Practice Matters articles

Practice Matters is a bi-monthly hard copy publication sent to all members of Chartered Accountants Ireland working in practice. It contains advice on technical, tax and regulatory issues, information about Chartered Accountants Ireland conferences and events relevant to members working in practice and updates on practice supports being offered by our Practice Consulting team.

Practice and Business Improvement

Coronavirus (COVID-19) update

At the time of going to print, the situation regarding the Coronavirus (COVID-19) was evolving rapidly. Members and firms that require assistance are advised to consult the Institute’s website, where a special page has been set up containing advice and contact information:

Accountants are key advisers to the business community, which is struggling to respond to this fast-changing situation. The challenge is to stay ahead of events and stay in a position to give the best advice to clients.

In spite of the range of demands facing you, you should look to your own practice first. Make a plan for your own practice and plan to change it. Run scenarios that assume a progressively more or less restrictive environment going forward. Plan for staff non-availability due to illness or quarantine. Many practitioners and their staff are working from home. You may find that your systems were not designed to cope with the strains now placed on them, but now is the time to formulate new solutions and workarounds. Concentrate on what can be done and do it. Certain tasks may be impossible right now, but development work that had been put off can now be prioritised.

Auditing can prove problematic, both because in practical terms it is typically carried out at clients’ premises and because of the greater risks and uncertainties to be dealt with. The FRC has issued guidance on this which is on its website.

You are focused on cash flow because that is what suffers first in times of uncertainty. Again, start with a plan. Bring your financial information and accounts up to date so that you know where you stand. You may be doing less chargeable work and bringing in less cash. Identify what you can change to improve your own cash flow. Identify what cost can be cut and what expenditure you can defer. Are there sources of cash that can be drawn on? Engage with your lenders.

Clients expect and demand your advice and support right now, and your relationship as trusted adviser has never been so important. Clients should rapidly take stock of their situations, make plans for how to address issues and scenarios, and concentrate on protecting cash flow. The crisis affects clients in different ways and with different levels of severity. Your expertise, experience and judgement are now invaluable to them as your clients take their unique journeys through the crisis.

We will continue to engage and communicate with members in practice, with further and more detailed advice, as the situation develops. In the meantime, remember that your Institute and the Practice Consulting Team are here to help you.

Apr 01, 2020
Business law

Shane McAleer writes:

“That would be an ecumenical matter!”

The Ethics Research Report, published by Chartered Accountants Ireland in January 2019, reported that “94% of respondents have ‘observed or encountered’ some level of unethical behaviour during their professional career”. Due to the nature of their business, members working in practice can be more exposed to certain ethical dilemmas. In my experience, the following are two typical dilemmas that can arise and, unless appropriately managed, may potentially lead to unethical behaviour.

Business & professional client relationship vs close personal friendship

Over time, practitioners can develop a good professional relationship with their client. On some occasions this can develop into a closer personal friendship which, in some circumstances, can expose the practitioner to a threat to their professional ethics. The level of threat can vary. For example:

Acting for two clients, both friends of the practitioner, on opposite sides of the same transaction can present a greater threat to independence (breach of objectivity) than perhaps having two bookkeeping clients who happen to be competitors.

Casually discussing a client’s affairs over a drink with a mutual friend can present a breach of confidentiality.

There are safeguards in the Code of Ethics, or the Ethical Standard for Auditors, to help manage these. The ultimate safeguard is resignation, but only insofar as the threat arises between the client and the practitioner. Where the misconduct arises through an action of the client, then this can lead to specific professional responsibilities, e.g. whistleblowing or reporting suspicious transactions under Anti-Money Laundering legislation. Such scenarios can present an ethical dilemma where the practitioner is torn between the value of friendship and their professional obligations. For some, the dilemma can deepen where the client pleads for discretion. This segues to another typical dilemma, below.

Expectations to deliver vs Undue pressure/influence from the client or management

Situations can arise where practitioners are put under undue pressure/influence from the client to “turn a blind eye” on certain matters. This pressure may also come from management within the practice. In my experience as an insolvency practitioner, I have come across scenarios in companies where a potential ethical threat existed for the practitioner previously advising or auditing the company.

In one scenario, a sole practitioner provided audit and tax advice to a large family company for many years. There was a good relationship with the client, given that the client had followed from a firm where the practitioner had previously worked. Over time, the owner/director amassed a significant director’s loan. The practitioner was aware of the loan but for several years it was not disclosed correctly in the accounts. The relevant taxes associated with the loan were not submitted.

In another scenario, a practitioner prepared management accounts, showing a solvent position, for the purposes of providing these accounts to a secured lender. The practitioner was aware that the accounts were materially different from the actual position, i.e. an insolvent one. The client was insistent that failure to present a solvent position would result in financial support being withdrawn, with the potential loss of the business and jobs.

The facts of the cases in scenario one and scenario two suggested that the practitioner had, perhaps inappropriately, succumbed to pressure from the client to agree with the client’s rationalisation that it was in the best interests of the company to account for matters in this way, and even that the company’s survival may depend upon it. Perhaps the decision to accommodate the client was influenced by a sense of loyalty. Perhaps it was out of fear of losing a client. Or, perhaps it was out of a lack of awareness of the relevant requirements!

