In February 2022, the Professional Ethics Executive Committee adopted two new interpretations under the "Integrity & Objectivity Rule" (ET §1.100.001) of the AICPA Code of Professional Conduct (AICPA Code). The "Responding to Noncompliance With Laws and Regulations" interpretation (ET §1.180.010) applies to all members in public practice; ET Section 2.180.010 (under the same title) applies to all members in business. The interpretations establish a member's responsibilities when, in performing professional services, he or she encounters or is otherwise informed of a client's or employer's noncompliance with laws and regulations (NOCLAR) and guide the member on how to respond to such information. The new interpretations are effective June 30, 2023, and early implementation is allowed.
This article summarizes the key requirements that will apply to you as a member in public practice. (See this article to learn more about the responsibilities of members in business regarding NOCLAR.)
What is NOCLAR?
NOCLAR is noncompliance with a law or regulation committed by a client, including the client's governance body, management, employees, or others working under the client's direction. "Client" refers to a person or entity that engaged you or your firm to perform professional services (engaging entity) and also a person or entity with respect to which you or your firm performed professional services (subject entity). NOCLAR does not include misconduct by other persons (such as a client's supplier), clearly inconsequential matters, or personal misconduct that is unrelated to your client's business.
Members should consult the interpretation for guidance when encountering noncompliance with (1) a law or regulation that directly affects material amounts and disclosures in a client's financial statements or (2) your client's compliance with the law or regulation is fundamental to its business and operations, or to avoid material penalties.
Examples of laws and regulations addressed by the interpretation include those that deal with the following types of matters:
- Fraud, corruption, and bribery.
- Money laundering.
- Securities markets and trading.
- Banking and other financial products and services.
- Data protection.
- Tax and pension liabilities and payments.
- Environmental protection.
- Public health and safety.
The interpretation does not apply to the following types of engagements:
- Engagements to perform due diligence on another entity and the NOCLAR was committed by that other entity.
- Litigation or investigation engagements as defined in AICPA Statement on Standards for Forensic Services No. 1.
- Engagements whose primary purpose is to identify, reach a conclusion regarding, or respond to a known or potential NOCLAR.
- Engagements pursuant to which the protections set forth in Internal Revenue Code Sec. 7525 or any comparable state or local statutes apply.
- Engagements where compliance with the interpretation would cause a violation of law or regulation.
If you encounter or are made aware of noncompliance (or suspected noncompliance) that falls within the interpretation's scope, you should act timely to comply with it. You are expected to apply knowledge, professional judgment, and expertise commensurate with your engagement, but, ultimately, a court or other appropriate body would determine whether noncompliance occurred. You must comply with applicable laws, regulations, and applicable requirements under professional standards, as addressed in the "Compliance With Standards Rule" (ET §1.310.001). You should also comply with the "Confidential Client Information Rule" (ET §1.700.001), i.e., not disclose NOCLAR to a third party without the client's consent unless expressly permitted under the rule.
What is required?
The requirements that apply to you under this interpretation depend on whether you are performing a financial statement audit or review or another service — whether attest or nonattest — for a client. The requirements for both situations are summarized below:
a) For CPAs performing financial statement audit or review
When you perform financial statement audit or review services and become aware of credible information regarding an instance of NOCLAR (or suspected NOCLAR), the following requirements apply:
Understand. First, you should obtain an understanding of the matter, which includes understanding the nature of the act and the circumstances in which the NOCLAR occurred or is likely to occur. Then, you should discuss the matter with the appropriate level of your client's management and, when appropriate, those charged with governance.
Advise. In discussing the matter with management and/or those charged with governance, you should advise them to take appropriate and timely action, as addressing the NOCLAR is their responsibility.
Communicate. If a group audit is being performed and you audit a component in the group, you should communicate the NOCLAR to the group audit partner. If you are the group audit partner, you should consider whether the NOCLAR is relevant to one or more components in the group audit and, if so, communicate the pertinent information to any partner(s) responsible for the component(s).
Withdraw. You should evaluate the appropriateness of management's response to the NOCLAR and, based on that response, consider whether to withdraw from the engagement (unless prohibited by law or regulation). The interpretation provides relevant factors you should consider when evaluating management's response and considering whether to withdraw from the engagement.
Document. You should document all relevant details about the matter, including the results of discussions with management and/or those charged with governance, how management and/or those charged with governance responded, and any judgments you made and actions you took.
b) For CPAs performing service other than financial statement audit or review (other attest, tax, or advisory)
When you perform other attest, tax, or advisory services and become aware of credible information regarding an instance of NOCLAR (or suspected NOCLAR), the following requirements apply:
Understand. First, you should seek to obtain an understanding of the matter. Then, you should discuss the matter with the appropriate level of management, as addressing the NOCLAR is their responsibility. When appropriate, and if you have access to them, you should discuss the matter with those charged with governance.
Advise. In discussing the NOCLAR with management and/or those charged with governance, you should advise them to take appropriate and timely action.
Communicate. If your firm audits the client, you should communicate the NOCLAR in accordance with your firm's protocols or, lacking those, inform the audit partner. If a firm in your network is the auditor, you should consider whether to disclose the NOCLAR to that firm in accordance with that firm's protocols. Otherwise, you are precluded from disclosing the NOCLAR to your client's auditor (if one exists) unless you are required to do so under law or regulation.
Withdraw. You should consider whether to withdraw from the engagement. The interpretation provides relevant factors you should consider when making this decision.
Document. You are encouraged to document the relevant details of the matter, including results of discussions with management and (if relevant) those charged with governance, how management and/or those charged with governance responded, and any judgments you made and actions you took.
It is the responsibility of all CPAs to be vigilant regarding NOCLAR. Here is a helpful interactive decision tree to guide you through the steps you need to take when encountering NOCLAR. You have support from the AICPA. Reach out to the Ethics Hotline at 1-888-777-7077 and review the resources provided to help.
— Cathy Allen, CPA, is the managing member of Audit Conduct LLC (auditconduct.com), which provides customized self-study courses on auditor independence and professional ethics for CPA firms and other organizations. She has been a member of the AICPA Professional Ethics Executive Committee (PEEC) since May 2020. To comment on this article or to suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.