In Brief

CPAs are charged with protecting the public from financial and corporate fraud; sometimes, that means blowing the whistle on clients or employers who are violating the law. CPAs who find themselves to be potential whistleblowers might be understandably worried about facing subsequent retaliation in the workplace. The authors examine the state of whistleblower protections for CPAs in the United States, focusing on federal, New York, and New Jersey law, as well as proposed AICPA guidance, illustrated by hypothetical case studies.

* * *

In 2016, the International Ethics Standards Board for Accountants (IESBA) adopted Responding to Noncompliance with Laws and Regulations, which is applicable to all accountants. The ethics interpretation requires accountants to respond to illegal acts they encounter in their work for an employer or client primarily through disclosure of the matter to appropriate parties. The IESBA sets standards in the International Code of Ethics for Professional Accountants (including International Independence Standards), and the International Federation of Accountants (IFAC) requires its member bodies, such as the AICPA, to adopt standards that are at least as stringent as IESBA standards.

In 2017, the AICPA’s Professional Ethics Executive Committee (PEEC) proposed adding a noncompliance with laws and regulations (NOCLAR) interpretation to the AICPA Code of Professional Conduct (see Cathy Allen and Lisa Snyder, “AICPA Raises the Ethical Bar,” The CPA Journal, March 2017). While similar to the IESBA’s interpretation, the PEEC’s proposal departed from the standard because most state accountancy boards and the AICPA Code of Professional Conduct do not permit a CPA to disclose NOCLAR without client or employer consent. Certain comments on the proposal, which is still under consideration, prompted recommencement of an evaluation of the Uniform Accountancy Act (UAA). A joint task force of the AICPA and the National Association of State Boards of Accountancy (NASBA) was set up to deliberate whether the UAA should permit accountants (when warranted) to divulge illegal acts to an outside party without employer or client consent.

When an accountant takes all appropriate measures but the NOCLAR remains unresolved, the IESBA standard provides factors to consider when deciding whether to disclose noncompliance to an “appropriate authority” (e.g., a regulatory body). One of these factors is “whether there exists robust and credible protection [for the accountant] from civil, criminal or professional liability or retaliation afforded by legislation or regulation, such as under whistleblowing legislation or regulation.” This factor encompasses two distinct sets of legal issues: 1) whether the CPA would be exposed to criminal, civil, or professional liability; and 2) whether there exist laws that would protect the CPA from retaliation, such as termination of employment or other adverse employment actions.

This article discusses the extent to which federal or state laws provide employment antiretaliation protections for a CPA who discloses NOCLAR to a governmental authority or regulator without an employer’s consent. After discussing the legal protections, it provides case studies that highlight the complexities of whistleblower protection.


Referred to as a “response framework,” the NOCLAR standard requires an accountant to respond to NOCLAR when, in the performance of professional services for a client or employer, the accountant discovers or is informed of noncompliance (or suspected noncompliance). Importantly, the standard does not require an accountant to seek out NOCLAR, and the responsibility for resolving NOCLAR rests entirely with management. An accountant should first understand NOCLAR and then, if the matter falls within the scope of the standard, disclose it to the appropriate parties in the organization, going up the chain of command as needed (up to and including the company’s governance body). NOCLAR is defined as an act of omission or commission (intentional or not) that is contrary to a prevailing law or regulation and that directly impacts the determination of material amounts and disclosures in the client’s financial statements or that is fundamental to operating aspects of the client’s business, to its ability to continue doing business, or to the avoidance of material penalties.

Situations that are included in the scope of the NOCLAR standard include—

  • fraud, corruption, and bribery;
  • money laundering;
  • securities markets and trading;
  • banking and other financial products and services;
  • data protection;
  • tax and pension liabilities and payments;
  • environmental protection; and
  • public health and safety.

The primary purpose of the disclosures is to prompt management to resolve the NOCLAR. An accountant may also bring the matter to the external auditor’s attention. In the most egregious cases, when management does not act to remediate, mitigate, or prevent NOCLAR, an accountant may determine that it would be appropriate and in the public interest to disclose the matter to an appropriate authority for investigation.

Overview of Anti-Retaliation Employment Protections

Protection against employment retaliation for CPAs varies widely and depends on several factors, including—

  • whether or not the company engaging in the legal violations is publicly traded on a U.S. exchange,
  • the state in which the CPA works,
  • whether the CPA is employed in an in-house capacity or works for an outside CPA firm, and
  • the specific nature of the legal violations uncovered by the CPA.

A CPA working in one state may be protected for reporting suspected violations to a government authority, while a CPA working 10 miles away in another state may have no protection for complaining to the same authority about the same conduct. Likewise, an in-house CPA may have antiretaliation protection for reporting conduct, while an outside CPA may have no protection for reporting the same conduct.

Federal law provides broad protection for CPAs who report securities law violations and certain other types of fraudulent conduct, but only with respect to publicly traded companies or where complaints are made directly to the SEC. For most other forms of whistleblowing, the level of protection depends upon state laws, which vary widely. New York and New Jersey illustrate each end of the spectrum in terms of whistleblower protections. New Jersey’s whistleblower protection law is one of the most far-reaching in the nation, at least when it comes to complaints about wrongdoing by a person’s direct employer. New York, on the other hand, offers extremely limited whistleblower protection for private sector employees.