In addition to the safeguards outlined in the ‘Code of Ethics’, there are a number of supports available to all Members and their staff from the Institute, including the Ethics Resource Centre which contains a number of articles and publications to assist members to reach a decision. The Practice Consulting team will always be willing to advise members in practice in dealing with ethical issues and, in addition, CA Support is open to all members to assist them in times of difficulty.

Shane McAleer is a director in Somers Murphy & Earl Corporate Services Limited. He is a member of Council, the Institute’s Ethics and Governance Committee, and the Members in Practice Committee. He is also a member of the CCAB-I Insolvency Committee.

Feb 01, 2020

Akriti Gupta, Advocacy and Voice writes:

There are fewer than eight weeks to go to the 31 October Brexit deadline. According to recent reports, 70 per cent of smaller businesses believe that Brexit will adversely impact their business, affecting not only trade, but business sentiment and investment as well. Ireland is a small open economy, heavily reliant on the UK market as its trade-testing ground. Small businesses that trade with the UK will be affected by supply chain disruption, currency risk, trade tariffs and the requirement to operate within dual regulatory frameworks; the principal risk is the disruption of any continued trade post-Brexit. Practitioners need to liaise with their clients on Brexit-related issues now if they have not already done so. With Brexit timelines still not established and future business models remaining unclear, smaller businesses and their professional advisers are strongly advised to consider the following five points:

1. Assess and develop customs capacity

We are encouraging businesses across Ireland and the UK which are currently trading with each other to ensure that they can continue to do so post-Brexit. To do this, they must understand the rules that will apply for importing and exporting. While some businesses have experience of the customs formalities required to import and export outside of the EU, for many, particularly the smaller business, it will be their first exposure to them. All businesses should first apply for a customs registration, i.e. an Economic Operator Registration and Identification Number (EORI). It takes between three and five minutes online to acquire this (see below). Statistics from Revenue and HMRC suggest that thousands of small businesses on the island of Ireland have not applied for one; such businesses should be encouraged to acquire this without delay.

Regardless of whether customs duties apply to goods moving between Ireland and the UK and the UK and the EU, customs declarations must be submitted to Revenue and HMRC respectively. Businesses should also use the time between now and 31 October to improve their knowledge of customs procedures, and close off any gaps in their customs knowledge that could prevent them from completing customs returns and declarations necessary to keep goods moving. Businesses will need to have customs expertise and relevant software to file these declarations, or should hire an agent to do this on their behalf. It is important to remember that tax authority officials will check that the proper declarations are in place; goods will be detained at ports and borders if they are not. There are various government supports to help do all of this.

2. Review your supply chain and market

Tariff barriers and border control will cause delayed investment and barriers to trade for small businesses. Businesses must conduct a SWOT analysis of their existing supply chain and consider alternative suppliers and markets outside the UK. We would also recommend speaking to all customs agents and goods transport services as there will also be changes to transportation and logistics between Ireland, the UK and other EU countries. Post-Brexit, businesses that use the “landbridge” will face new rules when using the customs transit procedure, causing delays that will especially impact goods with a short shelf-life. Businesses should consider applying to Revenue/HMRC to avail of customs supports which may allow goods to be moved in an easier manner.

3. Review all your certification, regulation and licensing

It is essential that businesses check that their products or services are fully compliant with all relevant regulation for sale on the UK or EU market post-Brexit. Businesses in highly regulated sectors such as medical device manufacturing, construction and transportation must be particularly sure that their registrations, certifications and licensing are still valid. Where appropriate, they will need to ensure that their UK supplier has appointed an EU-based authorised regulator, as EU registrations issued to UK companies prior to Brexit may no longer be valid.

4. Manage currency and cash flow

Volatility in currency markets, particularly around the euro/sterling exchange rate, will present a key challenge for businesses post-Brexit. It is imperative for both importers and exporters to assess their currency exposure. Both importers and exporters should hedge their future transactions to give themselves certainty and a concrete base from which to price their goods and services. Businesses should also be availing of government supports to help manage cash flow and mould their business plans accordingly. Among these government supports are the Brexit loan schemes; however, only ten per cent of these loan schemes have reportedly been accessed. The Irish Government is now communicating via emails, letters and customs workshops to smaller businesses to encourage them to avail of this facility in order to help them prepare. In the UK, HMRC has stated that it will issue EORI numbers to most VAT-registered businesses, while also making available additional funding to support businesses with the costs of making customs declarations. Businesses based in, or with a branch in, the UK can apply for this funding ahead of the UK leaving the EU.

5. Protect and inform staff

The responsibility to check potential visa requirements for staff, and the recognition of professional qualifications and licences required to practise, remains with the employer. Where relevant, businesses must account for these requirements and keep their staff informed of any developments. With a talent shortage in many areas, businesses must invest in learning and development for staff as a priority.

In addition to taking the above steps, smaller businesses and their professional advisers are strongly encouraged to attend all possible government events and working groups, and ensure that they are maximising government-run Brexit preparation programmes and supports. Read all our updates in our Brexit web centre at and our page dedicated to no-deal Brexit planning at

Oct 01, 2019
Information Technology

Gary McErlean of Quarter Chartered Accountants writes:

The ancient saying that change is the only constant seems to be more true today than ever before. The pace of change in the accounting world, driven by continuous technological advances, has never been swifter, or more unforgiving. As a practice which has embraced and adopted the new technologies available, we at Quarter Chartered Accountants can confidently say that this has only been advantageous. There are various Cloud Accounting Software providers such as Xero, Surf, Quickbooks, Sage 1 etc. A few years ago, we decided to invest time with Xero, and I thought it would be useful to outline some of the areas where we have benefited from significant time (and ultimately cost) savings by utilising a Cloud Accounting System.

