How Valuable Is Client Confidentiality to You?
Available Languages: English | Russian
- How should professional accountants behave when they come across something that leads them to suspect that a client or an employer has breached or is about to breach a law or regulation?
- Is it in the public interest for professional accountants to break client confidentiality in serious cases, or could the unintended consequences of disclosure have implications that are contrary to the public interest?
These are some of the key questions that the International Ethics Standards Board for Accountants® (IESBA®) has been debating recently.
The IESBA first issued an Exposure Draft (ED) proposing changes to the IESBA Code of Ethics for Professional Accountants (the Code) to address these questions in August 2012. These proposals proved to be highly controversial and feedback was mixed. In view of the seriousness of the issues, the IESBA subsequently held a series of three roundtables during 2014 to solicit further views and input on the issues. The IESBA then published a significantly amended second Exposure Draft in May 2015. The comment period runs until September 4, 2015.
The issues involved are highly sensitive and complex, and potential unintended consequences also need to be considered. With regard to the IESBA’s current proposals, as is often the case, “the devil is in the detail.” While the majority of professional accountants will hopefully not have encountered serious instances of unlawful behavior by clients, certain aspects of the proposals have the potential to impact the entire profession in unintended ways.
In summary, we believe it is crucial to the entire profession that changes to the Code do not inadvertently damage the public’s confidence in the requirement for professional accountants to maintain strict professional secrecy (client confidentiality). While much of what the IESBA is currently proposing makes sense, the issue of breaking client confidentiality is one key issue that still warrants closer deliberation. In terms of practical application, there is a world of difference between the IESBA’s intentions and the current proposals. Contrary to the IESBA’s stated intent, the proposals as drafted will not leave an auditor “free to choose” when to disclose a serious instance of unlawful behavior on the part of a client to an external authority, but instead introduce a de facto requirement in specific circumstances and a great deal of uncertainty as to “if and when” this might be done in many other circumstances.
Consequently, this aspect of the IESBA’s current proposals—if unchanged—has the potential to ultimately affect the relationship of trust between auditors, and other professional accountants in practice, and their clients worldwide. SMPs are certainly concerned that this uncertainty may drive both audit and non-audit clients away from the profession.
We have summarized the main issues below, and we encourage all of those who read it to join the debate as there are some fundamental issues at stake. For the sake of brevity, this article concentrates on the auditor’s perspective, although many of the issues explored may apply equally to practitioners in public practice and professional accountants employed within industry. These proposals affect all SMPs who come across non-compliance with laws and regulations in their professional work.
What Is the Problem?
Surely no one who pays attention to the daily news can trivialize the potential scale of the impact that the illegal behavior of a relatively small minority can have on society as a whole.
Only those who gain from such acts would disagree that concerted action to stamp out this type of behavior is desirable in the interests of the public at large. However, for a multitude of reasons, combatting such behavior is no easy task.
Where Do Professional Accountants and Their Ethics Code Come In?
It is generally accepted the accountancy profession is entrusted with a public interest role. Thus, all professional accountants have to live up to certain expectations in this regard.
The IESBA has recently been debating the public interest role of the accountancy profession in the context of what it has termed NOCLAR (“non-compliance with rules and regulations”). It has concluded that misconduct, by a professional accountant’s clients or employers, poses an ethical issue and, consequently, professional accountants may not turn a blind eye when they come across instances of NOCLAR in their professional work.
This makes sense—professional accountants should certainly not act against their public interest mandate or allow themselves to become accessories to illegal behavior. However, deciding how the Code should be revised to deal with this specific issue has proven quite difficult thus far, and certain key aspects of the current proposals now demand detailed scrutiny, not least because they could lead to unintended consequences.
What Do Professional Accountants Do Currently When They Encounter NOCLAR?
During their daily work, professional accountants may come across apparent instances of questionable behavior within an accounting context. Following up on such suspicions and, when suspicions cannot be readily dispelled, talking to their client or employer is an obvious step for all professional accountants to take (see ISATM 250.19 for an example). The aim is to enable action to rectify, remediate, or mitigate the consequence of NOCLAR and to deter commission where NOCLAR has not yet occurred. For example, in an audit under the current ISA, besides assessing any impact on the financial statements and the auditor’s report, the auditor is required to alert the company’s officers to the situation, so that they can take appropriate action in line with their respective management and governance responsibilities within the company.
