Client Confidentiality and Fraud

Should auditors be able to exercise more ethical judgment?

By Herbert W. Snyder, Ph.D., CFE

 Herbert W. Snyder, Ph.D., CFE


JanFeb-confidentiality-fraudImagine an external auditor in this situation. In the course of a financial statement audit, unequivocal evidence of a fraud is uncovered. The auditor confronts the client with evidence; the client admits to the fraud and agrees to make the requisite adjustments in the firm’s financial statements. The auditor also notifies the client’s audit committee of the fraud. However, the committee comes to the decision that no further action is necessary. Despite that the client attempted to commit fraud (a fact that might be relevant to investigators or regulators), the adjustments remove any material misstatements. The auditor, at this point, has no further recourse but to issue an unqualified opinion.

Has the accounting profession created a situation in which the auditors’ ethical behavior is impaired by their professional obligations? The audit profession has come under significant criticism during the past decade about the ethical conduct of auditors and their roles in abetting (or, at least, failing to prevent) a variety of financial scandals, such as Enron, Tyco and WorldCom. The heightened attention has led to the creation of the Sarbanes-Oxley Act of 2002 (SOX) and revised professional standards, such as SAS No. 99, which provide better guidance for the consideration of fraud during an audit. However, at the same time that legislators and the audit profession are attempting to guide auditors’ behavior, the profession’s standards of client confidentiality might be working to limit the ethical choices of accountants.

The restricted nature of audit opinions, together with the American Institute of Certified Public Accountants’ (AICPA) client confidentiality rule, places the auditor in the position of having to choose between earning a livelihood or making a proper ethical choice. Professional codes for U.S. accounting ethics are more restrictive than those of most professional associations, even those for which the client-practitioner privilege is well-recognized. Moreover, the concept of accountant-client privilege has never been supported by the federal courts including a number of U.S. Supreme Court decisions, which failed to find such a right. Changes in professional standards regarding confidentiality are necessary to better serve the public and the investors whose interests are unprotected by current statements of responsibility.

This is not to say that client confidentiality should be abolished. On the contrary, pledges of confidentiality are critical when gathering full disclosures of company information, which can be sensitive and/or proprietary. However, disclosure in limited circumstances, such as when a fraud is discovered, might help to prevent future harm without compromising the quality of financial audits.


Accountants have traditionally asserted the right of confidentiality, which is articulated most plainly in Rule 301 of the AICPA Code of Professional Conduct (Confidential Client Information): A member in public practice shall not disclose any confidential client information without the specific consent of the client. (AICPA, 1993, Section 301) 

The same principle of confidentiality is invoked by auditors when fraud is uncovered during an audit. SAS No. 99 states that disclosure of fraud to parties other than the client and its audit committee “… would be precluded by the auditor’s ethical and legal obligations of confidentiality.” Although the protection of a client’s private disclosures is an important tenet of the profession, the assertion of a privileged accountant-client relationship is difficult to justify, particularly in the audit function. Moreover, even if we assume such a privileged relationship exists between accountants and their clients when a financial crime is uncovered, but not reported, it is difficult to justify the protection of confidentiality – either in the broader context of privileged information or, more specifically, in the context of accounting.

Privileged communication grows out of common law and the belief that certain relationships (e.g., spouses, clergy, legal counsel, and physicians) would be irreparably damaged if those seeking advice were at risk of having their confidences revealed in testimony. Similar claims are sometimes made for “accountant-client” privilege.

Normally, courts use four criteria – the so-called “Wigmore test” – to determine whether claims of privilege apply to persons in a given relation. According to J. Wigmore’s “A Treatise on the System of Evidence in Trials at Common Law, including the Statutes and Judicial Decisions of All Jurisdictions of the United States, England, and Canada,” the four criteria are: 1) the communications must originate in a confidence that they will not be disclosed 2) this element of confidentiality must be essential to the full and satisfactory maintenance of the relation between the parties 3) the relation must be one that, in the opinion of the community, ought to be sedulously fostered 4) the injury that would inure to the relation by the disclosure must be greater than the benefit thereby gained for the correct disposal of litigation. In general, the situation must address all four criteria for privilege to apply.

Using such criteria, the federal government has failed consistently to recognize any privilege between accountants and their clients. The U.S. Supreme Court has made compelling arguments against accountant-client privilege in both Couch v. United States (1973) and United States v. Arthur Young & Co. (1984), noting in the latter that an accountant’s “public watchdog” function demands that the accountant maintain total independence from the client at all times and requires complete fidelity to the public trust. Following the second criterion set forth in Wigmore’s test, there’s reason to question whether complete confidentiality is essential to the accountant-client relationship. Indeed, given the public reporting nature of public accountancy, the accountant’s primary duty is to protect the public from improper reporting rather than to protect the client from disclosure of wrongdoing.

