It’s a lot easier to identify problems in hindsight when one knows what went wrong than to appreciate the risk in real-time. By Cormac Lucey About once a year, I dine with three friends from my training days. As you can imagine, the discussion is always high-powered and elevated. Well, some of the time it is. At our last dinner, I asked a question of someone who works in a senior position at AIB Group: how many people does he think there are on planet earth that have completely read and comprehended the most recent AIB annual report? We reckoned the answer might be about 10 people, at least half of them connected to AIB. I fear that more and more work is spent preparing and auditing financial statements as fewer and fewer people read and comprehend them. Increasingly, people working on financial statements must feel like those at ground control in David Bowie’s ‘Space Oddity’ as they wonder whether anyone is listening to their signals. As a personal investor, I am increasingly concerned that, in reading financial statements, there may be some detail whose importance I have failed to appreciate. Recent events at Datalex provide a cautionary tale. A cautionary tale Between summer 2017 and January of this year, the company’s share price gradually lost value (from about €4 to €2.50). On 15 January, the company made an abrupt announcement that “the board has revised its guidance for adjusted EBITDA for FY 2018 and now expects to report an adjusted EBITDA loss in the range of -$4m to -$1m”. This was shocking, as the company had generated an EBITDA of $13.6 million in 2017 and $11.6 million the year before. The share price fell to €1. The directors commented that “a substantial element of the revised guidance reflects changes in the timing of recognition by the Group of certain contracted revenue. Most of this revenue, not recognised in 2018, will be recognised in 2019 and 2020”. A later company statement in March declared that an external review by PwC had “identified significant accounting irregularities during the period as the underlying cause for the Group’s overstatement of revenues, noting material weaknesses in the internal control environment; the Group’s accounting process in this area has been largely manual…” Other signs I wondered whether the auditors had missed something. The 2017 annual report suggests they didn’t. First, EY had correctly identified revenue recognition as the largest audit risk. Second, they had “communicated to the audit committee that the revenue recognition and Accrued Income process for professional services projects is manual”. Third, they had reported that “the Group’s largest project increased significantly during the year and, as a result, there was a heightened degree of subjectivity applied by management in determining an appropriate percentage of completion calculation for this project”. It would have been very easy for a reader of the 2017 financials to pass over these comments without appreciating their eventual significance. Were there other signs that might have raised attention?  If revenue was being overstated, we would expect receivables to grow disproportionately. That is indeed what happened. At the end of 2016, Datalex’s trade receivables (including accrued income) amounted to 87 days of sales. By December 2017, this had grown to 114 days. That substantial rise was entirely due to an increase in the balance owed by “Customer A”. On top of that, some 31.12.2017 accrued income was recorded as a non-current asset, something that hadn’t occurred the previous year. Recording income that the firm doesn’t expect to receive for more than 12 months raises questions. It’s a lot easier to identify these matters in hindsight, when one knows what went wrong, than to conclude in real-time that they represented an important signal, rather than mere noise. Cormac Lucey FCA is an economic commentator and lecturer at Chartered Accountants Ireland.

The FAE Core curriculum is undergoing significant changes in order to maintain the Irish  ACA’s global reputation for excellence. By Ronan O'Loughlin   Members and students will be aware of the significant technological changes impacting on the work and careers of Chartered Accountants. It isn’t just the technological changes that are significant, but the increasing pace of change. Against this backdrop, the Institute’s Education Training and Lifelong Learning Board (Education Board) and Exam Committees have been adapting and enhancing the ACA curriculum to meet these challenges. This article outlines the changes to the FAE Core examination, which will be rolled out from autumn 2019. From a practical perspective, this can be viewed as a first step and will be further enhanced in the years ahead. The journey At a global level, the profession is paying significant attention to the impact of technology on the education needs of students and qualified accountants. Technology is impacting what we learn, how we learn and how we are assessed. The skillsets of Chartered Accountants must be further developed to cope with these changes. The Institute launched a new syllabus in 2018, which featured new FAE electives. These are: the Public Sector elective, which is aimed at students working or advising in this sector; the Financial Services elective, which is targeted at students training in the Financial Services sector; and the Advisory elective. With the other existing Audit and Tax electives, students now have a choice of five electives. This innovative structure recognises the changing nature of the work of the profession and in the case of those working in practice, the increasing importance of Advisory in particular. The 2018/9 structure is summarised in Table 1. Students completing FAE must complete FAE Core and one elective. This structure is unique amongst our reciprocity partners and supports a level of pre-qualification specialisation. All electives can be completed at the time of qualification and additional electives can be completed post-qualification to support career changes. The Education Board and the relevant examination committees are also mindful of the work currently underway with our reciprocity partners in the Global Accounting Alliance, which will frame the skillsets and requirements that will be necessary for Chartered Accountants in the future. This work will conclude in 2019 and will inform the new reciprocity agreements, which will be rolled out in the years ahead. In the meantime, the FAE Core syllabus will be further developed in anticipation of likely reciprocity developments and emerging technological developments. This will be rolled out in 2019/20. Changes to the FAE Core syllabus The Core syllabus is being restructured, with a reduction in modules from five to four (see Table 2). This new structure reflects a desire to create ‘space’ for the new material and to better reflect the changes in our key training firms and organisations. These changes include an increased focus on advisory work and the re-framing of audit practice. There are a number of reasons for these changes: Financial Reporting in terms of syllabus requirements remains as before; it is a key skill for all Chartered Accountants. The slight change in weighting reflects its importance. Assessment will