Being mindful of Timing, Information and Communication
Some key issues for any internal investigation will include:
Timing
- Is the self-report or notification mandatory or does a trigger point need to be determined;
- Do the facts require consideration of evaluative judgments and principles as opposed to a yes/no/binary/prescriptive application of a rule; and
- Is the timing for the self-reporting obligation prescribed and what standard is to be applied?
Information
- Is sufficient information already available or is further investigation required before making a notification; and
- Who will be responsible for gathering and assessing the standard of information and how limited should that circle of people be?
Communication
- Consideration of legal privilege and how best to preserve it;
- The importance of the avoidance of unnecessary evaluative statements in writing; and
- The avoidance of any speculation on the position, facts, or outcome while the investigation is ongoing.
The regulatory context – Accountants and Auditors
The conduct and pattern of any internal investigation will almost inevitably be shaped by the relevant overseeing regulatory body or bodies and applicable guidance, procedures, and practices. It is therefore useful to understand the regulatory context in which auditors currently operate (and how that is evolving).
I. The ICAEW
The Institute of Chartered Accountants in England and Wales (ICAEW) has specific guidance on members and member firms’ “Duty to report misconduct”. The guidance is clear that members are as responsible for reporting their own conduct as they are for reporting the conduct of others (paragraph 15).
- The threshold test is a high one. The report must be in the “public interest” and involve a “serious breach” of specified regulations. The guidance specifically points out that it is not enough to merely have a suspicion that a member has been guilty of misconduct.
- The ICAEW has made it clear that members are not liable to disciplinary action for every mistake or omission – only in the circumstances listed in disciplinary by-law 1(b) and, even then, only where the circumstances evidence serious incompetence.
- By way of incentives, the ICAEW’s guidance states that in the event of disciplinary proceedings, the fact of the self-reporting will count in the member’s favour and is therefore considered a mitigating factor (paragraph 15).
- The ICAEW has sought to allay doubts that members might have around self-reporting by providing them with an opportunity to consult the ICAEW’s Ethics Advisory Service, if necessary on a no-name basis, for guidance (paragraph 24).
II. The Financial Reporting Council (FRC) and the Audit Enforcement Procedure (AEP)
All new investigations fall under the AEP for matters relating to the statutory audit of public interest entities (PIEs) or under the Accountancy Scheme (the latter remains the disciplinary scheme for the accounting profession).
- The threshold test for conduct capable of attracting sanction is as follows:
- For the AEP, it is the lower one (that is, a breach of a relevant requirement, including breach of audit and ethical standards); and
- For the Accountancy Scheme, it remains the higher one of misconduct (that is, an act or omission which falls significantly short of the standards reasonably to be expected).
- Under the Accountancy Scheme, the FRC is only able to obtain material on a voluntary basis.
- Under the AEP, the FRC can compel PIE audited entities to provide it with information and documentation (and to attend physical interviews to provide evidence to the FRC).
- In the Sanctions Policy document accompanying the AEP, the FRC lists various aggravating and mitigating factors to be taken into account when making decisions on sanctions. These include self-reporting.
- Aggravating factors (paragraph 67(a)) include whether:
“the Statutory Auditor or Statutory Audit Firm failed to bring the breach of the Relevant Requirements to the attention of the FRC (or to the attention of another appropriate regulatory, disciplinary or enforcement authority) quickly, effectively or completely”.
- Among the mitigating factors, the Sanctions Policy includes the mirror image of this, namely (at paragraph 68(a)) whether:
“the Statutory Auditor or Statutory Audit Firm [has] brought the breach to the attention of the FRC (or to the attention of another appropriate regulatory, disciplinary or enforcement authority) quickly, effectively and completely”.
Practical tips
- Matters disclosed to one regulator (whether pursuant to a request or on a voluntary basis) may, ultimately, end up in the hands of the other.
- In practice, where one regulator shares information with another, our experience is that one tends to be informed rather than asked about it.
- Where one has a regulatory obligation in one context, one will have a trigger point on other regulatory relationships to consider carefully.
- Given the FRC’s wide powers to request information and documentation, in many cases, firms will be in a better place if they self-report matters of relevance to an investigation before being asked or compelled to provide it.
- Self-reporting provides an opportunity to better control the timing of disclosure (though it is clear that material delays will need to be explained). It also therefore provides an opportunity to explain the circumstances and context of the matters that are the subject of the self-reporting before the regulator formulates its own view (or imposes upon you a wholly unrealistic timetable for compliance).
- It is vital that firms control information flows. Evaluative and conclusory statements by internal stakeholders in non-privileged communications can be detrimental to the firm and the individual’s position.
- Firms should remain mindful that conflicts of interest may arise with the employees being investigated or relevant to the investigation, and separate representation should be considered where necessary.
III. The FCA and (where appropriate) the PRA
- Both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) specify a number of instances where self-reports or notifications must be made. They prescribe certain matters including instances of fraud or other financial irregularities as requiring an immediate mandatory self-report by the regulated firm. For simplicity, we refer in this note to FCA requirements.
- The clear difference between the FCA and ICAEW regimes is that with the FCA, a reasonable suspicion is all that is required to trigger disclosure obligations.
- The FCA also maintains certain key principles for businesses, which sit extant from any specific detailed rules. In this context, Principle 11 is paramount. In particular:
- Principle 11 states that a regulated firm must notify the FCA of anything related to the firm which the firm believes the FCA would reasonably expect notice of.
- This necessarily requires careful consideration and which may result in the firm putting itself in harm’s way based on what is sometimes considered to be basic information.
- If a firm, in the FCA’s estimation, fails to make a notification in a timely manner or in sufficient detail, the FCA may take action against the firm for a breach of Principle 11.
- Such action often also translates into an enforcement investigation and/or Supervisory-based attention being placed on relevant individuals making the decision to inform the FCA in compliance with a duty to report.
- Unlike the ICAEW, the FCA does not have an ethics hotline. In the absence of such a facility, the general rule of thumb is to be prudent – if it is very hard work trying to justify why something is not disclosable, then it probably is.
- The FCA has the power to compel regulated firms, individuals, and third parties to provide it with information and documentation and to attend physical interviews to provide evidence to the FCA. It routinely exercise these powers and acts on information received.
- In the context of Enforcement outcomes, the FCA has a range of detailed factors that assist in determining the relative level of seriousness of particular matters. In practice, the FCA and PRA have unlimited fining ability, may curtail the scope of permission of a regulated firm and/or may prohibit individuals from ever holding certain responsible functions in the future.
- While a degree of cooperation by firms and/or individuals is seen by the FCA as a relevant factor, it explicitly is not a mitigating feature. Conversely in an enforcement context, regulators view cooperation as the bare minimum that a firm is expected of those under investigation or responding to information requirements imposed by the FCA.
If you have any questions about this article please contact us.
The recording of this webinar can be found at reedsmith.com.
Client Alert 2019-271