Even assuming that accountant-client privilege has merit, it’s difficult to assert that it would preclude an auditor from reporting an instance of financial crime to proper, outside authorities.
The fourth criterion in Wigmore’s test notes that there are balancing interests in society between confidentiality and societal harm. Thus, the law recognizes cases in which the damage to members of society outweighs client confidentiality. Physicians and other health-care workers, for example, are required to report cases of suspected child abuse. Similarly, mental health professionals have an obligation to report client information to law enforcement personnel if they have reason to believe the client will engage in actions that could result in injury – either to the client or others.

This isn’t to suggest that fraud is as heinous a crime to society as child abuse or murder. However, the willful misstatement of public financial statements is probably the most serious breach of trust within the context of the accounting practice. Given the seriousness of the crime in this context and the “ultimate allegiance” to investors and creditors asserted by the court, accountants would be hard-pressed to demonstrate that greater damage results from breaching client confidentiality than from reporting a suspected fraud to outside parties.


It’s common, however, to hear strong protests from practitioners against changing client confidentiality standards, even in cases of client fraud. Proponents of complete confidentiality normally assert one or more of the following arguments:

1. Breaching client confidentiality in matters of fraud will undermine the willingness of clients to cooperate.

2. Faced with the possibility of exposure, clients will engage in yet more devious methods to hide the fraud, which the auditors will be unable to find.

3. The damage to firms that are suspected of fraud, but later found not to be responsible, will be significant and unwarranted either as a result of the accusation.

The seriousness of financial crimes and confidentiality breaches requires us to consider these objections in some detail.

Loss of client cooperation 

There’s no question that an audit requires the examination of large amounts of material that the client provides willingly. Lacking subpoena power, there’s no other way an auditor could obtain this material. However, to suggest that clients would fail to cooperate if confidentiality wasn’t required ignores the reality of the audit process. Publicly traded companies by law must be audited and CPAs are the only professional group allowed by law to conduct audits. Companies have no option but to comply with auditors’ requests; otherwise, no opinion would be issued. Moreover, because most clients are honest and auditors will still be strongly constrained concerning the information they can release, the majority of audits should be unaffected.

This professional monopoly protects the accounting profession and obligates it to consider the well-being of society while exercising its duties. Indeed, the granting of a professional monopoly is a recognition of the profession’s expertise in a given arena, but in return society expects a pledge of ethical behavior.

More devious audit schemes 

This argument that changing confidentiality standards will result in frauds that are more difficult to detect seems to be based on two principles. The first is that firms that are engaged in fraud aren’t making their best efforts to avoid detection. The second is that if firms are forced to become better at fraud, auditors will be unable to detect it. These assertions are difficult to justify logically and ethically.

First, if firms are engaged in fraud, it behooves them to be as secretive and competent as possible. The consequences of fraud extend beyond adverse audit opinions to job loss, fines and jail time. And the means of discovery can include employee whistle-blowers, audits and irate creditors.

Second, allowing clients to commit illegal acts without consequences, simply because those acts were easy to detect and correct, is ethically bankrupt. We might actually encourage clients to attempt fraud if the potential gains are high and there aren’t adverse consequences if the attempts are discovered.

Finally, this mindset says little about the audit profession’s competence (particularly in light of SAS No. 99 and other standards) if practitioners doubt their ability to uncover fraud. Some highly complex and collusive frauds might go undetected, but auditors are granted their monopoly based on their superior expertise in these matters. If auditors are truly unable to deal with the schemes of dishonest clients (which seems unlikely), then the profession needs to reexamine why it has been granted the exclusive right to conduct audits, or indeed what the value of an independent audit is.

Damage to clients suspected of fraud 

There’s no question that damages resulting from a reported financial crime are significant, and these reports shouldn’t be made frivolously. Specific guidelines for auditors reporting financial crime are beyond the scope of this article. However, there’s ample evidence that such guidelines can be created. Numerous professions (e.g., medicine, law, and clergy) with significantly more stringent confidentiality mandates have developed workable criteria for reporting crimes uncovered in the line of service.

These specific objections notwithstanding, many auditing professionals cite the passage of SOX as a remedy for reporting financial misconduct discovered during audits. Although SOX deals with a variety of ethical issues, such as auditor independence and the composition of audit committees, its ability to deal with conflict between client confidentiality and an auditor’s ethical decisions is problematic. 


