April 17, 2017 | Memo
Auditing Standards for Clients Doing Business with Iran
Iran represents a heightened risk for companies considering doing business in this emerging market. Despite the lifting of nuclear-related sanctions under the Joint Comprehensive Plan of Action (JCPOA), the U.S. maintains a number of non-nuclear sanctions based on Iran’s continued support for terrorism, ballistic missile development, human rights abuses, and de-stabilizing activities in the Middle East.
- Both the U.S. and European Union maintain sanctions against Iran’s Islamic Revolutionary Guard Corps (IRGC), which is a dominant player in Iran’s economy, particularly in strategic sectors of primary interest to international companies and investors. Although the Treasury has only designated two dozen IRGC-linked companies, through open-source research, we have identified at least 667 companies with significant IRGC influence either through equity shares or positions on the board of directors.
- Iran remains designated as a jurisdiction of primary money laundering concern and subject to special measures under Section 311 of the USA PATRIOT Act.
- Iran remains on the Financial Action Task Force’s “blacklist” because of the illicit finance risks it poses to the integrity of the global financial system. This international anti-money laundering standards body urges its members “to advise their financial institutions to apply enhanced due diligence to business relationships and transactions with natural and legal persons from Iran.”
- First Deputy Managing Director at the IMF David Lipton warned that Iran’s “banking system needs to be able to effectively channel credit to the private sector. This will require addressing the high levels of nonperforming loans, bolstering bank capital, restructuring weak institutions, dealing with unlicensed financial institutions, and strengthening risk management systems and bank supervision.”
- The International Monetary Fund further noted, “Iranian banks suffer from weak asset quality and thin capitalization, in part because of government-mandated credit policies and limited enforcement power of banking supervisors. State influence in Iran’s banking system tends to weaken underwriting standards, which puts asset quality at risk.”
- Companies doing business in Iran have been subject to fines under the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and other anti-bribery laws for participating in corrupt practices as part of business activities in Iran. For example, French oil company Total S.A. paid $398 million in fines to U.S. authorities for paying for access to Iran’s oil fields; a Norwegian firm paid a $3.5 million fine to authorities for violating anti-bribery laws; and also been shown to have bribed Iranian officials for drilling rights.
- London-based hedge fund Sturgeon Capital estimates that only 10 percent of companies on the Tehran Stock Exchange are “sanctions-compliant,” not exposed to entities that were or continued to be sanctioned. Additionally, there are allegations of widespread insider trading.
- International risk, transparency, and competitiveness rankings:
- Iran ranks 150th out of 189 countries on the World Bank’s 2016 “Ease of Doing Business” Index on “protecting minority investors,” and 140th in “resolving insolvency.”
- It ranks 130th out of 168 countries on Transparency International’s Corruption Perceptions Index, and 101st out of 128 on the International Property Rights Index.
- The Basel Institute on Governance ranked Iran as the worst country in the world with regard to risks from money laundering and terrorism financing in its annual Anti-Money Laundering Index report.
- The World Economic Forum’s Global Competitiveness Index ranked Iran very low – 134/144 – for Financial Market Development on the World Economic Forum’s Global Competitiveness Index for 2015-2016, with a specific rank of 121 for soundness of banks, 122 for regulation of securities exchanges, 138 for ease of access to loans, and 125 for venture capital availability.
- Rated 6/7 on the 2016 OECD country risk, composed of transfer and convertibility risk (i.e. the risk a government imposes capital or exchange controls that prevent an entity from converting local currency into foreign currency and/or transferring funds to creditors located outside the country) and cases of force majeure (e.g. war, expropriation, revolution, civil disturbance, floods, earthquakes).
Mandatory professional guidelines define the duties and responsibilities of the external auditor in circumstances in which the audit client is engaged in activities where there is higher than normal risk, there is no legal certainty, or there may be activities linked to possible violations of laws either directly or indirectly by the client. The norms governing the professional duties of auditing accountants are based on the following sources, which are included as attached appendices:
- Audit standards of the Public Company Accounting Oversight Board (PCAOB), the professional supervisory body established in the United States to professionally oversee audit work as carried out by accounting firms. The PCAOB publishes standards governing audits and inspects the audits carried out by accounting firms.
- International audit standards of the International Auditing and Assurance Standards Board (IAASB).
- Directives of the Basel Committee on Banking Supervision, which operates in Switzerland under the Bank for International Settlements.
Given the special circumstances involved in business activities with Iran, including a higher than normal risk environment, an accountant’s professional duty includes, but is not limited to the following:
- A decision whether or not to accept or continue a client relationship taking into consideration the client’s integrity and reliability and the specific and general risks involved in providing services to the client.
- Adjustments to the audit procedures to identify and manage reporting risks including the nature and extent of the company’s internal controls with respect to financial reporting. These include:
- A thorough examination of the company and its business environment, including the regulatory and legal environment, business risks, and the company’s main activities and its ties with key customers, suppliers, distributors, and other business entities.
- Planning and implementation of the auditing of the internal controls involved in the company’s financial reporting.
- Thorough assessment of the effectiveness of internal controls that minimize the risks of error. These include: (a) company-level controls and risk assessment procedures; (b) activity and line of business controls; and, (c) special auditing procedures for emerging market activities anchored in Auditing Standard No. 8 of the PCAOB.
- Special auditing procedures for emerging market activities must:
- Correspond to the auditing account’s assessment regarding fraud and deception risks.
- Adjust the auditing procedures to the special risks associated with the possible concealment of related parties.