Bank reconciliations still comprise a key component of the accounting process, and the staff time required can be quite significant for bank accounts with high numbers of transactions. Not any more – Cloud Accounting Systems have the ability to link directly to most banks, with all underlying transactions being posted within the accounting system automatically, and on a daily basis. Granted, although such a system automatically records every single lodgement and payment going through the bank, it doesn’t necessarily know where to post the other side of the transaction. However, all the processor needs to do is click on each item and allocate it to the relevant nominal code etc. The time required to do this is a fraction of the time required to post the bank the old-fashioned way. Furthermore, the system learns, or can be told, where certain recurring items should be posted and this can also be done automatically, saving even more time.

Cloud Accounting Systems also link in with lots of different mobile phone/tablet apps. For example, there are apps that allow the user to take a photograph, on their mobile phone/tablet, of supplier invoices which are then automatically posted to the Cloud Accounting system to which the app is linked. All you have to do is approve the transaction. Based on the above, it is therefore quite conceivable for all your bank transactions and your supplier invoices to be posted to your Cloud Accounting System before you have even opened it!

Another prominent feature of Cloud Accounting Systems is that they can be accessed from anywhere with an internet connection. Gone are the days when all work was carried out in the office on a 9 to 5 basis. It is becoming increasingly common for people to work from home, or on the move, and with the ability to log in to their accounting system being equally mobile, the business finances can be processed or monitored anywhere on a real time basis.

Cloud Accounting Systems provide a platform for offering a more regular reporting service to clients, which is better for the firm as well as the clients. They allow practices to develop client relations and, in our experience, lead to additional revenue streams being generated.

In summary, if I were to use one word to sum up the effects of these technological advances in Cloud Computing, it would be EFFICIENCY, and, in my opinion, those that want to survive and thrive in this ever changing world of technology need to embrace it.

Gary McErlean is a Principal in Quarter Chartered Accountants, and is a member of the Members in Practice Committee of the Institute. The Members in Practice Committee represents the interests of smaller practices.

Jun 03, 2019
Practice and Business Improvement

The Property Services Regulatory Authority (PSRA) writes:

The Property Services Regulatory Authority (PSRA) licenses and regulates Auctioneers, Estate Agents, Management Agents and Letting Agents (licensees). The PSRA works to protect the interests of the public by ensuring that high standards are maintained in the delivery of property services by licensees. The PSRA considers the opinion of the Reporting Accountant, and the work leading to that opinion, on whether client moneys are managed in accordance with PSRA Client Moneys Regulations by a licensee as paramount in their assessment of licence renewal applications. In this regard, a licence renewal application must be accompanied by a signed accountant’s report relevant to the licence(s) held. The PSRA acknowledges the vital work undertaken by accountants in completing these reports effectively.

Accountants are required to review the books of account and records of the licensee and give an opinion on whether the licence holder has complied with the PSRA Client Moneys Regulations and to report where breaches of the Regulations have occurred. While the vast majority of reports received do not require the PSRA to request additional information, in some instances the PSRA is required to query the licensee’s application, including the content of the accountant’s report.

By way of information, common issues encountered by the PSRA while reviewing licensees’ applications and accountant’s reports include:

The most recent updated specified accountant’s report is not completed. Specified accountant’s reports are available at’s_report

Accountants fail to complete Section 4 of Part I of the relevant renewal accountant’s report expressing an opinion as to whether the regulations have been complied with by the licensee.

Incorrect calculation of the balance on the Balancing Statement.

The name of the Client Account(s) does not match exactly with the name on the relevant bank statement. A client account must be in the name of the licensee and contain the word “client” in the title.

Issues of greater concern to PSRA identified in 2018 include:

Liabilities to clients reduced on the balancing statement (Appendix 3A of PSRA/S35 – Renewal ABC) by deducting moneys owed in, which were intended for clients, but had not yet been received or placed in the client account. An example includes: where a licensee pays money out of the client account to a landlord in advance of receipt of rent by the licensee from the tenant. In a small number of instances this transaction is not shown as a liability on the client account by the licensee when completing the balancing statement. Before giving an opinion, the accountant should be satisfied in respect of the statement in section 3.3 of the report, namely “I have obtained the client account balancing statement(s) prepared by the Licensee as set out in Appendix 3A and checked that the information therein is in agreement with the books of account and records of the Licensee”.

Liabilities to clients are not reported on the balancing statement (Appendix 3A of PSRA/S35 – Renewal ABC). Before giving an opinion, the accountant should be satisfied in respect of the statement in section 3.3 of the report as noted above.

Licensee using one account for all client and business transactions. This is a breach of the Client Moneys Regulations and is required to be included by the accountant at Appendix 2 of the accountant’s report.

Instances where a deficit/surplus on the client account has been identified but not addressed by the licensee, despite confirmation in Appendix 3B that funds have been paid into/withdrawn from (as appropriate) the client account by the licensee and the signed accountant’s report being submitted as part of the licence renewal application. In these instances, the PSRA has by way of follow up confirmed that in such cases outstanding monies owed have not been repaid to the client account.