take place within the Core exam and, separately, in an interim Advanced Application of Financial Reporting Principles (AAFRP) assessment; Strategic Management and Leadership contains the areas of strategy (analysis, choice and implementation), as before, with the addition of the Strategic Finance Management Accounting (SFMA) topics previously examined under a separate heading. In terms of the SFMA topics, the focus will be on dealing with the key strategic aspects of these topics; Data Analytics, Artificial Intelligence and Emerging Technologies represent new material, which reflects the current and emerging technological developments that will impact businesses and clients of Chartered Accountants. The topic covers data analytics, with particular reference to determining the data set and its integrity and the interpretation of the outcome of the data analysis. Artificial intelligence will be explored, given its significant impact on business processes. The Emerging Technologies focus specifically on blockchain and cryptocurrency developments, which are creating significant new opportunities for the processing of financial information. The aim is to ensure that newly qualified Chartered Accountants are equipped to understand these developments and their impact on their clients and employers; and Risk Management and Sustainability focuses on the area of audit process, risk management and internal control rather than the traditional external audit focus. Extended coverage of audit and assurance will occur in the Audit Elective. Other new topics include professional scepticism, sustainability and integrated reporting. This rebalancing reflects the evolving nature of audit and the emergence of topics that are altering the role of today’s Chartered Accountant. Feedback received We shared these developments recently with our students and other stakeholders, and the feedback was fully supportive. Students recognise that these developments will future-proof their careers and enhance their career prospects. One recently admitted member said: “I wish I was completing the FAE in 2020”. These changes are just the first step in the planned evolution of our syllabus to reflect the ongoing rapid changes in technology. The education programme in 2019/20 will be supported by a suite of new learning materials. Other changes In addition to the FAE Core changes, a new e-assessment platform will be launched on a pilot basis at CAP1 level. The initial pilot will be conducted in 2019/20 and will be limited to the CAP1 interim assessments and Law. If successful, it will be expanded to all of CAP1 and all interim assessments from CAP1, CAP2 and FAE in 2020/21 and to all CAP1, CAP2 and FAE assessments in 2021/22.  The new platform allows students to complete their exam in an appropriate environment (including their home) with an online live moderation of their exam by an invigilator supported by artificial intelligence. This replaces the current online double entry examination and will include a new CAP1 Law paper and the Management Accounting interim assessment on the same platform. The new platform will not only facilitate increased security and efficiencies, but enhanced student and customer service – and it is fully GDPR compliant. It will also lay the foundation for future enhancements to the Institute’s examination offering. Conclusion The enhanced syllabus and planned developments in FAE Core and e-assessments are significant developments that seek to retain the Irish ACA’s standing in the global business landscape. This output reflects significant work and investment on the part of Chartered Accountants Ireland and forms part of a plan of continuous enhancement. Ronan O’Loughlin FCA is Director of Education and Training at Chartered Accountants Ireland.

Gary McErlean of Quarter Chartered Accountants writes: The ancient saying that change is the only constant seems to be more true today than ever before. The pace of change in the accounting world, driven by continuous technological advances, has never been swifter, or more unforgiving. As a practice which has embraced and adopted the new technologies available, we at Quarter Chartered Accountants can confidently say that this has only been advantageous. There are various Cloud Accounting Software providers such as Xero, Surf, Quickbooks, Sage 1 etc. A few years ago, we decided to invest time with Xero, and I thought it would be useful to outline some of the areas where we have benefited from significant time (and ultimately cost) savings by utilising a Cloud Accounting System. Bank reconciliations still comprise a key component of the accounting process, with staff time requirements being quite significant with bank accounts comprising high numbers of transactions. Not any more – Cloud Accounting Systems have the ability to link directly to most banks, with all underlying transactions being posted within the accounting system automatically, and on a daily basis. Granted that, although such a system automatically records every single lodgement and payment going through the bank, it doesn’t necessarily know where to post the other side of the transaction. However, all the processer needs to do is click on each item and allocate it to the relevant nominal code etc. The time required to do this is a fraction of the time required to post the bank the old fashioned way. Furthermore, the system learns, or can be told, where certain recurring items should be posted and this can also be done automatically, saving even more time. Cloud Accounting Systems also link in with lots of different mobile phone/tablet apps. For example, there are apps that allow the user to take a photograph, on their mobile phone/tablet, of supplier invoices which are then automatically posted to the Cloud Accounting system, to which the app is linked. All you have to do is approve the transaction. Based on the above, it is therefore quite conceivable for all your bank transactions and your supplier invoices to be posted to your Cloud Accounting System before you have even opened it! Another prominent feature of Cloud Accounting Systems is that they can be accessed from anywhere with an internet connection. Gone are the days when all work was carried out in the office on a 9 to 5 basis. It is becoming increasingly common for people to work from home, or on the move, and with the ability to log in to their accounting system being as equally mobile, the business finances can be processed or monitored anywhere on a real time basis. Cloud Accounting Systems provide a platform for offering a more regular reporting service to clients, which is better for the firm as well as the clients. They allow practices to develop client relations and, in our experience, leads to additional revenue streams being generated. In summary, if I was to use one word to sum up the effects of these technological advances in Cloud Computing, it would be EFFICIENCY, and, in my opinion, those that want to survive and thrive in this ever changing world of technology need to embrace it. Gary McErlean is a Principal in Quarter Chartered Accountants, and is a member of the Members in Practice Committee of the Institute. The Members in Practice Committee represents the interests of smaller practices.