- Adjust the auditing procedures to the risks associated with illegal activities in which the audited client may be involved.
- Auditing standard AS2405 lists the duties of the auditor in an auditing process where there is a possibility that the client has carried out illegal activity.
- Auditing standard AS2505 lists the rules governing ties with the auditing client’s lawyers in the assessment of contingent liabilities. The developing industry of opinions supporting foreign companies undertaking business in Iran requires the accountant to be particularly careful of an overreliance on these opinions.
- The lack of transparency regarding ownership and control ties in Iran’s economy, including by still designated entities such as Iran’s Islamic Revolutionary Guard Corps, underscores the accountant’s duties in the auditing process linked to business with related parties. This is anchored in auditing standard AS2410.
- An accountant engaged in auditing clients involved in business with Iran may have to rely on the assessments and opinions of other accountants. The auditing rules governing this reliance are anchored in auditing standard AS1205.
The principles of the international audit standards of the International Auditing and Assurance Standards Board (IAASB) and the Basel Committee on Banking Supervision that govern the external audits of banks are based on the U.S. professional approach and follow a similar approach to the key issues discussed above.
 Emanuele Ottolenghi, Saeed Ghasseminejad, Annie Fixler, and Amir Toumaj, “How the Nuclear Deal Enriches Iran’s Revolutionary Guard,” Foundation for Defense of Democracies, October 2016. (https://s3.us-east-2.amazonaws.com/defenddemocracy/uploads/documents/IRGC_Report.pdf)
 In the report cited in footnote 1, we noted that our research revealed at least 229 companies. Since then, we have identified another 438 companies; Information on Treasury’s designations is available via the “Sanctions List Search” database, at http://sdnsearch.ofac.treas.gov/.
 Federal Register / Vol. 76, No. 228 / Monday, November 28, 2011, page 72878. (https://www.gpo.gov/fdsys/pkg/FR-2011-11-28/pdf/2011-30331.pdf); U.S. Department of the Treasury, “Fact Sheet: New Sanctions on Iran,” November 21, 2011. (https://www.treasury.gov/press-center/press-releases/Pages/tg1367.aspx)
 Financial Action Task Force, “Public Statement – 21 October 2016,” October 21, 2016. (http://www.fatf-gafi.org/publications/high-riskandnon-cooperativejurisdictions/documents/public-statement-october-2016.html)
 David Lipton, “Iran — Achieving its Potential in the Global Economy,” Central Bank of Iran, May 17, 2016. (https://www.imf.org/external/np/speeches/2016/051716.htm)
 International Monetary Fund, “Regional Economic Outlook: Middle East and Central Asia,” October 2015. (http://www.imf.org/external/pubs/ft/reo/2015/mcd/eng/pdf/mreo1015.pdf)
 Jonathan Schanzer and Amir Toumaj, “Opinion: Why Boeing shouldn’t do business with Iran,” Market Watch, July 12, 2016. (http://www.defenddemocracy.org/media-hit/schanzer-jonathan-opinion-why-boeing-shouldnt-do-business-with-iran/)
 Ladane Nasseri, Samuel Potter, and Golnar Motevalli, “What Investors Need to Know About Entering Iran’s Stock Market,” Bloomberg, January 17, 2016.(http://www.bloomberg.com/news/articles/2016-01-17/what-investors-need-to-know-about-entering-iran-s-stock-market)
 “Doing Business 2016: Ease of Doing Business in Iran, Islamic Republic,” World Bank Group, accessed July 8, 2016. (http://www.doingbusiness.org/data/exploreeconomies/iran/)
 Corruption by Country/Territory: Iran,” Transparency International, accessed February 12, 2016. (https://www.transparency.org/country/#IRN); “Iran,” The International Property Rights Index 2016, accessed October 24, 2016. (http://internationalpropertyrightsindex.org/country?c=IRAN)
 “Basel AML Index 2016 Report,” Basel Institute on Governance, July 27, 2016. (https://index.baselgovernance.org/sites/index/documents/Basel_AML_Index_Report_2016.pdf )
 World Economic Forum, “Iran, Islamic Rep.,” The Global Competitiveness Report 2015-2016, accessed October 27, 2016. (http://www3.weforum.org/docs/gcr/2015-2016/IRN.pdf)
 “Country Risk Classifications of the Participants to the Arrangement on Officially Supported Export Credits ,” Organisation for Economic Co-operation and Development, June 24, 2016. (http://www.oecd.org/tad/xcred/cre-crc-current-english.pdf); “The country risk classifications are meant to reflect country risk. Under the Participants’ system, country risk is composed of transfer and convertibility risk (i.e. the risk a government imposes capital or exchange controls that prevent an entity from converting local currency into foreign currency and/or transferring funds to creditors located outside the country) and cases of force majeure (e.g. war, expropriation, revolution, civil disturbance, floods, earthquakes). The country risk classifications are not sovereign risk classifications and should not, therefore, be compared with the sovereign risk classifications of private credit rating agencies (CRAs). Conceptually, they are more similar to the “country ceilings” that are produced by some of the major CRAs. … The final country risk classifications are achieved through a thorough discussion amongst experts and a consensus-building process. The group of country risk experts meet several times a year. These meetings are organised so as to guarantee that every country is reviewed whenever a fundamental change is observed and at least once a year. Although the meetings and details of the CRAM are confidential and no official reports of the deliberations are made publicly available, the list of country risk classifications is published after each meeting.” “Country Risk Classification,” Organisation for Economic Co-operation and Development, accessed October 27, 2016. (http://www.oecd.org/tad/xcred/crc.htm)