The PSRA encourages that you consider whether there is evidence of any of the above issues arising when completing the accountant’s reports on behalf of licensees. The PSRA acknowledges the engagement of accountants with licensees and the cooperation extended to the PSRA in addressing queries.

More information regarding accountant’s reports and the PSRA in general can be found on The PSRA may be contacted on 046 9033800 or by email at in relation to any query you may have when completing PSRA Accountant’s Reports.

Members should refer to Technical Release (TR) 03/2018 ‘Licence applications under the Property Services (Regulation) Act 2011 and the Property Services (Regulation) Act (Client Moneys) Regulations 2012’ issued in June 2018.

Apr 01, 2019
Business law

Orla McGahan writes:

1. Join a network

“If you want to go fast, go alone; if you want to go far, go together.” There are 1,730 Chartered firms in practice in Ireland. Of those, around 950 are sole practitioners; and yet, there are only 40 listed networks. Even with an average of ten members per network, there are a lot of people out there going it alone. Don’t isolate yourself. The benefits of being part of a network are copious:

A case study group – for those times when a case needs to be talked out.

A forum to benchmark – to benchmark fees, charge out rates, overheads, staff salaries, and so on, can be invaluable. Consider joining a network outside your geographical or competitive area if necessary.

Knowledge sharing – share experiences on dealing with Revenue, CRO and other areas. For that moment when you are just having a blank, being able to run it by a trusted colleague.

Referrals – often within a network various members specialise in varying fields, industries or disciplines. This can lead to additional work through referrals.

CPD and training – organising training by network offers more flexibility to custom make the course, attendees, and location, while gaining cost reductions.

2. Don’t underestimate the value of your work

I was lucky enough to be shown early in my practice life (by a client!) that the value of your work is not the time it took to put together the relevant documents and submit them to the appropriate authority. Rather, and more importantly, your fee should reflect the time, effort, knowledge and experience you have gained over the years which gives you the technical and practical knowhow. For a lot of practitioners, our work revolves around solving problems or doing work our clients do not have the time, knowledge, skill or experience to do. Make sure the price you put on your work adequately reflects value to both you and your client.

3. Stock control - record your time

How often do we criticize clients for inadequate stock control and yet how many of us, particularly partners, do not record our time? We sell time. Fact. And yet quite often we have no control over it. There are many good CRM packages available to practitioners offering time recording systems with simple reporting facilities. Invest in one and use it. It will pay for itself, and then some. Find the discipline to record your time, every day.

4. Organise your time and stick to it!

As the saying goes – “Failing to plan is planning to fail.” If I were to pick one thing that will make a difference, it’s time management. This is crucial to creating and maintaining an easy (easier) practice life. Plan, systemise where possible, and stay on top of:

The annual return and compliance review - do this when it comes in or as it falls due;

Anti-money laundering compliance;

Engagement letters;

Practice housekeeping – A Chartered Accountant I know, who runs a very successful practice, has developed the habit of spending the first hour of his day, every day, without fail, on practice housekeeping. And his success is testament that it works;

CPD and your CPD record;

Staff mentoring records.

5. Embrace technology and update your software regularly

Efficiencies leading to higher profitability and better cash-flow can be achieved with regular investment in software and technology. Incorporate this cost as an ongoing overhead.

6. Value your staff

I’m sure this is not the first time you have been told this, but your staff are your most valuable asset. “We are only ever as good as the people around us”. Invest in your staff. The cost of losing an experienced staff member goes far beyond the financial cost. Added to that, a new staff member will take at least six months to become comfortable and familiar with the position. The cost of this should never be underestimated. Invest in training, talk to your staff openly and regularly (maybe over a nice lunch) about the things that make a difference to their enjoyment of the position, and it’s not always about salary. Particularly in the current environment, taking care of your staff should be a high priority.

7. Self-care

In the words of Stephen Covey (The 7 habits of highly effective people) – “sharpen the saw”. Take care of yourself, your health, your mental health and your private life. As a practitioner, the pressure to develop, to stay up to date technically, meet deadlines, manage staff, and still live your life can sometimes be overwhelming, not to mention managing the expectations of clients. We carry a huge responsibility. So take time out regularly and routinely to take care of yourself.

8. Get involved in your Institute

For some members “The Institute” may seem like an anonymous entity from which they can feel somewhat disconnected. But the Institute has many more facets than members realise and offers many valuable services. In addition to the staff, many member volunteers are lobbying and working away for the interests of its members. Volunteers are always required in many areas. The benefit of involvement and having an active role is that you can help shape and change the world in which you work, influence policy and changes in legislation, education, membership and many other areas. And as an added bonus, involvement gives you a sense of belonging to the Institute of which you are a member.

9. Agree fees upfront and in writing

When you make this routine a habit, it is second only to time recording in revolutionising your practice, your fee recovery and your cash flow. It focuses your mind in identifying exactly what service is required, what the client is willing to pay for that service, and the timing of when you will get paid. It opens the doors for a discussion on what work the client wants done, and identifies any work they are willing to do themselves. Make a list of the steps involved in the work and use this as a template to assist in the conversation. The benefit is that it saves a lot of stress and bad feeling when you think you’ve done a great job only to find that the client does not appreciate it and is unwilling to pay for it.

