Company controller Plony, CPA, prepared his employer’s 2007 financial statements knowing that they misstated revenues. The company’s CEO, who could fire Plony at will, “strongly urged” Plony to record sales at full invoice prices despite customers’ rights to return merchandise long after a normal return period. Plony’s brother-in-law, a company in-house lawyer, wrote the sales contracts and assured Plony that recording the full sales amounts was appropriate. After investigating the misstatement, the Illinois Department of Financial and Professional Regulation revoked Plony’s CPA certificate for “negligence in the preparation of financial statements” and “subordination of judgment” even though he was not in public practice.
In another ethics violation case, the California Board of Accountancy disciplined Hy Falutin & Co., CPAs, (the firm’s name and other facts have been modified) when it audited a bank’s financial statements while the firm’s consulting group concurrently sold the client’s debt consolidation services. The Board of Accountancy imposed a three-year CPA license probation plus frequent and costly peer reviews.
While the first example is a fictitious case intended to illustrate threats in the workplace, the second example is based on an actual situation that resulted in disciplinary action by the SEC and California Board of Accountancy. Attention to the AICPA’s Guide for Complying with Rules 102–505 could have helped these CPAs solve their ethical dilemmas and avoid violations of the AICPA Code of Professional Conduct. Using these two general examples, this article explains the guide’s “threats and safeguards” approach to achieving compliance with the AICPA Code of Professional Conduct and applies that approach to the above ethical dilemmas.
Acceptable level. A level where a reasonable and informed third party would likely conclude, weighing all specific facts and circumstances, that compliance with the rules is not compromised.
Threat. The risk that relationships or circumstances could compromise a member’s compliance with the rules.
Safeguards. Actions or other measures to eliminate threats or reduce them to acceptable levels.
The AICPA’s bylaws require all members (those providing services as employees, owners, volunteers or consultants; those in public practice, business, academia or government) to comply with the ethical requirements of the AICPA’s Code of Professional Conduct. The code’s Rules of Conduct govern members’ performance of professional services, and its interpretations and rulings provide authoritative guidance to apply those rules to specific situations.
Since the code’s rules, interpretations and rulings cannot address every possible ethically challenging relationship or circumstance, the AICPA issued on Nov. 10 A Guide for Complying with Rules 102–505 to help CPAs solve ethical dilemmas not explicitly addressed in the code. The guide’s use is not mandatory, and while it helps CPAs comply with the code in unusual ethical relationships or circumstances, the guide can never justify noncompliance with the code.
The guide’s approach to ethical dilemmas applies to all rules except Rule 101, Independence, for which the Conceptual Framework for AICPA Independence Standards (2006, AICPA, Professional Standards, vol. 2, ET sec. 100.01) provides authoritative guidance.
Rules of Conduct Covered by the Guide
The AICPA Code of Professional Conduct includes 11 rules (AICPA, Professional Standards, vol. 2, ET sections 100 to 500):
- Rule 101, Independence
- Rule 102, Integrity and Objectivity
- Rule 201, General Standards
- Rule 202, Compliance With Standards
- Rule 203, Accounting Principles
- Rule 301, Confidential Client Information
- Rule 302, Contingent Fees
- Rule 501, Acts Discreditable
- Rule 502, Advertising and Other Forms of Solicitation
- Rule 503, Commissions and Referral Fees
- Rule 505, Form of Organization and Name
The guide’s “threats and safeguards” approach can help members comply with the rules in situations not explicitly addressed in the code—an approach that the AICPA’s Professional Ethics Executive Committee also uses when developing the code’s interpretations and rulings.
The threats and safeguards approach identifies threats to compliance with the rules and evaluates the significance of those threats. If a threat is not at an “acceptable level” (see box, “Definitions”), members should determine whether safeguards can eliminate or reduce the threat to an acceptable level and, if so, apply such safeguards or, if not, avoid the situation that creates the threat. Members should evaluate in-the-aggregate a situation with multiple threats since the cumulative effect could be at an unacceptable level.
Identifying threats. Members often face risks of encountering relationships or circumstances that could compromise compliance with the rules (in other words, “threats”) in their duties or work environments.
The guide provides six threat categories to help members identify and develop sensitivity to potential threats:
- Self-review threat. The threat that a member will not appropriately evaluate the results of prior services performed by the member himself or herself, or by an individual in the member’s firm or employing organization.
- Advocacy threat. The threat that a member will promote a client or employer’s position to the point that his or her objectivity is compromised.
- Adverse interest threat. The threat that a member will not be objective because his or her interests are in opposition to those of a client or employer.
- Familiarity threat. The threat that because of a long or close relationship with a client or employer, a member will become too sympathetic to their interests or too accepting of their work.
