Responding to non-compliance with laws and regulations (NOCLAR)

A guide to the IESBA pronouncement

The P7 exam and syllabus

The syllabus and study guide for P7 (INT) and P7 (UK), Advanced Audit and Assurance includes section G1 (a) on professional and ethical developments which requires candidates to ‘discuss emerging ethical issues and evaluate the potential impact on the profession, firms and auditors’ and G1 (b) ‘Discuss the content and impact of exposure drafts, consultations and other pronouncements issued by IFAC and its supporting bodies.’ This article is intended to provide insight into recent developments to the International Ethics Standards Board’s Code of Ethics for Professional Accountants (IESBA) in relation to the auditor’s response to non-compliance with laws and regulations. The article is also relevant to all other P7 exams.


The International Ethics Standards Board (IESBA) issued their final pronouncement on Responding to Non-Compliance with Laws and Regulations (NOCLAR) in July 2016. The pronouncement is an examinable document from the exam year starting September 2017. In practice, the pronouncement is effective from July 2017 with earlier adoption permitted. The new standard adds sections 225 and 360 to the IESBA’s Code of Ethics for Professional Accountants (the Code). The purpose of the new sections is to address the responsibilities of Professional Accountants in Public Practice (including auditors) and Professional Accountants in Business when they become aware of NOCLAR. The standard also contains consequential and conforming amendments to a number of existing sections of the Code.

What is NOCLAR?

NOCLAR is defined by the new standard as comprising acts of omission or commission, intentional or unintentional, committed by a client, or by those charged with governance, by management or by other individuals working for or under the direction of a client which are contrary to the prevailing laws and regulations.

The non-compliance which the standard addresses is concerned with laws and regulations which are generally recognised to have a direct effect on the determination of material amounts and disclosures in the client’s financial statements. It also addresses other laws and regulations which may be fundamental to the operating aspects of the client’s business, to its ability to continue its business or to avoid material penalties. It is worth noting that the standard does not include within its scope any matters that are clearly inconsequential or any personal misconduct which is unrelated to the business activities of the client or employer.

Background and aims

The NOCLAR project originated from an attempt to address concerns from the regulatory community and other stakeholders that the Professional Accountant’s (PA’s) duty of confidentiality under the Code was acting as a barrier to the disclosure of possible NOCLAR to appropriate public authorities. While emphasising the binding nature of the duty of confidentiality, the existing Code identified general circumstances where disclosure may be appropriate including when a PA considers it to be in the public interest. The existing Code acknowledged that this is a difficult area to decide on and that as a result, it will often be appropriate to take legal advice.

The new standard aims to raise the ethical bar for the global accountancy profession and to increase the emphasis on PAs’ duties and responsibilities in this area. It importantly represents the first time that accountants have been permitted to set aside the duty of confidentiality, which is a fundamental principle in the Code, in order to disclose NOCLAR to appropriate public authorities in the circumstances prescribed. The new standard is intended to sit alongside and supplement the existing guidance on this area contained within the International Standards on Auditing (ISAs). It is noteworthy in this regard that in October 2016, the International Auditing and Assurance Standards Board (IAASB) amended the ISAs in order to enhance auditor focus on non-compliance with laws and regulations and to enable the ISAs to be applied effectively alongside the IESBA Code by clarifying and emphasising key aspects of the IESBA Code in the IAASB’s Standards. The most significant revisions have been to ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements which now directly references the Code and the additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non-compliance with laws and regulations. It acknowledges that these may differ from or go beyond the ISA itself.

Concerns were also expressed that auditors were simply resigning from client relationships as a result of suspected or identified NOCLAR without the matter being appropriately addressed. Moreover, it was felt that there was a lack of guidance in the Code about the thought process and the relevant factors to consider in determining how best to respond to potential NOCLAR in the public interest. While the existing Code implicitly required PAs not to turn a blind eye to potential NOCLAR, there were no clear and explicit requirements on how to respond. There was a risk that the duty of confidentiality would put PAs in a conflict situation and confuse their response. NOCLAR enables PAs to override their duty of confidentiality where there is a strong public interest in the matter.

The NOCLAR guidance therefore aims to ensure that PAs respond to identified or suspected NOCLAR on a timely basis in order to rectify, remediate or mitigate its potentially adverse impact on stakeholders and the general public. The increased emphasis on PAs’ duties and responsibilities in this area should also serve to stimulate increased reporting of NOCLAR and even to act as a deterrent to non-compliance by audited entities.

A differential approach

The NOCLAR guidance prescribes a differentiated approach for auditors, other PAs in public practice as well as for senior level and other PAs in business. While the basic ethical principles are the same for all PAs, the implementation of these principles differs according to their roles, levels of seniority, spheres of influence and the different levels of public expectations. In the context of the P7 exam, however, we will concentrate on the prescribed approach to NOCLAR for the auditing profession.

Responsibilities of auditors

The NOCLAR guidance provides a clear framework for auditors to follow when addressing an instance of non-compliance or suspected non-compliance.

Obtaining an understanding of the matter
The first step in this framework is that the auditor should obtain a full and clear understanding of the matter including the nature of the act and the circumstances in which it has occurred.

