
News

Business law

Eight steps to mastering GDPR

Jeremy Twomey writes: Meeting General Data Protection Regulation (GDPR) compliance requirements has become a top priority for Irish businesses over recent months and accountancy practices are no different. Recognising that GDPR implementation presents both specific challenges and opportunities for accountants in practice, the Practice Consulting team has also been busy both offering advice and providing practical guidance in this area for our members. This guidance can be found at https://www.charteredaccountants.ie/knowledge-centre/guidance/gdpr/gdpr-resources and includes the following:

  • GDPR 8 Step Guide;
  • Explanation of GDPR terms;
  • GDPR Template Outline Procedures to be tailored and used by an accountancy firm; and
  • Example paragraphs for a client engagement letter addressing GDPR and a template privacy statement.

From talking with our members in practice over recent weeks, it is evident that practitioners are at different stages on their journey to GDPR compliance. While it may appear a daunting exercise at the outset, the process of becoming GDPR ready can be broken down into a few key practical steps. With this in mind, in this article, I am going to outline the key points to achieve GDPR implementation from our 8 Step Guide:

1. Raise GDPR awareness

As a starting point on your GDPR journey, the partners and staff at your firm need to be fully aware of the Regulation, the work to be undertaken to ensure compliance, the likely problems that may arise and any budgetary implications. A basic step that can be undertaken in-house at your firm is a GDPR awareness presentation for all the staff.

Your clients also have to comply with GDPR, so it is worthwhile checking that they are aware of these changes, to tell them of their GDPR obligations and how your processes may be changing. Such support may be an ‘added value’ opportunity for your firm to assist your clients.

2. Appoint someone senior to oversee the process & resource this appropriately

Your firm should appoint someone internally to take control of understanding GDPR and how it will affect your practice. It is essential that this is a senior member of staff who will take responsibility for overseeing the GDPR compliance process at your firm. While it is expected that the majority of the work in relation to meeting the requirements of GDPR can be undertaken internally, a project team may be required, which may include external support and assistance on certain issues. Hence, it is vital that reasonable funding and resources are set aside to achieve your GDPR requirements.

It is currently envisaged that most accountancy firms will not be required to appoint a Data Protection Officer (DPO). It is, however, recommended that you still appoint someone to be responsible for data protection within the firm going forward, but give them a title other than DPO (e.g. “Data Privacy Lead”).

3. Review and update existing information and cyber security measures

Having comprehensive levels of information and cyber security is a key step towards building a resilient organisation and ensuring GDPR compliance. It is therefore recommended that members should review their existing security measures and update as necessary. Both controllers and processors are required under the Regulation to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks that are presented by the processing of personal information.

Such measures are described as including:

  • Pseudonymisation and encryption of data (the use of secure portals to share documents is also of benefit);
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Detailed listings of examples of both practical physical and technical security measures to aid GDPR compliance at your firm are included in the full version of our 8 Step Guide as published on the Institute website.

It is important to remember that managing cyber risk is not simply about managing data within your firm. Therefore, it becomes necessary to document the security risks from your supply chain (e.g. cloud service provider), as well as your own organisation.

4. Map your data

With the many potential pitfalls of non-compliance with GDPR, taking action to map any gaps in relation to the personal data your firm holds is critical. The first step is to get started by scoping the problem and mapping the data flows associated with your firm. It involves identifying, understanding and mapping out the data flows into and out of the organisation. As the data map evolves, you should be able to identify the flow of data, as well as gaps in required contracts and consents for processing data under the GDPR, and risks in security measures etc. that will need to be prioritised and resolved to ensure compliance.

This requirement for data mapping is quite far reaching when you think about it. A typical accountancy practice possesses the following: accounting and tax software, audit software, payroll software, practice management systems, network drives and, of course, paper accounting, tax, company secretarial and audit files. This review will also need to extend to the many individual devices on which information is stored (e.g. laptops, desktops, tablets, phones and memory sticks).

