Audit Conduct



“All that is necessary for the triumph of evil is that good men do nothing.”  (Edmund Burke) 

Fraud, corruption, bribery, insider trading, tax evasion, terrorist financing… What is an accountant’s obligation when he or she learns that an illegal act has occurred or may occur?  What is the public’s expectation?  Does it matter whether the accountant works in industry or is in public practice? As an auditor or a consultant on a project? Member of a company’s management vs. a junior accountant? 

In April 2016, the International Ethics Standards Board for Accountants (“IESBA” or “the Board”), a standard-setting body of the International Federation of Accountants (“IFAC”), unanimously approved a new ethics standard entitled, Responding to Non-Compliance with Laws and Regulations. The new standard was recently incorporated into the 2016 version of the IESBA Code of Ethics for Professional Accountants (“IESBA Code”) and is effective July 15, 2017, with early application permitted.  This article analyzes the new standard, and discusses the steps involved and its conceptual underpinnings, why it was adopted, and the 6-year-long rulemaking process that led to issuance of this controversial standard. 

Why did IESBA undertake this project? 


The Board cited concerns among regulators and others about a lack of guidance in the Code to help accountants navigate between the duty of client confidentiality and protection of the public’s interests when the accountant learns of – or suspects – noncompliance with laws or regulations.  The accountant’s duty of confidentiality – to not disclose confidential client information without the client’s permission – has been a longstanding principle in the profession, and in the IESBA Code.  Some feared that auditors were resigning in these cases without appropriate steps being taken to address the issue, and there was a sense that the Code was working against, not with, accountants in these matters.  The Board approved a project to address the issues in late 2010. Initially, the IESBA focused on auditor responsibilities but later expanded its project to consider other professional accountants (“PAs”) in public practice and PAs in business (“PAIBs”), e.g., corporate controllers and internal auditors, including those in government, education, and not-for-profit organizations.  

Deliberations

A long road led to issuance of the final standard. After almost two (2) years of internal discussions, in August 2012 the Board issued its first proposed standard, Responding to a Suspected Illegal Act.  Commenters supported the overall concepts in the proposal but raised numerous concerns about the scope of the requirements, their operability, and potential for unintended consequences.  That led IESBA to expand its discussions to include three (3) global roundtables in 2014 to obtain viewpoints from diverse stakeholders from around the world.  The Board met frequently with the IESBA’s Consultative Advisory Group (“CAG”), and other bodies such as IFAC’s International Auditing and Assurance Standards Board (“IAASB”) and Public Interest Oversight Board (“PIOB”) observed the Board’s meetings.  Based on all this feedback and consultation, in May 2015 the IESBA released a second proposal, Responding to Non-Compliance with Laws and Regulations, in the form of a “response framework,” designed to set forth PAs’ responsibilities when they encounter NOCLAR and guide them in their thoughts and actions in responding to NOCLAR. To reflect PAs’ differing roles and responsibilities, the framework addressed four (4) different groups of PAs: 

PAs in Public Practice: 

  • Auditors 
  • PAs in Public Practice who are not Auditors

PAs in Business: 

  • PAIBs in Senior Roles in Companies
  • PAIBs in Non-Senior Roles in Companies 

The Board received 77 comment letters on the second proposal and also met with members of the regulatory community, policy-makers, national standard-setters, investor groups, the Forum of Firms, the IAASB and others in working towards a final standard that would strike a proper balance.  

Final Pronouncement

A Basis for Conclusions document captures the more significant comments raised in the second exposure draft and memorializes the Board’s rationale for its positions in light of those comments.  IESBA also worked very closely with the IAASB to synchronize the new standard with the International Standards on Auditing (“ISA”) No. 250, Consideration of Laws and Regulations in an Audit of Financial Statements.   

Scope of the Standard 

What is NOCLAR?  

A term currently used in the ISAs, NOCLAR is an act of omission or commission, whether or not intentionally done, which is contrary to a prevailing law or regulation. 

NOCLAR covers noncompliance with laws and regulations dealing with such things as:  

  • Fraud, corruption and bribery
  • Money laundering, terrorist financing, and proceeds of crime
  • Securities markets and trading
  • Banking and other financial products and services
  • Data protection
  • Tax and pension liabilities and payments
  • Environmental protection
  • Public health and safety

Who commits NOCLAR? 

  • PA’s Client (management or those charged with governance – “TCWG”), or those working for the client, or 
  • PA’s Employer (management or TCWG, or those working for management)

When does the NOCLAR standard apply? 

