At a glance
As young accountants, we have it instilled in us that it is critical to our relationship with clients to protect their confidentiality. While confidentiality will always remain a fundamental principle of our profession, changes to the global business landscape are now requiring a change to our professional thinking.
The significant impacts of money laundering and terrorism financing have been the catalysts by which the concept of confidentiality is being turned on its head.
New requirements in the Code of Ethics for professional accountants following revisions to the International Code of Ethics now allow accountants to set aside the principle of confidentiality and report client non-compliance with laws and regulations (NOCLAR) to an appropriate authority, provided that it is in the public interest and is, of course, compliant with the practitioner’s legal obligations.
The changes ensure practitioners respond in a timely way so that the adverse consequences to stakeholders and the general public are rectified, remediated or mitigated.
In short, while practitioners don’t have additional obligations to search for non-compliance, they can no longer turn a blind eye if they encounter or suspect non-compliance by their client.
Intent is irrelevant
It doesn’t matter whether the non-compliance is intentional or not. It may be any act of omission or commission by a client, including by management, those charged with governance, or by others working for or under the direction of the client, which is contrary to prevailing laws or regulations.
When you need to act:
- If there is non-compliance at any client, regardless of size or significance.
- Where non-compliance directly affects the determination of material amounts and disclosures in the financial statements.
- Where compliance may be fundamental to the entity’s operations or business, or where non-compliance may lead to material penalties (even if they don’t directly affect the financial statements), such as in environmental protection or public health and safety.
- Where non-compliance is encountered in the course of providing a professional service to a client.
When you do not need to act:
- Where matters are clearly inconsequential, such as a company secretary providing shareholders one day less than the required notice period for the AGM.
- Personal misconduct unrelated to the client’s business activities.
- Non-compliance by another party who is not the client. Another party is someone who is not involved in governance or management of the business and is not an employee or someone working under the direction of the client.
What are the practical implications for you?
The Code provides different requirements for auditors and those in public practice but all are expected to take timely action.
The action taken depends on your understanding of the matter and the potential harm to the interests of the entity, investors, creditors, employees or the general public.
All practitioners who become aware of suspected non-compliance need to gain sufficient understanding of the matter to substantiate or dispel their concerns, which may mean consulting on a confidential basis with others within their firm, a network firm, CPA Australia or another professional body or with legal counsel.
If that understanding still indicates non-compliance, then you need to discuss the matter with management or the appropriate level of those charged with governance, depending on who may potentially be involved, to enable them to investigate and take action.
Practitioners’ obligations depend on their role
Practitioners providing non-audit services should communicate non-compliance to the audit engagement partner regardless of whether they are in the same firm.
Care needs to be taken, as communication may not be appropriate if there are legal restrictions or prohibitions against “tipping off”, if the engagement is itself an investigation, if the client has informed the external auditor, or if the matter is not material to the client or group audit.
Auditors are required to advise management to take appropriate and timely action to address the consequences, deter further non-compliance or disclose the matter to an appropriate authority where required by law or regulation or where necessary in the public interest.
Auditors may also consider discussing the matter with the internal auditors or management of any controlling entity.
Auditors will also need to consider legal or regulatory obligations to report to an appropriate authority, including whether those obligations stipulate a period within which reports are to be made, and any impact on the auditor’s report.
If the client is a component in a group audit, the auditor is required to communicate the NOCLAR to the group audit engagement partner, who in turn should communicate to the auditor of other components, if relevant.
Auditors must assess whether the client’s response is appropriate, including whether it was timely, whether the matter has been adequately investigated, whether action has been taken to rectify, remediate or mitigate the consequences and to deter any further non-compliance or reduce the risk of re-occurrence, and whether adequate disclosure has been made.
All practitioners need to consider whether further action is warranted.
Action is likely to be necessary if the client’s response is inadequate, management is involved or there will be actual or potential substantial harm to the interests of the entity, investors, creditors, employees or the general public.
This may include disclosing the matter to an appropriate authority, even if not required by law, or withdrawing from the engagement and client relationship.
It may be appropriate to inform the client before disclosing the matter unless a breach is imminent, in which case the practitioner may need to immediately disclose the matter to an appropriate authority so it can intervene to prevent the breach occurring, if the breach would cause substantial harm to stakeholders.
Disclosure to an appropriate authority is not considered a breach of the duty of confidentiality under the Code of Ethics if the practitioner is acting in good faith. If withdrawing from the engagement, auditors should inform their proposed successor if requested, unless prohibited from doing so.
All practitioners should document, among other matters, courses of action considered, deliberations from consultation with experts, judgments made and decisions taken in relation to the non-compliance.
Must you disclose to an appropriate authority?
Not always. These are the “do’s and don’ts”:
- Do understand that there is no obligation to disclose to an appropriate authority, unless there is a legal obligation to do so.
- Don’t disclose to an appropriate authority if doing so would be contrary to law or regulation.
- Don’t turn a blind eye; instead, consider whether disclosure to an appropriate authority is an appropriate course of action in the circumstances.
- Do act in good faith and exercise caution.
- Do understand that disclosure to an appropriate authority will not be considered a breach of confidentiality if you decide it is the right course of action in the circumstances.
What preparations do you need to make?
Even if you have not identified any non-compliance, there are still steps that you can take to be prepared.
- Update engagement letters to reflect obligations in relation to NOCLAR – see CPA Australia (non-audit) engagement letter template
- Identify authorities relevant to the client. For example:
  - Auditors must notify ASIC about significant contraventions of the Corporations Act 2001 as well as contraventions which will not be adequately dealt with by commenting on them in the auditor’s report or bringing them to the attention of the directors, contraventions of the National Consumer Credit Protection Act 2009 or a condition of a licensee’s Australian financial services licence.
  - From 1 October 2018, accountants have obligations under the Anti-Money Laundering and Countering Financing of Terrorism Act to report prescribed transactions and suspicious transactions or activity to the Police Financial Intelligence Unit of the AFP.
- For new engagements, communicate with the previous practitioner regarding any possible non-compliance before deciding whether to accept the engagement.
At the firm level:
- Update your system of quality control to include clear assignment of responsibilities for staff and engagement partners in relation to NOCLAR and engagement acceptance procedures.
- Raise awareness with staff and partners.
Further references:
- The Code of Ethics, section 225
- CPA Australia webinar recording: Responding to Non-Compliance with Laws and Regulations
- NOCLAR resources – International Ethics Standards Board for Accountants