Finally, it is important to emphasise that, when completing your data mapping, GDPR compliance is only required for personal data that you hold. Company data is, for example, beyond the scope of the regulation; however, your data mapping exercise may have an added benefit of identifying efficiencies that you can implement at your firm for non-personal data as well.

5. Review your contracts with clients and suppliers

As the GDPR imposes new obligations on data controllers and data processors, you will need to make sure you understand your status and your responsibilities with regard to both client data and firm data. At the very least, firm contracts will need to be updated to reflect the requirements of the GDPR.

Accountancy firms should review their existing contracts with their clients, suppliers and sub-contractors to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under the different contracts. This involves identifying which party ultimately determines the purpose and means of processing data.

It is of vital importance that you satisfy yourself that your firm is correctly assigned the role of either data controller or processor (with matching appropriate requirements/liabilities) before signing any contract with your client or supplier. Remember that entering into a contract on the wrong basis may potentially open both you and your firm to unnecessary requirements/liabilities that may be difficult to overturn.

More detailed guidance on each of these areas is included in the full 8 Step Guide, while Section 5 of our Outline Policies and Procedures provides advice on your firm’s likely status as either a Data Controller or Processor for a variety of possible assignments that you may undertake. Both of these documents can be found on the Institute website under GDPR resources.

6. Employment contracts & information for your employees

As with existing legislation in this area, under GDPR, certain information must be supplied to employees before their personal data is collected and processed by your firm. The information will typically be provided in the form of a notice to job candidates, and a further privacy policy will be supplied to successful job applicants as part of their on-boarding induction to the firm (typically included in an Employee Handbook along with other firm policies).

It is also important to remember that, for the processing of employees’ personal data, where possible, the employer should rely on performance of the employment contract as the legal basis for processing, rather than consent. Consent is a weaker legal basis for such processing, as it can, for example, be easily withdrawn by the data subject.

Finally, do not forget to review (and redraft as necessary) employment contracts to update any data protection references or sections to comply with GDPR.

7. Draft/update data protection policies and controls to meet the new requirements

The GDPR introduces the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR, but be in a position to prove this too. The best way to prove this is to document your data protection policies and procedures.

We suggest that your firm’s GDPR policies and procedures should include, but not be limited to, the following (outline policies in several of these areas are included in “Outline GDPR Policies and Procedures” on our website):

Who is responsible for GDPR at your firm and what are the reporting lines?

Data Processing

Your policies in this area should detail the categories of personal data collected by your firm and the purpose for which it is collected. In addition, these policies should detail your firm’s role as a Data Controller and also instances when you act as a Data Processor, together with your responsibilities in fulfilling these roles.

Data Subject Rights

Your firm will need to have specific policies and procedures in place to ensure the rights of your data subjects are upheld under GDPR and that you have adequate processes and resources to meet the requirements of the Regulation. Specific subject rights areas requiring defined policies and procedures include:

  • Data Subject Access Requests (DSARs);
  • Right of erasure (Right to be forgotten);
  • The right to restrict processing;
  • The right to object to processing; and
  • The right to data portability.

Some of these rights may not be enforceable by the data subject where data is held under legitimate purpose.

Data Governance

Example areas of data governance to be considered for inclusion in your GDPR related policies and procedures include the following: Data Protection Impact Assessments (DPIAs), Privacy by Design and Privacy Notices, Document Retention, Security and Breaches.

8. Staff training and ongoing compliance

While not all staff will need to understand the GDPR in its entirety at your firm, each of your staff should at least be aware that data protection is an issue for everyone. For staff who do not deal with personal data, training can be limited to an annual (refresher) course on information and cyber security.

On the other hand, for staff who regularly deal with personal data, training should focus on security over data, plus an awareness of the firm GDPR policies and procedures on a regular basis (at a minimum annually or more often if the need arises). Again, this can be tailored to their particular role and responsibilities.