The Property Services Regulatory Authority (PSRA) writes: The Property Services Regulatory Authority (PSRA) licences and regulates Auctioneers, Estate Agents, Management Agents and Letting Agents (licensees). The PSRA works to protect the interests of the public by ensuring that high standards are maintained in the delivery of property services by licensees. The PSRA considers the opinion of the Reporting Accountant, and the work leading to that opinion, on whether client moneys are managed in accordance with PSRA Client Moneys Regulations by a licensee as paramount in their assessment of licence renewal applications. In this regard, a licence renewal application must be accompanied by a signed accountant’s report relevant to the licence(s) held. The PSRA acknowledges the vital work undertaken by accountants in completing these reports effectively.   Accountants are required to review the books of account and records of the licensee and give an opinion on whether the licence holder has complied with the PSRA Client Moneys Regulations and to report where breaches of the Regulations have occurred. While the vast majority of reports received do not require the PSRA to request additional information, in some instances the PSRA is required to query the licensee’s application, including the content of the accountant’s report. By way of information, common issues encountered by the PSRA while reviewing licensees’ applications and accountant’s reports include: The most recent updated specified accountant’s report is not completed. Specified accountants reports are available at http://www.psr.ie/en/psra/pages/accountant’s_report Accountants fail to complete Section 4 of Part I of the relevant renewal accountant’s report expressing an opinion as to whether the regulations have been complied with by the licensee. Incorrect calculation of the balance on the Balancing Statement. The name of the Client Account(s) does not match exactly with the name on the relevant bank statement. A client account must be in the name of the licensee and contain the word “client” in the title. Issues of greater concern to PSRA identified in 2018 include: Liabilities to clients reduced on the balancing statement (Appendix 3A of PSRA/S35 – Renewal ABC) by deducting moneys owed in, which were intended for clients, but had not yet been received or placed in the client account. An example includes: where a licensee pays money out of the client account to a landlord in advance of receipt of rent by the licensee from the tenant. In a small number of instances this transaction is not shown as a liability on the client account by the licensee when completing the balancing statement. Before giving an opinion, the accountant should be satisfied in respect of the statement in section 3.3 of the report, namely “I have obtained the client account balancing statement(s) prepared by the Licensee as set out in Appendix 3A and checked that the information therein is in agreement with the books of account and records of the Licensee”. Liabilities to clients are not reported on the balancing statement (Appendix 3A of PSRA/S35 – Renewal ABC). Before giving an opinion, the accountant should be satisfied in respect of the statement in section 3.3 of the report as noted above. Licensee using one account for all client and business transactions. This is a breach of the Client Moneys Regulations and is required to be included by the accountant at Appendix 2 of the accountant’s report. Instances where a deficit/surplus on the client account has been identified but not addressed by the licensee, despite confirmation in Appendix 3B that funds have been paid into/withdrawn from (as appropriate) the client account by the licensee and the signed accountant’s report being submitted as part of the licence renewal application. In these instances, the PSRA has by way of follow up confirmed that in such cases outstanding monies owed have not been repaid to the client account. The PSRA encourages that you consider whether there is evidence of any of the above issues arising when completing the accountant’s reports on behalf of licensees. The PSRA acknowledges the engagement of accountants with licensees and the cooperation extended to the PSRA in addressing queries. More information regarding accountant’s reports and the PSRA in general can be found on www.psr.ie. The PSRA may be contacted on 046 9033800 or by email at info@psr.ie in relation to any query you may have when completing PSRA Accountant’s Reports. Members should refer to Technical Release (TR) 03/2018 ‘Licence applications under the Property Services (Regulation) Act 2011 and the Property Services (Regulation) Act (Client Moneys) Regulations 2012’ issued in June 2018.  

Orla McGahan writes: 1. Join a network “If you want to go fast, go alone; if you want to go far, go together.” There are 1,730 Chartered firms in practice in Ireland. Of that, around 950 are sole practitioners; and yet, there are only 40 listed networks. Even with an average of ten members per network, there are a lot of people out there going it alone. Don’t isolate yourself. The benefits of being part of a network are copious: A case study group – for those times when a case needs to be talked out.  A forum to benchmark – to benchmark fees, charge out rates, overheads, staff salaries, and so on, can be invaluable. Consider joining a network outside your geographical or competitive area if necessary.  Knowledge sharing – share experiences on dealing with Revenue, CRO and other areas. For that moment when you are just having a blank, being able to run it by a trusted colleague. Referrals – often within a network various members specialise in varying fields, industries or disciplines. This can lead to additional work through referrals. CPD and training – organising training by network offers more flexibility to custom make the course, attendees, and location, while gaining cost reductions. 2. Don’t underestimate the value of your work I was lucky enough to be shown early in my practice life (by a client!) that the value of your work is not the time it took to put together the relevant documents and submit them to the appropriate authority. But rather, and more importantly, your fee should reflect the time, effort, knowledge and experience you have gained over the years which gives you the technical and practical knowhow. For a lot of practitioners, our work revolves around solving problems or doing work our clients do not have the time, knowledge, skill or experience to do. Make sure the price you put on your work adequately reflects value to both you and your client. 3. Stock control - record your time How often do we criticize clients for inadequate stock control and yet how many of us, particularly partners, do not record our time? We sell time. Fact. And yet quite often we have no control over it. There are many good CRM packages available to practitioners offering time recording systems with simple reporting facilities. Invest in one and use it. It will pay for itself, and then some. Find the discipline to record your time, every day. 4. Organise your time and stick to it! As the saying goes – “Failing to plan is planning to fail.” If I were to pick one thing that will make a difference, it’s time management. This is crucial to creating and maintaining an easy (easier) practice life. Plan, systemise where possible, and stay on top of The annual return and compliance review - do this when it comes in or as it falls due; Anti-money laundering compliance; Engagement letters; Practice housekeeping – A Chartered Accountant I know, who runs a very successful practice, has developed the habit of spending the first hour of his day, every day, without fail, to practice housekeeping. And his success is testament that it works; CPD and your CPD record; Staff mentoring records. 5. Embrace technology and update your software regularly Efficiencies leading to higher profitability and better cash-flow can be achieved with regular investment in software and technology. Incorporate this cost as an ongoing overhead. 6. Value your staff I’m sure this is not the first time you have been told this, but your staff are your most valuable asset. “We are only ever as good as the people around us”. Invest in your staff. The cost of losing an experienced staff member goes far beyond the financial cost. Added to that, a new staff member will take at least six months to become comfortable and familiar with the position. The cost of this should never be underestimated. Invest in training, talk to your staff openly and regularly (maybe over a nice lunch) about the things that make a difference to their enjoyment of the position, and it’s not always about salary. Particularly in the current environment, taking care of your staff should be a high priority. 7. Self-care In the words of Stephen Covey (The 7 habits of highly effective people) – “sharpen the saw”. Take care of yourself, your health, your mental health and your private life. As a practitioner, the pressure to develop, to stay up to date technically, meet deadlines, manage staff, and still live your life can sometimes be overwhelming, not to mention managing the expectations of clients. We carry a huge responsibility. So take time out regularly and routinely to take care of yourself. 8. Get involved in your Institute For some members “The Institute” may seem like an anonymous entity from which they can feel somewhat disconnected. But the Institute has many more facets than members realise and offers many valuable services. In addition to the staff, many member volunteers are lobbying and working away for the interests of its members. Volunteers are always required in many areas. The benefit of involvement and having an active role is that you can help shape and change the world in which you work, influence policy and changes in legislation, education, membership and many other areas. And as an added bonus, involvement gives you a sense of belonging to the Institute of which you are a member. 9. Agree fees upfront and in writing When you make this routine a habit, it is second only to time recording in revolutionising your practice, your fee recovery and your cash flow. It focuses your mind in identifying exactly what service is required, what the client is willing to pay for that service, and the timing of when you will get paid. It opens the doors for a discussion on what work the client wants done, and identify any work they are willing to do themselves. Make a list of the steps involved in the work and use this as a template to assist in the conversation. The benefit is that it saves a lot of stress and bad feeling when you think you’ve done a great job only to find that the client does not appreciate it and is unwilling to pay for it. Orla McGahan is the principal of McGahan and Co, and is a member of the Members in Practice Committee of Chartered Accountants Ireland.  