Below is a general overview of the legal protections afforded by federal law, New York law, and New Jersey law to employees who report legal violations to state or federal agencies.

Protections under federal law.

The Sarbanes-Oxley Act of 2002 (SOX) provides whistleblower protection to employees of companies that are publicly traded on a U.S. exchange (including certain companies with securities traded over-the-counter) and covered by nationally recognized statistical rating organizations, together with their subsidiaries. It also applies to employees of outside contractors—such as accounting firms—when working for such companies and organizations. Under SOX, these employees are protected if they report to a federal regulatory or law enforcement agency conduct that they reasonably believe constitutes mail, wire, bank, or securities fraud; violations of any SEC rules or regulations; or violations of federal laws related to fraud against shareholders. The courts have interpreted the “mail and wire fraud” prongs of SOX to cover a wide array of frauds. For example, in one case these prongs were interpreted to protect whistleblowing when a multinational company failed to make foreign Social Security payments for U.S. employees it had transferred overseas. In that case, decision making occurred in the United States and was communicated by email to foreign executives.

Under certain circumstances, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 also permits CPAs to disclose client or employer violations of the federal securities laws to the SEC through a whistleblower program and receive a monetary award for successful enforcement actions (where the SEC recovers more than $1 million), together with antiretaliation employment protection. Those with internal audit or compliance responsibilities, however, are usually only eligible after taking certain steps internally to try to address violations. Moreover, auditors of public companies have a separate set of legal obligations governing their actions and are subject to restrictions on their eligibility for SEC whistleblower awards.

More than 20 other federal statutes protect whistleblowers in specific industries or with respect to violations of specific laws. These industry-specific statutes include protection for employees who report violations of food safety, airline, commercial motor carrier, motor vehicle safety, nuclear, pipeline, public transportation agency, railroad, and maritime laws. Protections for reporting violations of specific laws include violations of various workplace health and safety, consumer product, consumer financial protection, environmental, food safety, and health insurance reform laws.

For example, the Food Safety Modernization Act protects employees of food manufacturers, processors, distributors, packers, and transporters who report what they reasonably believe to be a violation of the Food, Drug, and Cosmetic Act (or a regulation promulgated thereunder) to the federal government. This protection would apply to a CPA employed in-house, but not to an outside CPA who reports violations by her firm’s client.

Protections under New York law.

With regard to employees in the private, for-profit sector, New York law offers only very limited protection from retaliation for whistleblowing. Section 740 of the New York Labor Law is the primary whistleblower protection law, but it protects employees from retaliation only if they complain about violations of law that create a substantial danger to public health or safety or that constitute health care fraud. Section 215 of the Labor Law also protects employees who complain to the state Department of Labor or any other public authority regarding conduct by their employer that they reasonably believe violates a provision of the Labor Law.

Employees of not-for-profit corporations that have at least 20 employees and more than $1 million in annual revenues receive substantially greater protection. Under section 715-b of New York’s Not-For-Profit Corporation Law, these employees are protected against retaliation for reporting conduct they suspect to be illegal or fraudulent. Nevertheless, none of these protections under New York law would apply to an outside CPA whose firm retaliated against him because he reported suspected legal violations by a client rather than by his direct employer.

Section 75-b of New York’s Civil Service Law offers far greater protection for public sector whistleblowers; however, this protection is limited to employees of a state or municipal government or public authority.

Protections under New Jersey law.

New Jersey’s Conscientious Employee Protection Act (CEPA) provides very broad protection for employees against retaliation because of the employee’s disclosure of actions or practices of her employer that she reasonably believes are in violation of a law, or a rule or regulation promulgated pursuant to law, or are otherwise fraudulent or criminal. The extent to which CEPA would protect a CPA who is fired by her firm for reporting to authorities a violation of law by a client is, however, unclear.

Case Study 1: Fraudulent Billing in Healthcare Company

Derek Snyder, CPA, is the director of finance for Sentinel Healthcare, a private company that provides walk-in medical services in several stand-alone clinics. While analyzing the company’s financial information, Derek comes across some unusually large but vague transactions. After extensive digging, he finds evidence that seems to show that Sentinel is billing Medicaid for services that were not performed in any of its clinics.

Derek calls a meeting with Sentinel’s CFO, Munisha Nanda, to seek her guidance and recommend a course of action to determine whether fraud is occurring in the company. Munisha takes offense when Derek tells her about his findings and denies that anyone at Sentinel would or could defraud the government under her watch. Livid at the accusation, she asks CEO Dave Leary to join them. Dave sides with Munisha and accuses Derek of slander. Suspicious of their strong reactions, Derek asks to meet with the full board. The meeting takes place, but the other board members agree that Sentinel would never engage in fraudulent activity and curtly request that Derek drop the matter. They also remind him that evaluations and recommendations for end-of-year bonuses are being determined in the next few weeks, implying consequences for Derek if he continues to probe. Derek decides that it will be futile to pursue the matter further internally and is considering reporting the fraud to the Centers for Medicare and Medicaid Services; however, he wants to know whether or not he would be protected from retaliation (including being fired) by Sentinel if he does so. In this case, Derek would be protected regardless of whether he worked in New York or New Jersey because both states’ laws offer protection to whistleblowers in circumstances involving healthcare fraud.