However, like many other professions, such as law and medicine, a key feature of the accountancy profession is the requirement for professional accountants to maintain strict professional secrecy (client confidentiality) and not discuss their clients’ affairs with others. It is generally accepted that without strict adherence to confidentiality, the very clients that the professional is seeking to help may withhold vital information, thus limiting the professional’s ability to provide them with high-quality service. The ISA currently require auditors to determine whether they have a “responsibility to report an identified or suspected non-compliance to parties outside the entity.” The accompanying guidance in ISA 250.A19 and A20 refers to the auditor’s legal responsibility, or obligation, in a public sector context.
Indeed, laws and regulations governing matters such as money laundering, bribery, and corruption already exist in many, but not all, jurisdictions. One recent legal initiative is the EU audit policy regulation, which introduces new provisions for auditors of public interest entities to report certain matters externally when their client refuses to investigate a matter the auditor has drawn to their attention. Such laws usually clearly define the subject matter, set thresholds, and specify provisions to prevent tipping-off perpetrators and to protect whistle-blowers, as well as requiring all those with potential knowledge of such instances to play a role—including bankers, lawyers, accountants, and so on—lifting client confidentiality requirements solely for these specific instances. Thus, laws and regulations generally aim to provide a concerted approach to combatting specific acts, assign a clear role to professional accountants, and provide legal certainty for all parties concerned.
What Did the IESBA Originally Propose, and What Is the IESBA Now Proposing?
The IESBA noted that professional accountants have both an ethical duty and a public interest mandate to address instances, or suspected instances, of NOCLAR and determined that changes were needed to the Code in order to clarify the public interest connotations. Interestingly, the IESBA has taken a different stance from certain other international standard setters in this context: while other standard setters generally use an approach whereby compliance with the standard means that the professional accountant is deemed to have acted in the public interest, the IESBA is proposing the introduction of a “public interest test” in the Code. In practice, this approach is likely to be problematical as there is no common understanding as to what constitutes the public interest.
The IESBA’s proposals include separate sections for professional accountants performing audits of financial statements, professional accountants in public practice providing services other than audits of financial statements, and professional accountants in business.
Several aspects of the original proposals have been revised. In particular, the IESBA has now decided not—as originally had been proposed—to include a direct requirement within the Code for professional accountants to break client confidentiality and report certain suspected and identified instances of illegal acts to a relevant external authority. This particular aspect was highly controversial for a variety of reasons. Legal opinion subsequently obtained by the IESBA underscored the concerns raised by many professional accountants, and, in particular, highlighted “significant unintended consequences of the professional accountant becoming a quasi-investigator or prosecutor in relation to NOCLAR.” Pages 14 et seq. of the Explanatory Memorandum to the current Exposure Draft provide further details as to the various issues involved.
While much of what the IESBA is currently proposing makes sense, the issue of breaking client confidentiality is one issue that still warrants closer deliberation. The IESBA’s current proposals still seek to extend the professional accountant’s current role in certain, albeit relatively rare, circumstances for instances of NOCLAR that are deemed potentially substantially harmful to the wider public, including to investors, creditors, or employees. In the Explanatory Memorandum, the IESBA states that its intention is to allow professional accountants to take such further action as may be needed in the public interest, and for the professional accountant to be free to disclose confidential information outside the entity, i.e., to be allowed (and not required) to do so, even when disclosure is not required by law or regulation.
As explained in the next paragraph, the current proposals contain a de facto requirement for auditors to break client confidentiality in certain circumstances where substantial harm may be involved and disclosure is deemed to be in the public interest. For other professional accountants, there is more flexibility proposed than for auditors, although this area is still likely to be highly contentious.