Jeremy Twomey writes: With autumn’s arrival, it is timely to look back at the key events thus far in 2018 that have impacted accountancy practitioners. As in previous years, regulatory and legislative change has continued apace, including: The General Data Protection Regulation (GDPR) came into force across Europe on 25 May, resulting in the largest change to the Irish & UK Data Privacy regimes in over a generation, with wide ranging effects on all businesses, including accountants; and The Companies (Statutory Audits) Act 2018 was signed into Irish law in late July, with its resulting principal changes for practitioners outlined in a dedicated article in Technical Signpost below. It is fair to say that achieving compliance with these new requirements presents a challenge for practitioners, especially so soon after the introduction of the Small and Micro Company regimes in ROI via the Companies (Accounting) Act 2017, as well as the new and separate Auditing Frameworks for Ireland and the UK early last year. 2018 has thus far also been a very busy year for the Institute’s Practice Consulting team, as we work to assist our members across the island in meeting the challenges they face. Our Training courses in the areas of Auditing, Financial Reporting and GDPR are proving particular popular. We have developed these three courses to address the practical needs of our members, providing clear examples of how to address the issues in each respective area that both you and your clients face each day. An example from our Financial Reporting course includes how to meet the various financial statements note disclosure requirements under the Small & Micro Company regimes. We use the experience that we have gained from numerous compliance assignments at practices over the years, together with the knowledge garnered from developing our practice aids such as Pro Forma Financial Statements, Procedures for Quality Audit (PQAs) and our recent comprehensive GDPR guidance and related templates. Marrying these with insights from the Institute’s Professional Standards Department on key regulatory compliance issues that they see at firms as part of their monitoring role, our courses help to ensure that both you, and your clients, stay ahead of emerging issues and meet your regulatory requirements. Feedback that we have received over recent months on these courses has been very positive and each carries a 3 hours CPD credit. Looking ahead, our upcoming courses during the autumn months include courses on Auditing and Financial Reporting in five regional centres across the island (Belfast, Cork, Galway, Limerick and Sligo), as well as Dublin. We typically provide both of these courses in one day at each centre, allowing participants to attend both courses, should they wish. Further details on the dates and times during November and December for each course/location, as well as booking details, are available on the Professional Development area of the Institute website. The option of availing of these three courses in-house at your firm also continues to be very much in demand. This option allows you to tailor a particular course to your firm/staff’s specific needs, while having one of our consultants provide a course at your practice is a particularly cost efficient way to meet CPD requirements for both you and your staff. One very popular example of such an in-house course over recent months is our half day GDPR consultation, where one of our team can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones. Other courses that we are running during October and November at the Institute include two courses focused on regulated areas. The first in late October focuses on Accounting and Auditing for Charities and Not-for-Profit Entities, while the second in late November concentrates on other Regulated Entities such as Insurance Brokers, Auctioneers, Owners’ Management Companies, Occupational Pension Schemes and Solicitors. If you are providing accounting or audit services to any of these organisations, then these courses may be for you, as we provide practical updates on the recent key changes in the standards, regulations and legislation affecting these sectors. As you prepare for the remaining busy months of the year, and indeed for 2019, it may be worthwhile taking some time now to consider your current CPD requirements and how best to tackle these needs. As ever, my colleague Conal Kennedy and I are available to contact (see contact points below) on any of your practice related training needs over the coming months.

Jeremy Twomey writes: Meeting General Data Protection Regulation (GDPR) compliance requirements has become a top priority for Irish businesses over recent months and accountancy practices are no different. Recognising that GDPR implementation presents both specific challenges and opportunities for accountants in practice, the Practice Consulting team has also been busy both offering advice and providing practical guidance in this area for our members. This guidance can be found at  https://www.charteredaccountants.ie/knowledge-centre/guidance/gdpr/gdpr-resources and includes the following: GDPR 8 Step Guide; Explanation of GDPR terms; GDPR Template Outline Procedures to be tailored and used by an accountancy firm; and Example paragraphs for a client engagement letter addressing GDPR and a template privacy statement. From talking with our members in practice over recent weeks, it is evident that practitioners are at different stages on their journey to GDPR compliance. While it may appear a daunting exercise at the outset, the process of becoming GDPR ready can be broken down into a few key practical steps. With this in mind, in this article, I am going to outline the key points to achieve GDPR implementation from our 8 Step Guide: 1.  Raise GPPR awareness As a starting point on your GDPR journey, the partners and staff at your firm need to be fully aware of the Regulation, the work to be undertaken to ensure compliance, the likely problems that may arise and any budgetary implications. A basic step that can be undertaken in-house at your firm is a GDPR awareness presentation for all the staff. Your clients also have to comply with GDPR, so it is worthwhile checking that they are aware of these changes, to tell them of their GDPR obligations and how your processes may be changing. Such support may be an ‘added value’ opportunity for your firm to assist your clients. 2.  Appoint someone senior to oversee the process & resource this appropriately Your firm should appoint someone internally to take control of understanding GDPR and how it will affect your practice. It is essential that this a senior member of staff who will take responsibility for overseeing the GDPR compliance process at your firm. While it is expected that the majority of the work in relation to meeting the requirements of GDPR can be undertaken internally, a project team may be required, which may include external support and assistance on certain issues. Hence, it is vital that reasonable funding and resources are set aside to achieve your GDPR requirements. It is currently envisaged that most accountancy firms will not be required to appoint a Data Protection Officer (DPO). It is, however, recommended that you still appoint someone to be responsible for data protection within the firm going forward, but give them a title other than DPO (i.e. “Data Privacy Lead”). 3.  Review and update existing information and cyber security measures Having comprehensive levels of information and cyber security is a key step towards building a resilient organisation and ensuring GDPR compliance. It is therefore recommended that members should review their existing security measures and update as necessary. Both controllers and processors are required under the Regulation to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks that are presented by the processing of personal information. Such measures are described as including: Pseudonymisation and encryption of data (The use of secure portals to share documents is also of benefit); The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and A process for regularly testing, accessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Detailed listings of examples of both practical physical and technical security measures to aid GDPR compliance at your firm are included in the full version of our 8 Step Guide as published on the Institute website. It is important to remember that managing cyber risk is not simply about managing data within your firm. Therefore, it becomes necessary to document the security risks from your supply chain (e.g. cloud service provider), as well as your own organisation. 