Enhanced Protections for Whistleblowers Under the Dodd-Frank Act

by Jordan A. Thomas and Eileen Z. Taylor
The Responsibilities, Rights, and Risks of Reporting Fraud

CPAs play an important role in protecting investors, and their primary duty is to serve the public, that is, all "who rely on the objectivity and integrity of certified public accountants to maintain the orderly functioning of commerce," according to the AICPA Code of Professional Conduct (ET section 53.01). Prior to the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the professional standards dealing with client confidentiality challenged a CPA's obligation to the public and created a significant dilemma for advisors who discovered attempted or actual fraud committed by a client or employer. But because the Dodd-Frank Act is a federal law, it preempts state laws that might have kept CPAs from reporting confidential information; thus, CPAs now have increased protections and can better fulfill their responsibilities to society.

The Dodd-Frank Act was a potent response to a series of corporate scandals, beginning with Enron and continuing through the current economic crisis, that defrauded countless investors and shook the financial markets. One of the Dodd-Frank Act's key provisions required the SEC to establish a whistleblower program offering significant protections and monetary awards to individuals who report possible violations of the federal securities laws, including misrepresenting or omitting important information in a company's financial disclosures, manipulating the market prices of securities, stealing customers' funds or securities, violating broker-dealers' responsibility to treat customers fairly, engaging in insider trading, selling unregistered securities, and bribing foreign officials.

Although CPAs might choose to settle issues internally, there might be times when they choose to report them to an external party in order to maintain professional integrity. In such cases, CPAs should remain cognizant of their potential eligibility to participate in the SEC's investor protection program. The importance of CPAs coming forward, either internally or externally, cannot be overstated. They can provide businesses and law enforcement authorities with early and invaluable assistance in identifying the scope, participants, victims, and ill-gotten gains associated with corporate wrongdoing. With their help, more violations can be detected and violators can be stopped earlier, which will protect investors and businesses' reputations. The ensuing discussion provides practical guidance for CPAs on the responsibilities, rights, and risks involved in detecting possible securities violations in light of the whistleblower provisions of the Dodd-Frank Act.


Through the Securities and Exchange Act of 1934, the U.S. government effectively awarded a professional monopoly to CPAs, in return for their promise to protect the public by acting as independent watchdogs over publicly traded corporations. As a result, the public expects auditors to protect it, either by reporting significant illegal acts and suspected fraud or by compelling their clients to do so. Auditors serve as one of the last lines of defense for investors before regulators and lawyers get involved.

But despite a proliferation of new standards regarding auditor independence, as well as other efforts to ensure that auditors perform this gatekeeper role, a long and unbroken series of corporate scandals revealed that the securities enforcement status quo existing before Dodd-Frank was inadequate. In addition, some have argued that professional standards on client confidentiality promote the auditor-client relationship over the auditor-public relationship (Herbert W. Snyder, "Client Confidentiality and Fraud: Should Auditors Be Able to Exercise More Ethical Judgment?," Fraud Magazine, January/February 2011, pp. 28-30).

The Public Company Accounting Oversight Board (PCAOB) acts as the de facto regulator of professional standards for audits of public companies; for all other engagements, the AICPA's Code of Professional Conduct and GAAS both provide guidance. CPAs must assess the risk of material misstatements due to fraud and design audits to identify and assess those fraud risks (Auditing Standard [AS] 12, Identifying and Assessing Risks of Material Misstatement; Statement on Auditing Standard [SAS] 99, Consideration of Fraud in a Financial Statement Audit, AU section 316, "Consideration of Fraud in a Financial Statement Audit").

When auditors detect fraud or illegal acts and deem them material, they must report the misconduct to the audit committee or full board of directors (SAS 99, AU section 316; SAS 54, Illegal Acts by Clients, AU section 317, "Illegal Acts by Clients"). In addition, auditors should write up any fraud discovered and send it to the SEC in accordance with AU section 316.82, which makes it clear that although external reporting of fraud is not ordinarily the auditor's responsibility, a duty to externally disclose might exist in order for the auditor to comply with certain legal and regulatory requirements (e.g., the Dodd-Frank Act).