Ongoing testing

Testing in the areas of IT Security and other key aspects of GDPR compliance (e.g. audits of records held for constant compliance) should be formalised into a regular ongoing programme of work at your firm, as well as outsourced providers. Cyber security is a rapidly evolving area. Meeting best practice in May 2018 does not mean you will maintain compliance over the months and years ahead; you will need to keep this area under review.

Conclusion

At first glance, the process of ensuring GDPR compliance may appear to be a massive undertaking and a drain on resources for your firm. It is important to bear in mind that most accountancy firms and small businesses are in the same boat as you, and that by breaking down the required steps into clear manageable stages as above, you too can achieve GDPR compliance in a timely manner.

Should you need further assistance, Practice Consulting has also developed a half day consultation offering. One of our consultants can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones.

If you have any questions in relation to GDPR, please feel free to contact either Conal Kennedy or myself in Practice Consulting.

Jun 01, 2018
Business Law NI

GDPR – The truth and the myths

Jeremy Twomey writes: Billed as the most important change in data privacy regulation in over 20 years, and with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data Protection Regulation (GDPR) compliance has become a top priority for the majority of Irish businesses.

Over the last year, the Institute has been helping its members to prepare for GDPR in a number of ways. For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while in the last few weeks we have run a series of half day roadshows and courses in a number of towns and cities across Ireland. In addition, the Practice Consulting team has been busy preparing detailed practical guidance in this area, explaining what the changes resulting from GDPR will mean for accountants and their clients. This guidance will be available under the Knowledge Centre section of the Institute website, and is designed to answer the GDPR-related questions that members have contacted us on over recent months.

While preparing this guidance, it became evident that a number of “myths” have developed over the last couple of years surrounding the implementation of GDPR. In this article, I am going to address a few of these and try to help you ensure that you do not fall foul of these, as you prepare to achieve GDPR compliance at your firm.

Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May

With so much hype surrounding the regulation, one should remember it is not a once off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary process for organisations; 25 May is the date that GDPR will be enforced but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May of this year.

GDPR will require ongoing governance of data, as organisations migrate to new systems or apply their customer data to new markets and trends. Initial compliance is the first heavy lift, but ongoing governance is the long-term reality!

All entities falling under GDPR should endeavour to be fully compliant by the implementation day, although this may not be possible in all instances. In such circumstances it is important that you address the essential elements of compliance at your firm as soon as possible, and can demonstrate your ongoing efforts in this regard in a comprehensive documented plan of work.

Myth 2 - GDPR is only for large firms, a small accountancy practice or company is not expected to have the time or resources to achieve compliance

You will have to comply with GDPR, regardless of your size, if you process personal data. Small accountancy practices do not escape the demands of compliance. GDPR needs to be prioritised by all firms, regardless of size. The vast majority of businesses across Ireland are small businesses and it is important to remember these firms often process a lot of personal data, and their data protection reputation and liability risks are just as real as for larger entities.

Myth 3 - With Brexit, entities located in the UK, including Northern Ireland, will not have to comply with GDPR

GDPR will apply to all EEA countries and any individuals or organisations trading with them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK individuals & organisations must ensure compliance with the new regime by then. The British government has confirmed that the UK’s decision to leave the EU following Brexit will not affect the commencement of GDPR.

Post Brexit, it is envisaged that if a UK organisation or individual processes personal data, then they will have to do this in accordance with GDPR. To ensure that the UK will be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through Parliament in London) incorporates all of the GDPR.

Myth 4 - GDPR is a completely new approach to Data Protection

It is vital to remember that GDPR builds upon the existing legislation in this area. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last twenty years or so. As a result of these changes, consumers’ privacy and data were by now not as well protected as they could be. GDPR rectifies this by increasing the responsibility on organisations to use personal data appropriately and to hold it securely.

Although GDPR is not a completely new approach, it is more stringent in its application and the fines for non-compliance have been considerably increased. This means that doing nothing is not an option, although GDPR does allow organisations to take a risk based approach, based on your size and circumstances.