The NOCLAR standard applies when in delivering a professional service to a client, or carrying out professional activities for a company, a PA becomes aware of – or suspects – NOCLAR has occurred or is about to occur.   The standard does not apply when the PA has no client or employer relationship with the company in question. 

The law or regulation in question either: 

  • Has a direct impact on the determination of material amounts and disclosures in the client’s or company’s financial statements, or
  • Is one where compliance is fundamental to the client’s or company’s operations, to its ability to continue its business, or to avoid material penalties 

* Note: the term “company” is used in this article to include all types of organizations, such as governmental bodies, partnerships, commercial corporations, and not-for-profit entities. 

What is NOT included in NOCLAR? 

Specifically excluded from the definition of NOCLAR are: 

  • Clearly inconsequential matters
  • Personal misconduct that is unrelated to the client or employer’s business activities
  • Noncompliance by persons other than those listed above

Where may NOCLAR occur? 

The standard addresses NOCLAR (or suspected NOCLAR) the PA discovers at a company, whether or not the company is a “public interest entity” (e.g., public or listed company), that is the PA’s client or employer. 

Underlying Principles

Three of the Code’s principles underlie the new pronouncement.  Integrity (Section 110) requires the PA to be truthful and honest, and to avoid any association with false or misleading information. Professional Behavior (Section 150) requires the PA to comply with laws and regulations and avoid any activities that discredit the profession.  In doing so, PAs should consider whether a reasonably informed third party would consider the act to diminish the accounting profession’s good reputation.  

The principle of confidentiality (Section 140) requires the PA to hold client and employer information in confidence unless the client or employer consents to its release.  Therefore, prior to adoption of the new standard, unless a law or regulation required a PA to report NOCLAR, the PA could not do so without violating the Code.   As noted, this conflict was one of the primary drivers for the NOCLAR initiative. 

Objectives of the Standard

The PA’s objectives under the standard are three-fold: 

  • Comply with the fundamental principles of integrity and professional behavior, and
  • Alert management or TCWG (as appropriate) of NOCLAR so they may rectify or deter the NOCLAR, and
  • Take further actions, as appropriate, in the public interest.

Fundamental Premises

The new standard may be viewed as being based on several fundamental premises, which underpin the requirements.  They are: 

Management or TCWG are Responsible for Identifying and Addressing the Noncompliance

A company’s management or TCWG are ultimately responsible for taking action to resolve or deter NOCLAR.  The PA’s job is to bring the matter to the appropriate parties’ attention and follow-up as required under the framework.   

Ethical Responsibility to Act

Once the PA becomes aware of NOCLAR that has occurred or will occur, he/she has an ethical responsibility to address it by following the framework.  Ignoring the NOCLAR is an abdication of the PA’s ethical responsibility.   As a member of the accountancy profession, the PA’s obligation goes beyond the responsibilities of a member of the general public.  

No Requirement to Search for and Identify NOCLAR

A PA may come across, or be made aware of, information that indicates NOCLAR. However, the standard does not require the PA to seek out this information – that is, the PA has no duties beyond their current responsibilities to find NOCLAR.  So, for example, an auditor has responsibilities under the relevant auditing standards to design procedures to help identify fraudulent activity that materially misstates the financial statements, but the PA’s audit responsibilities are separate and apart from the requirements imposed under this new IESBA standard. 

The Law or Regulation is within the PA’s Sphere of Knowledge and Technical Expertise

The PA is only expected to have technical expertise in regard to the professional services or activities in which the PA engages.  That is, a PA is not expected to have a level of knowledge of laws and regulations greater than that required to perform the engagement or perform professional activities as a company employee.   The Board’s Basis for Conclusions document acknowledges that PAs will not be expected to recognize the laws and regulations that fall into all of the categories of NOCLAR included in the scope of the standard. 

Responsibilities Vary Based on the PA’s Role 

PAs who are auditors in public practice have different responsibilities under the standard due to the nature of their work and perception as public “watchdogs” or protectors of the public interest.   Other PAs in public practice, whether they perform tax or consulting work for clients, still have responsibilities but they differ from those of the auditor in that their relationship with the client and access to TCWG is inherently different from the auditor’s.  

A senior PAIB is a director, officer, or senior employee able to exert significant influence over the acquisition, deployment, and control of a company’s human, financial, physical, technological, and intangible resources.  Senior PAIBs are responsible for a company’s “tone at the top” and for setting appropriate policies and procedures (in part) designed to help prevent NOCLAR.  Their ability to influence the company enables them to respond to NOCLAR more effectively than more junior employees.  Therefore, their responsibilities under the standard reflect their greater abilities.