Orla McGahan is the principal of McGahan and Co, and is a member of the Members in Practice Committee of Chartered Accountants Ireland.

Dec 01, 2018
Business law

Jeremy Twomey writes:

With autumn’s arrival, it is timely to look back at the key events thus far in 2018 that have impacted accountancy practitioners. As in previous years, regulatory and legislative change has continued apace, including:

The General Data Protection Regulation (GDPR) came into force across Europe on 25 May, resulting in the largest change to the Irish & UK Data Privacy regimes in over a generation, with wide ranging effects on all businesses, including accountants; and

The Companies (Statutory Audits) Act 2018 was signed into Irish law in late July, with its resulting principal changes for practitioners outlined in a dedicated article in Technical Signpost below.

It is fair to say that achieving compliance with these new requirements presents a challenge for practitioners, especially so soon after the introduction of the Small and Micro Company regimes in ROI via the Companies (Accounting) Act 2017, as well as the new and separate Auditing Frameworks for Ireland and the UK early last year.

2018 has thus far also been a very busy year for the Institute’s Practice Consulting team, as we work to assist our members across the island in meeting the challenges they face. Our Training courses in the areas of Auditing, Financial Reporting and GDPR are proving particularly popular. We have developed these three courses to address the practical needs of our members, providing clear examples of how to address the issues in each respective area that both you and your clients face each day. An example from our Financial Reporting course includes how to meet the various financial statements note disclosure requirements under the Small & Micro Company regimes.
We use the experience that we have gained from numerous compliance assignments at practices over the years, together with the knowledge garnered from developing our practice aids such as Pro Forma Financial Statements, Procedures for Quality Audit (PQAs) and our recent comprehensive GDPR guidance and related templates. Marrying these with insights from the Institute’s Professional Standards Department on key regulatory compliance issues that they see at firms as part of their monitoring role, our courses help to ensure that both you, and your clients, stay ahead of emerging issues and meet your regulatory requirements. Feedback that we have received over recent months on these courses has been very positive and each carries a 3 hours CPD credit. Looking ahead, our upcoming courses during the autumn months include courses on Auditing and Financial Reporting in five regional centres across the island (Belfast, Cork, Galway, Limerick and Sligo), as well as Dublin. We typically provide both of these courses in one day at each centre, allowing participants to attend both courses, should they wish. Further details on the dates and times during November and December for each course/location, as well as booking details, are available on the Professional Development area of the Institute website. The option of availing of these three courses in-house at your firm also continues to be very much in demand. This option allows you to tailor a particular course to your firm/staff’s specific needs, while having one of our consultants provide a course at your practice is a particularly cost efficient way to meet CPD requirements for both you and your staff. One very popular example of such an in-house course over recent months is our half day GDPR consultation, where one of our team can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones. 
Other courses that we are running during October and November at the Institute include two courses focused on regulated areas. The first in late October focuses on Accounting and Auditing for Charities and Not-for-Profit Entities, while the second in late November concentrates on other Regulated Entities such as Insurance Brokers, Auctioneers, Owners’ Management Companies, Occupational Pension Schemes and Solicitors. If you are providing accounting or audit services to any of these organisations, then these courses may be for you, as we provide practical updates on the recent key changes in the standards, regulations and legislation affecting these sectors. As you prepare for the remaining busy months of the year, and indeed for 2019, it may be worthwhile taking some time now to consider your current CPD requirements and how best to tackle these needs. As ever, my colleague Conal Kennedy and I are available to contact (see contact points below) on any of your practice related training needs over the coming months.

Oct 01, 2018
Business law

Jeremy Twomey writes: Meeting General Data Protection Regulation (GDPR) compliance requirements has become a top priority for Irish businesses over recent months and accountancy practices are no different. Recognising that GDPR implementation presents both specific challenges and opportunities for accountants in practice, the Practice Consulting team has also been busy both offering advice and providing practical guidance in this area for our members. This guidance can be found at and includes the following: GDPR 8 Step Guide; Explanation of GDPR terms; GDPR Template Outline Procedures to be tailored and used by an accountancy firm; and Example paragraphs for a client engagement letter addressing GDPR and a template privacy statement.

From talking with our members in practice over recent weeks, it is evident that practitioners are at different stages on their journey to GDPR compliance. While it may appear a daunting exercise at the outset, the process of becoming GDPR ready can be broken down into a few key practical steps. With this in mind, in this article, I am going to outline the key points to achieve GDPR implementation from our 8 Step Guide:

1. Raise GDPR awareness

As a starting point on your GDPR journey, the partners and staff at your firm need to be fully aware of the Regulation, the work to be undertaken to ensure compliance, the likely problems that may arise and any budgetary implications. A basic step that can be undertaken in-house at your firm is a GDPR awareness presentation for all the staff. Your clients also have to comply with GDPR, so it is worthwhile checking that they are aware of these changes, to tell them of their GDPR obligations and how your processes may be changing. Such support may be an ‘added value’ opportunity for your firm to assist your clients.

