of the client, to—
- enable them to rectify, remediate, or mitigate the consequences of the identified or suspected noncompliance; or
- deter the commission of the noncompliance where it has not yet occurred; and
- take further action as appropriate in the public interest.
Integrity (Section 110) requires PAs to be truthful and honest and to avoid any association with false or misleading information.
Professional Behavior (Section 150) requires PAs to comply with laws and regulations and avoid any activities that discredit the profession. In doing so, PAs should consider whether a reasonably informed third party would consider the act to diminish the accounting profession’s good reputation.
Confidentiality (Section 140) requires PAs to hold client and employer information in confidence unless the client or employer consents to its release. Prior to adoption of the NOCLAR standard, unless a law or regulation required a PA to report
NOCLAR, the PA could not do so without violating the IESBA Code. This conflict was one of the primary drivers for the NOCLAR initiative.
The NOCLAR framework requires Mary to evaluate management’s actions, including whether it took appropriate action and whether further action is warranted. Clearly, management could have acted on the matter but chose not to; in fact, it appears to be obstructing Mary’s actions. She should consider whether a reasonable and informed third party would conclude that she had acted in the public interest given her knowledge that employees are under pressure to skirt banking regulations.
Under the IESBA standard, Mary should consider whether to report the NOCLAR to an outside authority due to the likelihood of substantial harm to the public interest. The standard requires such consideration even if her firm’s legal counsel concluded that existing laws and regulations do not require her to report the matter. The purpose of disclosure would be to enable a public authority to investigate the matter and act as needed to protect the public. If Mary practices in a jurisdiction that allows the disclosure and she concludes that credible evidence exists that the NOCLAR could cause substantial harm to the bank or various parties, she would not breach her duty of confidentiality under the IESBA code by reporting the matter to a banking regulator. This type of reporting is an extreme action, however, and should follow a thorough vetting of the situation, including possibly a confidential discussion with a regulator or professional body and legal counsel. (See the sidebar, Selected Considerations for Disclosing NOCLAR to an Authority, for common considerations on this requirement.) State board, AICPA, and other rules preclude these actions unless disclosure is required by law or the client consents to the disclosure—the latter being highly unlikely under the circumstances. Therefore, this part of the IESBA standard was not included in the AICPA proposal.
Mary discusses the matter with her firm partners, and they agree that the bank’s management is not acting to prevent illegal acts by its employees (and in fact, the CLO is actively encouraging noncompliance). They no longer wish to be associated with the client, and the firm resigns as auditor. If contacted by the successor auditor, Mary should disclose facts about the NOCLAR to the successor auditor if she believes the successor needs the information in deciding whether to accept the engagement and such disclosure is not prohibited by law or regulation. Due to state board, AICPA, and other rules on client confidentiality, the AICPA proposal does not include a similar provision regarding disclosure to a successor, and she would need to obtain the client’s permission to discuss the matter with the new auditor. If the client refuses to permit Mary to discuss all matters freely with the new auditor, the successor is then on notice of a potential problem.
Lastly, Mary should document the matter, including information that was brought to her attention; her discussions with the bank’s management and the governing board and their inaction regarding the NOCLAR; options she considered under the framework; the rationale for her actions, including consideration of the “reasonable and informed third-party view”; and how she met the NOCLAR standard’s objectives.
Jeremy Mays is a WJP consultant providing cybersecurity advisory services to Community Bank Corp. Assume Mary Patterson is still the company’s audit partner, but instead of informing Mary, Charles Landers speaks to Jeremy about the pressure being exerted on staff to grant loans to applicants in contravention of regulatory requirements.
Jeremy is providing advisory services to Community Bank and has been made aware of information that indicates potential NOCLAR, so the standard applies. Jeremy should seek to obtain as complete an understanding as possible before proceeding. Information gathering may require discussions within his firm, further research, and discussions with the informant and legal counsel. The framework recognizes that PAs providing nonaudit services might be limited in their ability to access information or have discussions with those charged with governance as compared to PAs who provide audit services.
Jeremy should discuss the matter with the COO and, if he feels it is appropriate and has access, the CEO/chairman of the board. Since he is providing nonaudit services to his firm’s audit client, Jeremy should communicate the matter within WJP or the firm’s network (unless law or regulation disallows) in accordance with firm protocols. If no protocol exists, he should discuss the matter directly with Mary. The standard states that disclosing the matter to Mary does not mean that Jeremy has no further responsibilities under the standard; for example, Jeremy should still perform some follow-up, as described below.
