The AICPA’s Code of Professional Conduct covers the U.S. auditor’s ethical responsibilities for integrity, public interest, loyalty, independence and due care.
The CPA performs audits by using professional skepticism. The continuous and updated detailed auditing standards from the various authorities—including the PCAOB—have increased the responsibilities on the outside CPA firms at the same time pricing pressure on the audit has made the audit profession challenging.
Coupling this pressure is the retirement of older CPAs and the lack of a pipeline of younger generations entering the field, which have created cost and time pressure on the CPA performing audits. With the latest round of PCAOB audits, we are seeing more deficiencies in the audit workpapers and especially in the testing documentation.
The AICPA’s NOCLAR interpretations (ET Sec. 1.180.010 and ET Sec. 2.180.010) have the objective to harmonize the international rules with the U.S. rules and to clarify the process for the auditor after finding non-compliance at the audit client. The tension is not about the ideological goal of the NOCLAR proposal, but the practical application and additional pressure on the auditor in the field.
The intent of NOCLAR interpretation is that the auditors would not just withdraw from an engagement when a noncompliance item is found.
This article uses two examples to show how the Interpretations might be implemented in near real-life examples. These are not authoritative application of the interpretations but illustrations to promote thoughtful consideration of how NOCLAR could affect your practice as a CPA.
It’s important to note that while providing services to clients or as an employee and you encounter an issue of noncompliance, you should seek guidance regarding your responsibilities under professional standards, state board rules and potentially seek legal advice as well. Currently, state boards may not have adopted the interpretations and there may other issues regarding client confidentiality. There may also be other prohibitions in laws and regulations, which potentially creates a trap for the unwary.
If you are reporting to the appropriate authority, it should be considered an exceptional circumstance with consideration of whether this would not be a breach of confidentiality but a good faith acting in the public interest.
Example No. 1: Theranos
Let’s take a hypothetical audit of Theranos as an example of how NOCLAR’s requirements could have played out with a client that had a product failure that was noncompliant with the FDA rules.
The auditors are to take the following steps:
Identification and assessment
Internal reporting
Documentation and consultation
Potential third-party reporting
During the audit, the audit staff member, John, notices significant discrepancies between the reported capabilities of Theranos’ blood-testing technology and the actual performance results from test samples. He also identifies unusual financial transactions and revenue figures that do match with typical industry practices.
John conducts a preliminary assessment and gathers evidence of misrepresentation and potential fraud. He reviews internal documents, emails and performance reports, and compares them with industry benchmarks. John raises his concerns with the audit engagement partner and the audit firm’s risk management team. He documents the findings and highlights the potential for significant non-compliance and fraud.
The audit engagement partner escalates the issue to Theranos’ management and the audit committee, insisting on a more thorough investigation. John meticulously documents all findings, communications and actions taken regarding the suspected non-compliance. This includes detailed notes from meetings, emails and copies of relevant financial and performance reports.
The audit firm seeks guidance from its legal team and consults with external experts in medical technology and fraud detection to understand the implications and appropriate actions. John ensures that all actions taken align with professional auditing standards and the International Ethics Standards Board for Accountants (IESBA) Code of Ethics.
The audit firm decides to perform additional audit procedures, including more in-depth testing of the technology and financial transactions. An independent review by specialists in medical technology and forensic accounting is initiated to validate the findings.
The audit firm communicates its concerns and findings to Theranos’ management and the audit committee and recommends immediate corrective actions.
Depending on the severity and the response from Theranos, the audit firm may consider disclosing the matter to regulatory authorities such as the SEC and FDA. The audit firm has a policy to protect employees who report non-compliance. John is assured of protection against any retaliation for his disclosures. He ensures that information is shared only with those who need to know, balancing the duty of confidentiality with the requirement to act in the public interest.
In this hypothetical audit, the hope is that the NOCLAR rules would cause an independent review and additional audit procedures confirming significant fraud and misrepresentation in Theranos’ technology and financial performance.
Regulatory authorities, informed by the audit firm’s findings, take appropriate action against Theranos, including fines, sanctions and criminal charges against responsible executives. The audit firm issues a modified audit opinion, clearly stating the identified issues and the potential impact on financial statements.
The case serves as a wake-up call for the entire industry, leading to stricter regulations and oversight in medical technology and financial reporting.
The problem with this example can be at the beginning and all the processes along the way. The client was infamous in their secrecy and were zealots in litigation against dissenters. The identification and assessment would probably fool John in the accuracy. Theranos had investors in that took blood samples and watched them go into the machine, then ate lunch and came back for the results from the machine after lunch. In the meantime, the blood was taken out and run on different machines in the basement.
The right answer was given to the investors.
If John was included or had a demo like this, there would be nothing that came to his attention. In reality, Theranos did not have audited financials since the audit firms had concluded that the books and records were not ready for an audit. Not having an audit did not stop this type of fraud.
In a standard audit, John would not be a Columbo-type investigator with a notepad wandering around the company asking key questions to find out from divergent responses what the likelihood that the client is lying about the efficacy of their product. The auditor would be out of the scope of their technical expertise and would not have the time and budget to fund this type of investigation.
Example No. 2: Wells Fargo
Based on what has been reported there was a history of fraudulent account creation and a problematic culture of noncompliance with rules and regulations with the bank.
The whistleblower lines showed the issues to the client and the client defended its high number of issues by saying that they encouraged reporting. The outside auditor saw the noncompliance and made the professional judgement that Wells
Fargo Bank was working on fixing the isolated problems.
The idealistic goal is that this noncompliance would have been sorted out by the auditor escalating it or refusing to complete the audit. Historically, if the auditor made a professional judgement based on management’s representations that it only had a minor impact, then why would the outcome be different after implementing NOCLAR?
The management and audit committee may show the plan for sorting out the issues and the auditor consider this a normal business issue. There are no perfect businesses that have perfect compliance on all matters. The auditor is always looking at a business that is a work in process with shifting priorities and strategic challenges.
Conclusion
Companies can have compliance officers and fill out checklists and answer inquiries regarding their compliance with rules and regulations. These additional procedures will increase cost and time for the company to complete and increase administrative burden for any new products or operation expansions. The cost of the audit and the time frame for reporting would increase. And the burden on the auditors may accelerate the number of CPAs retiring and deter more potential accounting candidates from the audit field.
One of the challenges with the NOCLAR interpretations is the auditor’s requirement to address and resolve noncompliance issues. Historically this was not clearly an auditor’s responsibility outside the scope of being a CPA.
Legal and regulatory compliance outside of the financial statements is outside of the auditor’s professional competence and would require outside experts. In addition, the auditor relies on the company for disclosure of legal and regulatory issues and the magnitude of the potential financial outcomes.
The outside auditor can test for reasonableness, but businesses fail all the time for inherent risks that they did not attend to properly or just changes in the economic environment. Having an outside financial audit does not guarantee that the business does not have fraud or other problematic issues with their products or processes. The NOCLAR interpretations burden the outside auditor with responsibilities that properly belong to the company.
Suzan Dennis, CPA is managing partner at Dennis & Dennis, LLP, CPA.