Release of Proprietary Information
Firm Specialization Increases the Risks
Brian McAllister and Brad Cripe
MARCH 2008 - Beginning
with the 1986 merger of KMG Main Hurdman with Peat Marwick and ending
with the collapse of Arthur Andersen in 2002, the former Big Eight
have become the Big Four. This consolidation of the largest accounting
firms occurred for various reasons, including the creation and expansion
of industry-specific and technical expertise [U.S. Government Accountability
Office (GAO), formerly the General Accounting Office, Public
Accounting Firms: Mandated Study on Consolidation and Competition,
2003]. In fact, merger activity has provided the quickest means
for large accounting firms to achieve industry-specific expertise.
Industry specialization is not exclusive to the Big Four, however;
it is also critical to the success of non–Big Four firms.
Regional and smaller accounting firms have developed niche practices
specializing in particular industries.
presence of multiple companies from the same industry within a
firm’s client base creates opportunities for staff, managers,
and partners to become industry specialists. As these specialists
audit more and more clients within the same industry, they transfer
knowledge from one client engagement to another. This transfer
of knowledge has positive benefits, such as increased efficiency
and productivity. In addition, industry specialization provides
a competitive advantage for firms in the auditing and professional
services market. Companies within an industry are attracted to
accounting firms with the strongest industry expertise.
specialization has benefits for accounting firms, it also has
the potential to reduce firm independence and objectivity. The
AICPA Advisory Panel on Auditor Independence warned that firms
operating as industry specialists could become captive to the
industry and industry-related interests to the detriment of the
public interest (AICPA Advisory Panel on Auditor Independence
Report to the Public Oversight Board of the SEC Practice Section,
Strengthening the Professionalism of the Independent Auditor,
1994). In particular, firms with industry specialization may be
faced with potential conflicts of interest arising from auditor-client
relationships with two or more companies within an industry. This
can result in the intentional or inadvertent release of proprietary
client information to a competitor, the consequences of which
can be significant. These consequences include dissension in the
accountant-client relationship, the loss of a client, enforcement
actions from regulators and the AICPA, and litigation.
make an effort to adhere to the advice below regarding the appropriate
use of knowledge gained during a prior engagement. They should
also be up to date on the accounting profession’s conflict-of-interest
standards with respect to the confidentiality of proprietary client
information. There is a two-step approach for firms to follow
to reduce the possibility of the intentional or inadvertent release
of this information. The first step is to address three questions
at the beginning of each engagement to minimize the potential
for improper release of proprietary client information. The second
step suggests creating an environment of awareness within a firm
with regard to client confidentiality based on five factors.
Standards and Client Confidentiality
of Professional Conduct Rule 102 on integrity and objectivity
states: “[I]n the performance of any professional service,
a member shall maintain objectivity and integrity, shall be free
of conflicts of interest, and shall not knowingly misrepresent
facts or subordinate his or her judgment to others” (see
index.html). A conflict of interest occurs any time an auditor
or an audit firm has a relationship with another person or entity
that could be viewed by the client or other person or entity as
impairing objectivity. This
means that actual and perceived impairment of auditor objectivity
resulting from relationships with possible conflicts of interest
may result in violations of the AICPA Code of Professional Conduct.
Audit firms performing attestation or other professional services
to multiple companies within an industry could potentially be
viewed in the eyes of any of the contracting client entities as
having conflicts of interest. As a result, all relationships with
even a remote possibility for actual or perceived conflicts of
interest should be disclosed immediately to all parties concerned.
If the relationship is disclosed and consent is received from
the appropriate parties, an auditor or audit firm is not in violation
of Rule 102.
should also be aware of client confidentiality issues when using
client-specific knowledge and expertise gained on previous audit
engagements. A problem may arise when the client information obtained
during an engagement for one company is proprietary in nature
and an auditor either knowingly or unknowingly uses the information
when performing other engagements. The likelihood of this problem
occurring increases for firms with industry specialization, because
these audit firms are likely to provide attestation or other professional
services for several companies within the same industry.
of Professional Conduct Rule 301 states that members are prohibited
from disclosing confidential information obtained in the course
of an audit engagement without consent from the client. However,
paragraph 30 of Rule 301 allows auditors to provide “knowledge
and expertise resulting in a special competence in a particular
field” to clients without violating the confidence of another
client as long as details associated with a particular engagement
are not disclosed. This indicates that auditors are allowed to
apply technical knowledge and experience acquired during current
audit engagements to future audit engagements. Nonetheless, auditors
should ensure that the origin of any technical information is
not shared with inappropriate parties.
