Last updated: 27 Feb 2024 09:30 Posted in: AIA
Ian Waters explains the ethical principle of professional behaviour, and some of the statutory obligations placed upon accountancy practices.
AIA members, like anyone else, must comply with the law. But as professional accountants, that obligation is underpinned by the requirements of the International Ethics Standards Board for Accountants (IESBA) Code of Ethics (as adopted by AIA) with which all AIA members must comply.
In particular, the fundamental ethical principle of Professional Behaviour requires a member to ‘comply with relevant laws and regulations and avoid any conduct that the professional accountant knows or should know might discredit the profession’. So I am keen to remind you of your obligations under UK law, although the time and space available in this article won’t allow me to cover all those obligations in detail.
Statutory limitations
Before addressing statutory obligations, let us acknowledge our statutory limitations, by which I mean the areas of work undertaken by some firms that are subject to statutory regulation (and beyond the bounds of ‘general practice’). I am thinking of audit work, insolvency, regulated investment business and reserved legal activities (such as probate). Unless you and your firm are authorised in these areas, you must be aware of the risk of straying into them and thus fundamentally breaching the law.
For example, you might not even realise when you are going beyond your role as executor of a deceased client’s estate or undertaking regulated activities specified under the Financial Services and Markets Act 2000. Sometimes, our wish to help our clients – especially those we have known for a long time – can lead us to overlook the fact that our relationship is a professional one, and we are not authorised to provide services in certain areas.
What are your statutory obligations?
Understanding the limitations on what you can do without needing authorisation within a statutory framework might be something you need to research further. In this article, I can only focus on your ‘general practice’ legal obligations. I should, of course, mention anti-money laundering compliance, but there is little I could say in this article that couldn’t be covered better in a more focused article or CPD event. However, you should be aware of the wide range of resources AIA makes available to members on its website.
So the rest of this article considers two other important areas of statutory compliance.
The accountability principle
As stated by the Information Commissioner’s Office: ‘The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.’ The six key principles regarding the processing of personal data are:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
Data privacy and security
The careful handling of personal data makes good business sense for your practice, as well as being a legal requirement. You will be holding personal data about your clients, their officers and employees, and perhaps your own employees.
A small accountancy practice is perhaps particularly vulnerable to non-compliance with data privacy legislation. Furthermore, a practitioner may be compliant but lack sufficient understanding of the legislation when the rights of a data subject are exercised.
The legislation is complex. The UK General Data Protection Regulation (UK GDPR) interacts with the Data Protection Act (DPA) 2018, and Part 2 of DPA 2018 supplements the UK GDPR.
However, the principles are relatively straightforward. The UK GDPR and DPA 2018 together:
Your practice must be able to justify how and why it uses personal data. This is known as the ‘accountability principle’, which is relevant to the six key principles regarding the processing of personal data (see above).
Unfortunately, it is easy to retain large amounts of data without necessarily realising it. So think about the six principles and whether you can justify the way your practice processes personal data. It is advisable to document your policies and procedures for complying with these data processing principles and set aside time to periodically monitor compliance.
There is a comprehensive guide to the UK GDPR on the website of the Information Commissioner’s Office (ICO). It explains each of the key principles, and provides checklists and examples that you may wish to consider when assessing your practice’s risk of non-compliance.
Different responsibilities apply according to whether your practice is in the role of ‘data controller’ or ‘data processor’. In brief, a controller determines the purpose and means of processing the data; a processor simply processes data on behalf of a controller, in accordance with the controller’s instructions. Guidance on the ICO website sets out how to identify who is determining the purpose and means of processing the personal data.
This is important because if your practice is, in fact, using a data processor (perhaps where a third party is processing a client’s payroll), your practice is responsible for the processor’s compliance. You must ensure that your contract with the data processor will enable you to meet your data protection obligations.
You must also be clear about your clients’ rights and those of other individuals whose personal data your practice holds. For example, a data subject’s right of access means, in effect, their right to copies of that data. A ‘subject access request’ can be quite disruptive for any small business, so it makes sense that personal data held is kept to a minimum. (Your employees must be trained on the risks of retaining personal data unnecessarily.)
Provision of Services Regulations 2009
Your practice is required to provide specified information to its clients and those wishing to become clients. In effect, the appropriate means of providing much of the required information is by way of an engagement letter, although further information must be supplied if requested by the client.
Information provided must be clear and unambiguous. You must inform all clients (and potential clients) of where they may send a request for information about your services (or a complaint about the service). Unsurprisingly, those details must include:
Providing this information should not present a problem for your practice, as it will appear on your letterhead (when sending the engagement letter, if not before). But you must also make the following information available to clients and potential clients:
This information may be provided in a number of different ways, including your practice’s website, brochures, factsheets, letterhead, etc. However, you should be clear (and confident) about where you provide this information. In my opinion, your standard engagement letter is the best means of demonstrating compliance.
Further information must be provided if a client (or potential client) requests it, namely:
Handling complaints
Advising your clients at the outset of how they would be able to complain, if necessary, is not only a requirement of the Regulations, but a matter of professionalism. It demonstrates your respect for high technical and ethical standards. But the Regulations go beyond the provision of information and set out how your practice must react to a complaint from a client. You must respond to a complaint as quickly as possible, and use your ‘best efforts to find a satisfactory solution’ (unless the complaint is vexatious).
A practice would be expected to have processes in place to ensure that reasonable complaints receive the attention they deserve and are not (deliberately or inadvertently) put to one side.
Final thoughts
Of course, there may be other areas you need to consider when reviewing your practice’s compliance with the law. Given what you know about your practice (including any employees and subcontractors you may engage), how confident are you that you are compliant in areas such as bribery and corruption, health and safety, and employment law? What resources do you have available should you need advice in such areas? I recommend that you assess the risk to your practice of non-compliance with the law, and establish clear policies and procedures that define what you and your colleagues may and may not do.
Furthermore, as an AIA member, you are required to plan and undertake CPD that must be relevant to your current role and development. Therefore, you should plan your CPD to cover any aspects of statutory compliance that may be concerning you.
Author biography
Ian Waters supports accountancy firms with compliance – AML, ethics, professional standards and more.