ICYMI | Opinion: AICPA Proposal Raises the Ethical Bar

Auditor.

Mary Patterson is the partner responsible for her firm, Wayne, Jiminez, and Patterson (WJP)’s audit of Community Bank Corp; her team is in the planning stages for this year’s audit. One evening, Charles Landers, a manager in the bank’s residential mortgage division, asks to speak to Mary in confidence. He says that to bolster the bank’s bottom line, the bank’s Chief Lending Officer (CLO) has been pressuring Charles and his loan officers to issue mortgages that do not comply with federal lending regulations. He and his staff have granted a few mortgages to borrowers who were unqualified and are nervous that borrowers who cannot afford their loans will lose their homes, significantly increase the bank’s risk profile, and subject the bank and its staff to regulatory actions and penalties.

Mary should determine whether the IESBA standard applies by considering two questions: first, would the noncompliance have a direct and material impact on the bank’s financial statements? Second, are the lending regulations fundamental to the bank and its operations, or to its ability to carry on business or avoid material penalties? A “yes” to either question means the situation is within the scope of the standard. Because federal lending regulations are integral to the bank’s operations, Mary should proceed in applying the NOCLAR framework, keeping in mind that some of her responsibilities under the framework may differ from, or overlap with, her audit responsibilities.

Mary should obtain an understanding of the regulations and their applicability to the situation described, the persons involved, and the timing and nature of the noncompliance. After conferring with others in her firm and the firm’s legal counsel, as well as a follow-up conversation with Charles to confirm her understanding of the facts, she should discuss the matter with the bank’s management and governing board and advise those parties to take timely, appropriate action to address the NOCLAR. If the bank is part of a consolidated entity, Mary should communicate the matter to the group audit partner, unless law or regulation precludes disclosure. Similarly, if Mary is the group audit partner, she should consider whether to disclose the matter, if relevant, to any component’s audit partners, unless disclosure is prohibited. (Under the proposed AICPA standard, Mary’s responsibilities under a group audit would apply to all group attest engagements, whereas the IESBA standard only addresses group audits.)

Mary informs the bank’s Chief Operating Officer (COO) about what she has learned. He promises to discuss the matter with the bank’s CLO. Two weeks pass, and Charles informs her in an e-mail that the pressure to issue loans to unqualified borrowers continues. She approaches the COO, explains her concerns in detail again, and urges him to immediately curtail these activities. He replies that he’s been especially busy with other matters and will tend to the issue in the future. Unsure that the COO will take any action, Mary then meets with Don Medlin, the CEO and chairman of the bank’s board of directors, to explain the situation. Noticing the irritated expression on Don’s face as she describes the NOCLAR and her experience with the COO, Mary becomes concerned. Don gives no indication that he will act on the information, which leads Mary to request a meeting with the board’s audit committee. Don tells Mary that he is authorized to speak for the full board and that the audit committee is unavailable for the next three months. At this point, management’s attitude and lack of action and cooperation convinces Mary that they are part of the problem.

The NOCLAR framework requires Mary to evaluate management’s actions, including whether it took appropriate action and whether further action is warranted. Clearly, management could have acted on the matter but chose not to; in fact, it appears to be obstructing Mary’s actions. She should consider whether a reasonable and informed third party would conclude that she had acted in the public interest given her knowledge that employees are under pressure to skirt banking regulations.

Under the IESBA standard, Mary should consider whether to report the NOCLAR to an outside authority due to the likelihood of substantial harm to the public interest. The standard requires such consideration even if her firm’s legal counsel concluded that existing laws and regulations do not require her to report the matter. The purpose of disclosure would be to enable a public authority to investigate the matter and act as needed to protect the public. If Mary practices in a jurisdiction that allows the disclosure and she concludes that credible evidence exists that the NOCLAR could cause substantial harm to the bank or various parties, she would not breach her duty of confidentiality under the IESBA code by reporting the matter to a banking regulator. This type of reporting is an extreme action, however, and should follow a thorough vetting of the situation, including possibly a confidential discussion with a regulator or professional body and legal counsel. (See the sidebar, Selected Considerations for Disclosing NOCLAR to an Authority, for common considerations on this requirement.) State board, AICPA, and other rules preclude these actions unless disclosure is required by law or the client consents to the disclosure—the latter being highly unlikely under the circumstances. Therefore, this part of the IESBA standard was not included in the AICPA proposal.

Mary discusses the matter with her firm partners, and they agree that the bank’s management is not acting to prevent illegal acts by its employees (and in fact, the CLO is actively encouraging noncompliance). They no longer wish to be associated with the client, and the firm resigns as auditor. If contacted by the successor auditor, Mary should disclose facts about the NOCLAR to the successor auditor if she believes the successor needs the information in deciding whether to accept the engagement and such disclosure is not prohibited by law or regulation. Due to state board, AICPA, and other rules on client confidentiality, the AICPA proposal does not include a similar provision regarding disclosure to a successor, and she would need to obtain the client’s permission to discuss the matter with the new auditor. If the client refuses to permit Mary to discuss all matters freely with the new auditor, the successor is then on notice of a potential problem.

