The P7 exam and syllabus

The syllabus and study guide for P7 (INT) and P7 (UK), Advanced Audit and Assurance includes section
G1 (a) on professional and ethical developments which requires candidates to ‘discuss emerging
ethical issues and evaluate the potential impact on the profession, firms and auditors’ and G1 (b)
‘Discuss the content and impact of exposure drafts, consultations and other pronouncements issued
by IFAC and its supporting bodies.’ This article is intended to provide insight into recent developments
to the International Ethics Standards Board’s Code of Ethics for Professional Accountants (IESBA) in
relation to the auditor’s response to non-compliance with laws and regulations. The article is also
relevant to all other P7 exams.

Introduction

The International Ethics Standards Board (IESBA) issued their final pronouncement on Responding to
Non-Compliance with Laws and Regulations (NOCLAR) in July 2016. The pronouncement is an
examinable document from the exam year starting September 2017. In practice, the pronouncement is
effective from July 2017 with earlier adoption permitted. The new standard adds sections 225 and 360
to the IESBA’s Code of Ethics for Professional Accountants (the Code). The purpose of the new sections
is to address the responsibilities of Professional Accountants in Public Practice (including auditors) and
Professional Accountants in Business when they become aware of NOCLAR. The standard also contains
consequential and conforming amendments to a number of existing sections of the Code.

What is NOCLAR?

NOCLAR is defined by the new standard as comprising acts of omission or commission, intentional or
unintentional, committed by a client, or by those charged with governance, by management or by other
individuals working for or under the direction of a client which are contrary to the prevailing laws and
regulations.

The non-compliance which the standard addresses is concerned with laws and regulations which are
generally recognised to have a direct effect on the determination of material amounts and disclosures in
the client’s financial statements. It also addresses other laws and regulations which may be fundamental
to the operating aspects of the client’s business, to its ability to continue its business or to avoid
material penalties. It is worth noting that the standard does not include within its scope any matters
that are clearly inconsequential or any personal misconduct which is unrelated to the business activities
of the client or employer.

Background and aims

The NOCLAR project originated from an attempt to address concerns from the regulatory community
and other stakeholders that the Professional Accountant’s (PA’s) duty of confidentiality under the Code
was acting as a barrier to the disclosure of possible NOCLAR to appropriate public authorities. While
emphasising the binding nature of the duty of confidentiality, the existing Code identified general
circumstances where disclosure may be appropriate including when a PA considers it to be in the public
interest. The existing Code acknowledged that this is a difficult area to decide on and that as a result, it
will often be appropriate to take legal advice.
The new standard aims to raise the ethical bar for the global accountancy profession and to increase the
emphasis on PAs’ duties and responsibilities in this area. It importantly represents the first time that
accountants have been permitted to set aside the duty of confidentiality, which is a fundamental
principle in the Code, in order to disclose NOCLAR to appropriate public authorities in the circumstances
prescribed. The new standard is intended to sit alongside and supplement the existing guidance on this
area contained within the International Standards on Auditing (ISAs). It is noteworthy in this regard that
in October 2016, the International Auditing and Assurance Standards Board (IAASB) amended the ISAs in
order to enhance auditor focus on non-compliance with laws and regulations and to enable the ISAs to
be applied effectively alongside the IESBA Code by clarifying and emphasising key aspects of the IESBA
Code in the IAASB’s Standards. The most significant revisions have been to ISA 250 Consideration of
Laws and Regulations in an Audit of Financial Statements which now directly references the Code and
the additional responsibilities under law, regulation or relevant ethical requirements regarding an
entity’s non-compliance with laws and regulations. It acknowledges that these may differ from or go
beyond the ISA itself.

Concerns were also expressed that auditors were simply resigning from client relationships as a result of
suspected or identified NOCLAR without the matter being appropriately addressed. Moreover, it was
felt that there was a lack of guidance in the Code about the thought process and the relevant factors to
consider in determining how best to respond to potential NOCLAR in the public interest. While the
existing Code implicitly required PAs not to turn a blind eye to potential NOCLAR, there were no clear
and explicit requirements on how to respond. There was a risk that the duty of confidentiality would put
PAs in a conflict situation and confuse their response. NOCLAR enables PAs to override their duty of
confidentiality where there is a strong public interest in the matter.

The NOCLAR guidance therefore aims to ensure that PAs respond to identified or suspected NOCLAR on
a timely basis in order to rectify, remediate or mitigate its potentially adverse impact on stakeholders
and the general public. The increased emphasis on PAs’ duties and responsibilities in this area should
also serve to stimulate increased reporting of NOCLAR and even to act as a deterrent to non-compliance
by audited entities.

A differential approach

The NOCLAR guidance prescribes a differentiated approach for auditors, other PAs in public practice as
well as for senior level and other PAs in business. While the basic ethical principles are the same for all
PAs, the implementation of these principles differs according to their roles, levels of seniority, spheres of
influence and the different levels of public expectations. In the context of the P7 exam, however, we will
concentrate on the prescribed approach to NOCLAR for the auditing profession.

Responsibilities of auditors

The NOCLAR guidance provides a clear framework for auditors to follow when addressing an instance of
non-compliance or suspected non-compliance.