2. Appoint someone senior to oversee the process & resource this appropriately

Your firm should appoint someone internally to take control of understanding GDPR and how it will affect your practice. It is essential that this is a senior member of staff who will take responsibility for overseeing the GDPR compliance process at your firm. While it is expected that the majority of the work in relation to meeting the requirements of GDPR can be undertaken internally, a project team may be required, which may include external support and assistance on certain issues. Hence, it is vital that reasonable funding and resources are set aside to achieve your GDPR requirements. It is currently envisaged that most accountancy firms will not be required to appoint a Data Protection Officer (DPO). It is, however, recommended that you still appoint someone to be responsible for data protection within the firm going forward, but give them a title other than DPO (e.g. “Data Privacy Lead”).

3. Review and update existing information and cyber security measures

Having comprehensive levels of information and cyber security is a key step towards building a resilient organisation and ensuring GDPR compliance. It is therefore recommended that members should review their existing security measures and update as necessary. Both controllers and processors are required under the Regulation to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks that are presented by the processing of personal information.

Such measures are described as including: Pseudonymisation and encryption of data (the use of secure portals to share documents is also of benefit); The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Detailed listings of examples of both practical physical and technical security measures to aid GDPR compliance at your firm are included in the full version of our 8 Step Guide as published on the Institute website. It is important to remember that managing cyber risk is not simply about managing data within your firm. Therefore, it becomes necessary to document the security risks from your supply chain (e.g. cloud service provider), as well as your own organisation.

4. Map your data

With the many potential pitfalls of non-compliance with GDPR, taking action to map any gaps in relation to the personal data your firm holds is critical. The first step is to get started by scoping the problem and mapping the data flows associated with your firm. It involves identifying, understanding and mapping out the data flows into and out of the organisation. As the data map evolves, you should be able to identify the flow of data, as well as gaps in required contracts and consents for processing data under the GDPR, and risks in security measures etc. that will need to be prioritised and resolved to ensure compliance.

This requirement for data mapping is quite far reaching when you think about it. A typical accountancy practice possesses the following: accounting and tax software, audit software, payroll software, practice management systems, network drives and, of course, paper accounting, tax, company secretarial and audit files. This review will also need to extend to the many individual devices on which information is stored (e.g. laptops, desktops, tablets, phones and memory sticks).

Finally, it is important to emphasise that, when completing your data mapping, GDPR compliance is only required for personal data that you hold. Company data is, for example, beyond the scope of the regulation; however, your data mapping exercise may have an added benefit of identifying efficiencies that you can implement at your firm for non-personal data as well.

5. Review your contracts with clients and suppliers

As the GDPR imposes new obligations on data controllers and data processors, you will need to make sure you understand your status and your responsibilities with regard to both client data and firm data. At the very least, firm contracts will need to be updated to reflect the requirements of the GDPR. Accountancy firms should review their existing contracts with their clients, suppliers and sub-contractors to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under the different contracts. This involves identifying which party ultimately determines the purpose and means of processing data.

It is of vital importance that you satisfy yourself that your firm is correctly assigned the role of either data controller or processor (with matching appropriate requirements/liabilities) before signing any contract with your client or supplier. Remember that entering into a contract on the wrong basis may potentially open both you and your firm to unnecessary requirements/liabilities that may be difficult to overturn.

More detailed guidance on each of these areas is included in the full 8 Step Guide, while Section 5 of our Outline Policies and Procedures provides advice on your firm’s likely status as either a Data Controller or Processor for a variety of possible assignments that you may undertake. Both of these documents can be found on the Institute website under GDPR resources.

6. Employment contracts & information for your employees

As with existing legislation in this area, under GDPR, certain information must be supplied to employees before their personal data is collected and processed by your firm. The information will typically be provided in the form of a notice to job candidates, and a further privacy policy will be supplied to successful job applicants as part of their on-boarding induction to the firm (typically included in an Employee Handbook along with other firm policies).

It is also important to remember that, for the processing of employees’ personal data, where possible, the employer should rely on performance of the employment contract as the legal basis for processing, rather than consent. Consent is a weaker legal basis for such processing, as it can for example be easily withdrawn by the data subject.

Finally, do not forget to review (and redraft as necessary) employment contracts to update any data protection references or sections to comply with GDPR.

7. Draft/update data protection policies and controls to meet the new requirements

The GDPR introduces the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR, but be in a position to prove this too. The best way to prove this is to document your data protection policies and procedures.

We suggest that your firm’s GDPR policies and procedures should include, but not be limited to, the following (Outline policies in several of these areas are included in “Outline GDPR Policies and Procedures” on our website):

Who is responsible for GDPR at your firm and what are the reporting lines?

Data Processing

Your policies in this area should detail the categories of personal data collected by your firm and the purpose for which it is collected. In addition, these policies should detail your firm’s role as a Data Controller and also instances when you act as a Data Processor, together with your responsibilities in fulfilling these roles.

Data Subject Rights

Your firm will need to have specific policies and procedures in place to ensure the rights of your data subjects are upheld under GDPR and that you have adequate processes and resources to meet the requirements of the Regulation. Specific subject rights areas requiring defined policies and procedures include: Data Subject Access Requests (DSARs); Right of erasure (Right to be forgotten); The right to restrict processing; The right to object to processing; and The right to data portability. Some of these rights may not be enforceable by the data subject where data is held under legitimate purpose.

