Failure to assess non-compliance under NOCLAR and report RIs
It was found that auditors often do not assess non-compliance as required.

This is a two-stage, escalating obligation:
NOCLAR per Section 360 of the IRBA Code:
Requires auditors to identify, evaluate, and respond to actual or suspected non-compliance with laws and regulations (NOCLAR). Non-compliance may have a material effect on the financial statements, or may be fundamental to the entity’s business (e.g. fraud, bribery and environmental breaches).

Reportable Irregularity (RI) per APA Section 45:
This is a specific, more severe subset of NOCLAR. An RI is defined in the APA as any unlawful act or omission committed by any person responsible for the management of an entity, which:
(a) has caused, or is likely to cause material financial loss to the entity or to any partner, member, shareholder, creditor or investor of the entity, in respect of his, her or its dealings with that entity
(b) is fraudulent, or amounts to theft
(c) represents a material breach of any fiduciary duty owed by such person to the entity or any partner, member, shareholder, creditor or investor of the entity under any law applicable to the entity or the conduct or management thereof.

Common failures identified in files:
Auditors are consistently failing in their role as financial gatekeepers by:
• Getting the timing wrong: Section 45 of the APA Act states, ‘An individual registered auditor referred to in section 44(l)(a) of an entity that is satisfied, or has reason to believe that a reportable irregularity has taken place, or is taking place, in respect of that entity must, without delay, send a written report to the Regulatory Board.’
‘Without delay’ means without even discussing it with management first. It must be reported when the suspicion arises, not when it is confirmed. The suspicion is confirmed during the 30 days the auditee has to dispel the suspicion.
NOCLAR requires the reporting of breaches of legislation. In many cases, it is too late to correct the situation to avoid reporting.
•  Not investigating red flags: ‘Treating symptoms of fraud or non-compliance (e.g. unusual related-party transactions, breaches of the Company’s Act, Tax Act, VAT Act, labour laws, the Financial Advisory and Intermediary Services Act) as mere accounting errors without additional investigation. In various cases, the required NOCLAR/RI assessment is not on file.
•  Misplaced loyalty to management: Prioritising client relationships over user interest, leading to private discussions with management that result in ‘corrective action’, but no formal reporting. Often, the process is not explained to the client in a way that they can understand that, as the auditor, it is your legal duty to report it, and it is not a reflection on the relationship, and management will have 30 days to address the issue.
•  Misapplication of the materiality threshold: For RIs, materiality is defined by the nature of the act (unlawful) and its effect on third parties, and not just quantitative materiality. Auditors often incorrectly dismiss unlawful acts as ‘not material’ in financial terms.
• Failure to evaluate the impact on the audit report: Where NOCLARs/RIs were identified, auditors fail to evaluate the impact on the audit report. RIs need to be addressed in the audit report. With the correct wording, the impact of an RI reported, which has since been appropriately addressed, may be beneficial, rather than damaging to the report.

Corrective action:
• The IRBA Code (Revised November 2024), Section 360, provides clear guidance on how the auditor should respond to NOCLAR.
• The Auditing Profession Act 2025, Section 45, outlines the duty to report on irregularities.
• Considerations need to be documented in sufficient detail for an independent auditor to be able to reperform the procedure and come to the same conclusion as the auditor.
• SAAPS 3 provides clear examples of audit reports where RIs have been reported.

Consequence:
Failure to act discredits the profession and harms its reputation. Prior relevant matters investigated by the IRBA led to fines and even permanent disqualification from registration with the IRBA.