Many organisations struggle to assess where they should start in preparing for GDPR. It is helpful to remember that we have had data protection legislation in both the UK and the Republic of Ireland for a number of decades and therefore, firms who have taken data protection compliance seriously are already in good shape for beginning to meet GDPR’s increased compliance standards.

Myth 5 - GDPR is just more bureaucracy and work for small firms, with no potential benefits

When legislation of this nature is announced, one can take either a positive or negative view of the task at hand. If you take a negative view, you will see GDPR as more bureaucracy and cost to your firm. If you take a positive view, on the other hand, you will view GDPR as a necessary strengthening of the rights of individuals, and indeed a potential opportunity.

As accountants position themselves as strategic advisers to clients, GDPR is also an opportunity for firms to demonstrate to clients that they can securely hold and process information in accordance with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals with whom they can partner to drive their business forward. Therefore, being a leader in this area may enhance your practice and its reputation.

In addition, as trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start. Chartered Accountants in practice can help these small businesses bridge the gap to GDPR compliance and, in the process, win new business.

Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm

There is no quick fix to GDPR compliance. No one piece of software or outsourced service provider is going to provide everything you need to comply with GDPR. For accountancy practices, GDPR will impact on how you manage and store data across your entire firm (e.g. client, prospective client, contact, supplier and staff data). You cannot outsource your responsibility for this information, and compliance with GDPR will require considerable time and preparation from all levels within your practice. With the implementation date of 25 May approaching quickly, it is important to start sooner rather than later on this.

Myth 7 - GDPR only applies to Digital Processing

Under GDPR, data processing covers both automated personal data and manual filing systems. Manual/paper records are included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are probably included, but ad hoc paper files may not be.

Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records held.

Myth 8 - Under GDPR, accountants will only be seen as Data Processors and hence avoid much of the responsibility that falls on Data Controllers in this new regulation

The UK Information Commissioner’s Office (ICO) has previously advised that it considers that an accountancy firm providing accountancy services acts as a data controller. The firm’s status as a data controller in relation to clients arises because the firm has flexibility over the manner in which it provides services to its clients and will not be simply acting on their instructions. In addition to this, the firm has its own professional responsibilities regarding record-keeping and confidentiality. Therefore, because an accountant “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients.

Under GDPR, member firms will also be data controllers with regard to their firm data (e.g. employee information). If there is any doubt regarding your status as a processor or controller in relation to your firm’s activities, you should take legal advice. Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms as appropriate.

No doubt, for many accounting practitioners, much work remains to be done to fully meet GDPR compliance requirements. Between now and the end of May, firms new to the process will need to examine their existing data processing, review their data protection policies, procedures & controls, and identify any gaps that need to be addressed. Following on from this, firms will need to implement any changes required in a structured documented manner to meet the needs of GDPR and continue to show full compliance long after the implementation date.

The Institute will continue to assist members on your GDPR compliance journey, with ongoing updates to our available guidance in this area and, should you have a specific query in this area, please feel free to contact the Practice Consulting Team.

Feb 01, 2018
Financial Reporting

Early experience of applying the new accounting frameworks

Conal Kennedy writes: In the past few years, accountants in practice have had to deal with a wave of change that has washed over them, including the new accounting frameworks in the UK and Republic of Ireland. In both jurisdictions, small and micro company regimes have been introduced which are generally welcome, but like any change in standards, can present challenges in just getting it right first time.

In Practice Consulting we have given assistance and support to a large number of members and firms as they applied the new frameworks. Most of the firms that we have encountered have been successful in the transition process. However, we thought that you would be interested in a list of some of the more common issues that we have encountered, with a view to avoiding them, of course!

OK, so here’s what we have observed…

Directors’ remuneration disclosures. In ROI, including the directors’ remuneration information on the face of the profit and loss account does not mean it can be omitted from the abridged financial statements. Section 353 of the Companies (Accounting) Act (‘2017 Act’) specifically requires this information to be included in the abridged financial statements filed with the CRO.

