Risks and Liabilities

How CPAs can protect themselves.
BY LYNN J. MCKELL AND MARSHALL B. ROMNEY

The technical headaches caused by software that cant distinguish between the 20th and 21st centuries are only part of the problem facing businesses and the accounting profession. More serious—and for some possibly more expensive—will be the wave of lawsuits the Year 2000 (Y2K) issue is likely to trigger as those hurt by the millennium change seek deep pockets to compensate them for their losses. A handful of suits have already been filed, but the avalanche isnt expected for a year or two, when the major impact of noncompliant Y2K systems will be felt.

Who are most likely to sue, and why? Organizations could sue software and hardware vendors because their programs and computer systems cant handle the new millennium; shareholders could sue managers of their corporations, charging that the value of their holdings suffered because the companies failed to correct the problem in a timely way; auditors could be sued because they failed to detect material misstatements in the financial statement caused by errors, including those triggered by the Year 2000 issue; suppliers could sue customers because their invoices were incorrect, lost or delayed; banks, insurance companies and securities firms could be sued by customers whose accounts were mangled; and, alas, the opportunistic litigious fringe probably will sue just to try to take advantage of situations like this.


RISK REDUCTION
What complicates the issue is that legal precedents are minimal and the law is yet to be defined on the extent of professional responsibilities. But that doesnt mean organizations cant take immediate steps to try to eliminate, or at least reduce, the risks. At the very least, those at risk should demonstrate a good-faith effort at addressing the problem.

Management should acknowledge the problems existence. It should assess both the risks of failing to act and what needs to be done to comply. It should plan steps to solve the problem, providing reasonable resources for the tasks. Keep in mind that officers and directors who fail to act may be charged with avoiding their fiduciary responsibilities.

Companies should check their software contracts for the availability of legal recourse to require vendors to provide compliance updates. Be aware that some software and hardware companies may actually terminate their businesses rather than incur the costs associated with bringing systems into compliance. Obviously, companies should contact their computer and software vendors immediately to determine the actions planned or implemented. The vendors should be asked if new upgrades are included in the current pricing plan, if extra charges will be assessed and when upgrades will be ready. If a software developer balks at upgrading its products, it probably would be prudent to seek legal advice about what steps to take next.

Companies would do well to seek compliance certifications from the software vendors. Some professional service organizations (including CPAs) are offering such compliance certification services.

Delivery of a software update does not necessarily resolve the problem totally. In many cases, a company must still convert its data files to the new version format. And, equally important, management has to be sure that electronic data (orders, bills, payments) from the outside (vendors, customers and other third parties) are in compliance, too. To ensure this, management must contact those organizations to assess their compliance status.


THE ROLE OF CPAs/CONSULTANTS
Aside from the obvious duty of a CPA with a Y2K engagement —providing an independent assessment of the problem — the accountant also can identify potentially costly oversights or mistakes and monitor and ensure the adequacy of compliance documentation.

Considering the complexity of the Y2K issue, plus the volume of work and the associated liability potential, a prudent CPA should be unusually circumspect before accepting an engagement that deals with the issue—especially if the client is deemed to be uncooperative. In short, this is an area where CPAs should carefully screen clients. Further, resource commitments and even fees should be adjusted to compensate for the risks. In fact, although it is a severe measure, firms may consider dropping clients that pose a high risk or refuse to respond adequately to the problem.

In addition, it is important as a precaution to document all Y2K communications with clients. The CPAs advice and suggestions stand some chance of being ignored or otherwise not implemented in a timely way, so documentation of all communications can be vital in establishing the client was properly forewarned and advised on the matter. A strong advisory statement in written communications with management may be an effective avenue for raising concerns.

As an added precaution, firms should consider setting aside partnership funds to handle problems or establish partnership insurance to cover risk.

Internal auditors also should be aware of their responsibilities, which involve mostly professional and moral expectations, corporate loyalty and fiduciary responsibility.

Some proactive steps CPAs can take — for their clients or for their employer:

  • Involve all client processes —operations, technology, financial — in addressing the problem.
  • Assist in identifying the tools and resources needed for the fix.
  • Conduct an initial scope/impact assessment.
  • Get vendor compliance certifications.
  • Assess budgetary requirements.
  • Review all software-related procedures and standards.
  • Test all interfaces with other software, plus monthly, quarterly and yearend accounting processes.
  • Determine whether all Y2K costs are being expensed as prescribed.
  • Consider business interruption insurance.

Clearly, there is an urgent need for companies to become Y2K-compliant. This is an opportunity for the CPA profession to add significant value to clients or employers, but it is also a time to be careful: The rewards for the CPA may be high, but so are the risks. Remember, January 1, 2000, is only about 24 months away.

Lynn J. McKell , Phd, CCP, is a professor of accounting and information systems at Brigham Young University, Provo, Utah.
Marshall B. Romney , CPA, PhD, CFE, also a professor of accounting and information systems at Brigham Young University, is a member of the American Institute of CPAs information technology executive committee.

SPONSORED REPORT

Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.

QUIZ

News quiz: IRS warning on cyberattacks and a change in pension rules

Once again, the IRS sounds the alarm about a threat from cyberthieves. See how much you know about this and other recent news with this short quiz.

CHECKLIST

Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.