Okay.  You have received a letter from the PICPA Committee on Professional Ethics ("the Committee") indicating that it has received information that "you may have violated the PICPA Code of Professional Conduct."  What do you do?  Stop.  Breathe.  Remember it is not the end of your world.  The Committee’s role is remedial, not punitive.  If you are doing something wrong, the goal is to help you learn and improve, and thus to protect the public and provide a better service.

For clarification purposes, if you have committed a felony and in some other egregious situations, you will be expelled.  However, in these situations you generally have a lot more to worry about than your PICPA membership.  

The Committee commonly refers to this letter as the "Opening Letter."  The last thing you want to do is ignore this letter.  Do not bury your head in the sand and hope this will go away.  It will not.  Keep in mind that as a member of the PICPA you have agreed to abide by the Code of Professional Conduct, and a part of the Code is that you will cooperate with an ethics investigation.  Failure to cooperate is grounds for termination of your membership in the PICPA.  Not responding to the Committee when it asks for a response and/or further information is failing to cooperate and may lead to expulsion from the PICPA.  The good news is that if you do not respond to the first letter there will be a follow-up letter about 30 days later giving you another opportunity to respond.  The reality is that you will have to ignore numerous opportunities to respond before you will be expelled for non-cooperation.

You generally have thirty days to respond to the Opening Letter.  Appropriate responses to this letter include just about anything that demonstrates that you will cooperate.  You can ask for more time, you can provide the requested information, and you can ask for a deferral because the underlying matter is in dispute in a court of law and/or there is an ongoing investigation by another regulatory body (e.g., the SEC).  Deferrals are routinely granted and are preferred by the Committee, because a member should not have to fight a battle concerning their actions on two fronts at the same time, and because any investigation or findings by the Committee should not be used as leverage in any other proceeding.  You will eventually have to provide the requested information, even if it is years later after the matter has been deferred during that time (e.g., while you defend yourself against a civil lawsuit).  Should you request additional time to respond to the Opening Letter, the Committee will generally work with you if you demonstrate that you need extra time.

Once the Committee has the information requested, it will review all the information and ask for more information if necessary.  It will ultimately decide whether there has been any violation of the Code.  The best outcome is a letter from the Committee stating that, based upon the response received, the Committee "has concluded not to pursue the matter at this time."  The worst case is expulsion from the PICPA, but this does not directly affect your license to practice accounting.  Typically, the Committee will recommend CPE courses that will help you learn and understand how to do a better job the next time you undertake a similar engagement.  Other remedial measures include pre- or post-issuance reviews, an accelerated Peer Review and restrictions on performing Peer Reviews.  Short of expulsion, the Committee also has the authority to suspend a member for up to two years and to publicly admonish the member.

Before the Committee will decide anything other than an outright dismissal based upon your initial response, you will be offered an interview where you will be given an opportunity to answer questions and present your side of the issues.  There are a number of procedural and due process protections.  Additionally, members can agree to settle cases rather than undergo a full investigation.  Where no settlement agreement is reached, the case is heard by the AICPA Joint Trial Board for a decision.

Please let me know if you have any general questions about this topic, but if you have a specific matter before the Ethics Committee I cannot address those issues, because I represent and advise the Committee on legal issues, including due process issues as they may arise. jmcguire@c-wlaw.com


 
 
As counsel to numerous professional firms and associations I am asked frequently about cyber risk.  As technology advances we have more and more information stored in electronic devices and in the so-called “cloud.” Cyber risk is of particular concern for professionals like CPAs and attorneys because they hold confidential client information such as Social Security Numbers and financial information. There is no prohibition on maintaining our data electronically, including in the cloud; however, we must be aware of the risks and take reasonable precautions to protect our data and particularly our clients’ confidential information.  As professionals we must remember that our clients trust us, and we have to make sure that trust is not misplaced.

Clients have an increased expectation that we are available 24/7 and that we have all their information at our fingertips to answer their questions and respond to their concerns. Therefore, we are more and more dependent on technology and are storing more and more information that is available remotely. This makes our data subject to increased cyber risk.  The first question is, are we prepared for the risk? Generally, the answer is that firms are not.  They are not fully aware of the risk and are not prepared for it.  The second question is, are we prepared to respond to a breach of our data?  Again, generally, the answer is that firms are not.

A firm of any size is subject to cyber risk.  The statistics are alarming.  Identity theft and security breaches are on the rise.  The cost to respond to a breach has been reported at up to $204 per record, with an average cost of $2.4 million per breach.  The cost to respond to a cyber-breach can be staggering, and the damage can be tremendous. Beyond the financial cost of responding, there may also be bad publicity, loss of productivity, and loss of reputation.