An auditor has always been required to obtain a good understanding of the environment in which a client operates including any relevant laws and regulations. However, the auditor is not expected to be an expert on a wide range of laws and regulations and the new standard does not specifically increase the auditor’s responsibilities in this regard. Rather, the auditor is expected to apply their knowledge, professional judgement and expertise but they are not expected to have a knowledge of laws and regulations that is greater than that which is required to undertake the assignment in the first place.

In order to clarify whether an instance of non-compliance has occurred, the auditor should consider consulting with other members of the firm on a confidential basis, with a network firm or relevant professional body. The auditor should also consider taking legal advice. If the auditor suspects non-compliance has occurred, they should discuss the matter with the appropriate level of management and, where appropriate, those charged with governance in order to clarify understanding of the facts and circumstances surrounding the matter together with its potential consequences. In assessing the appropriate level of management, the auditor should consider any potential involvement or collusion in the matter together with the ability of management to carry out investigations and take appropriate action.

Addressing the matter
In discussing an instance of non-compliance or suspected non-compliance with management and, where appropriate, those charged with governance (TCWG), the auditor should advise them to take timely and appropriate actions in order to resolve the situation, to deter possible non-compliance or to disclose the matter to an appropriate authority where it is required by law or regulation or it is considered necessary in the public interest. The auditor must also ensure their own compliance with laws and regulations together with the requirements under auditing standards. With respect to auditing standards, the auditor should have particular regard to those relating to:

  • Identifying and responding to non-compliance, including fraud.
  • Communicating with those charged with governance.
  • Considering the implications of the non-compliance or suspected non-compliance for the auditor’s report.

Communication with respect to groups
In the context of a group audit, the auditor should consider their responsibilities to report instances of non-compliance or suspected non-compliance to the group engagement partner unless prohibited from doing so by law or regulation.

Determining whether further action is needed
The auditor should assess the appropriateness and effectiveness of the response of management and TCWG to the matter, including the timeliness of the response and the extent of investigation and remedial action, and in the light of this response, the auditor must determine objectively if further action is needed in the public interest. This will involve the exercise of professional judgement and the auditor must take into account whether a reasonable and informed third party would, after weighing all of the specific facts and circumstances, be likely to conclude that the auditor has acted appropriately in the public interest.

Where the auditor decides that further action is necessary, it might include, for example, disclosing the matter directly to the appropriate authority and withdrawing from the engagement and client relationship. In response to the concerns that auditors were simply resigning from client relationships as a result of suspected or identified NOCLAR without the matter being appropriately addressed, however, the guidance clarifies that withdrawing from an engagement should not be a substitute for taking other actions which may be needed to achieve the auditor’s objectives. The standard does, though, recognise in this regard that in some jurisdictions there may be limitations on the further actions which the auditor is able to take and acknowledges that withdrawal may be the only available course of action. Following withdrawal, the outgoing auditor is required to co-operate with the proposed successor auditor and, on request, to provide all of the facts and information concerning the identified or suspected non-compliance which the latter needs to be aware of.

Determining whether to disclose the matter to an appropriate authority
The determination of whether to disclose the identified or suspected non-compliance to an appropriate authority, assuming such disclosure is not precluded by law or regulation, depends on the nature and extent of the actual or potential harm which might be caused to investors, creditors, employees or the general public. The guidance gives examples of indicative situations where disclosure might be appropriate and of external factors to consider. These examples include references to an entity being involved in bribery and tax evasion or to breaches of regulation which might impact adversely on operating licences, financial markets or public health and safety. The standard also clarifies that in exceptional circumstances where the auditor believes there may be an imminent breach of a law or regulation, they may need to disclose the matter immediately. The decision to disclose will always be a matter for the auditor’s judgement and where the disclosure is made in good faith, it will not constitute a breach of the duty of confidentiality under Section 140 of the Code. This latter clarification, in particular, should serve to increase the auditor’s confidence in their ability to breach the principle of confidentiality where they deem it to be necessary under the NOCLAR guidance. This should also help to resolve the potential conflict for the auditor between their ethical duty of confidentiality and their professional duty of disclosure in the public interest.

The auditor is required to document the process of compliance with the NOCLAR guidance including the response of management and those charged with governance, the courses of action considered, the judgements made and the decisions taken.

The need for support

The IESBA acknowledges that the accountancy and auditing profession will not resolve the NOCLAR issue in isolation and that it requires the support and co-operation of other professions together with governments, legislators and regulators. In particular, it is hoped that governments will introduce and strengthen legislation addressing NOCLAR and will provide protection for whistleblowers and for auditors and other PAs who implement the standard. The ultimate success of the project is also dependent on governmental authorities acting appropriately in response to the NOCLAR reports which they will receive under the requirements of the standard.


In practice, auditors will often have to deal with instances of non-compliance with laws and regulations and the IESBA’s NOCLAR standard provides important additional guidance and clarification of their duties and responsibilities in this key area. In the context of the P7 Advanced Audit and Assurance exam, candidates need to be prepared to discuss the recent developments outlined in this article as well as to consider the new guidance in their answer points to scenario-based exam questions.

Written by a member of the P7 examining team