In most cases,
audit documentation should not be made available to outside parties
without the express permission of the client. Four exceptions
to Rule 301 on confidential client information supersede the maintenance
of confidential relations with clients:
to discharge professional audit standards in the performance
of professional services;
to comply with a validly issued and enforceable subpoena or
summons, or to prohibit compliance with applicable laws and
to allow peer review by the AICPA, state CPA society, or state
board of accountancy; and
to respond to the AICPA Ethics Division and investigative or
disciplinary bodies of a state CPA society or state board of
In the case
of an issued subpoena, it is very important to immediately notify
the client, who may want to challenge the issuance of the subpoena
(Alvin A. Arens, Randal Elder, and Mark Beasley, Auditing
and Assurance Services: An Integrated Approach, 11th Edition,
Prentice-Hall, 2006). Conversely, firms rarely notify clients
chosen in the peer review process. Firms should consider whether
it is necessary to inform their clients of situations involving
any of these four exceptions, even though permission is not specifically
an obligation to preserve the confidentiality of proprietary client
information obtained during the course of an engagement.
with Rule 301 as an industry specialist involves walking a fine
line between using information gained from an audit of Company
A to assist in the audit of Company B while not compromising the
details of the engagement with Company A. To minimize the potential
for release of proprietary client information, (Exhibit)
a firm should address three questions at the beginning of each
- Who has
access to proprietary client information?
are the guidelines for retaining proprietary client information?
- To whom
may proprietary client information be distributed?
first step in limiting the potential for the dissemination of
proprietary client information involves identifying all personnel
who have access to such information for each client and engagement.
This identification process will differ depending on the size
of the CPA firm. Larger firms are likely to have existing safeguards
in place to limit access to information based on a “need-to-know”
basis. As a result, it is critical for larger firms to ensure
that only authorized individuals have access to proprietary client
information. In smaller firms, all personnel may have access to
most, if not all, proprietary client information. Therefore,
these firms should concentrate on maintaining strong document-retention
policies and controlling the distribution of proprietary client
information, given the broad level of access.
also consider taking a risk-based approach when evaluating controls
over who has access to proprietary client information. For example,
as the number of employees with access to client-specific information
increases, the potential for a breach also increases. Firms may
want to focus attention regarding client confidentiality toward
larger clients that operate within an industry specialization;
and involve large numbers of audit personnel, rather than applying
a single level of control of proprietary client information over
their entire portfolio.
personnel access levels, firms should ensure that their document-retention
policies include specific procedures for protecting proprietary
client information. Such procedures should be formalized by firms
as part of their document-retention policies. Procedures include:
locking desks, file cabinets, or offices where paper copies of
client information are retained; using technology to safeguard
electronic copies of documents; and escorting visitors to a central
location, such as a conference room. In addition, the policies
outlining acceptable retention of client information should be
clearly stated and communicated to firm personnel. To document
the communication of the document-retention policies, all employees
should be required to sign an affidavit stating that they have
read and fully understand these policies. Finally, appropriate
personnel should be trained in how to properly archive or dispose
of documents after each engagement, and firm management should
periodically monitor the proper implementation of these procedures
to ensure compliance.
regulatory climate, most firms have fairly standard documentation-retention
policies. Nevertheless, certain issues associated with the distribution
of proprietary client information are complicated and may not
be completely addressed in these policies. In particular, one
issue facing all firms involves applying to current engagements
lessons learned from past engagements for industry competitors.