4.  Map your data With the many potential pitfalls of non-compliance to GDPR, taking action to map any gaps in relation to the personal data your firm holds is critical. The first step is to get started by scoping the problem and mapping the data flows associated with your firm. It involves identifying, understanding and mapping out the data flows into and out of the organisation. As the data map evolves, you should be able to identify the flow of data, as well as gaps in required contracts and consents for processing data under the GDPR, and risks in security measures etc. that will need to be prioritised and resolved to ensure compliance. This requirement for data mapping is quite far reaching when you think about it. A typical accountancy practice possesses the following: accounting and tax software, audit software, payroll software, practice management systems, network drives and, of course, paper accounting, tax, company secretarial and audit files. This review will also need to extend to the many individual devices on which information is stored (e.g. laptops, desktops, tablets, phones and memory sticks). Finally, it is important to emphasise that, when completing your data mapping, GDPR compliance is only required for personal data that you hold. Company data is, for example, beyond the scope of the regulation, however your data mapping exercise may have an added benefit of identifying efficiencies that you can implement at your firm for non-personal data as well. 5.  Review your contracts with clients and suppliers As the GDPR imposes new obligations on data controllers and data processors, you will need to make sure you understand your status and your responsibilities with regard to both client data and firm data. At the very least, firm contracts will need to be updated to reflect the requirements of the GDPR. Accountancy firms should review their existing contracts with their clients, suppliers and sub-contractors to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under the different contracts. This involves identifying which party ultimately determines the purpose and means of processing data. It is of vital importance that you satisfy yourself that your firm is correctly assigned the role of either data controller or processor (with matching appropriate requirements/liabilities) before signing any contract with your client or supplier. Remember that entering into a contract on the wrong basis may potentially open both you and your firm to unnecessary requirements/liabilities that may be difficult to overturn. More detailed guidance on each of these areas is included in the full 8 Step Guide, while Section 5 of our Outline Policies and Procedures provides advice on your firm’s likely status as either a Data Controller or Processor for a variety of possible assignments that you may undertake. Both of these documents can be found on the Institute website under GDPR resources. 6.  Employment contracts & information for your employees As with existing legislation in this area, under GDPR, certain information must be supplied to employees before their personal data is collected and processed by your firm. The information will typically be provided in the form of a notice to job candidates, and a further privacy policy will be supplied to successful job applicants as part of their on-boarding induction to the firm (typically included in an Employee Handbook along with other firm policies). It is also important to remember that, for the processing of employees’ personal data, where possible, the employer should rely on performance of the employment contract as the legal basis for processing, rather than consent. Consent is a weaker legal basis for such processing, as it can for example be easily withdrawn by the data subject Finally, do not forget to review (and redraft as necessary) employment contracts to update any data protection references or sections to comply with GDPR. 7.  Draft/update data protection policies and controls to meet the new requirements The GDPR introduces the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR, but be in a position to prove this too. The best way to prove this is to document your data protection policies and procedures. We suggest that your firm’s GDPR policies and procedures should include, but not be limited to, the following (Outline policies in several of these areas are included in “Outline GDPR Policies and Procedures” on our website): Who is responsible for GDPR at your firm and what are the reporting lines? Data Processing Your policies in this area should detail the categories of personal data collected by your firm and the purpose for which it is collected. In addition, these policies should detail your firm’s role as a Data Controller and also instances when you act as a Data Processor, together with your responsibilities in fulfilling these roles. Data Subject Rights Your firm will need to have specific policies and procedures in place to ensure the rights of your data subjects are upheld under GDPR and that you have adequate processes and resources to meet the requirements of the Regulation. Specific subject rights areas requiring defined policies and procedures include: Data Subject Access Requests (DSARs); Right of erasure (Right to be forgotten); The right to restrict processing; The right to object to processing; and The right to data portability Some of these rights may not be enforceable by the data subject where data is held under legitimate purpose.   Data Governance Example areas of data governance to be considered for inclusion in your GDPR related policies and procedures include the following: Data Protection Impact Assessments (DPIAs), Privacy by Design and Privacy Notices, Document Retention, Security and Breaches. 8.  Staff training and ongoing compliance While not all staff will need to understand the GDPR in its entirety at your firm, each of your staff should at least be aware that data protection is an issue for everyone. For staff who do not deal with personal data, training can be limited to an annual (refresher) course on information and cyber security. On the other hand, for staff who regularly deal with personal data, training should focus on security over data, plus an awareness of the firm GDPR policies and procedures on a regular basis (at a minimum annually or more often if the need arises). Again this can be tailored to their particular role and responsibilities. Ongoing testing Testing in the areas of IT Security and other key aspects of GDPR compliance (e.g. audits of records held for constant compliance) should be formalised into a regular ongoing programme of work at your firm, as well as outsourced providers. Cyber security is a rapidly evolving area. Meeting best practice in May 2018 does not mean you will maintain compliance over the months and years ahead; you will need to keep this area under review. Conclusion At first glance, the process to ensuring GDPR compliance may appear to be a massive undertaking and a drain on resources for your firm. It is important to bear in mind that most accountancy firms and small businesses are in the same boat as you, and that by breaking down the required steps into clear manageable stages as above, you too can achieve GDPR Compliance in a timely manner. Should you need further assistance, Practice Consulting has also developed a half day consultation offering. One of our consultants can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones. If you have any question in relation to GDPR, please feel free to contact either Conal Kennedy or myself in Practice Consulting.