Lastly, Mary should document the matter, including information that was brought to her attention; her discussions with the bank’s management and the governing board and their inaction regarding the NOCLAR; options she considered under the framework; the rationale for her actions, including consideration of the “reasonable and informed third-party view”; and how she met the NOCLAR standard’s objectives.

Nonauditor.

Jeremy Mays is a WJP consultant providing cybersecurity advisory services to Community Bank Corp. Assume Mary Patterson is still the company’s audit partner, but instead of informing Mary, Charles Landers speaks to Jeremy about the pressure being exerted on staff to grant loans to applicants in contravention of regulatory requirements.

Jeremy is providing advisory services to Community Bank and has been made aware of information that indicates potential NOCLAR, so the standard applies. Jeremy should seek to obtain as complete an understanding as possible before proceeding. Information gathering may require discussions within his firm, further research, and discussions with the informant and legal counsel. The framework recognizes that PAs providing nonaudit services might be limited in their ability to access information or have discussions with those charged with governance as compared to PAs who provide audit services.

Jeremy should discuss the matter with the COO and, if he feels it is appropriate and has access, the CEO/chairman of the board. Since he is providing nonaudit services to his firm’s audit client, Jeremy should communicate the matter within WJP or the firm’s network (unless law or regulation disallows) in accordance with firm protocols. If no protocol exists, he should discuss the matter directly with Mary. The standard states that disclosing the matter to Mary does not mean that Jeremy has no further responsibilities under the standard; for example, Jeremy should still perform some follow-up, as described below.

If the bank is an audit client of another firm in WJP’s network, Jeremy should consider whether to disclose the matter to that auditor. The AICPA proposal expands on the IESBA requirement to also include financial statement review clients; thus, if the bank is a review (rather than an audit) client, he should consider disclosing the NOCLAR to the review partner.

Under the IESBA standard, if the bank is not an audit client, Jeremy should consider disclosing the matter to the external auditors. This would be prohibited under most state board laws and regulations (and the AICPA code), unless he obtained the client’s permission. Thus, this provision is not included in the AICPA’s proposed standard.

Jeremy should consider whether further actions would be warranted in the circumstances, discuss with Mary the actions she has taken as auditor, and consider whether the matter has been appropriately addressed and resolved.

The IESBA standard also requires Jeremy to consider whether to report the matter to an appropriate authority to protect the public interest. As previously stated, the AICPA proposal does not include this provision.

Withdrawing from the engagement and the client relationship is another possible outcome that Jeremy should discuss with his firm and legal counsel. He may also wish to have a confidential discussion with a professional body or regulator. Under the AICPA proposal, Jeremy should apply professional judgment and consider, based on the relevant facts, whether a reasonable and informed third party would conclude that he has acted in the public interest.

Jeremy is encouraged to document the matter, including his discussions with management and Mary, how management responded, the courses of action he considered, and his conclusion that he met the standard’s objectives. The AICPA proposal, if adopted, would require Jeremy to document the matter, as unlike the IESBA, the AICPA did not differentiate between auditors and others in public practice on this point.

As an interesting wrinkle to the above, assume Community Bank engages Jeremy to perform a forensic engagement to identify possible noncompliance with federal lending regulations, and he uncovers the NOCLAR while performing his forensic procedures. In that case, he would likely be performing the same responsibilities under his engagement as under the NOCLAR standard, but disclosure to an authority would generally not be made, since the purpose of the engagement was to identify noncompliance so that management could take appropriate action. (Because the AICPA proposal does not contemplate disclosure to external parties, forensic services were not specifically addressed.)

Senior accountant in business.

Francesca Lindsay is the Finance Director of Millian Radiology, Inc., a supplier of medical imaging equipment and private company. Millian Radiology maintains a large team of sales agents who are paid in accordance with a complicated formula involving base salary, commissions, and various forms of incentive pay. Francesca’s understanding from discussions with the company’s pension administrator is that the calculation of the sales agents’ pay for their participation in the company’s pension plan complies with applicable national and local regulations. Over time, however, Francesca begins to suspect that the company’s actions do not meet federal pension guidelines and the company is not sufficiently crediting the sales force in its benefit calculations. She suspects the shortfall in these employees’ pension benefits would be considered material and expose the company to significant penalties and litigation.

As finance director, Francesca would be considered a senior professional accountant and therefore would be required to apply the NOCLAR framework once she suspects noncompliance with a law or regulation falling within the scope of the standard. Francesca should obtain an understanding of the matter, including the nature of the issue, the circumstances in which it is occurring, application of the relevant regulations, and potential consequences to company stakeholders and the wider public. In doing so, she should consult on a confidential basis with an expert at her professional body.