According to the current proposals, the auditor is to be required explicitly to determine if further action is needed, and implicitly to determine the nature of that action. These determinations are also reinforced by a reasonable and informed third-party test. Specifically, the auditor is required to take into account whether a reasonable and informed third party, weighing all the specific facts and circumstances available to the professional accountant at the time, would be likely to conclude that the professional accountant has acted in the public interest, a challenging task in practice. In clear-cut cases, the lists of factors proposed as applicable in the given situation will dictate this determination (e.g., if all the factors clearly speak for further action). Consequently, in the event that specific circumstances exist, an auditor is not “free to choose” but subject to a de facto requirement. The lack of precise criteria, including the absence of any guidance as to how various factors interrelate with one another adds uncertainty as to when, in relation to what, and how client confidentiality might be broken beyond the aforementioned clear-cut cases.
This aspect of the current proposals gives considerable cause for concern on two fronts. Firstly the uncertainty surrounding if, what, how, and to whom auditors (and to a lesser extent other professional accountants) might break client confidentiality could—despite the IESBA having drawn back on its original proposals—ultimately affect the relationship of trust between auditors and other professional accountants in practice and their clients, which may limit their ability to provide high-quality services. Secondly, a de facto requirement for auditors in the manner proposed places them “between a rock and a hard place,” because if they disclose a matter that turns out to be unwarranted, the alleged perpetrators may seek recourse, whereas if they do not disclose what they should have done so, they will be open to claims for damages.
What Are the Possible Implications of This and Are These in the Public Interest?
If this aspect of the proposals is reflected in the final change to the Code, the impact on public expectations will likely be twofold. On one hand, the current expectations gap will increase, as the public will potentially expect professional accountants to disclose a variety matters beyond current practice and beyond national legislation, unless that legislation upholds client confidentiality. On the other hand, the uncertainty surrounding exactly when professional accountants may break client confidentiality may prove to be ultimately not in the public interest.
The lack of certainty on several fronts may cause clients to become reticent about providing full information to professional accountants, thus impacting their ability to uphold the quality of their services. For auditors, this could have serious unintended consequences in terms of audit quality along the lines already mentioned in the Explanatory Memorandum. Surely, measures that have the potential to impact audit quality on such a scale cannot be in the public interest. SMPs are certainly concerned that this uncertainty may drive both audit and non-audit clients away from the profession. For example, it could have significant impacts on decisions regarding voluntary audits. Even if this does not happen, any lack of full cooperation and complete information may affect SMPs’ ability to provide high-quality services. Surely, such unintended consequences are not in the public interest.
In conclusion, perhaps the real issue that should be debated is whether the IESBA Code is the appropriate medium for “allowing/de facto requiring” professional accountants to break client confidentiality. Laws and regulations in many parts of the world already allocate a role to professions, including the accountancy profession, in the fight against certain specific crimes. To the extent that these are needed elsewhere in the world, we are not convinced that it is the IESBA who should assume this role on behalf of the profession. The potential for the IESBA’s proposals to negatively impact the entire profession and its range of services, especially in the SMP sector, might actually outweigh the benefits of any additional reporting to external parties. From an SMP perspective, it may be appropriate for the IESBA to take a similar stance to the EU Commission and limit this aspect of the proposals to certain entities, rather than extending the provisions to all audits and all services provided by professional accountants in public practice. This would go a long way toward alleviating the uncertainty and its potential consequences.
What Do You Think about This Complex Issue?
Breaching client confidentiality in the way currently proposed, particularly without legal certainty or support, is a critical issue as far as SMPs are concerned.
The IESBA is seeking comments on its proposals until September 4, 2015.
How would you feel about breaking client confidentiality? Is the IESBA the appropriate body to deal with this in the manner proposed? Do you believe that this particular aspect would more appropriately be addressed as part of a “comprehensive legal package”? Do you believe this particular aspect of the proposals should be limited to listed entities or to entities of public interest, if at all?
We also note that in July 2015, the International Auditing and Assurance Standards Board® (IAASB®) proposed changes to amend the current requirement for auditors to determine whether they have a “responsibility to report an identified or suspected non-compliance to parties outside the entity” to a “legal or ethical duty or right to report an identified or suspected non-compliance to parties outside the entity” (see ED ISA 250.28). Depending on your views on the IESBA’s proposals, you may also be interested in looking at what the IAASB is proposing.
Whatever your views, we would encourage you to share them with the IESBA and perhaps also the IAASB!