By Laura Hay, CPA, CAE, executive vice president
Reading an ethical dilemma in a professional responsibilities course, the answers often seem obvious, and the observer’s choices clear. We question the person who fell for a thin rationalization or personal pressure, and think we would decide differently. But the stories repeat themselves.
“We judge ourselves by our intentions and others by their behavior.”
– Stephen M.R. Covey
Although different specific rules apply regarding the CPA’s responsibilities
when suspecting an illegal act by a client or employer depending on the type of engagement, they all follow a similar path:
The CPA receives information that might indicate fraudulent or other illegal activity. At that point the CPA should:
1. Obtain an understanding of the activity (which may require permissible professional consultation – see client confidentiality)
2. Inform management of the concern and management’s responsibilities
3. Consult with legal counsel regarding obligations to report to third parties and what laws or rules supersede among potentially contradictory requirements
4. Consult with legal counsel regarding whether the CPA can continue to be associated with the client or employer
Each stage of that process presents challenges.
Receiving information about an inappropriate activity
You have long expected that your Schedule C client has some “blurred lines” regarding personal and business expenses. However, the expenses don’t appear to be material, and you don’t have specific information about an inappropriate charge to the company. You are, after all, just preparing the returns with the information the client provided.
Your employee benefit plan audit client inadvertently did not include bonuses in compensation eligible for a 401(k) deduction or match. When you inform the client of the error, rather than depositing make-up contributions and reporting the error, they decide to make the employees whole by grossing up additional compensation in the current year.
Your not-for-profit employer instructed you to record contributions in a manner that may not be 100% consistent with apparent donor restrictions, but tells you they have authoritative support for the accounting treatment, and there’s no need to contact the auditors.
Compliance testing in your peer review client’s A-133 audit turned up questioned costs or other non-compliance with laws, regulations, contracts or grants. Yellow Book and Single Audit guidance specifically state that materiality is not a consideration in reporting requirements, but the client wants to correct the reporting prospectively due to immateriality.
In the real situation, it can be difficult to be objective in the face of personal risk. And the CPA may not know where they can go for help assessing the circumstances without potentially violating client confidentiality or employer fiduciary responsibilities.
The real CPA (not the one reading the article) rationalizes:
• This doesn’t meet the “gut test” for me, but who is harmed in this situation?
• When does something cross the threshold into fraud or an illegal act?
• I’m not the person responsible for the potentially inappropriate decision, and at this point, I haven’t obtained enough information to know for sure that this is wrong.
• Don’t I have a confidentiality requirement? Can I even ask someone outside the organization this question?
Statement on Standards for Tax Services No. 6, Knowledge of Error: Return Preparation and Administrative Proceedings, states that “A member should inform the tax payer promptly upon becoming aware of an error in a previously filed return, an error in a return that is the subject of an administrative proceeding, or a taxpayer’s failure to file a required return. A member also should advise the taxpayer of the potential consequences of the error and recommend the corrective measures to be taken. Such advice and recommendation may be given orally. The member is not allowed to inform the taxing authority without the taxpayer’s permission, except when required by law.”
Auditing standards discuss:
• The evaluation of audit evidence to determine if there is any reason to conclude fraud has occurred, the impact on the ability to continue the engagement, responsibilities for reporting to higher levels of management and governance, and reporting to regulatory and enforcement authorities (including a statement that legal responsibilities may, in some cases, override the professional duty to maintain confidentiality of client information.) [AU-C 240.34-.42, .A56 -.A74]
• Non-compliance with laws and regulations, essentially applying the same framework and mirroring the guidance in AU-C 240 above. [AU-C 250.17-.27] AU-C 260, The Auditor’s Communication With Those Charged With Governance, further discusses what and how to communicate to clients.
Confidentiality versus responsibilities to report to third parties
The AICPA and OSCPA Codes of Professional Conduct [Section 1.700.001], and the Accountancy Board of Ohio administrative rules [OAC 4701- 11-02] state that the member/licensee shall not disclose any confidential client information without the specific consent of the client.
The rules provide specific exceptions for:
• A validly issued and enforceable subpoena.
• Compliance with applicable laws and governmental regulations.
• Compliance with peer review or a professional ethics investigation.
In addition, the AICPA/OSCPA Codes have added a section about confidential information obtained as a result of employment or volunteer activities [Section 1.400.070.] A member would be considered to be in violation of the Acts Discreditable rule [1.400.001] if the member discloses or uses any confidential employer information without employer consent, unless disclosure is required by law.
“Unless disclosure is required by law.” Here’s the rub. From auditing standards, “Whether an act is, in fact, illegal is a determination that is normally beyond the auditor’s professional competence… The auditor’s training, experience, and understanding of the client and its industry may provide a basis for recognition that some client acts coming to his attention may be illegal. However, the determination as to whether a particular act is illegal would generally be based on the advice of an informed expert qualified to practice law or may have to await final determination by a court of law.”
Likewise, legal counsel is necessary to determine if other legal or regulatory requirements supersede the CPA’s requirement for client confidentiality, such as a criminal law obligation to report a felony, or an obligation to report under the Private Securities Litigation Reform Act of 1995. Legal counsel can also advise on civil exposure or potential whistleblower protections.
Walking is the hardest part
The final step in the above process is assessing whether you can continue to be associated with the client or employer. For a CPA firm, the firm’s quality control document should address acceptance and continuation criteria for a client who has elected not to follow legal or regulatory requirements. The assessment, at a minimum, should consider the ability of the firm to rely upon management representations given or other observed actions. In both cases, legal consultation is recommended throughout the standards to assess one’s personal or organizational exposures and risks. Sorting out potentially conflicting priorities of federal and state laws, regulatory requirements, state accountancy board statutes and rules, and AICPA/OSCPA Codes of Professional Conduct is a responsibility we assume as guarantors of trust in the economy.
The above references are by no means complete or all-inclusive. Because of that trust the public places on this profession, clients, employers and courts have held CPAs to a standard of what we “should have known” in an ethical dilemma. It’s a responsibility that can be difficult, but is the most fundamental value we provide in serving the public interest.
Laura Hay, CPA, CAE, is executive vice president of The Ohio Society of CPAs and staff liason to the Accounting & Auditing Committee. She can be reached at firstname.lastname@example.org or 614-321-2241