Withdrawing from the engagement and the client relationship is another possible outcome to discuss with his firm and legal counsel.
If the bank is an audit client of another firm in WJP’s network, Jeremy should consider whether to disclose the matter to that auditor. The AICPA proposal expands on the IESBA requirement to also include financial statement review clients; thus, if the bank is a review (rather than an audit) client, he should consider disclosing the NOCLAR to the review partner.
Under the IESBA standard, if the bank is not an audit client, Jeremy should consider disclosing the matter to the external auditors. This would be prohibited under most state board laws and regulations (and the AICPA code), unless he obtained the client’s permission. Thus, this provision is not included in the AICPA’s proposed standard.
Jeremy should consider whether further actions would be warranted in the circumstances, discuss with Mary the actions she has taken as auditor, and consider whether the matter has been appropriately addressed and resolved.
The IESBA standard also requires Jeremy to consider whether to report the matter to an appropriate authority to protect the public interest. As previously stated, the AICPA proposal does not include this provision.
Withdrawing from the engagement and the client relationship is another possible outcome that Jeremy should discuss with his firm and legal counsel. He may also wish to have a confidential discussion with a professional body or regulator. Under the AICPA proposal, Jeremy should apply professional judgment and consider, based on the relevant facts, whether a reasonable and informed third party would conclude that he has acted in the public interest.
Jeremy is encouraged to document the matter, including his discussions with management and Mary, how management responded, the courses of action he considered, and his conclusion that he met the standard’s objectives. The AICPA proposal, if adopted, would require Jeremy to document the matter, as unlike the IESBA, the AICPA did not differentiate between auditors and others in public practice on this point.
As an interesting wrinkle to the above, assume Community Bank engages Jeremy to perform a forensic engagement to identify possible noncompliance with federal lending regulations, and he uncovers the NOCLAR while performing his forensic procedures. In that case, he would likely be performing the same responsibilities under his engagement as under the NOCLAR standard, but disclosure to an authority would generally not be made, since the purpose of the engagement was to identify noncompliance so that management could take appropriate action. (Because the AICPA proposal does not contemplate disclosure to external parties, forensic services were not specifically addressed.)
Senior accountant in business.
Francesca Lindsay is the Finance Director of Millian Radiology, Inc., a supplier of medical imaging equipment and private company. Millian Radiology maintains a large team of sales agents who are paid in accordance with a complicated formula involving base salary, commissions, and various forms of incentive pay. Francesca’s understanding from discussions with the company’s pension administrator is that the calculation of the sales agents’ pay for their participation in the company’s pension plan complies with applicable national and local regulations. Over time, however, Francesca begins to suspect that the company’s actions do not meet federal pension guidelines and the company is not sufficiently crediting the sales force in its benefit calculations. She suspects the shortfall in these employees’ pension benefits would be considered material and expose the company to significant penalties and litigation.
As finance director, Francesca would be considered a senior professional accountant and therefore would be required to apply the NOCLAR framework once she suspects noncompliance with a law or regulation falling within the scope of the standard. Francesca should obtain an understanding of the matter, including the nature of the issue, the circumstances in which it is occurring, application of the relevant regulations, and potential consequences to company stakeholders and the wider public. In doing so, she should consult on a confidential basis with an expert at her professional body.
First, Francesca should consider any policies and procedures Millian has in place to address NOCLAR; for example, an ethics hotline or whistle-blowing protocol. The company has an ethics hotline, but being a senior member of management, Francesca decides to address the matter by discussing it with her immediate superior, Shelly Marcos, the chief financial officer (CFO), who she expects will bring in Rob Hennessey, the pension administrator. The CFO listens to her concerns but refutes her assessment and says she has little time or patience for discussing the matter further. On Francesca’s insistence, the CFO grudgingly arranges a meeting between herself, Francesca, and Rob to discuss Francesca’s concerns. At that meeting, Rob vehemently disagrees with Francesca’s assessment that calculation of the sales agents’ salaries does not comply with pension regulations. At the end of the meeting, Shelly says she remains unconvinced that there is a problem.
SELECTED CONSIDERATIONS FOR DISCLOSING NOCLAR TO AN AUTHORITY
- The entity is engaged in bribery
- The entity is regulated and the matter threatens its ability to operate
- The entity is engaged in a tax evasion scheme
- Existence of a whistleblowing law or regulation to protect one from civil, criminal, or professional liability as well as retaliation
Francesca begins to worry that both may be avoiding the matter. The standard requires she continue up the chain of command, so Francesca then meets with the CEO and the board of directors. That meeting goes well and she, the CEO, and the board’s chair agree to engage a pension consultant to assess the company’s compliance with the applicable regulations.