First, Francesca should consider any policies and procedures Millian has in place to address NOCLAR; for example, an ethics hotline or whistle-blowing protocol. The company has an ethics hotline, but being a senior member of management, Francesca decides to address the matter by discussing it with her immediate superior, Shelly Marcos, the chief financial officer (CFO), who she expects will bring in Rob Hennessey, the pension administrator. The CFO listens to her concerns but refutes her assessment and says she has little time or patience for discussing the matter further. On Francesca’s insistence, the CFO grudgingly arranges a meeting between herself, Francesca, and Rob to discuss Francesca’s concerns. At that meeting, Rob vehemently disagrees with Francesca’s assessment that calculation of the sales agents’ salaries does not comply with pension regulations. At the end of the meeting, Shelly says she remains unconvinced that there is a problem.

Francesca begins to worry that both may be avoiding the matter. The standard requires she continue up the chain of command, so Francesca then meets with the CEO and the board of directors. That meeting goes well and she, the CEO, and the board’s chair agree to engage a pension consultant to assess the company’s compliance with the applicable regulations.

Francesca should also consider her obligation to disclose the matter to the company’s auditor, which allows the auditor to be fully informed about the suspected noncompliance and fulfill its professional obligations under the auditing standards. Although this is technically disclosure to an outside party, the AICPA proposal includes such provision, as the current Code of Professional Conduct requires members in business to be candid and disclose all material facts to their company’s auditor when dealing with the auditor (see ET section 2.130.030, “Obligation of a Member to His or Her Employer’s External Accountant”). ET section 2.400.070, “Confidential Information Obtained From Employment or Volunteer Activities,” similarly permits disclosure of an employer’s information when there is a professional responsibility to do so.

After a reasonable period, Francesca should determine that appropriate actions were taken to resolve the NOCLAR and prevent its reoccurrence in the future. In determining whether further action is needed, she should consider whether a reasonable and informed third party would conclude that she acted in the public interest. If Francesca concludes that the CEO and board did not take appropriate actions, she should determine whether further action is needed in the public interest: for example, she should consider disclosing the matter to management of the company’s parent entity or an appropriate authority, unless law or regulation disallows. Disclosure to an authority, if warranted after she considers various factors and the extent of actual or potential damage to the company’s stakeholders or the public, would not breach her duty of confidentiality under the IESBA Code. The AICPA proposal does not require members in business to consider such disclosure, as most state accountancy boards, CPA societies, and the AICPA prohibit reporting the matter to an outside authority without the company’s consent.

Resigning from the company, which may not be the last step in the process, may be appropriate in extreme cases. Within 10 days of her discussion with management, Francesca learns that the consultant agreed with her assessment about the company’s application of federal pension regulations. The CEO appoints an internal team, which includes Francesca, to work with the consultant and resolve the noncompliance. Rob resigns from the company, and the board of directors reprimands Shelly for failing to act on the information that was brought to her attention.

The NOCLAR standard encourages Francesca to document the matter, including her discussions with management, how management and the board responded, the courses of action she considered, and her conclusion that she met the standard’s objectives.

Junior accountant in business.

Samir Gupta works as an accounting manager in the controller’s office of Millian Radiology under the same fact pattern as above. One of the company’s sales agents convinces Samir that he and other sales agents’ earnings are not being properly credited under the company’s pension plan. Samir is familiar with the pension calculations being performed, does some research, and becomes concerned that the company might not be complying with federal pension regulations.

Samir should ensure that he has an adequate understanding of the matter, including the nature and circumstances of the noncompliance. Having performed his own research, he should also consult confidentially with technical experts and others as needed to confirm his understanding of the regulations and the facts before proceeding. Samir should inform his immediate superior, the controller, to enable him to take appropriate actions. If the controller appears to be involved in the matter, Samir should discuss this matter with the next higher level of authority in the company, up to the board of directors if necessary.

In truly exceptional circumstances, and only if the applicable laws and regulations allow, Samir may disclose the matter to an appropriate authority. He should exercise extreme caution and act in good faith when taking such action; legal assistance is advised. No such action would be expected under the AICPA proposal; however, if dealing with the company’s auditor, Samir should consider his obligation to make full disclosure to the auditor.

Samir is encouraged to document the matter, including his discussions with management, how management and the board responded (if applicable), the courses of action he considered, and his decisions.

What if Samir becomes aware that one of Millian’s suppliers has committed NOCLAR? Does this change the application of the NOCLAR standard? Yes. Because the standard only requires action when a PA knows of or suspects that management, those charged with governance, or persons working for management or those charged with governance committed the NOCLAR, the standard would not apply in this instance.