- Undue influence threat. The threat that a member will subordinate his or her judgment to that of an individual associated with a client, employer or other relevant third party because of the individual’s (1) reputation or expertise, (2) aggressive or dominant personality, or (3) attempts to coerce or exercise excessive influence over the member.
- Self-interest threat. The threat that a member will act in a manner that is adverse to the interests of his or her firm, employer, client or the public, as a result of the member or his or her close family member’s financial interest in or other relationship with a client or the employer.
Evaluating the significance of a threat. The existence of a threat does not necessarily mean noncompliance with the rules; rather, members should evaluate a threat’s significance by considering whether a reasonable and informed third party, weighing all quantitative and qualitative facts and circumstances, would likely conclude that the threat would compromise the member’s compliance with the rules. If this evaluation finds that the threat would not compromise a member’s compliance, the threat is at an acceptable level, requiring no further evaluation under the guide. If the evaluation finds the threat at an unacceptable level, the member should identify and apply appropriate safeguards.
Identifying and applying safeguards. Required or prohibited actions and internal control measures can serve as safeguards to eliminate or reduce threats to acceptable levels. The profession, legislation and public regulations create some safeguards for all members. Employers implement other safeguards in the specific work environment. Members in public practice also may consider their client’s safeguards when evaluating the significance of a threat.
Below are examples of safeguards and associated threats they might reduce:
- Peer reviews (actions required by the profession) that consider appropriate reliance on external evidence in attest engagements reduce undue influence threats.
- Periodic rotations of senior members on an attest engagement (actions required by Sarbanes-Oxley legislation or a firm’s internal controls) reduce familiarity threats.
- Limitations of services to clients whose billings would be significant to the firm (actions prohibited by a firm’s internal controls) reduce undue influence and self-interest threats.
- Avoiding joint ventures with a client (actions prohibited in a firm’s internal controls) reduces advocacy and self-interest threats.
- Corporate governances that restrict certain services by the corporation’s external auditors (actions prohibited by the client’s internal controls) reduce self-review threats.
- Corporate policies that stress ethical behavior and provide channels to discuss ethical issues without fear of retribution (workplace internal controls, “tone at the top”) reduce undue influence threats.
Determining which safeguard to apply requires judgment, since a safeguard’s effectiveness can vary from one environment to another. Members should analyze a particular situation’s facts and circumstances, identify significant threats and then design safeguards, considering:
- The safeguard’s objective.
- Parties who will be subject to the safeguard.
- How the safeguard will be applied (for example, uniformly, consistently, objectively).
- Who will apply the safeguard (for example, a third party, a supervisor, a computer).
A threat is reduced to an acceptable level if, after applying safeguards, a reasonable and informed third party would likely conclude that compliance with the rules is not compromised.
What if there are no effective safeguards? A threat may be so significant that no safeguard can eliminate or reduce it to an acceptable level. If so, providing the specific professional or employee service will likely cause noncompliance with the rules. While declining or discontinuing the service would prevent a rules violation, the member should also consider the stronger response of resigning from the client or employment position.
Before pursuing a course of action to resolve ethical dilemmas, a member may want to consult with legal counsel, applicable professional bodies, and appropriate firm or employer personnel. The AICPA provides an ethics hotline to assist members in this and other ethics issues. Inquiries can be made by phone, 888-777-7077 (menu option 5, followed by menu option 2), or via e-mail at firstname.lastname@example.org. Members may be well-advised to document the ethical conflict’s substance, details of discussions and suggested decisions.
Members may confront ethical conflicts due to internal or external work-environment pressures or conflicts within professional standards unrelated to threats described above. For example, a member may encounter a fraud and feel ethically bound to report it; but reporting the fraud could breach Rule 301’s mandate to maintain client confidentiality. To resolve such ethical conflicts and comply with the rules, the guide recommends that members:
a. Recognize and consider all relevant facts and circumstances, including applicable rules, laws or regulations,
b. Consider the ethical issues involved,
c. Consider established internal procedures, and then
d. Formulate alternative courses of action.
After weighing the consequences of each course of action, the member should select the course that best enables compliance with the rules.
Before pursuing the selected course of action, the member may want to consult with legal counsel, applicable professional bodies (see sidebar, “Seek Advice”) and appropriate firm or employer personnel. If the conflict remains unresolved after pursuing the selected course of action, the member should consider further consultation with those advisers to review the process and reach a different resolution. Members may be well-advised to document the ethical conflict’s substance, details of discussions and suggested decisions.
What if there is no effective resolution? If, after exhausting all reasonable possibilities, the ethical conflict remains unresolved, members will probably not be in compliance with the rules if they remain associated with the matter creating the conflict. In this case, members should consider withdrawing from the engagement team or specific assignment, and perhaps consider the stronger response of resigning from the client or employment position.