While firms should be encouraged to apply general lessons learned
across many audits to their current engagement, they should be
discouraged from using proprietary client information during an
audit of a competitor. In cases where proprietary client information
is extremely sensitive, firms should consider constructing “Chinese
walls” between firm personnel involved with clients within
the same industry to provide de facto separation of the proprietary
information created on the competing engagements.
firms should establish procedures for the proper distribution
of proprietary client information to both external and internal
parties. The distribution of proprietary client information to
outside parties is subject to state regulations and the AICPA
Rules of Professional Conduct. Distribution processes to internal
parties, such as engagement personnel, are, however, at the discretion
of each firm. At a minimum, firms should limit access to both
traditional and electronic workpaper files by requiring firm members
to check them out from a central location monitored by an administrative
professional. When files are checked out, the individual has the
responsibility of ensuring their safety. An
added benefit of a formal checkout procedure is that workpaper
files can be easily located by other personnel when needed. These
formal procedures reduce inefficiencies when other firm members
need files but are unable to access a paper trail identifying
the specific personnel holding proprietary client information.
Environment of Awareness
to addressing the three questions above, accounting firms should
create an environment of awareness with regard to client confidentiality
by considering the following factors: 1) tone at the top; 2) regulation
and legislation; 3) technology; 4) education and training; and
5) engagement administration. Firms should assess the individual
effects of each of the five factors, as well as their interaction.
In fact, interaction of these factors is needed to create a successful
environment of awareness pertaining to client confidentiality
management must be proactive in instilling a positive “tone
at the top.” Should proprietary client information be disclosed,
senior management faces the greatest risk of loss. As a result,
it must set the right example by developing and enforcing rules
governing the use of proprietary client information, with negative
consequences for accidental or purposeful release of it. Senior
management should communicate these rules to everyone in the firm
and demonstrate how they are applied. This will result in the
development of a control “tone,” or philosophy, that
junior and administrative staff will understand and follow. Middle
management and engagement team supervisors can reinforce the expectations
of senior management by upholding the firm’s rules and reminding
engagement staff of the consequences of the release of proprietary
client information. Knowledge of the importance of a proper tone
at the top is only the first step; communication of that philosophy
to everyone and a commitment to continuous improvement are critical
in avoiding conflicts of interest and the disclosure of proprietary
Tone at the
top can be emphasized in many ways. One of the most observable
measures is to include ethics and ethical behavior within the
context of the firm’s core values, and then reinforce those
values throughout the year. Showcasing the core values at the
beginning of meetings, displaying them prominently within the
office, and recognizing behavior that is in accordance with those
values can have a dramatic effect on both employee morale and
the incidence of undesirable behavior. Companies can also set
up fraud and ethics hotlines as well as mandatory annual ethics
training for all employees.
is to increase awareness of ethical behavior so everyone, from
the most senior partner to the most junior staff member, knows
the difference between right and wrong behavior. A successful
firm will have its employees continuously echoing the comments
of Steven Cutler, former SEC director of enforcement, who, in
a 2004 speech, gave a model of good behavior that everyone within
the firm should follow:
going to spend part of my day today worrying about, and doing
something about, the culture of my company. I’m going
to make sure that others at the company don’t break the
law, and don’t even come close to breaking the law.
Once a positive
tone at the top has been achieved, firms should consider how regulation
and legislation affect the confidentiality of proprietary client
information. In particular, the AICPA, state boards of accountancy,
and foreign governmental agencies are likely to take the necessary
remedial action when such information is improperly disclosed
to illegitimate parties. Firms should be diligent in reminding
all personnel about the unauthorized dissemination of client information
to prevent illegal acts pertaining to confidentiality.
Code of Professional Conduct provides rules related to the professional
responsibilities of CPAs. State regulations and legal opinions,
however, can also result in significant civil and criminal penalties
for the unauthorized dissemination of client information. State
legislatures have the primary responsibility for regulating conflicts
of interest and confidentiality for CPAs practicing within their
state borders, while state accountancy boards enforce these laws
and regulations. It is important for CPAs to be familiar with
state laws and regulations on conflicts of interest and confidentiality.
This is especially true for CPAs who practice in multiple state
jurisdictions. State boards of accountancy and CPA societies are
excellent resources for keeping current on these important issues.
also take seriously conflicts of interest regarding the disclosure
of confidential, proprietary client information. For example,
French penal law imposes criminal penalties for the disclosure
of confidential information:
of secret information by a person entrusted with such a secret,
either because of his position or profession, or because of
a temporary function or mission, is punished by one year’s
imprisonment and a fine of †15,000 (Legifrance, French
Penal Code, Article 226-13, www.legifrance.gouv.fr,
As a partner
in a Big Four firm explained to the authors, data protection laws
in the European Union can “severely limit the exportation
of a foreign client’s electronic documents outside of their
countries by imposing severe penalties on individuals and companies
who share information across borders.” CPA firms with international
operations should be aware of the laws and regulations related
to conflicts of interest and confidentiality issues for accountants
relative to foreign jurisdictions.