Case Study 2: Underpaying Unemployment Contributions

Gemini Corporation, a private manufacturer located in New York, has a staff of 160. In January 2017, Gemini hires Barbara Alba as controller to oversee a group of six accountants and report to the CFO. In her second year on the job, Barbara discovers that Gemini has underreported wages for purposes of its state unemployment insurance contributions. She speaks with the CFO, then management, and urges them to correct the problem, which goes back to 2014. Management agrees to correctly report wages going forward but resists alerting the state unemployment fund about past underpayments or making payments for past periods, citing cash flow problems. Barbara is concerned that her employer’s failure to pay the proper past amounts may result in significant penalties under New York labor laws. She meets with the company’s owners and board, reiterating her concerns and telling them that Gemini can probably seek a payment plan with New York, but to no avail. Barbara is very uncomfortable being associated with such blatant misconduct and is considering making a complaint to the Department of Labor. In this case, she would be protected from employment retaliation because her actions would be protected under the New York Labor Law.

Case Study 3: Discovering Embezzlement

While reconciling various accounts, Ben Marker, a longtime accountant at Olympia LLP, finds invoices from a vendor he does not recognize. He learns that someone is creating these invoices, which do not appear to be legitimate, and directing the proceeds into the account of Josef Weber, Olympia’s controlling shareholder. These transactions go back several months and rise in significance over time. Ben is unsettled and confides in Olympia’s CFO, Alyssa Franco, who agrees that the evidence shows that Josef is embezzling money from the company and his fellow shareholders. Alyssa warns Ben, however, that the CEO has a very close business and social relationship with Josef and has on prior occasions covered up evidence of wrongdoing by Josef. She also warns him that Josef controls the board of directors and that it would therefore be futile to take the issue to the board.

Six weeks later, Ben continues seeing the fraudulent invoices being paid. He is uncomfortable letting the fraud continue and is considering taking the matter to state law enforcement authorities. He wants to know whether he would be legally protected from being fired or otherwise being retaliated against in his employment. In this case, if Ben worked in New Jersey he would be protected under the state’s CEPA law; however, if he worked in New York he would have no such legal protection against retaliation.

Case Study 4: Managing Director Uncovers Fraud at Audit Client

Casey Stuart, a managing director with a large CPA firm, is working on a consulting engagement for Olsen Music Centers, a public company audit client of the firm. One of Olsen’s senior staff members informs Casey about accounting fraud being perpetrated that has materially affected the company’s financial statements. The informant provides documentation to corroborate his assertion and asks Casey to share the information with the audit team. Concerned, Casey alerts Tom Schober, Olsen’s audit partner, and shares the documents with him. Tom thanks her but says little and is noncommittal as to what he will do with the information.

Two weeks later, the staff person says he has not heard from the audit partner. When Casey again speaks with Tom, he informs her that Olsen Music is an important client to the firm and that she should forget about the “unsubstantiated” allegation. Casey counters that they have evidence that revenue is being materially distorted, and says they should, at a minimum, speak with management and perhaps the board of directors about the matter. Tom says he alone will make that call and implies that if she does not back off, he may contact the firm’s managing partner to report her insubordination. Casey persists, and before she can initiate discussions with the client, the firm removes her from the consulting engagement. Casey is convinced that nothing will be done about the fraud and is considering reporting it to the SEC; however, she is very concerned that she will be fired if her firm finds out.

In this case, Casey would be legally protected from retaliation under SOX because she works for a contractor to a publicly traded company. In addition, depending on the type of engagement Casey was performing for Olsen Music, she may be eligible to report the violations through the SEC’s whistleblower disclosure program and receive a whistleblower award, as well as protection against retaliation.

An Uncertain Environment

The IESBA standard allows an accountant, when determining whether to disclose unresolved NOCLAR to a regulatory body, to consider whether applicable laws or regulations protect against retaliation and other negative consequences of making the disclosure. The AICPA’s proposal, which is still under consideration, does not resolve the matter of disclosure to outside parties, so it does not mention whether an accountant may consider the existence of whistleblower protections. As illustrated above, U.S. legal protections vary widely depending on such matters as the type of company employing the accountant (e.g., public, private, government, not-for-profit) and the employment jurisdiction. Thus, the inconsistent nature of antiretaliation laws and regulations in the United States is an important factor that the profession should consider as it continues to deliberate a NOCLAR standard that would allow disclosure to outside parties without consent.

Catherine R. Allen, CPA is an ethics consultant and founder of Audit Conduct, Rocky Point, N.Y.
David N. Mair is an attorney and a partner at Kaiser Saurborn & Mair P.C., New York, N.Y.