Now, I generally don’t use text messaging for work, but where are those messages stored and how safe are they?  When we are using technology we need to evaluate the risk and what, if any, safeguards are in place.  I just assume Verizon has those text messages secured on their end, but what about my phone? If my phone is stolen, everything that I have texted and not deleted is open for reading.  But do I have the ability to wipe the phone’s memory remotely?

These are questions we need to answer about all our devices.  Do we have an inventory of all the devices that are subject to cyber risk?  (Every server, desktop, laptop, iPad, cell phone, etc.)  And not just company-owned devices, but also personal devices that have access to company data.  Do we have an inventory of the types of data on each device? (Documents, emails, contact information, texts, etc.)  Do we have an inventory of what data of each type is on each device?  Without all this information, we can’t fully appreciate the cyber risks involved.

Of course, there is insurance available to help with some of the risk.  From a professional firm’s standpoint, insurance is about spreading or lessening risk.  There are several types of policies available, and I suggest any firm consult with its insurance broker about the type of insurance that might work best for it. Fortunately, this type of insurance is not expensive because, although incidents are on the rise, there is a relatively low incident rate.  Unfortunately, as touched on above, the losses can be extremely high, so be careful that your policy will cover the full extent of the loss.

The reality is that professional firms need to spend time addressing their cyber risk.  They need to catalog their data and determine action plans to prevent the loss of data and to respond to any loss. I recommend you address these issues immediately in consultation with your computer experts, your insurance broker, and your attorney.

Since posting this blog, the following exchange took place on LinkedIn, which you may find helpful:

Jeffrey - it is far less costly and much more effective to implement appropriate (i.e., cost vs countermeasures; reduction of risk to an acceptable level) information system security policies, procedures and countermeasures than to purchase insurance policies. Properly implemented, an adequate IS security program will obviate the need for additional insurance and go much further to prove prudent managerial action (for litigation). This is not just a technical issue, as most incidents involve human behavior (both authorized insiders as well as non-authorized outsiders). Also - there is a slight (but very important) difference in implementing risk mitigation for information system incidents versus disaster recovery planning. The IS security profession has been around for several decades and some very well-regarded professional certification systems are now key (e.g., CISSP, GIAC). There are even a couple of LinkedIn groups for this.

My Response
Thanks for the additional information.  I completely agree that appropriate information system security policies, procedures and countermeasures must be implemented.  But I'm not sure there is an acceptable risk level.  This is particularly true for associations and depends upon what confidential information an organization or company maintains.  That is why I think everything should be assessed and considered.

Further comment
If there is no acceptable level of risk, no firm has enough resources, nor are there enough countermeasures available.   Here is a synopsis of information system controls viewed to be critical:

http://www.sans.org/critical-security-controls/

My Response
That is an excellent list! Thank you for sharing it.  I think we agree on this.  My point is that there is no one level of risk that is acceptable across the board, and each company must assess the risk.  There are far too many variables.   Even if a company does everything listed, there remains a risk. For some companies I believe that risk is too great to not purchase insurance, but that is why a complete assessment is needed.  From everything I have read on the subject, the data cannot be completely protected if it is to be accessible and usable.  At that point, what confidential information is contained in the data will certainly be a factor.  Lawyers and CPAs whom I represent maintain social security numbers and a lot of other extremely confidential information.  A data breach would be extremely expensive, and the firm should decide ahead of time what risk they will take and whether they will insure it.  Unfortunately, many companies do not know the risks and take no comprehensive action.

 
 
So I sat down to write this blog intending to make it a complete list of the tasks of all volunteer board members.   But as I started to write, I realized that although I know many of the tasks from having served on volunteer boards and representing non-profits and associations, every board is different and I can’t possibly know all the tasks of every board.  I hope I know most of the tasks, and even the most important tasks, but please tell me what my list is missing and I’ll update this as additional information is obtained. So please comment so that your thoughts can be shared with everyone.  (Or email me privately and I’ll add your comments anonymously.)

In no particular order, here are the tasks for board members that I’ve compiled:

Strategic Planning
Policy setting
Fundraising
Marketing
Oversight of programs (often including education of members)
Oversight of management (often confused with micromanaging)
    This can include the hiring of an executive director or chief officer.
Investments
Cash management
Risk management

What did I miss?
 
 
So you’re a board member. . .  Now what?

Hopefully, there is a robust orientation that will help you to understand the commitments and expectations you just agreed to meet.  Whether or not there is, there are some common things that should help any board member.  Here are three items you should consider.