Obtaining an understanding of the matter

The first step in this framework is that the auditor should obtain a full and clear understanding of the
matter including the nature of the act and the circumstances in which it has occurred.
An auditor has always been required to obtain a good understanding of the environment in which a
client operates including any relevant laws and regulations. However, the auditor is not expected to be
an expert on a wide range of laws and regulations and the new standard does not specifically increase
the auditor’s responsibilities in this regard. Rather, the auditor is expected to apply their knowledge,
professional judgement and expertise but they are not expected to have a knowledge of laws and
regulations that is greater than that which is required to undertake the assignment in the first place.

In order to clarify whether an instance of non-compliance has occurred, the auditor should consider
consulting with other members of the firm on a confidential basis, with a network firm or relevant
professional body. The auditor should also consider taking legal advice. If the auditor suspects non-
compliance has occurred, they should discuss the matter with the appropriate level of management
and, where appropriate, those charged with governance in order to clarify understanding of the facts
and circumstances surrounding the matter together with its potential consequences. In assessing the
appropriate level of management, the auditor should consider any potential involvement or collusion in
the matter together with the ability of management to carry out investigations and take appropriate
action.

Addressing the matter

In discussing an instance of non-compliance or suspected non-compliance with management and, where
appropriate, those charged with governance (TCWG), the auditor should advise them to take timely and
appropriate actions in order to resolve the situation, to deter possible non-compliance or to disclose the
matter to an appropriate authority where it is required by law or regulation or it is considered necessary
in the public interest. The auditor must also ensure their own compliance with laws and regulations
together with the requirements under auditing standards. With respect to auditing standards, the
auditor should have particular regard to those relating to:

 Identifying and responding to non-compliance, including fraud.

 Communicating with those charged with governance.

 Considering the implications of the non-compliance or suspected non-compliance for the

auditor’s report.

Communication with respect to groups

In the context of a group audit, the auditor should consider their responsibilities to report instances of
non-compliance or suspected non-compliance to the group engagement partner unless prohibited from
doing so by law or regulation.

Determining whether further action is needed

The auditor should assess the appropriateness and effectiveness of the response of management and
TCWG to the matter, including the timeliness of the response and the extent of investigation and
remedial action, and in the light of this response, the auditor must determine objectively if further
action is needed in the public interest. This will involve the exercise of professional judgement and the
auditor must take into account whether a reasonable and informed third party would, after weighing all
of the specific facts and circumstances, be likely to conclude that the auditor has acted appropriately in
the public interest.
Where the auditor decides that further action is necessary, it might include, for example, disclosing the
matter directly to the appropriate authority and withdrawing from the engagement and client
relationship. In response to the concerns that auditors were simply resigning from client relationships as
a result of suspected or identified NOCLAR without the matter being appropriately addressed, however,
the guidance clarifies that withdrawing from an engagement should not be a substitute for taking other
actions which may be needed to achieve the auditor’s objectives. The standard does though recognise in
this regard that in some jurisdictions there may be limitations on the further actions which the auditor is
able to take and acknowledges that withdrawal may be the only available course of action. Following
withdrawal, the outgoing auditor is required to co-operate with the proposed successor auditor and on
request, to provide all of the facts and information concerning the identified or suspected non-
compliance which the latter needs to be aware of.

Determining whether to disclose the matter to an appropriate authority

The determination of whether to disclose the identified or suspected non-compliance to an appropriate
authority, assuming such disclosure is not precluded by law or regulation, depends on the nature and
extent of the actual or potential harm which might be caused to investors, creditors, employees or the
general public. The guidance gives examples of indicative situations where disclosure might be
appropriate and of external factors to consider. These examples include references to an entity being
involved in bribery and tax evasion or to breaches of regulation which might impact adversely on
operating licences, financial markets or public health and safety. The standard also clarifies that in
exceptional circumstances where the auditor believes there may be an imminent breach of a law or
regulation, they may need to disclose the matter immediately. The decision to disclose will always be a
matter for the auditor’s judgement and where the disclosure is made in good faith, it will not constitute
a breach of the duty of confidentiality under Section 140 of the Code. This latter clarification, in
particular, should serve to increase the auditor’s confidence in their ability to breach the principle of
confidentiality where they deem it to be necessary under the NOCLAR guidance. This should also help to
resolve the potential conflict for the auditor between their ethical duty of confidentiality and their
professional duty of disclosure in the public interest.

Documentation
The auditor is required to document the process of compliance with the NOCLAR guidance including the
response of management and those charged with governance, the courses of action considered, the
judgements made and the decisions taken.

The need for support

The IESBA acknowledges that the accountancy and auditing profession will not resolve the NOCLAR issue
in isolation and that it requires the support and co-operation of other professions together with
governments, legislators and regulators. In particular it is hoped that governments will introduce and
strengthen legislation addressing NOCLAR and will provide protection for whistle blowers and to
auditors and other PAs who implement the standard. The ultimate success of the project is also
dependent on governmental authorities acting appropriately in response to the NOCLAR reports which
they will receive under the requirements of the standard.