is a primary factor in promoting an environment of awareness regarding
client confidentiality issues. When asked by the authors to describe
how client information is protected, members of several firms
described sophisticated encryption technologies and layered password
protection on personal computers, restricted access to firm intranet
servers, and software that monitors and records access by firm
members. These protective measures are especially critical in
the context of paperless audits and wireless connections.
can also be very useful in the management of proprietary client
information, which must be controlled to mitigate organizational
risk while being accessible to engagement personnel. Software
with varying degrees of sophistication may provide firms with
a solution to managing sensitive information. At one extreme,
Microsoft provides a “Microsoft Office–based document
retention solution” that enables users to manage their internal
records. At the other extreme, software packages from Nextpage
and Xerox provide more-sophisticated document management solutions.
Technology provides firms of all sizes with the ability to manage
proprietary client information based on their needs.
remember that technology works to mitigate confidentiality issues
associated with proprietary client information only if employees
are properly trained in how to use the technology and adapt it
to changing environments. Managers must be invested in maintaining
a dynamic control environment over technology and in sharing that
philosophy with all members of the firm.
and training of staff are instrumental in creating an environment
of awareness regarding confidentiality of proprietary client information.
Staff should receive continuous training in professional standards.
Firms can integrate this into their regular educational programs
by beginning each training session with a hypothetical ethical
dilemma or a review of the firm’s confidentiality policy.
Experienced staff can discuss how potential problems were avoided
and obtain feedback on how to avoid conflicts in the future. Senior
management can address how the firm is positioned within major
industries and where it sees potential for conflict. Through an
educational process designed for open dialogue, all firm members
can learn the importance of maintaining the confidentiality of
proprietary client information while performing an audit of the
sessions, accounting firms may also want to focus on informal
settings. Firm personnel are likely to recognize the importance
of not disclosing proprietary client information about competitors
in a formal business setting such as during audit fieldwork. They
may not be aware, however, of the potential risk of improperly
disclosing this information in more informal or social settings.
Personnel “talking shop” over drinks after a long
day at work may seem innocuous, but firms must remind all of their
employees that it is inappropriate to discuss client-specific
matters in a public domain, to prevent embarrassing or costly
an environment of awareness related to the confidentiality of
proprietary client information is formally operationalized in
a firm through the engagement administration process. At the beginning
of each audit engagement, an evaluation of the firm’s exposure
to the risk of release of proprietary client information should
be performed with the engagement team. The process should take
place during the early planning stages for an engagement and may
begin by evaluating the answers to the following questions:
- How many
competitors does the firm audit?
- How many
competitors does the engagement team audit?
- How competitive
is the industry?
- How much
proprietary information does the firm hold for this client?
would be the potential negative effects of the release of this
client’s proprietary information?
to these questions will drive how the firm should handle possible
conflicts of interest with similar types of clients, assess the
potential risk of the release of proprietary client information,
and create appropriate safeguards to prevent such occurrences.
Ahead to Avoid Conflicts of Interest
concentration and specialization within accounting firms have
increased the possibility for conflict-of-interest issues regarding
proprietary client information. In particular, auditors face conflicts
of interest when using client-specific knowledge and expertise
gained on previous or current audit engagements for other clients
within the same industry. This may result in the accidental or
intentional disclosure of proprietary client information, which
can damage the accountant-client relationship or, in the extreme,
end a client relationship as well as lead to regulatory and professional
sanctions and litigation.
firms should be aware of the professional standards applicable
to conflicts of interest and confidential and proprietary client
information. They should have formalized document-retention policies
that also note who has access to such information and to whom
it may be distributed. In particular, CPAs should consider how
tone at the top, regulation and legislation, technology, education
and training, and engagement administration factor into the mitigation
and control of the improper disclosure of proprietary client information.
McAllister PhD, CPA, is an assistant professor of accounting
at the college of business and administration at the University
of Colorado at Colorado Springs.
Brad Cripe, PhD, CPA, is an assistant professor
of accounting at Northern Illinois University, DeKalb, Ill.