Improper Release of Proprietary Information
Firm Specialization Increases the Risks
By Brian McAllister and Brad Cripe
MARCH 2008

Beginning with the 1986 merger of KMG Main Hurdman with Peat Marwick and ending
with the collapse of Arthur Andersen in 2002, the former Big Eight
have become the Big Four. This consolidation of the largest accounting
firms occurred for various reasons, including the creation and expansion
of industry-specific and technical expertise [U.S. Government Accountability
Office (GAO), formerly the General Accounting Office, Public
Accounting Firms: Mandated Study on Consolidation and Competition,
2003]. In fact, merger activity has provided the quickest means
for large accounting firms to achieve industry-specific expertise.
Industry specialization is not exclusive to the Big Four, however;
it is also critical to the success of non–Big Four firms.
Regional and smaller accounting firms have developed niche practices
specializing in particular industries. The
presence of multiple companies from the same industry within a
firm’s client base creates opportunities for staff, managers,
and partners to become industry specialists. As these specialists
audit more and more clients within the same industry, they transfer
knowledge from one client engagement to another. This transfer
of knowledge has positive benefits, such as increased efficiency
and productivity. In addition, industry specialization provides
a competitive advantage for firms in the auditing and professional
services market. Companies within an industry are attracted to
accounting firms with the strongest industry expertise.
While industry
specialization has benefits for accounting firms, it also has
the potential to reduce firm independence and objectivity. The
AICPA Advisory Panel on Auditor Independence warned that firms
operating as industry specialists could become captive to the
industry and industry-related interests to the detriment of the
public interest (AICPA Advisory Panel on Auditor Independence
Report to the Public Oversight Board of the SEC Practice Section,
Strengthening the Professionalism of the Independent Auditor,
1994). In particular, firms with industry specialization may be
faced with potential conflicts of interest arising from auditor-client
relationships with two or more companies within an industry. This
can result in the intentional or inadvertent release of proprietary
client information to a competitor, the consequences of which
can be significant. These consequences include dissension in the
accountant-client relationship, the loss of a client, enforcement
actions from regulators and the AICPA, and litigation.
Firms should
make an effort to adhere to the advice below regarding the appropriate
use of knowledge gained during a prior engagement. They should
also be up to date on the accounting profession’s conflict-of-interest
standards with respect to the confidentiality of proprietary client
information. There is a two-step approach for firms to follow
to reduce the possibility of the intentional or inadvertent release
of this information. The first step is to address three questions
at the beginning of each engagement to minimize the potential
for improper release of proprietary client information. The second
step suggests creating an environment of awareness within a firm
with regard to client confidentiality based on five factors.
Conflict-of-Interest Standards and Client Confidentiality
AICPA Code
of Professional Conduct Rule 102 on integrity and objectivity
states: “[I]n the performance of any professional service,
a member shall maintain objectivity and integrity, shall be free
of conflicts of interest, and shall not knowingly misrepresent
facts or subordinate his or her judgment to others” (see
www.aicpa.org/about/code/index.html). A conflict of interest occurs any time an auditor
or an audit firm has a relationship with another person or entity
that could be viewed by the client or other person or entity as
impairing objectivity. This
means that actual and perceived impairment of auditor objectivity
resulting from relationships with possible conflicts of interest
may result in violations of the AICPA Code of Professional Conduct.
Audit firms performing attestation or other professional services
to multiple companies within an industry could potentially be
viewed in the eyes of any of the contracting client entities as
having conflicts of interest. As a result, all relationships with
even a remote possibility for actual or perceived conflicts of
interest should be disclosed immediately to all parties concerned.
If the relationship is disclosed and consent is received from
the appropriate parties, an auditor or audit firm is not in violation
of Rule 102.
Audit personnel
should also be aware of client confidentiality issues when using
client-specific knowledge and expertise gained on previous audit
engagements. A problem may arise when the client information obtained
during an engagement for one company is proprietary in nature
and an auditor either knowingly or unknowingly uses the information
when performing other engagements. The likelihood of this problem
occurring increases for firms with industry specialization, because
these audit firms are likely to provide attestation or other professional
services for several companies within the same industry.
AICPA Code
of Professional Conduct Rule 301 states that members are prohibited
from disclosing confidential information obtained in the course
of an audit engagement without consent from the client. However,
paragraph 30 of Rule 301 allows auditors to provide “knowledge
and expertise resulting in a special competence in a particular
field” to clients without violating the confidence of another
client as long as details associated with a particular engagement
are not disclosed. This indicates that auditors are allowed to
apply technical knowledge and experience acquired during current
audit engagements to future audit engagements. Nonetheless, auditors
should ensure that the origin of any technical information is
not shared with inappropriate parties.
In most cases,
audit documentation should not be made available to outside parties
without the express permission of the client. Four exceptions
to Rule 301 on confidential client information supersede the maintenance
of confidential relations with clients:
- Obligations to discharge professional audit standards in the performance
of professional services;
- Obligations to comply with a validly issued and enforceable subpoena or
summons, or with applicable laws and government regulations;
- Obligations to allow peer review by the AICPA, state CPA society, or state
board of accountancy; and
- Obligations to respond to the AICPA Ethics Division and investigative or
disciplinary bodies of a state CPA society or state board of accountancy.
In the case
of an issued subpoena, it is very important to immediately notify
the client, who may want to challenge the issuance of the subpoena
(Alvin A. Arens, Randal Elder, and Mark Beasley, Auditing
and Assurance Services: An Integrated Approach, 11th Edition,
Prentice-Hall, 2006). Conversely, firms rarely notify clients
chosen in the peer review process. Firms should consider whether
it is necessary to inform their clients of situations involving
any of these four exceptions, even though permission is not specifically
required.
Three Important Questions
Firms have
an obligation to preserve the confidentiality of proprietary client
information obtained during the course of an engagement.
Compliance
with Rule 301 as an industry specialist involves walking a fine
line between using information gained from an audit of Company
A to assist in the audit of Company B while not compromising the
details of the engagement with Company A. To minimize the potential
for release of proprietary client information (see the Exhibit),
a firm should address three questions at the beginning of each
engagement:
- Who has access to proprietary client information?
- What are the guidelines for retaining proprietary client information?
- To whom may proprietary client information be distributed?
An important
first step in limiting the potential for the dissemination of
proprietary client information involves identifying all personnel
who have access to such information for each client and engagement.
This identification process will differ depending on the size
of the CPA firm. Larger firms are likely to have existing safeguards
in place to limit access to information based on a “need-to-know”
basis. As a result, it is critical for larger firms to ensure
that only authorized individuals have access to proprietary client
information. In smaller firms, all personnel may have access to
most, if not all, proprietary client information. Therefore,
these firms should concentrate on maintaining strong document-retention
policies and controlling the distribution of proprietary client
information, given the broad level of access.
Firms should
also consider taking a risk-based approach when evaluating controls
over who has access to proprietary client information. For example,
as the number of employees with access to client-specific information
increases, the potential for a breach also increases. Firms may
want to focus attention regarding client confidentiality on
larger clients that operate within an industry specialization
and involve large numbers of audit personnel, rather than applying
a single level of control over proprietary client information across
their entire portfolio.
After identifying
personnel access levels, firms should ensure that their document-retention
policies include specific procedures for protecting proprietary
client information. Such procedures should be formalized by firms
as part of their document-retention policies. Procedures include:
locking desks, file cabinets, or offices where paper copies of
client information are retained; using technology to safeguard
electronic copies of documents; and escorting visitors to a central
location, such as a conference room. In addition, the policies
outlining acceptable retention of client information should be
clearly stated and communicated to firm personnel. To document
the communication of the document-retention policies, all employees
should be required to sign an affidavit stating that they have
read and fully understand these policies. Finally, appropriate
personnel should be trained in how to properly archive or dispose
of documents after each engagement, and firm management should
periodically monitor the proper implementation of these procedures
to ensure compliance.
In today’s
regulatory climate, most firms have fairly standard documentation-retention
policies. Nevertheless, certain issues associated with the distribution
of proprietary client information are complicated and may not
be completely addressed in these policies. In particular, one
issue facing all firms involves applying to current engagements
lessons learned from past engagements for industry competitors.
While firms should be encouraged to apply general lessons learned
across many audits to their current engagement, they should be
discouraged from using proprietary client information during an
audit of a competitor. In cases where proprietary client information
is extremely sensitive, firms should consider constructing “Chinese
walls” between firm personnel involved with clients within
the same industry to provide de facto separation of the proprietary
information created on the competing engagements.
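The information barrier described above, as an added example that is not part of the original article: a Brewer-Nash-style "Chinese wall" check in which a staff member who has accessed one client's proprietary workpapers is denied access to those of a competitor in the same industry. The consent override is an assumption modeled on the disclosure-and-consent point made under Rule 102; all client, industry and staff names are constructed.

```python
"""Chinese-wall access check for audit workpapers (Brewer-Nash style).

Added example, not from the original article.  A staff member who has
accessed proprietary workpapers of one client is denied access to those
of a competitor in the same industry unless consent has been recorded.
All client, industry and staff names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Client:
    name: str
    industry: str  # the conflict-of-interest class


@dataclass
class ChineseWall:
    clients: dict[str, Client]
    # staff member -> names of clients whose proprietary workpapers they have accessed
    history: dict[str, set[str]] = field(default_factory=dict)
    # (staff, client) pairs where the client consented to that staff member also
    # serving a competitor (assumption modeled on Rule 102 disclosure and consent)
    consents: set[tuple[str, str]] = field(default_factory=set)
    # denied requests, kept so the firm can review attempted cross-client access
    denials: list[tuple[str, str, frozenset[str]]] = field(default_factory=list)

    def conflicts(self, staff: str, client_name: str) -> frozenset[str]:
        """Clients already accessed by `staff` that compete with `client_name`."""
        target = self.clients[client_name]
        return frozenset(
            seen for seen in self.history.get(staff, set())
            if seen != client_name and self.clients[seen].industry == target.industry
        )

    def can_access(self, staff: str, client_name: str) -> bool:
        conflicting = self.conflicts(staff, client_name)
        if not conflicting:
            return True
        # Every party to the conflict must have consented: the target client and
        # each competitor whose workpapers this staff member has already seen.
        parties = conflicting | {client_name}
        return all((staff, c) in self.consents for c in parties)

    def request_access(self, staff: str, client_name: str) -> bool:
        """Enforce the wall and, on success, record the access so later checks see it."""
        if not self.can_access(staff, client_name):
            self.denials.append((staff, client_name, self.conflicts(staff, client_name)))
            return False
        self.history.setdefault(staff, set()).add(client_name)
        return True


def demo() -> list[tuple[str, str, bool]]:
    """Walk one staff member through three engagements and a colleague through one."""
    wall = ChineseWall(clients={
        "Company A": Client("Company A", "retail"),
        "Company B": Client("Company B", "retail"),   # competitor of Company A
        "Company C": Client("Company C", "energy"),   # different industry, no conflict
    })
    requests = [
        ("alice", "Company A"),  # first engagement: allowed
        ("alice", "Company B"),  # competitor of a client she has seen: denied
        ("alice", "Company C"),  # other industry: allowed
        ("bob", "Company B"),    # bob has no history: allowed
    ]
    return [(s, c, wall.request_access(s, c)) for s, c in requests]
```

The `denials` list is the review trail: a pattern of repeated denials for one staff member across competing clients is what engagement administration should look at.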
Finally,
firms should establish procedures for the proper distribution
of proprietary client information to both external and internal
parties. The distribution of proprietary client information to
outside parties is subject to state regulations and the AICPA
Rules of Professional Conduct. Distribution processes to internal
parties, such as engagement personnel, are, however, at the discretion
of each firm. At a minimum, firms should limit access to both
traditional and electronic workpaper files by requiring firm members
to check them out from a central location monitored by an administrative
professional. When files are checked out, the individual has the
responsibility of ensuring their safety. An
added benefit of a formal checkout procedure is that workpaper
files can be easily located by other personnel when needed. These
formal procedures reduce inefficiencies when other firm members
need files but are unable to access a paper trail identifying
the specific personnel holding proprietary client information.
An Environment of Awareness
In addition
to addressing the three questions above, accounting firms should
create an environment of awareness with regard to client confidentiality
by considering the following factors: 1) tone at the top; 2) regulation
and legislation; 3) technology; 4) education and training; and
5) engagement administration. Firms should assess the individual
effects of each of the five factors, as well as their interaction.
In fact, interaction of these factors is needed to create a successful
environment of awareness pertaining to client confidentiality
issues.
First, senior
management must be proactive in instilling a positive “tone
at the top.” Should proprietary client information be disclosed,
senior management faces the greatest risk of loss. As a result,
it must set the right example by developing and enforcing rules
governing the use of proprietary client information, with negative
consequences for accidental or purposeful release of it. Senior
management should communicate these rules to everyone in the firm
and demonstrate how they are applied. This will result in the
development of a control “tone,” or philosophy, that
junior and administrative staff will understand and follow. Middle
management and engagement team supervisors can reinforce the expectations
of senior management by upholding the firm’s rules and reminding
engagement staff of the consequences of the release of proprietary
client information. Knowledge of the importance of a proper tone
at the top is only the first step; communication of that philosophy
to everyone and a commitment to continuous improvement are critical
in avoiding conflicts of interest and the disclosure of proprietary
client information.
Tone at the
top can be emphasized in many ways. One of the most observable
measures is to include ethics and ethical behavior within the
context of the firm’s core values, and then reinforce those
values throughout the year. Showcasing the core values at the
beginning of meetings, displaying them prominently within the
office, and recognizing behavior that is in accordance with those
values can have a dramatic effect on both employee morale and
the incidence of undesirable behavior. Companies can also set
up fraud and ethics hotlines as well as mandatory annual ethics
training for all employees.
The goal
is to increase awareness of ethical behavior so everyone, from
the most senior partner to the most junior staff member, knows
the difference between right and wrong behavior. A successful
firm will have its employees continuously echoing the comments
of Steven Cutler, former SEC director of enforcement, who, in
a 2004 speech, gave a model of good behavior that everyone within
the firm should follow:
I’m
going to spend part of my day today worrying about, and doing
something about, the culture of my company. I’m going
to make sure that others at the company don’t break the
law, and don’t even come close to breaking the law.
Once a positive
tone at the top has been achieved, firms should consider how regulation
and legislation affect the confidentiality of proprietary client
information. In particular, the AICPA, state boards of accountancy,
and foreign governmental agencies are likely to take the necessary
remedial action when such information is improperly disclosed
to illegitimate parties. Firms should be diligent in reminding
all personnel about the unauthorized dissemination of client information
to prevent illegal acts pertaining to confidentiality.
The AICPA
Code of Professional Conduct provides rules related to the professional
responsibilities of CPAs. State regulations and legal opinions,
however, can also result in significant civil and criminal penalties
for the unauthorized dissemination of client information. State
legislatures have the primary responsibility for regulating conflicts
of interest and confidentiality for CPAs practicing within their
state borders, while state accountancy boards enforce these laws
and regulations. It is important for CPAs to be familiar with
state laws and regulations on conflicts of interest and confidentiality.
This is especially true for CPAs who practice in multiple state
jurisdictions. State boards of accountancy and CPA societies are
excellent resources for keeping current on these important issues.
Foreign governments
also take seriously conflicts of interest regarding the disclosure
of confidential, proprietary client information. For example,
French penal law imposes criminal penalties for the disclosure
of confidential information:
The disclosure
of secret information by a person entrusted with such a secret,
either because of his position or profession, or because of
a temporary function or mission, is punished by one year’s
imprisonment and a fine of €15,000 (Legifrance, French
Penal Code, Article 226-13, www.legifrance.gouv.fr,
2006).
As a partner
in a Big Four firm explained to the authors, data protection laws
in the European Union can “severely limit the exportation
of a foreign client’s electronic documents outside of their
countries by imposing severe penalties on individuals and companies
who share information across borders.” CPA firms with international
operations should be aware of the laws and regulations related
to conflicts of interest and confidentiality issues for accountants
relative to foreign jurisdictions.
Technology
is a primary factor in promoting an environment of awareness regarding
client confidentiality issues. When asked by the authors to describe
how client information is protected, members of several firms
described sophisticated encryption technologies and layered password
protection on personal computers, restricted access to firm intranet
servers, and software that monitors and records access by firm
members. These protective measures are especially critical in
the context of paperless audits and wireless connections.
Certain technology
can also be very useful in the management of proprietary client
information, which must be controlled to mitigate organizational
risk while being accessible to engagement personnel. Software
with varying degrees of sophistication may provide firms with
a solution to managing sensitive information. At one extreme,
Microsoft provides a “Microsoft Office–based document
retention solution” that enables users to manage their internal
records. At the other extreme, software packages from Nextpage
and Xerox provide more-sophisticated document management solutions.
Technology provides firms of all sizes with the ability to manage
proprietary client information based on their needs.
Firms should
remember that technology works to mitigate confidentiality issues
associated with proprietary client information only if employees
are properly trained in how to use the technology and adapt it
to changing environments. Managers must be invested in maintaining
a dynamic control environment over technology and in sharing that
philosophy with all members of the firm.
The education
and training of staff are instrumental in creating an environment
of awareness regarding confidentiality of proprietary client information.
Staff should receive continuous training in professional standards.
Firms can integrate this into their regular educational programs
by beginning each training session with a hypothetical ethical
dilemma or a review of the firm’s confidentiality policy.
Experienced staff can discuss how potential problems were avoided
and obtain feedback on how to avoid conflicts in the future. Senior
management can address how the firm is positioned within major
industries and where it sees potential for conflict. Through an
educational process designed for open dialogue, all firm members
can learn the importance of maintaining the confidentiality of
proprietary client information while performing an audit of the
highest quality.
During training
sessions, accounting firms may also want to focus on informal
settings. Firm personnel are likely to recognize the importance
of not disclosing proprietary client information about competitors
in a formal business setting such as during audit fieldwork. They
may not be aware, however, of the potential risk of improperly
disclosing this information in more informal or social settings.
Personnel “talking shop” over drinks after a long
day at work may seem innocuous, but firms must remind all of their
employees that it is inappropriate to discuss client-specific
matters in a public domain, to prevent embarrassing or costly
situations.
Finally,
an environment of awareness related to the confidentiality of
proprietary client information is formally operationalized in
a firm through the engagement administration process. At the beginning
of each audit engagement, an evaluation of the firm’s exposure
to the risk of release of proprietary client information should
be performed with the engagement team. The process should take
place during the early planning stages for an engagement and may
begin by evaluating the answers to the following questions:
- How many competitors does the firm audit?
- How many competitors does the engagement team audit?
- How competitive is the industry?
- How much proprietary information does the firm hold for this client?
- What would be the potential negative effects of the release of this
client’s proprietary information?
The answers
to these questions will drive how the firm should handle possible
conflicts of interest with similar types of clients, assess the
potential risk of the release of proprietary client information,
and create appropriate safeguards to prevent such occurrences.
Planning Ahead to Avoid Conflicts of Interest
Industry
concentration and specialization within accounting firms have
increased the possibility for conflict-of-interest issues regarding
proprietary client information. In particular, auditors face conflicts
of interest when using client-specific knowledge and expertise
gained on previous or current audit engagements for other clients
within the same industry. This may result in the accidental or
intentional disclosure of proprietary client information, which
can damage the accountant-client relationship or, in the extreme,
end a client relationship as well as lead to regulatory and professional
sanctions and litigation.
Accounting
firms should be aware of the professional standards applicable
to conflicts of interest and confidential and proprietary client
information. They should have formalized document-retention policies
that also note who has access to such information and to whom
it may be distributed. In particular, CPAs should consider how
tone at the top, regulation and legislation, technology, education
and training, and engagement administration factor into the mitigation
and control of the improper disclosure of proprietary client information.
Brian McAllister, PhD, CPA, is an assistant professor of accounting
at the College of Business and Administration at the University
of Colorado at Colorado Springs.
Brad Cripe, PhD, CPA, is an assistant professor
of accounting at Northern Illinois University, DeKalb, Ill.