Besides these more specific requirements, the PCAOB requires auditors to act with integrity and to consider their duty to the public their primary responsibility. The AICPA Code of Professional Conduct puts it best: "members should act with integrity, guided by the precept that when members fulfill their responsibility to the public, clients' and employers' interests are best served" (ET section 53.02).

Congress has also gotten involved. Under the Sarbanes-Oxley Act of 2002 (SOX), each public company should have an audit committee that oversees and governs the integrity of financial reporting within the company. This committee should also oversee the company's internal and external auditors. Upon finding evidence of fraudulent accounting, external auditors are required under SOX section 404(B) to communicate their findings to the audit committee, or to the entire board of directors in the absence of an audit committee. For accelerated and larger filers, this requirement extends to findings by the external auditor of material weaknesses in the client's internal controls that put the client at risk of fraud. In addition, section 10A of the Exchange Act of 1934 sets forth mandatory procedures for the reporting of material fraud or other illegal conduct detected during an audit of an issuer's financial statements (see Exhibit 1 in PDF to the left).

Despite the requirements of SOX and section 10A, auditor reporting and corporate self-reporting of significant possible securities violations occur infrequently (Francine McKenna, "Are Auditors Reporting Fraud and Illegal Acts? The SEC Knows But Isn't Telling," Feb. 22, 2012, http://retheauditors.com/2012/02/22/are-auditors-reporting-fraud-and-illegal-acts-the-sec-knows-but-isnt-telling/). For many reasons, auditing firms might choose to quietly resign from an engagement rather than report possible violations to the SEC. History has shown that whistleblowers (including those who do so as part of their professional obligation) can face several negative outcomes, including job loss, retaliation, emotional distress, and loss of future earnings. Prior laws, including SOX, did not adequately protect whistleblowers (Richard E. Moberly, "Unfulfilled Expectations: An Empirical Analysis of Why Sarbanes-Oxley Whistleblowers Rarely Win," William and Mary Law Review, vol. 49, no. 1, 2007, pp. 65-155), discouraging individuals from reporting possible fraud and securities violations. In many ways, the Dodd-Frank Act's whistleblower provisions address these weaknesses and provide new and significant protections and incentives for all individuals, including CPAs, to report possible violations of the securities laws to the SEC and other law enforcement or regulatory organizations.


With few exclusions or qualifications, any individual or group of individuals, regardless of citizenship, can make a whistleblower submission. Accountants are specifically permitted by both the Dodd-Frank Act and the rules established by the SEC to report any possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur. The reported misconduct may occur anywhere in the world. International organizations and individuals that do business or have contacts with the United States may also be subject to this jurisdiction. Furthermore, the source of the information submitted to the SEC by an accountant whistleblower can be derived from independent knowledge or analysis of publicly available information. Significantly, accountant whistleblowers are permitted to report possible violations anonymously if represented by counsel.

The law is clear here: employers and accounting firms may not directly or indirectly discharge, demote, suspend, threaten, harass, or in any way discriminate against whistleblowers who provide information to the SEC under the rules of the program. These protections exist regardless of whether the alleged securities violations are proven, as long as submissions are made in good faith. In the event of retaliatory action, the legislation establishes significant remedies, including reinstatement with equivalent seniority, two-times back pay with interest, attorney fees, and other related expenses. These protections are triggered when a whistleblower makes a written submission to the SEC in accordance with the program's rules.

Furthermore, the Dodd-Frank Act requires the SEC to pay whistleblowers 10%-30% of the monetary sanctions collected as a result of a successful SEC enforcement action in excess of $1 million; this also applies to related enforcement actions brought by other law enforcement organizations. These awards can be substantial. In the 2011 fiscal year, the SEC collected monetary sanctions exceeding $3 billion, including several cases in which the sanctions exceeded $100 million. Under the circumstances described in the following sections, whistleblowers are authorized to receive monetary awards (see Exhibit 2 in PDF to the left).

