A professional accounting committee has opened a can of worms with a proposal to revise its code of ethics addressing how accountants should respond when they stumble upon illegal activity.

When an accountant learns of some act that may be illegal, should they contact a supervisor? Communicate it to client management? Report it to an outside authority? Consult an attorney? A proposed revision to the ethics code at the American Institute of Certified Public Accountants has touched off a sensitive ethical and legal debate.

The Public Company Accounting Oversight Board has its rules for auditors who are performing audits on public company clients. It points out auditors are not legal experts, so they can’t know in an instant if a particular rotten apple they’ve sniffed out might indeed be an illegal act.

Given that, the standard for auditors tells them to consider a number of possible actions, depending on what they’ve found. They need to consider the information within the context of their role as the independent external auditor, and they may need to consult legal counsel. Is it something that might be material to the company’s financial statements? Does it affect financial statement assertions?

The guidance for auditors gives them a course of action that involves discussing the matter with the audit committee and possibly issuing an adverse opinion on financial statements or even quitting the audit engagement. For auditors, those are big sticks to wield. Companies that are listed need a clean audit opinion to remain in the good graces of securities regulators, so an auditor’s actions along those lines is more likely to spur action within the company to address the matter.

But what if the accountant is an inside accountant or is engaged by the firm for a service other than an audit of financial statements? That individual can’t hold a required audit opinion over management’s head. 

“This could broaden the obligations of accountants and potentially put [accountants] in the position of having to engage in the unauthorized practice of law. This could also heighten their exposure to lawsuits for failing to detect fraud and failing to advise the client to take appropriate remedial action.”

Andrew Fuchs, Litigation Associate, Skadden, Arps, Slate, Meagher & Flom

The first logical step is still to report the matter internally and let those with the authority to do so take action. If the information is not acted upon, however, or the situation remains unresolved, what’s the accountant’s next move? That’s what the AICPA proposal, put forth by its Professional Ethics Executive Committee, is trying to determine. The Institute of Management Accoutants recently addressed similar questions as well.

The AICPA project began as a convergence effort to decide whether to conform U.S. ethics standards to international ethics standards, says Lisa Snyder, who until very recently was the senior director in the professional ethics division at the AICPA.

The International Ethics Standards Board for Accountants issued a new standard on noncompliance with laws and regulations taking effect this summer, so the AICPA’s PEEC considered whether a similar standard was in order for AICPA members. “Anytime the IESBA issues a standard, we look at it for possible convergence, but we often need to tailor it to make it appropriate for the U.S. practice environment,” she said.

In this particular case, the U.S. needs differed in some key ways because the United States has such a different legal system and litigation environment than many other countries. The whistleblower provisions instituted by the Securities and Exchange Commission under Dodd-Frank, for example, are very different from rules in place in other countries.

The key difference between the IESBA code and the U.S. proposal centers on confidential information. How should accountants respond when they are bound by professional standards to keep confidential client information in confidence, yet they learn through the course of their work of some instance of noncompliance with laws or regulations?

That’s where the international and U.S. standards needed to part ways. “Under the AICPA proposal, because of confidentiality laws, members would not be permitted to disclose a suspected NOCLAR to an outside authority unless required to do so by law or with the client’s consent,” says Snyder. “Under the IESBA standard, a member might be able to override confidentiality and disclose a NOCLAR to an authority. It depends on various circumstances and factors to consider.”

One of those key factors, says Snyder, is whether or not there are any protections from liability or retaliation, either through whistleblower legislation or regulation or other legal provisions. As an example, Section 10A of the Securities Exchange Act of 1934 requires auditors of public companies to make disclosures to the SEC regarding certain illegal acts of their clients, but it also provides protection for the auditor against legal actions, says Snyder. “Part of the controversy is when is it appropriate to override client confidentiality if you believe the public interest may be threatened?”


Below, the AICPA proposal explains the responsibilities of senior professional accountants in business.
When responding to a NOCLAR, members in business are required to consider protocols and procedures that may exist within the members’ employing organizations. Because of the role and sphere of influence of senior professional accountants in business, there is a greater expectation for them to take whatever action is appropriate in the public interest to respond to a NOCLAR. For purposes of the interpretation, senior professional accountants in business are directors, officers or senior employees able to exert significant influence over, and make decisions regarding, the acquisition, deployment and control of the employing organization’s human, financial, technological, physical and intangible resources.
If a member who is a senior professional accountant in business discovers a NOCLAR, the member should obtain an understanding of the matter. The member should discuss the matter with the member’s immediate superior to determine how the NOCLAR should be addressed. If the immediate superior is suspected of involvement, the member is required to discuss the matter with the next higher level of authority.
The interpretation requires certain steps be taken by a member who is a senior professional accountant, including having the matter communicated to those charged with governance to obtain concurrence regarding the appropriate actions to take to enable them to fulfill their responsibilities.
In responding to a NOCLAR, the member who is a senior professional accountant is required to determine whether disclosing the matter to the employing organization’s external auditor is necessary, pursuant to the member’s duty or legal obligation to provide all information necessary to enable the auditor to perform the audit.Source: AICPA

The ideal path for any accountant who discovers instances of noncompliance would be for the accountant to report the information through internal channels to those charged with governance and they would address it. That would spare the accountant the moral and legal conflict over whether to breach confidentiality and disclose to an outside authority. But if the accountant follows that course and the matter is left unaddressed or unresolved, what’s the accountant’s next move?

The issue for standard setters to decide is this: If an accountant has no legal requirement to report the instance, no consent from the client to report it, and no legal protections by law or regulation, should accountants be permitted to override client confidentiality? That’s the legal/moral conundrum that PEEC is trying to navigate.

The National Association of States Boards of Accountancy, which license accountants at the state level, said they’d like to see the standard land closer to the IESBA requirements, which compel accountants to a higher level of discloser. “The AICPA’s efforts on NOCLAR should be integrated with efforts of other regulators to provide better public protection,” says Ken Bishop, president and CEO of NASBA. He notes the Uniform Accountancy Act governing all accountants doesn’t prohibit CPAs from “compliance with applicable laws, government regulations, or PCAOB requirements.”

So what happens when there are no specific requirements? Some accountants fear the proposal would essentially deputize accountants, making them more responsible for sniffing out and chasing down potential acts of noncompliance.

“I don’t think anyone is really taking issue with the idea of communication to the client that you found something, but there’s a little concern around is it something we have qualifications as accountants to determine what’s noncompliant,” says Shelly Van Dyne, a partner at RSM.

Wendy Garrett, managing director in the area of independence at Grant Thornton, echoes Van Dyne’s concern. “We’re sensitive to the exposure that could be put in place by placing more requirements on members in the profession,” she says. Whatever might be required of accountants, “it should fall within the scope of our normal work.”

Andrew Fuchs, a litigation associate at law firm Skadden, Arps, Slate, Meagher & Flom, says it goes so far as to potentially put accountants in the position of practicing law.

“Whether an act constitutes compliance with a law or regulation is a legal determination beyond the accountant's typical professional expertise, yet this may require an accountant to actually make such a determination,” he says. “This could broaden the obligations of accountants and potentially put them in the position of having to engage in the unauthorized practice of law. This could also heighten their exposure to lawsuits for failing to detect fraud and failing to advise the client to take appropriate remedial action.”

AICPA’s PEEC is expected to revisit the issue further before making any final determinations.