Jeremy Twomey writes: Billed as the most important change in data privacy regulation in over 20 years, and with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data Protection Regulation (GDPR) compliance has become a top priority for the majority of Irish businesses. Over the last year, the Institute has been helping its members to prepare for GDPR in a number of ways. For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while in the last few weeks we have run a series of half day roadshows and courses in a number of towns and cities across Ireland. In addition, the Practice Consulting team has been busy preparing detailed practical guidance in this area, explaining what the changes resulting from GDPR will mean for accountants and their clients. This guidance will be available under the Knowledge Centre section of the Institute website, and is designed to answer the GDPR-related questions that members have contacted us on over recent months. While preparing this guidance, it became evident that a number of “myths” have developed over the last couple of years surrounding the implementation of GDPR. In this article, I am going to address a few of these and try to help you ensure that you do not fall foul of these, as you prepare to achieve GDPR compliance at your firm. Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May With so much hype surrounding the regulation, one should remember it is not a once off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary process for organisations; 25 May is the date that GDPR will be enforced but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May of this year. GDPR will require ongoing governance of data, as organisations migrate to new systems or apply their customer data to new markets and trends. Initial compliance is the first heavy lift, but ongoing governance is the long-term reality! All entities falling under GDPR should endeavour to be fully compliant by the implementation day, although this may not be possible in all instances. In such circumstances it is important that you address the essential elements of compliance at your firm as soon as possible, and can demonstrate your ongoing efforts in this regard in a comprehensive documented plan of work. Myth 2 - GDPR is only for large firms, a small accountancy practice or company is not expected to have the time or resources to achieve compliance You will have to comply with GDPR, regardless of your size, if you process personal data. Small accountancy practices do not escape the demands of compliance. GDPR needs to be prioritised by all firms, regardless of size. The vast majority of businesses across Ireland are small businesses and it is important to remember these firms often process a lot of personal data, and their data protection reputation and liability risks are just as real as for larger entities. Myth 3 - With Brexit, entities located in the UK, including Northern Ireland, will not have to comply with GDPR GDPR will apply to all EEA countries and any individual or organisations trading with them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK individuals & organisations must ensure compliance with the new regime by then. The British government has confirmed that the UK’s decision to leave the EU following Brexit will not affect the commencement of GDPR. Post Brexit, it is envisaged that if a UK organisation or individual processes personal data, then they will have to do this in accordance with GDPR. To ensure that the UK will be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through Parliament in London) incorporates all of the GDPR. Myth 4 - GDPR is a completely new approach to Data Protection It is vital to remember that GDPR builds upon the existing legislation in this area. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last twenty years or so. As a result of these changes, consumers’ privacy and data were not by now as well protected as they could be. GDPR rectifies this by increasing the responsibility on organisations to use personal data appropriately and to hold it securely. Although GDPR is not a completely new approach, it is more stringent in its application and the fines for non-compliance have been considerably increased. This means that doing nothing is not an option, although GDPR does allow organisations to take a risk based approach, based on your size and circumstances. Many organisations struggle to assess where they should start in preparing for GDPR. It is helpful to remember that we have had data protection legislation in both the UK and the Republic of Ireland for a number of decades and therefore, firms who have taken data protection compliance seriously are already in good shape for beginning to meet GDPR’s increased compliance standards. Myth 5 - GDPR is just more bureaucracy and work for small firms, with no potential  benefits When legislation of this nature is announced, one can take either a positive or negative view of the task at hand. If you take a negative view, you will see GDPR as more bureaucracy and cost to your firm. If you take a positive view, on the other hand, you will view GDPR as a necessary strengthening of the rights of individuals, and indeed a potential  opportunity. As accountants position themselves as strategic advisers to clients, GDPR is also an opportunity for firms to demonstrate to clients that they can securely hold and process information in accordance with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals with whom they can partner to drive their business forward. Therefore, being a leader in this area may enhance your practice and its reputation. In addition, as trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start. Chartered Accountants in practice can help these small businesses bridge the gap to GDPR compliance and, in the process, win new business. Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm There is no quick fix to GDPR compliance. No one piece of software or outsourced service provider is going to provide everything you need to comply with GDPR. For accountancy practices, GDPR will impact on how you manage and store data across your entire firm (e.g. client, prospective client, contact, supplier and staff data). You cannot outsource your responsibility for this information, and compliance with GDPR will require considerable time and preparation from all levels within your practice. With the implementation date of 25 May approaching quickly, it is important to start sooner rather than later on this. Myth 7 - GDPR only applies to Digital Processing Under GDPR, data processing covers both automated personal data and manual filing systems. Manual/paper records are included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are probably included, but ad hoc paper files may not be. Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records held. Myth 8 - Under GDPR, accountants will only be seen as Data Processors and hence avoid much of the responsibility that falls on Data Controllers in this new regulation The UK Information Commissioner’s Office (ICO) has previously advised that it considers that an accountancy firm providing accountancy services acts as a data controller. The firm’s status as a data controller in relation to clients arises because the firm has flexibility over the manner in which it provides services to its clients and will not be simply acting on their instructions. In addition to this, the firm has its own professional responsibilities regarding record-keeping and confidentiality. Therefore, because an accountant “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients. Under GDPR, member firms will also be data controllers with regard to their firm data (e.g. employee information). If there is any doubt regarding your status as a processor or controller in relation to your firm’s activities, you should take legal advice. Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms as appropriate. No doubt, for many accounting practitioners, much work remains to be done to fully meet GDPR compliance requirements. Between now and the end of May, firms new  to the process will need to examine their existing data processing, review their data protection policies, procedures & controls, and identify any gaps that need to be addressed. Following on from this, firms will need to implement any changes required in a structured documented manner to meet the needs of GDPR and continue to show full compliance long after the implementation date. The Institute will continue to assist members on your GDPR compliance journey, with ongoing updates to our available guidance in this area and, should you have a specific query in this area, please feel free to contact the Practice Consulting Team.