Discovery through audit. Monetary awards can be granted to a whistleblower if the violation was discovered through an audit of a company's financial statements (including quarterly reviews and annual audits, according to the SEC) and the whistleblower has a reasonable basis to believe that:

  • the disclosure is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the entity or investors,
  • the relevant entity's conduct will impede an investigation of the misconduct, or
  • the whistleblower's submission would not otherwise be contrary to the requirements of section 10A of the Exchange Act of 1934.

In assessing this, the SEC is likely to consider whether the audit firm conducted an inquiry into the possible securities violation and the quality of that inquiry; the response to the allegation of an illegal act and whether the audit firm followed the requirements of section 10A; the whistleblower's position and any role played in the audit firm's violation; the whistleblower's role in the section 10A inquiry; and the timing of the whistleblower's submission.

Discovery during an engagement required by securities laws. A whistleblower can receive monetary compensation if the violation was discovered during an engagement required by securities laws (including annual audits of broker-dealers under Rule 17a-5 of the Exchange Act of 1934 and examinations to determine whether investment advisors are in compliance with the regulations governing custody of client funds), but not an audit of a public company's financial statements, if:

  • the whistleblower has a reasonable basis to believe that the disclosure is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the entity or investors;
  • the whistleblower has a reasonable basis to believe the relevant entity's conduct will impede an investigation of the misconduct; or
  • the whistleblower reported the information to the relevant entity's audit committee, chief legal or compliance officer, the whistleblower's supervisor, or the whistleblower received the information under circumstances indicating that the aforementioned individuals were already aware of it, and more than 120 days have elapsed.

Discovery unrelated to auditing. If the violation was discovered by an accountant while representing an auditing client of the accountant's firm in an unrelated capacity, the whistleblower can receive a monetary award.

Potential wrongdoing by an auditing firm. Whistleblowers can obtain a monetary award if the violation involves potential wrongdoing by an accountant's auditing firm, including, but not limited to, failing to comply with the requirements of section 10A of the Exchange Act of 1934. Whistleblowers must make specific and credible allegations that their public accounting firm violated the federal securities laws or professional standards. Such an allegation must be made in good faith and must not be a pretext for circumventing the requirements of section 10A. If a specific and credible allegation against an accounting firm is made and results in a successful SEC enforcement action against the engagement client, its officers, or employees, then the whistleblower can obtain a monetary award for that action as well.

Discovery by an accountant whose duties involve compliance or internal audit responsibilities. Monetary compensation can be awarded to accountants who discover wrongdoing in their own organization. The whistleblower must:

  • have a reasonable basis to believe that the disclosure is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the entity or investors;
  • have a reasonable basis to believe the relevant entity's conduct will impede an investigation of the misconduct;
  • have reported the information to the relevant entity's audit committee, chief legal or compliance officer, or the accountant's supervisor; or
  • have received the information under circumstances that indicated that the aforementioned individuals were already aware of it, and more than 120 days have elapsed.


What are the risks of reporting suspected fraud? Most CPAs primarily fear violating client confidentiality rules and losing their state-issued licenses. Understandably, many accountants feel obligated to serve their clients first, and fear that disclosing client confidences to the SEC would undermine their relationship with those clients.

The AICPA Code of Professional Conduct (as well as SAS 107, Audit Risk and Materiality in Conducting an Audit, and SAS 114, The Auditor's Communication with Those Charged with Governance), adopted by the PCAOB as interim regulations, requires a CPA, upon the discovery of fraud or an illegal act, to evaluate whether it will have a material effect on the client's financial statements, and if so, to notify those charged with governance (i.e., the audit committee or the full board of directors). If the client then refuses to properly account for or disclose the act, the CPA should issue a qualified or adverse opinion. If the client refuses to accept the opinion, the auditor should withdraw from the engagement.

