In late September 2016, Andrew Ceresney, Director of Enforcement of the Securities and Exchange Commission (“SEC”), signaled the SEC’s renewed focus on the key role played by audit committee members and external auditors as the “gatekeepers” of the financial reporting process.1 While stating that the SEC would not second-guess the good faith actions of auditors, he pledged that auditors and audit committee members who failed to reasonably carry out their responsibilities under applicable accounting standards would be held to task.2 In addition, just days before Mr. Ceresney made these remarks, the SEC made good on this promise by bringing its first enforcement action for an audit failure against a Big Four firm in nearly seven years, and its first ever independence-related action against auditors for maintaining overly close relationships with their clients.3 At the same time that the SEC was preparing this case, the International Ethics Standards Board for Accounting (“IESBA”) issued new enhanced standards for when a professional accountant should report wrongdoing by a client, even when there is no legal or regulatory requirement to do so. These developments highlight how regulators and industry groups, worldwide, expect accountants and auditors to serve as gatekeepers in preventing and reporting violations of law and securities regulations.

Audit Failures: Maintaining Professional Skepticism

On October 18, 2016, Ernst & Young LLP (“E&Y”) agreed to pay more than $11.8 million to settle charges that it failed to adequately conduct an audit of its client, Weatherford International (“Weatherford”), permitting Weatherford to inflate its earnings and issue false financial statements in violation of U.S. Generally Accepted Accounting Principles (“GAAP”).4

The SEC alleged that E&Y did not follow audit and professional care standards established by the Public Company Accounting Oversight Board (“PCAOB”) and, as a result, failed to detect that Weatherford had overstated its earnings by use of deceptive non-GAAP intercompany tax accounting practices.5 These standards require, as part of the planning and execution of an audit, that auditors continually exercise professional skepticism with “a questioning mind and a critical assessment of audit evidence.”6 Despite these standards—and regular reminders from E&Y’s own National Office that expanded procedures were necessary to comply with PCAOB standards for audits of income tax accounting—the E&Y audit team failed to question numerous suspicious tax adjustments that were brought to its attention and instead relied completely on the client’s explanation of them.7 According to the SEC, E&Y’s blind acceptance of the client’s unrealistic explanations also violated the PCAOB’s principles of professional skepticism that warn that “an auditor should not be satisfied with less than persuasive evidence because of a belief that management is honest.”8

Lack of Independence: Too Close for Comfort

About a month before the E&Y audit failure settlement related to Weatherford, E&Y also settled the first ever enforcement actions for auditor independence violations stemming from partner-client relationships.9 The SEC charged that the auditor-client relationships of two partners—one romantic—ultimately affected their independence.10 The SEC not only faulted the partners involved in the improperly close relationships but also the firm itself for failing to perform a reasonable inquiry or raise concerns about the relationships despite awareness of facts suggesting impropriety.11

Two separate actions were filed against two separate engagement teams—both involving independence impeding conduct stemming from too-close client-auditor relations. The first action involved a romantic relationship between the engagement partner and the Chief Accounting Officer of the client. The SEC noted that their relationship was “marked by a high level of personal intimacy, affection and friendship, near-daily communications about personal and romantic matters (as well as work-related matters), and the occasional exchange of gifts of minimal value on holidays such as Valentine’s Day and birthdays.”12 The second action occurred because of a client-auditor relationship that the SEC deemed to be excessively friendly.13 The conduct involved the relationship partner and Chief Financial Officer of the client taking frequent, overnight out-of-town trips, sporting events and socializing to “an excessive degree.”14

In both of the independence failure actions, the SEC highlighted the auditor’s role in protecting the public trust, and emphasized that it is the “auditor’s opinion that furnishes investors with critical assurance that the financial statements have been subjected to a rigorous examination by an objective, impartial, and skilled professional, and that investors, therefore, can rely on them.”15

International Focus on Gatekeepers

Outside the United States, IESBA recently issued a framework for auditors and other public accountants for responding to findings of Non-Compliance with Laws and Regulations (“NOCLAR”).16 These standards aim to clearly set out what steps professional accountants should take “in the public interest when they become aware of a potential illegal act,” and moves all professional accountants—not just auditors—onto the front lines “to protect shareholders and the general public from substantial harm that may stem from breaches of law and regulations.” [17]

Beyond existing legal and regulatory provisions governing how accountants should address NOCLAR, the new IESBA standards suggest that professional accountants may need to disclose illegal acts to appropriate authorities “even when there is no legal or regulatory requirement to do so.”18 Such reporting obligations will require careful and in-depth legal analysis of complicated and competing duties of the professional accountant—protecting the public interest and maintaining confidentiality. Indeed, these standards require that the accountant consider the legal and regulatory framework in the jurisdiction when responding to illegal acts, including examining whether the entity is in violation of anti-corruption and anti-bribery laws, is a systemic threat to financial markets, and even whether the entity is selling products that are harmful to the public health and safety.19 The expanded duty imposed on professional accountants by these standards necessitates involvement of legal counsel to determine close calls on legality and reporting.

In the United States, auditors have a responsibility to respond to illegal acts that are uncovered during the course of an audit. Section 10A of the Securities Exchange Act of 1934 requires that auditors report findings of illegal acts to the client’s management.20 After reporting, the auditor must assess the effectiveness of management’s remediation of the illegal act, and if the remediation is insufficient or ineffective, the auditor has a duty to report the illegal act to the client’s board of directors.21 Within one business day of the auditor’s report to the board, the directors have an obligation to inform the SEC of the report and also notify the auditor that the SEC has been informed.22 If the entity does not meet this reporting obligation, the auditor must resign from the engagement and has a duty to directly inform the SEC.23

The new IESBA standards provide for a similar procedure for auditors to run detected illegal acts up the flagpole but now are more expansive and clear and apply to all professional accountants (i.e., Certified Public Accountants, Chartered Accountants).24 The standards provide for direct reporting to a regulator of detected NOCLAR for professional accountants engaged in services other than audits of financial statements and make it clear that reporting illegal acts directly to regulators in good faith, and after the exercise of professional judgment, is not considered a breach of the accountant’s duty of confidentiality.25

Although the IESBA does not have an enforcement mechanism for its regulations, many of its standards later are adopted by other accounting regulatory bodies, such as the American Institute of Certified Public Accountants, and also are incorporated into laws and regulations in many jurisdictions. The new NOCLAR standards are likely to make their way into standards from legal and regulatory bodies in many jurisdictions.

Conclusion

All professional accountants and auditors should be aware of their legal and ethical responsibilities with respect to reporting discovery of an illegal act, conducting a routine audit and ensuring a commitment to independence. Corporations—especially those with extensive international operations—should be aware of the expansion of ethical and reporting obligations that are being placed upon its auditors and other professional accountants to proactively and diligently investigate any reports of NOCLAR. This includes monitoring adoption of IESBA ethics rules in all jurisdictions in which it operates any accounting or financial function or where its internal or external auditors may be involved. Professional accountants and auditors have always been on the front lines in their roles as public watchdogs and gatekeepers of the financial reporting process. Going forward, the SEC and IESBA’s actions signal a renewed focus on ensuring that they are fulfilling these roles and acting as the first line of defense against violations of securities laws and other related regulations.