CPA Plony, whose boss urged him to record transactions contrary to GAAP and whose brother-in-law analyzed GAAP for him, should have referred to Interpretation 102-4 (ET section 102.05) that prescribes potentially confrontational actions when a member’s interpretation of GAAP differs from those of his or her supervisors.
However, with the guide’s “threats and safeguards” approach, the unwelcomed need to invoke Interpretation 102-4 might have been avoided, as in this scenario: Plony recognized the CEO’s authority to fire him at-will as an “undue influence threat” and his brother-in-law’s legal counsel as a “familiarity threat.” Plony wrote a memo to his files discussing both threats and his belief that a reasonable and informed third party, weighing all the facts and circumstances, would likely conclude that the threats—separately and in the aggregate—compromise his compliance with rules 102, 201 and 202.
He considered actions or policies that might reduce the two threats to acceptable levels and wrote to the company’s audit committee suggesting safeguards to protect his objectivity: (1) an officer’s employment termination should require a due process hearing before an independent arbitrator, allowing the officer to respond to allegations; and (2) staff preparing financial statements cannot be related to staff generating transactions or related documents. The audit committee adopted the due process personnel policy and assigned Plony’s brother-in-law to other legal matters. Plony properly deferred revenue recognition on the dubious sales in accordance with the provisions of FASB Statement no. 48.
The guide also could have helped Hy Falutin & Co., as in this revised sequence of events: Two audit team members familiar with the AICPA’s threats and safeguards approach knew that the firm’s consulting group was negotiating a client-firm joint marketing venture and wrote memos identifying a “self-review threat,” “advocacy threat,” “self-interest threat” and independence issues. Their memo labeled the threats “severe and urgent.” The lead partner found that no safeguards could adequately reduce the threats to acceptable levels, and the firm immediately withdrew from the nonaudit activities.
All AICPA members must comply with rules 102–505 of the AICPA’s Code of Professional Conduct. The recently issued AICPA Guide for Complying with Rules 102–505 provides a prudent, though not required, “threats and safeguards” approach to help members solve ethical dilemmas in situations not explicitl addressed in the code’s rules, interpretations or rulings. The guide defines six categories of threats to complying with the rules and analyzes strategies for identifying and applying safeguards to eliminate or reduce threats to acceptable levels. The guide also discusses “ethical conflict resolution” for situations where members encounter obstacles to following appropriate courses of action.
When no safeguard can reduce a significant threat to an acceptable level or when an ethical conflict remains unresolved, members will probably not comply with the rules, requiring them to consider declining or discontinuing the service, withdrawing from the engagement team or specific assignment, or even resigning from the client or employment position.
Examples of Threats to Compliance With AICPA Rules of Conduct
Situation: As part of an attest engagement, a member uses consulting work previously done by his firm.
Threat: Self-review and self-interest threats to compliance with rules 102 and 201.
Situation: A member has charged his employer with violating certain labor laws.
Threat: Adverse interest threat to compliance with Rule 102.
Situation: An employer pressures a member to be associated with misleading information.
Threat: Undue influence threat to compliiance with rules 102 and 201.
Situation: A member is directed to complete a task within an unrealistic time frame.
Threat: Undue influence threat to compliance with rules 102 and 201.
Situation: Revenue received from a single client is significant to the firm.
Threat: Self-interest threat to compliance with Rule 102.
The AICPA recently issued a guide to help CPAs comply with rules 102–505 of its Code of Professional Conduct, affecting members in public practice, business, academia and government.
The guide, while not an authoritative standard, provides an approach to help solve CPAs’ ethical dilemmas. The approach involves identifying and evaluating ethical “threats” and, if a threat is more than trivial, applying “safeguards” to eliminate or mitigate the threat.
A “threat” is the risk that relationships or circumstances could compromise a member’s compliance with rules of the AIPCA Code of Professional Conduct.
“Safeguards” are actions or other measures that eliminate threats or reduce them to acceptable levels.
Facing nontrivial threats and lacking effective safeguards, members should usually decline or discontinue the services creating the threats or consider resigning from the client or employing organization.
Martin A. Leibowitz, CPA, Ph.D., is a faculty member of the Sy Syms School of Business at Yeshiva University in New York City, and Alan Reinstein, CPA, DBA, is the George R. Husband Professor of Accounting at Wayne State University in Detroit. Their e-mail addresses, respectively, are email@example.com and firstname.lastname@example.org.
Guide for Complying with Rules 102—505, http://tinyurl.com/34hxm4
Real World Business Ethics: How Would You React?, a CPE self-study course (#731685)
Selected Topics in Professional Ethics, a CPE self-study course (#158384)
For more information or to place an order, go to www.cpa2biz.com or call the Institute at 888-777-7077.
Ethics for CPAs: Meeting Expectations in Challenging Times, by Dan M. Guy, D.R. Carmichael and Linda A. Lach; John Wiley & Sons, 2003.