Furthermore, the AICPA Code of Professional Conduct states that a "member in public practice shall not disclose any confidential client information without the specific consent of the client" (ET section 301.01). Similarly, CPAs who hold a certificate in management accounting or a certificate in internal auditing are generally bound by codes of conduct that prohibit external reporting of confidential client information. (See the Institute of Management Accountants' Statement of Ethical Professional Practice, which limits disclosure of confidential client information unless authorized or legally required, and the Institute of Internal Auditors, which limits disclosure unless there is a legal or professional obligation to do so.)

As the map in Exhibit 3 (in PDF to the left) shows, many states employ a code of conduct that closely follows that of the AICPA. State laws regarding client confidentiality represent a legitimate concern for CPAs because state licensing boards have the power to deactivate a professional from practice for violating its rules. In practice, however, CPAs are not at risk of violating any state confidentiality rules by making a whistleblower submission that complies with the SEC's rules. First, the AICPA Code of Professional Conduct expressly states that the rule does not "prohibit a member's compliance with applicable laws and government regulations" (ET section 301.01). Because the Dodd-Frank Act and the SEC's implementing rules broadly define a whistleblower and expressly permit accountants to participate in the program, a whistleblower who reports possible securities violations consistent with the program's rules would be acting in "compliance with applicable laws and government regulations" (ET section 301.01). Accordingly, the accountant would not be violating confidentiality rules.

Even if reporting to the SEC did violate a whistleblower's duty of confidentiality, the Dodd-Frank Act and the SEC's rules would preempt any conflicting state confidentiality rules. Thus, state action is generally preempted by federal law and must be invalidated when it "stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress" (Hines v. Davidowitz, 312 U.S. 52, 67 [1941]). Federal regulations that have been duly promulgated by a federal agency pursuant to a valid congressional delegation have the same preemptive effect as federal statutes. In this case, section 922(a) of the Dodd-Frank Act clearly and unequivocally manifests Congress's objective to permit and encourage whistleblowing by accountants, albeit in limited circumstances. The legislation lists several classes of persons who are excluded from participation, but this list does not include accountants. In addition, the SEC's implementing rules expressly permit accountant whistleblowers to fully participate in the program. Accordingly, any state disciplinary rule that would subject an otherwise qualifying whistleblower to potential disciplinary action would be preempted by the Dodd-Frank Act and would be considered invalid. In other words, even if a CPA's state board forbade release of confidential client information, the federal law would take precedence over the state restriction, removing the risk of losing one's license due to confidentiality violations.

Best Practices

Contrary to popular belief, accountants are not prohibited from reporting fraud and other violations externally; rather, under the Dodd-Frank Act, they are called upon to make ethical choices about what to do when they identify possible violations of the federal securities laws. Accordingly, what should a CPA do when considering whether to become an SEC whistleblower?

First, in most cases, potential whistleblowers should report possible securities violations to their employers or clients in accordance with relevant rules and regulations. After all, compliance with the federal securities laws is promoted when accountants and entities work together to uncover wrongdoing and ensure that those responsible are held accountable.

Second, a CPA's duties to the public and to investors should not be sacrificed in order to comply with nonbinding professional conduct standards.

Third, although the rules for the SEC whistleblower program only require a whistleblower to have a reasonable belief that a possible securities violation has occurred, is ongoing, or is about to occur, potential whistleblowers should attempt to confirm the existence of a violation before reporting to the SEC. This practical step will help prevent unnecessary external reporting and minimize the risk of any adverse determinations.

Fourth, when internal reporting is inappropriate (e.g., due to the nature of the alleged misconduct and those involved, including, but not limited to, exigent circumstances where significant investor harm is imminent or the organization is engaging in conduct that will impede an investigation of the misconduct) or has proven ineffective, potential whistleblowers should consult independent legal counsel regarding the risks and requirements (both ethical and procedural) associated with reporting possible securities violations to the SEC.

Finally, CPA whistleblowers who fear retaliation by their employers or clients should consider reporting possible securities violations anonymously to the SEC with the assistance of counsel.