In July 2002, SOX was signed into legislation. The act addresses matters of auditor independence and oversight and makes changes in reporting responsibilities for management, auditors, and the audit committee. SOX is notable (among numerous provisions) for mandating both the creation of competent audit committees and disclosing fraud to those committees. While we can assume that this will deal effectively with some (or even most) financial misconduct, there are still two obvious gaps in the process: 1) The auditor never makes his or her determination of suspected fraud available to anyone outside the audit committee. Deficiencies in internal control will no doubt be noted in the auditor’s report, but the disclosure is indirect and passive. The initiative to follow up and investigate further is left to the consumers of the opinion. 2) The audit committee isn’t required to pursue the fraud charges with regulatory or law enforcement organizations. We might expect such a course of action from an independent party; however, this is open to question, given the small percentage of corporate crime that’s actually reported.

Audits are now more likely to uncover fraud, but unless such information is made available to investors and regulators, accounting will face continued criticism that it favors clients to the detriment of the investing public. Moreover, the nature of the accountant-client relationships and the grievous harm that results to investors when financial misconduct is allowed to occur make it difficult to support the profession’s claim of confidentiality in the face of fraud.

At the very least, the accounting profession needs to reexamine the balance between client confidentiality and public trust. We can be sure that in the absence of serious self-examination and industry regulation, legislators are willing to act. The result, such as SOX, is likely to be more onerous and less informed than what the accounting profession would choose for itself.

The author's views aren't necessarily those of the ACFE, its management or employees. - ed.  

Herbert W. Snyder , Ph.D., CFE, is an associate professor at North Dakota State University in Fargo. He’s the recipient of the 2010 Educator of the Year Award.


American Bar Association. 2004. “American Bar Association Standards of Practice For Lawyers Representing a Child in Abuse and Neglect Cases.” Available online at:

American Institute of Certified Public Accountants (AICPA). 1973. “Objectives of Financial Statements.” New York: AICPA.

AICPA. 1993. “Code of Professional Conduct.” New York: AICPA.

AICPA. 1996. “Statement of Auditing Standards No. 82: Consideration of Fraud in a Financial Statement.” New York: AICPA.

AICPA. 2002. “Statement of Auditing Standards No. 99: Consideration of Fraud in a Financial Statement.” New York: AICPA.

Auditing Practices Board (APB). “Statement of Auditing Standard 110: Fraud and Error.” London, UK: APB.

Bologna, J. 1993. “The Accountant’s Handbook of Fraud and Commercial Crime.” New York: John Wiley & Sons.

Boynton, W., Johnson, R., and Kell, W. 2001. “Modern Auditing.” 7th ed. New York: John Wiley & Sons.

Collins, A., and Schultz, N. 1995. “A critical examination of the AICPA Code of Professional Ethics.” Journal of Business Ethics. 14(1). 31-46.

Couch v. United States. 409 U.S. 322 (1973).

Frankel, M. 1989. “Professional Codes: Why, How and with What Impact?” Journal of Business Ethics. 8. 109-115.

Herlihy, B., and Sheeley, V. 1988. “Privileged Communication in Selected Helping Professions: A Comparison among Statutes.” Journal of Counseling and Development. 65(9). 479-483.

International Federation of Accountants (IFAC). 2003. “Proposed Revised International Standard on Auditing 240: The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements.” New York: IFAC.

Jamal, K. 2004. “After Seven Decades of Regulation, Why is the Audit Profession in Such a Mess?” University of Minnesota Ethics in the Financial Services after Sarbanes-Oxley Conference. (April 17, 2004).

Manisero, T. 1999. “Accountant-Client Privilege: Opportunities and Limitations” from “The Trusted Professional.” New York: New York State Society of CPAs. Available online at:

National Adoption Information Clearinghouse. 2003. “2003 Child Abuse and Neglect State Statute Series Ready Reference: Reporting Laws: Clergy as Mandatory Reporters.” Available online at:

Power, M. 1997. “The Audit Society.” New York: Oxford University Press.

Public Oversight Board (POB). 2000. “Panel on Audit Effectiveness: Report and Recommendations.” Stamford, Conn.: POB.

Smith, K. 2003. “Mandatory reporting of child abuse and neglect.” Obtained online at:

United States v. Arthur Young & Co., 465 U.S. 805, 816-18 (1984).

Weinberg, R. 1967. “Confidential and Other Privileged Communication.” Dobbs Ferry, NY: Oceana Press.

Wigmore, J. 1905. “A treatise on the system of evidence in trials at common law, including the statutes and judicial decisions of all jurisdictions of the United States, England, and Canada.” Boston, Mass.: Little, Brown and Company.

Zavarel, F. 1999. “Private Accountant-Client Relationship In Jeopardy.” Issue Paper, 8-1999. Denver, CO: Independence Institute.

Zavaral, F. and Koppel, D. 2003. “Accounting For Privacy Lost.” Opinion Editorial (March 6, 2003). Denver, CO: Independence Institute.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: .