Mixing and matching. Care should be taken when early adopting the ‘specified provision’ of the 2017 Act. For instance, we came across some ROI companies preparing statutory financial statements under the small companies regime but using the old abridging rules.

Departure from FRS 102 or Company Law. This is expected to be rare and only to arise in very unusual circumstances. We have seen instances where preparers departed from legislation or standards to account for relatively straightforward transactions and balances.

Non-disclosure of critical accounting judgements and estimates. FRS 102, when applied in full, requires these to be disclosed in the notes to the financial statements. Section 1A of FRS 102 encourages entities applying the small companies regime to disclose critical accounting judgements (but not estimates). We have seen cases where these disclosures were omitted altogether, or where standard boilerplate wording was used, not reflecting the circumstances of the preparing entity.

Connected entity or connected person loans. Under FRS 102, loans which are interest free or are low interest may be required to be classified as financing transactions and valued at the present value of future payments discounted at a market rate of interest if they are due after more than one year. This is a difficult area and some preparers have struggled to apply the accounting standard correctly. In some instances, a loan whose terms were undocumented was mistakenly treated as being due after more than one year. A loan whose terms are undocumented may be considered to be repayable on demand, notwithstanding the intentions of the parties to repay it over a longer period. The solution: if the loan is repayable on demand, then, unless there is an impairment issue, it should be carried at the original transaction price with no adjustment, and as an amount due in less than one year. In ROI, reference may also need to be made to the Evidential Provisions in Sections 236 and 237 of the Companies Act. See also the new concession applying to small entities for loans from persons who are within a director’s group of close family members (including the director), when that group contains at least one shareholder in the entity - for details, please see the Amendments to FRS 102 publication issued by FRC in December 2017 (this publication is also mentioned later in Technical Signpost).

We hope that this article will prove useful in identifying issues. Naturally, it is not a comprehensive list in part because we have concentrated on errors which are completely new and particular to the new frameworks. The article has been written in general terms, and should be viewed as a pointer towards issues that may have been overlooked and should not be relied upon.

Feb 01, 2018
Practice and Business Improvement

Practice link

Conal Kennedy writes: For many years we in Practice Consulting have assisted members to buy, sell and merge their practices. During the recession years, and for some time afterwards, there was very little activity, but in recent times we have been receiving more enquiries and helping more practices.

A firm with a recurring fee base has a value based primarily on its goodwill. It is usually preferable to arrange succession from within a practice, but in the absence of this, a sole practitioner approaching retirement age might consider realising the value of the firm by selling the goodwill to a growing practice. There are other circumstances where a practitioner may be interested in selling their practice. On the other hand, many practices have informed us of their intent to purchase, if an opportunity arises. In other cases practices may come together by way of acquisition or merger in order to pool resources and leverage the benefits of increased size and more diverse skillsets.

Many mid-sized practices would be interested in offering a senior position or partnership to a dynamic sole practitioner. This possibility might be of interest to a member who has set up in practice relatively recently. The member has found that he or she has the ability to run a business and acquire clients, but the pressures of being entirely alone are just too much.

This profession is a people business and in any deal, the human element is always crucial. More important than top line valuations is the ability to trust your counterparty, to establish open communication and a good working relationship.

The value of a practice still tends to be based on a multiple of its fee income and the classic 1:1 ratio of recurring fees to practice value is the starting point of many conversations. That said, buyers and sellers should be aware of the changes and pressures arising in recent years due to market forces. The general skill shortage in the profession means that the staff of the practice may be the most important element in judging the inherent value of the practice. Specific purchasers may be interested in purchasing a niche practice with clients that fit specific criteria.

There is any number of ways to structure the deal. If a capital sum changes hands, then this may be paid in stages over time. There may be a clawback based on clients who do not transfer. Separate arrangements need to be made to deal with WIP and debtors that are outstanding at the date of transfer. In general every aspect can be varied by either party to suit the circumstances of the deal.