Conal Kennedy writes: In the past few years, accountants in practice have had to deal with a wave of change that has washed over them, including the new accounting frameworks in the UK and Republic of Ireland. In both jurisdictions, small and micro company regimes have been introduced which are generally welcome, but like any change in standards, can present challenges in just getting it right first time. In Practice Consulting we have given assistance and support to a large number of members and firms as they applied the new frameworks. Most of the firms that we have encountered have been successful in the transition process. However, we thought that you would be interested in a list of some of the more common issues that we have encountered, with a view to avoiding them, of course! OK, so here’s what we have observed… Directors’ remuneration disclosures. In ROI, including the directors’ remuneration information on the face of the profit and loss account does not mean it can be omitted from the abridged financial statements.  Section 353 of the Companies (Accounting) Act (‘2017 Act’) specifically requires this information to be included in the abridged financial statements filed with the CRO. Mixing and matching. Care should be taken when early adopting the ‘specified provision’ of the 2017 Act. For instance, we came across some ROI companies preparing statutory financial statements under the small companies regime but using the old abridging rules. Departure from FRS 102 or Company Law. This is expected to be rare and only to arise in very unusual circumstances.  We have seen instances where preparers departed from legislation or standards to account for relatively straightforward transactions and balances. Non-disclosure of critical accounting judgements and estimates. FRS 102, when applied in full, requires these to be disclosed in the notes to the financial statements.  Section 1A of FRS 102 encourages entities applying the small companies regime to disclose critical accounting judgements (but not estimates).  We have seen cases where these disclosures were omitted altogether, or where standard boilerplate wording was used, not reflecting the circumstances of the preparing entity. Connected entity or connected person loans. Under FRS 102, loans which are interest free or are low interest may be required to be classified as financing transactions and valued at the present value of future payments discounted at a market rate of interest if they are due after more than one year. This is a difficult area and some preparers have struggled to apply the accounting standard correctly. In some instances, a loan whose terms were undocumented was mistakenly treated as being due after more than one year. A loan whose terms are undocumented may be considered to be repayable on demand, notwithstanding the intentions of the parties to repay it over a longer period. The solution: if the loan is repayable on demand, then, unless there is an impairment issue, it should be carried at the original transaction price with no adjustment, and as an amount due in less than one year. In ROI, reference may also need to be made to the Evidential Provisions in Sections 236 and 237 of the Companies Act. See also the new concession applying to small entities for loans from persons who are within a director’s group of close family members (including the director), when that group contains at least one shareholder in the entity - for details, please see the Amendments to FRS 102 publication issued by FRC in December 2017 (this publication is also mentioned later in Technical Signpost). We hope that this article will prove useful in identifying issues. Naturally, it is not a comprehensive list in part because we have concentrated on errors which are completely new and particular to the new frameworks. The article has been written in general terms, and should be viewed as a pointer towards issues that may have been overlooked and should not be relied upon.

Conal Kennedy writes: For many years we in Practice Consulting have assisted members to buy, sell and merge their practices. During the recession years, and for some time afterwards, there was very little activity, but in recent times we have been receiving more enquiries and helping more practices. A firm with a recurring fee base has a value based primarily on its goodwill. It is usually preferable to arrange succession from within a practice, but in the absence of this, a sole practitioner approaching retirement age might consider realising the value of the firm by selling the goodwill to a growing practice. There are other circumstances where a practitioner may be interested in selling their practice. On the other hand, many practices have informed us of their intent to purchase, if an opportunity arises. In other cases practices may come together by way of acquisition or merger in order to pool resources and leverage the benefits of increased size and more diverse skillsets. Many mid-sized practices would be interested in offering a senior position or partnership to a dynamic sole practitioner. This possibility might be of interest to a member who has set up on practice relatively recently. The member has found that he or she has the ability to run a business and acquire clients, but the pressures of being entirely alone are just too much. This profession is a people business and in any deal, the human element is always crucial. More important than top line valuations is the ability to trust your counterparty, to establish open communication and a good working relationship. The value of a practice still tends to be based on a multiple of its fee income and the classic 1:1 ratio of recurring fees to practice value is the starting point of many conversations. That said, buyers and sellers should be aware of the changes and pressures arising in recent years due to market forces. The general skill shortage in the profession means that the staff of the practice may be the most important element in judging the inherent value of the practice. Specific purchasers may be interested in purchasing a niche practice with clients that fit specific criteria. There is any number of ways to structure the deal. If a capital sum changes hands, then this may be based paid in stages over time. There may be a clawback based on clients who do not transfer. Separate arrangements need to be made to deal with WIP and debtors that are outstanding at the date of transfer. In general every aspect can be varied by either party to suit the circumstances of the deal. Practice Consulting assists practices to come together. We work in complete confidence. If you are interested discussing any of the matters in this article, please contact Conal Kennedy Tel: 00 353 1 6377396 or Jeremy Twomey  Tel: 00 353 1 6373972.

Claire Percy writes: Members consistently tell us that “protecting and promoting the Chartered brand” is one of the key services that Chartered Accountants Ireland can provide to them. Often, this feedback relates to student recruitment and the continuity of the profession. However it is also critical in terms of helping consumers, employers and business decision-makers understand the value of choosing a Chartered Accountant. The Institute supports the brand year-long across all its services and through a range of promotional activities. This includes the annual brand advertising campaign, “Make Sure your Accountant is a Chartered Accountant”, which is currently running. The key message of the campaign is that businesses can have confidence in the training, standards and experience of Chartered Accountants in every sector. This “confidence” message is being carried across radio, press and online. This year, in order to maximise the local benefit to our firms and members nationwide, a number of regional innovations have been introduced, with regional press and radio in use alongside national outlets. In order to connect the advertising even more directly with our network of 1,500+ practices around the island, the campaign is also supplemented by a direct mail initiative. All firms should by now have received a pack containing two high-quality window vinyls for use on their offices windows or doors. The purpose of this is to promote visibility of the recently-refreshed Institute logo on the high street. This will help consumers link the advertising message to their own local Chartered Accountant – and create a “multiplier effect” that builds the confidence message for all members. The pack also provides access to co-branded marketing materials and gives links to download logos for use on firms’ own websites and promotional materials. There was also an online competition to win a table at this year’s annual dinner – simply by showing the Chartered logo in action. The design of this campaign was greatly assisted by the input of the Members in Practice committee and Strategic Communications committee. We are very keen to  hear wider feedback, and in particular may look at offering a more permanent signage option in future. Please take a look at www.charteredaccountants.ie/Brand for more information or to get in touch with feedback on the campaign or how we can assist you to make the Chartered brand work for your firm.  