Data Governance

Example areas of data governance to be considered for inclusion in your GDPR related policies and procedures include the following: Data Protection Impact Assessments (DPIAs), Privacy by Design and Privacy Notices, Document Retention, Security and Breaches.

8. Staff training and ongoing compliance

While not all staff will need to understand the GDPR in its entirety at your firm, each of your staff should at least be aware that data protection is an issue for everyone. For staff who do not deal with personal data, training can be limited to an annual (refresher) course on information and cyber security. On the other hand, for staff who regularly deal with personal data, training should focus on security over data, plus an awareness of the firm’s GDPR policies and procedures on a regular basis (at a minimum annually or more often if the need arises). Again this can be tailored to their particular role and responsibilities.

Ongoing testing

Testing in the areas of IT Security and other key aspects of GDPR compliance (e.g. audits of records held for constant compliance) should be formalised into a regular ongoing programme of work at your firm, as well as at outsourced providers. Cyber security is a rapidly evolving area. Meeting best practice in May 2018 does not mean you will maintain compliance over the months and years ahead; you will need to keep this area under review.

Conclusion

At first glance, the process of ensuring GDPR compliance may appear to be a massive undertaking and a drain on resources for your firm. It is important to bear in mind that most accountancy firms and small businesses are in the same boat as you, and that by breaking down the required steps into clear manageable stages as above, you too can achieve GDPR Compliance in a timely manner.

Should you need further assistance, Practice Consulting has also developed a half day consultation offering. One of our consultants can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones. If you have any questions in relation to GDPR, please feel free to contact either Conal Kennedy or myself in Practice Consulting.

Jun 01, 2018
Business Law NI

Jeremy Twomey writes: Billed as the most important change in data privacy regulation in over 20 years, and with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data Protection Regulation (GDPR) compliance has become a top priority for the majority of Irish businesses.

Over the last year, the Institute has been helping its members to prepare for GDPR in a number of ways. For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while in the last few weeks we have run a series of half day roadshows and courses in a number of towns and cities across Ireland. In addition, the Practice Consulting team has been busy preparing detailed practical guidance in this area, explaining what the changes resulting from GDPR will mean for accountants and their clients. This guidance will be available under the Knowledge Centre section of the Institute website, and is designed to answer the GDPR-related questions that members have contacted us on over recent months.

While preparing this guidance, it became evident that a number of “myths” have developed over the last couple of years surrounding the implementation of GDPR. In this article, I am going to address a few of these and try to help you ensure that you do not fall foul of these, as you prepare to achieve GDPR compliance at your firm.

Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May

With so much hype surrounding the regulation, one should remember it is not a once off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary process for organisations; 25 May is the date that GDPR will be enforced but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May of this year. GDPR will require ongoing governance of data, as organisations migrate to new systems or apply their customer data to new markets and trends. Initial compliance is the first heavy lift, but ongoing governance is the long-term reality!

All entities falling under GDPR should endeavour to be fully compliant by the implementation day, although this may not be possible in all instances. In such circumstances it is important that you address the essential elements of compliance at your firm as soon as possible, and can demonstrate your ongoing efforts in this regard in a comprehensive documented plan of work.

Myth 2 - GDPR is only for large firms, a small accountancy practice or company is not expected to have the time or resources to achieve compliance

You will have to comply with GDPR, regardless of your size, if you process personal data. Small accountancy practices do not escape the demands of compliance. GDPR needs to be prioritised by all firms, regardless of size. The vast majority of businesses across Ireland are small businesses and it is important to remember these firms often process a lot of personal data, and their data protection reputation and liability risks are just as real as for larger entities.

Myth 3 - With Brexit, entities located in the UK, including Northern Ireland, will not have to comply with GDPR

GDPR will apply to all EEA countries and any individual or organisations trading with them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK individuals & organisations must ensure compliance with the new regime by then. The British government has confirmed that the UK’s decision to leave the EU following Brexit will not affect the commencement of GDPR. Post Brexit, it is envisaged that if a UK organisation or individual processes personal data, then they will have to do this in accordance with GDPR. To ensure that the UK will be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through Parliament in London) incorporates all of the GDPR.

Myth 4 - GDPR is a completely new approach to Data Protection

It is vital to remember that GDPR builds upon the existing legislation in this area. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last twenty years or so. As a result of these changes, consumers’ privacy and data were no longer as well protected as they could be. GDPR rectifies this by increasing the responsibility on organisations to use personal data appropriately and to hold it securely.

Although GDPR is not a completely new approach, it is more stringent in its application and the fines for non-compliance have been considerably increased. This means that doing nothing is not an option, although GDPR does allow organisations to take a risk based approach, based on your size and circumstances.

Many organisations struggle to assess where they should start in preparing for GDPR. It is helpful to remember that we have had data protection legislation in both the UK and the Republic of Ireland for a number of decades and therefore, firms who have taken data protection compliance seriously are already in good shape for beginning to meet GDPR’s increased compliance standards.

Myth 5 - GDPR is just more bureaucracy and work for small firms, with no potential benefits

When legislation of this nature is announced, one can take either a positive or negative view of the task at hand. If you take a negative view, you will see GDPR as more bureaucracy and cost to your firm. If you take a positive view, on the other hand, you will view GDPR as a necessary strengthening of the rights of individuals, and indeed a potential opportunity.

