In March 2022, the AICPA’s Professional Ethics Executive Committee (PEEC) officially released “Responding to Noncompliance with Laws and Regulations.” The interpretation is often referred to as NOCLAR. One version applies to members in public practice (see ET sec. 1.180.010); another version applies to members in business (see ET sec. 2.180.010).

These new rules, which interpret the AICPA Code of Professional Conduct’s “Integrity and Objectivity Rule,” become effective on June 30, 2023, but members may apply them now.

This article provides a brief primer on the NOCLAR interpretations. It also identifies and provides links to related nonauthoritative guidance.

New Ethics Interpretations

By definition, NOCLAR is noncompliance with a law or regulation that is committed by either a member’s client or employer, including the client or employer’s governance body, management, and employees.

NOCLAR relates to laws or regulations that directly affect material amounts and disclosures in a client or an employer’s financial statements, where compliance with the law or regulation is fundamental to the client or employer’s business operations, or where compliance is key to avoiding material penalties.

NOCLAR excludes clearly inconsequential matters, personal misconduct unrelated to a company’s business, and misconduct by persons who are not included in the scope of the NOCLAR rules (for example, a client or employer’s vendor).

Laws and regulations include (among others) those relating to fraud, money laundering, securities trading, banking, data protection, tax liabilities, environmental protection, and public health and safety.

Key Requirements

Requirements under the new interpretation for a member in public practice depend on whether the member is performing financial statement audits or reviews or performing other services such as tax, consulting, financial statement compilations, or another attest service.

Requirements under the new interpretation for a member in business depend on whether or not the member serves in a senior role for an organization.

A summary of the key requirements follows.

Member in Public Practice

Member provides financial statement audit or review services:  

• Upon becoming aware of credible information concerning an instance of NOCLAR (or suspected NOCLAR), the member should obtain an understanding of the matter.

• If the member identifies or suspects that NOCLAR has occurred or is likely to occur, the member should discuss the matter with the appropriate level of management. When appropriate, the member should also discuss the matter with those charged with governance (governance board).

• In these discussions, the member should advise the client to take appropriate and timely action.

• Subsequently, the member should evaluate the appropriateness of management and the governance board’s response to the NOCLAR.

• Based on the client’s response or failure to respond to the NOCLAR, the member should consider whether to withdraw from the engagement (if possible, under law or regulation).

• The member should document relevant details about the matter.

Member does not provide financial statement audit or review services:

• Upon becoming aware of credible information concerning an instance of NOCLAR (or suspected NOCLAR), the member should obtain an understanding of the matter.

• If the member identifies or suspects that NOCLAR has occurred or is likely to occur, the member should discuss the matter with the appropriate level of management. When appropriate, and where the member has access, the member should also discuss the matter with the client’s governance board.

• In these discussions, the member should advise the client to take appropriate and timely action.

• The member should also communicate the NOCLAR to the client’s auditor, if within the same firm, and consider whether to do so if the client’s auditor is within the same network as the member. The interpretation precludes the member from disclosing NOCLAR to an external auditor that is not the member’s firm or a firm in the member’s network.

• The member is encouraged to document the relevant details of the matter.

Member in Business

Member serves in a senior role in an organization:

• Upon becoming aware of credible information concerning an instance of NOCLAR (or suspected NOCLAR), the member should obtain an understanding of the matter.

• If the member identifies or suspects that NOCLAR has occurred or is likely to occur, the member should discuss the matter with the member’s immediate supervisor, if any, to determine how to address the NOCLAR. If the supervisor was involved with the NOCLAR, the member should discuss the matter with the next higher level of authority.

• The member should take steps to inform the company’s governance board about the NOCLAR to obtain their concurrence regarding the appropriate actions to be taken.

• The member should determine whether disclosure to the company’s auditor, if any, is necessary and appropriate.

• Subsequently, the member should evaluate the appropriateness of management and the governance board’s response to the NOCLAR.

• Based on the company’s response or failure to respond to the NOCLAR, the member should determine whether to act further, as appropriate and in the public interest (for example, resign from the company, inform the organization’s parent company about the NOCLAR, or report the NOCLAR to an appropriate authority, if permitted under law and regulation).

• The member is encouraged to document relevant details about the matter.

Member does not serve in a senior role in an organization:

• Upon becoming aware of credible information concerning an instance of NOCLAR (or suspected NOCLAR), the member should obtain an understanding of the matter.

• If the member identifies or suspects that NOCLAR has occurred or is likely to occur, the member should inform an immediate superior so that individual may determine how to address the NOCLAR. If the superior appears to be involved with the NOCLAR, the member should discuss the matter with the next higher level of authority.

• The member should determine whether disclosure to the company’s auditor, if any, is appropriate and necessary.

• Further action by the member may include reporting the NOCLAR to an appropriate authority, if permitted by law and regulation.

• The member is encouraged to document relevant details about the matter.

The PEEC also adopted conforming changes to the “Ethical Conflicts” interpretation, which applies to members in public practice (see ET sec. 1.000.020) and members in business (see ET sec. 2.000.020).

Nonauthoritative Guidance

The Code is the only authoritative source of AICPA ethics rules and interpretations; however, the Professional Ethics Division (Division) often publishes nonauthoritative guidance to help members and others understand and implement new and revised interpretations.

In 2022, the Division published an interactive “decision tree” that takes members step-by-step through the applicable NOCLAR interpretation. The tool guides users through the interpretation based on their responses to various questions. For example, “are you a member in public practice?” guides members to the appropriate interpretation. And “have you received credible information about an incident of NOCLAR or suspected NOCLAR?” advises the member to obtain an understanding of the matter and what that means in terms of compliance with the Code.  

The Division has also published frequently asked questions (FAQs) to help members apply the new interpretations. Section 90, “Responding to Noncompliance With Laws and Regulations (NOCLAR)” answers twenty-seven questions on the NOCLAR rules, including:

• Clarification that when a member learns of NOCLAR or suspected NOCLAR, the interpretation imposes specific requirements on the member (par. .01)

• As an ethics standard, the interpretations may require action(s) that go beyond the member’s legal or regulatory responsibilities for addressing NOCLAR (par. .02)

• Whether a member who becomes aware of NOCLAR prior to the interpretations’ effective date (6/30/23) should apply the new standards (par. .03)

• Whether a member who learns of NOCLAR after 6/30/23 should apply the new standards if the NOCLAR was committed before 6/30/23 (par. .04)

• Whether the interpretations apply when an entity other than the member’s client or employer commits NOCLAR (par. .06)

• Whether a member is required to detect NOCLAR committed by a client or employer (par. .08)

• Whether a member is expected to recognize NOCLAR in all instances (par. .11)

• Who is responsible for rectifying, remediating, or mitigating the adverse consequences of NOCLAR (par. .14)

• Addressing confidentiality agreements between members in public practice and their clients (par. .16)

• Communication of NOCLAR after a change of auditor (par. .25)

• Application of the interpretation to members performing services other than audits or reviews (pars. .26 - .27)

The material in this publication is provided with the understanding that the author and publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. The author and publisher make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and expressly disclaim all liability for any damages arising out of the use of, reference to, or reliance on such material. You may reprint material in this newsletter if it is unaltered and credited to the author and Audit Conduct. If being reproduced electronically, the following link must also be included: www.auditconduct.com. © Copyright 2023 – Audit Conduct, LLC. All Rights Reserved.