Francesca should also consider her obligation to disclose the matter to the company’s auditor, which allows the auditor to be fully informed about the suspected noncompliance and fulfill its professional obligations under the auditing standards. Although this is technically disclosure to an outside party, the AICPA proposal includes such provision, as the current Code of Professional Conduct requires members in business to be candid and disclose all material facts to their company’s auditor when dealing with the auditor (see ET section 2.130.030, “Obligation of a Member to His or Her Employer’s External Accountant”). ET section 2.400.070, “Confidential Information Obtained From Employment or Volunteer Activities,” similarly permits disclosure of an employer’s information when there is a professional responsibility to do so.
After a reasonable period, Francesca should determine that appropriate actions were taken to resolve the NOCLAR and prevent its reoccurrence in the future. In determining whether further action is needed, she should consider whether a reasonable and informed third party would conclude that she acted in the public interest. If Francesca concludes that the CEO and board did not take appropriate actions, she should determine whether further action is needed in the public interest: for example, she should consider disclosing the matter to management of the company’s parent entity or an appropriate authority, unless law or regulation disallows. Disclosure to an authority, if warranted after she considers various factors and the extent of actual or potential damage to the company’s stakeholders or the public, would not breach her duty of confidentiality under the IESBA Code. The AICPA proposal does not require members in business to consider such disclosure, as most state accountancy boards, CPA societies, and the AICPA prohibit reporting the matter to an outside authority without the company’s consent.
Resigning from the company, which may not be the last step in the process, may be appropriate in extreme cases. Within 10 days of her discussion with management, Francesca learns that the consultant agreed with her assessment about the company’s application of federal pension regulations. The CEO appoints an internal team, which includes Francesca, to work with the consultant and resolve the noncompliance. Rob resigns from the company, and the board of directors reprimands Shelly for failing to act on the information that was brought to her attention.
The NOCLAR standard encourages Francesca to document the matter, including her discussions with management, how management and the board responded, the courses of action she considered, and her conclusion that she met the standard’s objectives.
Junior accountant in business.
Samir Gupta works as an accounting manager in the controller’s office of Millian Radiology under the same fact pattern as above. One of the company’s sales agents convinces Samir that he and other sales agents’ earnings are not being properly credited under the company’s pension plan. Samir is familiar with the pension calculations being performed, does some research, and becomes concerned that the company might not be complying with federal pension regulations.
Samir should ensure that he has an adequate understanding of the matter, including the nature and circumstances of the noncompliance. Having performed his own research, he should also consult confidentially with technical experts and others as needed to confirm his understanding of the regulations and the facts before proceeding. Samir should inform his immediate superior, the controller, to enable him to take appropriate actions. If the controller appears to be involved in the matter, Samir should discuss this matter with the next higher level of authority in the company, up to the board of directors if necessary.
The AICPA’s proposed standard strives for a similar framework that balances the duty to maintain confidentiality with acting in the public interest.
In truly exceptional circumstances, and only if the applicable laws and regulations allow, Samir may disclose the matter to an appropriate authority. He should exercise extreme caution and act in good faith when taking such action; legal assistance is advised. No such action would be expected under the AICPA proposal; however, if dealing with the company’s auditor, Samir should consider his obligation to make full disclosure to the auditor.
Samir is encouraged to document the matter, including his discussions with management, how management and the board responded (if applicable), the courses of action he considered, and his decisions.
What if Samir becomes aware that one of Millian’s suppliers has committed NOCLAR? Does this change the application of the NOCLAR standard? Yes. Because the standard only requires action when a PA knows of or suspects that management, those charged with governance, or persons working for management or those charged with governance committed the NOCLAR, the standard would not apply in this instance.
A Call to Action
In “The Ethical State of the CPA Profession” (The CPA Journal, December 2016, http://bit.ly/2mjh8jE), Professor Steven Mintz remarked, “It’s one thing to know something is wrong; it’s another thing to act on it.” The IESBA NOCLAR standard, effective July 15, 2017, provides a valuable framework for acting when something is wrong and guides professional accountants in their thought processes so they may discharge their ethical responsibilities more effectively when facing NOCLAR. (For additional information, see http://bit.ly/2m98Xax.)
The AICPA’s proposed NOCLAR standard strives for a similar framework that balances the duty to maintain confidentiality with acting in the public interest. If adopted by the PEEC, the new standard will become effective one year after its adoption.