As accountants position themselves as strategic advisers to clients, GDPR is also an opportunity for firms to demonstrate to clients that they can securely hold and process information in accordance with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals with whom they can partner to drive their business forward. Therefore, being a leader in this area may enhance your practice and its reputation.

In addition, as trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start. Chartered Accountants in practice can help these small businesses bridge the gap to GDPR compliance and, in the process, win new business.

Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm

There is no quick fix to GDPR compliance. No one piece of software or outsourced service provider is going to provide everything you need to comply with GDPR. For accountancy practices, GDPR will impact on how you manage and store data across your entire firm (e.g. client, prospective client, contact, supplier and staff data). You cannot outsource your responsibility for this information, and compliance with GDPR will require considerable time and preparation from all levels within your practice. With the implementation date of 25 May approaching quickly, it is important to start sooner rather than later on this.

Myth 7 - GDPR only applies to Digital Processing

Under GDPR, data processing covers both automated personal data and manual filing systems. Manual/paper records are included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are probably included, but ad hoc paper files may not be. Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records held.

Myth 8 - Under GDPR, accountants will only be seen as Data Processors and hence avoid much of the responsibility that falls on Data Controllers in this new regulation

The UK Information Commissioner’s Office (ICO) has previously advised that it considers that an accountancy firm providing accountancy services acts as a data controller. The firm’s status as a data controller in relation to clients arises because the firm has flexibility over the manner in which it provides services to its clients and will not be simply acting on their instructions. In addition to this, the firm has its own professional responsibilities regarding record-keeping and confidentiality. Therefore, because an accountant “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients.

Under GDPR, member firms will also be data controllers with regard to their firm data (e.g. employee information). If there is any doubt regarding your status as a processor or controller in relation to your firm’s activities, you should take legal advice. Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms as appropriate.

No doubt, for many accounting practitioners, much work remains to be done to fully meet GDPR compliance requirements. Between now and the end of May, firms new to the process will need to examine their existing data processing, review their data protection policies, procedures & controls, and identify any gaps that need to be addressed. Following on from this, firms will need to implement any changes required in a structured documented manner to meet the needs of GDPR and continue to show full compliance long after the implementation date.

The Institute will continue to assist members on your GDPR compliance journey, with ongoing updates to our available guidance in this area and, should you have a specific query in this area, please feel free to contact the Practice Consulting Team.

Feb 01, 2018
Financial Reporting

Conal Kennedy writes: In the past few years, accountants in practice have had to deal with a wave of change that has washed over them, including the new accounting frameworks in the UK and Republic of Ireland. In both jurisdictions, small and micro company regimes have been introduced which are generally welcome, but like any change in standards, can present challenges in just getting it right first time.

In Practice Consulting we have given assistance and support to a large number of members and firms as they applied the new frameworks. Most of the firms that we have encountered have been successful in the transition process. However, we thought that you would be interested in a list of some of the more common issues that we have encountered, with a view to avoiding them, of course! OK, so here’s what we have observed…

Directors’ remuneration disclosures. In ROI, including the directors’ remuneration information on the face of the profit and loss account does not mean it can be omitted from the abridged financial statements. Section 353 of the Companies (Accounting) Act (‘2017 Act’) specifically requires this information to be included in the abridged financial statements filed with the CRO.

Mixing and matching. Care should be taken when early adopting the ‘specified provision’ of the 2017 Act. For instance, we came across some ROI companies preparing statutory financial statements under the small companies regime but using the old abridging rules.

Departure from FRS 102 or Company Law. This is expected to be rare and only to arise in very unusual circumstances. We have seen instances where preparers departed from legislation or standards to account for relatively straightforward transactions and balances.

Non-disclosure of critical accounting judgements and estimates. FRS 102, when applied in full, requires these to be disclosed in the notes to the financial statements. Section 1A of FRS 102 encourages entities applying the small companies regime to disclose critical accounting judgements (but not estimates). We have seen cases where these disclosures were omitted altogether, or where standard boilerplate wording was used, not reflecting the circumstances of the preparing entity.

Connected entity or connected person loans. Under FRS 102, loans which are interest free or are low interest may be required to be classified as financing transactions and valued at the present value of future payments discounted at a market rate of interest if they are due after more than one year. This is a difficult area and some preparers have struggled to apply the accounting standard correctly. In some instances, a loan whose terms were undocumented was mistakenly treated as being due after more than one year. A loan whose terms are undocumented may be considered to be repayable on demand, notwithstanding the intentions of the parties to repay it over a longer period. The solution: if the loan is repayable on demand, then, unless there is an impairment issue, it should be carried at the original transaction price with no adjustment, and as an amount due in less than one year. In ROI, reference may also need to be made to the Evidential Provisions in Sections 236 and 237 of the Companies Act. See also the new concession applying to small entities for loans from persons who are within a director’s group of close family members (including the director), when that group contains at least one shareholder in the entity - for details, please see the Amendments to FRS 102 publication issued by FRC in December 2017 (this publication is also mentioned later in Technical Signpost).

We hope that this article will prove useful in identifying issues. Naturally, it is not a comprehensive list, in part because we have concentrated on errors which are completely new and particular to the new frameworks. The article has been written in general terms, and should be viewed as a pointer towards issues that may have been overlooked and should not be relied upon.

Feb 01, 2018