Practice Consulting assists practices to come together. We work in complete confidence. If you are interested in discussing any of the matters in this article, please contact Conal Kennedy Tel: 00 353 1 6377396 or Jeremy Twomey Tel: 00 353 1 6373972.

Dec 01, 2017
Practice and Business Improvement

Making the Chartered brand work for your firm

Claire Percy writes: Members consistently tell us that “protecting and promoting the Chartered brand” is one of the key services that Chartered Accountants Ireland can provide to them. Often, this feedback relates to student recruitment and the continuity of the profession. However, it is also critical in terms of helping consumers, employers and business decision-makers understand the value of choosing a Chartered Accountant.

The Institute supports the brand year-long across all its services and through a range of promotional activities. This includes the annual brand advertising campaign, “Make Sure your Accountant is a Chartered Accountant”, which is currently running. The key message of the campaign is that businesses can have confidence in the training, standards and experience of Chartered Accountants in every sector. This “confidence” message is being carried across radio, press and online. This year, in order to maximise the local benefit to our firms and members nationwide, a number of regional innovations have been introduced, with regional press and radio in use alongside national outlets.

In order to connect the advertising even more directly with our network of 1,500+ practices around the island, the campaign is also supplemented by a direct mail initiative. All firms should by now have received a pack containing two high-quality window vinyls for use on their office windows or doors. The purpose of this is to promote visibility of the recently-refreshed Institute logo on the high street. This will help consumers link the advertising message to their own local Chartered Accountant – and create a “multiplier effect” that builds the confidence message for all members. The pack also provides access to co-branded marketing materials and gives links to download logos for use on firms’ own websites and promotional materials. There was also an online competition to win a table at this year’s annual dinner – simply by showing the Chartered logo in action.

The design of this campaign was greatly assisted by the input of the Members in Practice committee and Strategic Communications committee. We are very keen to hear wider feedback, and in particular may look at offering a more permanent signage option in future. Please take a look at www.charteredaccountants.ie/Brand for more information or to get in touch with feedback on the campaign or how we can assist you to make the Chartered brand work for your firm.

Dec 01, 2017
Professional Standards

Common matters arising on PSD monitoring inspections

The Professional Standards Department (PSD) Quality Assurance Team has recently compiled a list of common matters arising on audit and investment business inspection visits, which are set out below. Please note that, where PSD returns to firms that have had a relatively recent visit, it conducts follow-up procedures to ensure that the firm has taken action to address matters raised at the previous visit.

Audit Inspections

Financial Reporting

Firms need to perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework which, in recent years, has been substantially changed by the introduction of FRS 100-105 and amendments to company law. PSD found that, for the most part, firms had adequately addressed the requirements of FRS 102 and, in RoI, the Companies Act 2014 (‘CA 2014’) through the use of checklists. However, non-application of FRS 102 by audit clients was sometimes not identified. Firms should ensure that their audit procedures to assess the appropriateness and completeness of disclosures are up to date for the relevant financial reporting regimes.

Certain common omissions were identified:

  • Statement of Changes in Equity or Statement of Cash Flows, where relevant;
  • Significant judgements and key sources of estimation uncertainty in relation to amounts recognised in the financial statements (FRS 102 s8.6-8.7);
  • Where relevant, material uncertainties related to events or conditions that cast significant doubt upon the entity’s ability to continue as a going concern (FRS 102 s3.8-3.9);
  • The measurement basis (or bases) used for financial instruments and the other accounting policies used for financial instruments that are relevant to an understanding of the financial statements (FRS 102 s11.40);
  • Disclosures relating to creditors required by CA 2014 Schedule 3, such as terms of payment/repayment and the rate of any interest payable on debts.

(N.B. The specific FRS 102-related matters noted above relate to financial statements prepared in accordance with the full requirements of FRS 102 and may not be relevant to financial statements where the small/micro companies regime is applied.)