The Professional Standards Department (PSD) Quality Assurance Team has recently compiled a list of common matters arising on audit and investment business inspection visits, which are set out below. Please note that, where PSD returns to firms that have had a relatively recent visit, it conducts follow-up procedures to ensure that the firm has taken action to address matters raised at the previous visit. Audit Inspections Financial  Reporting Firms need to perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework which, in recent years, has been substantially changed by the introduction of FRS 100-105 and amendments to company law. PSD found that, for the most part, firms had adequately addressed the requirements of FRS 102 and, in RoI, the Companies Act 2014 (‘CA 2014’) through the use of checklists. However, non-application of FRS 102 by audit clients was sometimes not identified. Firms should ensure that their audit procedures to assess the appropriateness and completeness of disclosures are up to date for the relevant financial reporting regimes. Certain common omissions were identified: Statement of Changes in Equity or Statement of Cash Flows, where relevant; Significant judgements and key sources of estimation uncertainty in relation to amounts recognised in the financial statements (FRS 102 s8.6-8.7); Where relevant, material uncertainties related to events or conditions that cast significant doubt upon the entity’s ability to continue as a going concern (FRS 102 s3.8-3.9); The measurement basis (or bases) used for financial instruments and the other accounting policies used for financial instruments that are relevant to an understanding of the financial statements (FRS 102 s11.40); Disclosures relating to creditors required by CA 2014 Schedule 3, such as terms of payment/repayment and the rate of any interest payable on debts. (N.B.The specific FRS 102-related matters noted above relate to financial statements prepared in accordance with the full requirements of FRS 102 and may not be relevant to financial statements where the small/micro companies regime is applied.) International Education Standard (IES) 8 (Revised) IES 8 Professional Competence for Engagement Partners Responsible for Audits of Financial Statements (Revised) was issued by the International Accounting Education Standards Board (IAESB) in December 2014 and is effective from 1 July 2016. Its objective is to establish the professional competence that professional accountants develop and maintain when performing the role of an Engagement Partner. During an audit monitoring visit, the inspector will make enquiries to assess whether a firm is familiar with IES 8 (Revised), including consideration of the learning outcomes which are listed in Table A to the Standard. Firms can obtain a copy of IES 8 (Revised) at: http://www.ifac.org/system/files/publications/files/IAESB-IES-8.pdf Investment Business inspections Investment Business (IB) inspections carried out by PSD over the last few years had focused on firms holding IB1/IB2 authorisation. However, PSD is now conducting an increased number of IB inspections to firms holding all levels of IB authorisation, including a sample of firms holding IA1/IA2 authorisation. Firms should be mindful of, and ensure they address, the following  matters Investment business procedures (IBR 2.56) All authorised firms are required to establish and maintain adequate written investment business procedures. These should include managing conflicts of interest, maintaining ‘Chinese Walls’ and the consequences of breaching them, along with the handling of errors and complaints. A firm must adequately train its principals carrying on investment business and its employees using these procedures. Training (IBR 2.60) Authorised firms must make arrangements to ensure that principals and employees involved in investment business maintain an appropriate level of competence and comply with Institute CPD requirements. Firms authorised in Category IA2 and above must make arrangements to ensure compliance with the Central Bank Minimum Competency Code, which has recently been updated. A copy of the Code can be obtained on the Central Bank of Ireland’s website. Investment Business Compliance Review (IBR 2.58) An authorised firm must carry out an Investment Business Compliance Review (IBCR) at least annually. PSD found that, for some firms, an annual IBCR had not been carried out, or did not include a whole firm review, a review of accounting records and a sample of client files. Some IBCRs did not identify different types of IB advice provided by the firm or non-compliance with the IBRs. Corrective action was not always taken in a timely manner. Engagement letters (IBR 3.19-3.20) PSD found that some firms did not have an engagement letter in place, or the letter had not been agreed with the client prior to investment business advice being provided, as required by IBR 3.19 or did not include the minimum details required by IBR 3.20. Commission consent and disclosure (IBR 3.30-3.32) If a firm receives commission it must account to the client for that commission, and both the terms (%) of the commission and the amount (€/£) must be disclosed. In cases where the firm retains the commission, it must have the client’s written consent to do so. Consent to retain commission can be obtained in the client engagement letter. The Quality Assurance Committee views non-compliance with commission consent and disclosure requirements very seriously. Section 30 receipts (IBR 4.44-4.46) Firms must issue receipts when they receive client premiums or investment business clients’ money. Details of what must be included on the receipt are specified in IBR 4.45. Other matters Firms should ensure that they are aware of their category of IB authorisation and the limits of that category. Category IA2 is required to hold client premiums; Category IB2 is required to hold investment business clients’ money; and If handling or holding client premiums or investment business clients’ money, the firm must appoint an independent accountant and submit an independent accountant’s report to the Institute. Carrying on investment business, when not authorised to do so, is an offence under the Act. Firms may wish to review their category of investment business authorisation and assess whether it is suitable for their needs. Firms should refer to Schedule 1 to Chapter 1 of the IBRs for activities which may be undertaken under the various categories. For further details on the above matters, please look out for PSD’s forthcoming Regulatory Bulletin. For advice or support on the above matters, firms may contact, in strict confidence, the Practice Consulting Team, which is independent of the Professional Standards Department.