Gain an Understanding 

PAs should gain the best understanding of a matter possible before acting, which may require appropriate consultation. The ultimate arbiter of noncompliance is the courts or other authoritative bodies; however, the PA should apply knowledge and expertise to the matter and obtain appropriate counsel as needed – on a confidential basis.  Advice and counsel may come from within the PA’s employer, a regulator, professional body, or their own legal counsel. 

No “Passing the Buck”

The standard requires PAs (non-auditors) and Senior PAIBs to consider communicating NOCLAR to the company’s auditor (if any).  However, the PA may not then consider the matter to have been “passed off” to the auditor (rather, the information is intended to assist the auditor in fulfilling his or her auditing responsibilities).  The PA making the disclosure should continue to apply the steps in the framework. Communication to the appropriate parties is integral to achieving the objectives of the standard but the PA still has responsibilities of his/her own. 

Resignation from the Client or Company May Not Fully Resolve the NOCLAR

While a PA may feel the need to resign from a client or employer due to NOCLAR, the PA’s responsibilities under this standard do not end there – i.e., there may be, depending on the facts and applicable laws and regulations, more actions the PA will be required to take. 

Communicate with the Appropriate Parties

Communication is key – whether to management, TCWG, the auditor, counsel, a regulatory body, or in severe cases a public authority. The standard provides relevant factors to help the PA determine which persons should be apprised of the NOCLAR so that those persons may fulfill their professional responsibilities.  

The Framework Does Not Mandate Disclosure Outside of Management 

Since the standard is principles-based, the PA will apply professional judgment in considering the factors and subsequent actions under the framework, including whether disclosure to anyone outside of management is appropriate.  The framework does not dictate disclosure to persons or groups beyond management.  The PA makes those decisions. 

Consider Legal and Regulatory Requirements 

The PA should comply with any reporting obligations under law or regulation (e.g., reporting a matter to a regulatory body) within the indicated timeframe(s) and consider whether applicable laws or regulations prohibit disclosure to a public authority or the auditor.  If the PA plans to disclose NOCLAR to a public authority, “anti-tipping off” legislation (i.e., barring the PA from alerting a client or employer prior to the disclosure) may apply. 

Consider the Reasonable, Informed “Third Party” View and the Public Interest

In determining whether to disclose NOCLAR to an appropriate authority, PAs must consider the views of a reasonable and informed third party about the PA’s obligation to protect the public interest in light of various factors.   For example, in considering whether to disclose a matter to a public authority, a PA would consider factors such as: 

  • the strength and credibility of evidence that the NOCLAR would substantially harm the public or others, 
  • whether sufficient protection from legal liability or retaliation exists (such as under whistleblower legislation or regulation), 
  • the PA’s confidence in management’s integrity, and 
  • whether the PA’s physical safety would be put at risk.  

Exercising the Right to Disclose 

In cases where the PA concludes that management and TCWG have not responded appropriately and there is a strong public interest in disclosing NOCLAR to a public authority, the PA is free to release information about the client or employer without client or employer consent and without violating the IESBA Code’s principle of confidentiality.  However, disclosure of the matter to an appropriate authority would still be precluded if doing so would be contrary to law or regulation.  For example, most US state accountancy boards have strict confidentiality rules that would prohibit disclosure in these instances.  

Walking through the Framework

A series of sequential steps and relevant factors comprise the Framework.  Consultation with others, within the bounds of confidentiality constraints (unless waived by the standard) and any legal or regulatory restrictions, is integral to the process.  The sequence, at a very high level, for PAs in public practice follows: 

 


The sequence, at a very high level, for PAs in business follows: 

 

 

IESBA Tools and Aids

The IESBA “NOCLAR” site includes various educational tools, e.g., videos, a fact sheet, and “at a glance” and basis for conclusions documents on the new standard. According to the site, the staff plans to issue other tools and aids, including FAQs and PowerPoint slides, to help IFAC member bodies and PAs implement the new standard. 

Convergence Plans -- AICPA Code of Professional Conduct 

The AICPA Professional Ethics Executive Committee has formed a task force charged with reviewing the NOCLAR pronouncement and recommending possible amendments to the AICPA Code. 

Closing

As IESBA’s “At a Glance” document notes, in jurisdictions lacking laws and regulations that require PAs to report NOCLAR, the Code’s new response framework can help fill those gaps.  In other jurisdictions, such as the US, where a robust regulatory framework already exists, the Code complements those frameworks by guiding PAs in their thought processes so they may discharge their ethical and regulatory responsibilities more effectively when faced with NOCLAR.