International Education Standard (IES) 8 (Revised)

IES 8 Professional Competence for Engagement Partners Responsible for Audits of Financial Statements (Revised) was issued by the International Accounting Education Standards Board (IAESB) in December 2014 and is effective from 1 July 2016. Its objective is to establish the professional competence that professional accountants develop and maintain when performing the role of an Engagement Partner. During an audit monitoring visit, the inspector will make enquiries to assess whether a firm is familiar with IES 8 (Revised), including consideration of the learning outcomes which are listed in Table A to the Standard. Firms can obtain a copy of IES 8 (Revised) at: http://www.ifac.org/system/files/publications/files/IAESB-IES-8.pdf

Investment Business inspections

Investment Business (IB) inspections carried out by PSD over the last few years had focused on firms holding IB1/IB2 authorisation. However, PSD is now conducting an increased number of IB inspections to firms holding all levels of IB authorisation, including a sample of firms holding IA1/IA2 authorisation. Firms should be mindful of, and ensure they address, the following matters:

Investment business procedures (IBR 2.56)

All authorised firms are required to establish and maintain adequate written investment business procedures. These should include managing conflicts of interest, maintaining ‘Chinese Walls’ and the consequences of breaching them, along with the handling of errors and complaints. A firm must adequately train its principals carrying on investment business and its employees using these procedures.

Training (IBR 2.60)

Authorised firms must make arrangements to ensure that principals and employees involved in investment business maintain an appropriate level of competence and comply with Institute CPD requirements. Firms authorised in Category IA2 and above must make arrangements to ensure compliance with the Central Bank Minimum Competency Code, which has recently been updated. A copy of the Code can be obtained on the Central Bank of Ireland’s website.

Investment Business Compliance Review (IBR 2.58)

An authorised firm must carry out an Investment Business Compliance Review (IBCR) at least annually. PSD found that, for some firms, an annual IBCR had not been carried out, or did not include a whole firm review, a review of accounting records and a sample of client files. Some IBCRs did not identify different types of IB advice provided by the firm or non-compliance with the IBRs. Corrective action was not always taken in a timely manner.

Engagement letters (IBR 3.19-3.20)

PSD found that some firms did not have an engagement letter in place, or the letter had not been agreed with the client prior to investment business advice being provided, as required by IBR 3.19, or did not include the minimum details required by IBR 3.20.

Commission consent and disclosure (IBR 3.30-3.32)

If a firm receives commission it must account to the client for that commission, and both the terms (%) of the commission and the amount (€/£) must be disclosed. In cases where the firm retains the commission, it must have the client’s written consent to do so. Consent to retain commission can be obtained in the client engagement letter. The Quality Assurance Committee views non-compliance with commission consent and disclosure requirements very seriously.

Section 30 receipts (IBR 4.44-4.46)

Firms must issue receipts when they receive client premiums or investment business clients’ money. Details of what must be included on the receipt are specified in IBR 4.45.

Other matters

Firms should ensure that they are aware of their category of IB authorisation and the limits of that category.

  • Category IA2 is required to hold client premiums;
  • Category IB2 is required to hold investment business clients’ money; and
  • If handling or holding client premiums or investment business clients’ money, the firm must appoint an independent accountant and submit an independent accountant’s report to the Institute.

Carrying on investment business, when not authorised to do so, is an offence under the Act. Firms may wish to review their category of investment business authorisation and assess whether it is suitable for their needs. Firms should refer to Schedule 1 to Chapter 1 of the IBRs for activities which may be undertaken under the various categories.

For further details on the above matters, please look out for PSD’s forthcoming Regulatory Bulletin. For advice or support on the above matters, firms may contact, in strict confidence, the Practice Consulting Team, which is independent of the Professional Standards Department.

Oct 01, 2017
Financial Reporting

Reporting to third parties

Michael McAllister writes: Chartered Accountants Ireland often receives requests from members for clarification on how to deal with confirmation requests from third parties, such as banks or other funders, concerning client matters. For example, a bank may request some form of confirmation regarding a proposed loan. Usually there is no obligation on accountants and auditors to provide the reports/assurances being sought, as they are not bound by arrangements between clients and third parties to which they were not party. However, accountants may come under pressure from lenders and funders, and wish to assist their clients wherever possible.

The general principles that need to be applied when members are asked for these confirmation requests are set out in ‘Miscellaneous Technical Statement M39 – Reporting to third parties’ (M39). The main steps in the process that should be followed are:

  • Determine who will rely on the accountants’ work and for what purpose;
  • Consider the form of report requested by the third party;
  • Agree the work to be performed and the form of report to be given;
  • Agree appropriate terms of engagement;
  • Perform the work; and
  • Report.

It is advisable that appropriate engagement terms are agreed at the commencement of the engagement for providing such reports, in order to avoid disagreements with the client or the third party regarding the form of the report that is needed, and to ensure sufficient time for the work to be completed and the report to be given.

Confirmation requests often take the form of a standard form for the accountant to complete and sign. The Institute advises members to avoid signing such forms where they incorporate a broad and open-ended statement confirming the client’s ability and/or willingness to repay borrowings. Sometimes, the assurance being sought is of a legal nature, in which case it should either be a matter for the third party’s own lawyers, or contact should be made with the client’s legal advisers.

Should you agree to provide any form of report to a third party, Appendix 2 of M39 provides some examples of types of wording or opinions that are “unacceptable”. Accountants are advised against using language such as “we certify”, “correct”, “accurate” or “we have ensured” since it implies a level of certainty which cannot necessarily be given. The Institute also advises against the use of words such as “we verify” or “certificate”. Notable other examples in M39 include “true and fair” opinions (other than with regard to the auditor’s opinion on financial statements), opinions that are open-ended or that are beyond the professional competence, knowledge and experience of the accountant. Appendix 2 also advises against providing qualifications to the report in a covering letter – such qualifications should be included in the main body of the report.

The Representation & Technical Policy Department has recently issued TR 11/2016 ‘Third Party– Letters of Confirmation’ (which replaces IS 01/2005 ‘Bank of Scotland (Ireland) – Letter of serviceability’). This provides a pro-forma wording for a letter to a third party in connection with a request for confirmation that members may use instead of a standard form. It is confined to confirming some factual information that the accountant is in a position to stand over and may be amended to suit particular situations.

Another common area is that of grant claims, the subject of ‘Miscellaneous Technical Statement M45 – Grant Claims’ (M45). The usual scenario is that a claim for payment under a previously approved grant must be accompanied by an independent accountant’s report. M45 highlights matters on which accountants cannot provide meaningful assurance, such as whether expenditure was incurred on an “arm’s length basis” or non-accounting criteria such as engineering specifications. Sometimes, the agency issuing the grant asks for confirmation on whether the expenditure claimed has been the subject of another grant claim. It is unlikely that the accountant will be in a position to provide such an assurance.

M45 includes an example accountant’s report at Appendix C. The opinion is worded as follows: “Based on the procedures set out above, in our opinion, the statement of grant claim attached dated [date] is consistent with the records we inspected and has been prepared, in all material respects, in accordance with the requirements set out in the letter of offer or grant agreement dated [date]”. It should be noted that the opinion does not “certify” anything. Instead, it provides an opinion based on the conclusions of work carried out by the accountant, in accordance with the principles explained above. M45 also provides a recommended work programme and model terms of engagement.

M45 was produced in conjunction with several agencies in the Republic of Ireland, but the principles set out therein should be applied to all accountant’s reports on grant claims. However, members should note that, for grant claims from Invest NI, ‘Information Sheet IS 02/2009 - Invest NI Grant Claims’ sets out a proforma engagement letter and several example pro forma reports. Reports to Invest NI should be worded in accordance with this document rather than M45.

Members are advised to read the abovementioned documents in full, which are available on CHARIOT at www.charteredaccountants.ie

Dec 01, 2016
© Copyright Chartered Accountants Ireland 2020. All Rights Reserved.