First, you should know that attendance is generally required.  Usually that attendance is in person, but as technology expands and improves some boards allow attendance via conference call or video conference.  You should find out how many meetings there are and plan to attend, at a minimum, the majority of them.  You will want to know whether you can attend other than in person and, if you are not in person, whether you may still fully participate and vote, and whether your vote counts.  You need to understand the time commitment so you can be certain you can fulfill it.

Second, you need to understand the role of your board and thus your role as a member.  Depending on the size of the organization, and particularly the size of its staff, some boards are hands-on in running the activities, while many, and perhaps most, serve as the general steering committee for the overall direction of the organization.  On some boards there may be an expectation that you will serve as a goodwill ambassador and/or fundraiser for the organization.  In any case, you will want to know early on whether you are expected to manage or micromanage the organization.

Finally, on any board you must remember that you are responsible for the health, well-being and sustainability of your organization.  This is true no matter the organization, whether a trade association, a non-profit raising funds to fight cancer, or any other type of association.  The organization, and you as a board member, have a responsibility to see that the funds of the organization, no matter the source, are used for the express purposes of the organization.

There are numerous other items you may want to consider.  You should familiarize yourself with the policies of the organization, particularly as they relate to conflicts of interest.  You will also want to know the term of your service and whether you may serve additional terms.  Finally, there may be additional board member training available to you through your association.  There are numerous resources available online, both free and at some cost.

 
 
It seems that associations, like most employers, can’t keep up with the changing technology as it relates to social media.  This is true both for the use of social media and for the governance of social media in the workplace.  I'm new to social media and won't make any effort to instruct you on blogging, Twitter, Facebook et al.  I’m going to discuss social media policies. There is so much variety in the use of social media that it will be reflected in the variations in social media policies.  There is no one policy that everyone should use.  The policy will reflect the attitudes and differences of the various associations.

In drafting your social media policy you will have to ask: does your organization use social media?  Is there an expectation or requirement that some of the employees will use social media during work hours?  Do you want to encourage your staff and volunteers to engage in the use of social media, whether as a member service, as advertising, or for something else?  What are your goals with regard to social media and with your social media policy?  Is there confidential information which needs to be protected?  How are you addressing copyright issues?  The answers will shape the direction your association's social media policy will take.

To my knowledge the most famous social media policy currently is that of Coca-Cola: http://www.thecoca-colacompany.com/socialmedia/.   Coke has a wide-open policy, encourages its employees to use social media to essentially promote Coke, and has made its policy available to the public.  The Coke policy sets some guidelines and expectations for the use of social media.  Coke encourages its employees to be “online spokespeople.”  Your organization may want to be more or less like Coke.

My advice is that social media is not going away.  Employees are using social media, so you need to provide some guidance on when and how they may use social media while at work and what they may communicate in official association publications and personal communications concerning.  Without talking to you I can't tell you what form your social media policy should take, but I can tell you that you need a policy.  If you need assistance drafting a social media policy (or any other policy) for your association or business, please do not hesitate to contact me.  jmcguire@c-wlaw.com

 
 
Tax-exempt organizations need to be aware of the changes to the new Form 990, which was released on January 24, 2012.  Here is a link to the 2011 990, http://www.irs.gov/pub/irs-pdf/f990.pdf, and the instructions, http://www.irs.gov/pub/irs-pdf/i990.pdf. The first two pages of the instructions provide information about the “significant changes”.

One very important change that all organizations must be aware of is that you can no longer answer “yes” to question 11a on the 990 if the form was merely made available upon request of the board members.  In order to answer “yes,” the board will have to be provided the document.   Obviously the idea is that the board should actually review the 990 and be aware of its content before it is filed.

There are changes concerning entities with foreign investment greater than $100,000, board chair compensation and compensation of officers and employees, net losses and contributions.  There are other changes that affect joint ventures, investment partnerships and hospitals as well.  The instructions now provide more guidance in areas that were lacking.  Other minor changes include instructions that an organization must make reasonable efforts to obtain information from third parties, and that paid preparers must enter their PTIN but may sign with a rubber stamp, mechanical device or computer software program.  For more information and to see all the changes, review the forms and instructions.

The 990 (or 990-EZ) is generally required by the IRS to be filed by tax-exempt organizations.  Which form is required is generally determined by the amount of an organization's gross receipts or assets.  Please have a qualified CPA assist your organization in the completion of the return.

 
 
I’ve previously mentioned Directors and Officers Liability Insurance, or D&O Insurance.  As a volunteer board member it is important that your organization maintain D&O Insurance, and you should satisfy yourself that your organization carries this insurance.  D&O Insurance is different from E&O Insurance.

D&O Insurance is necessary because when claims are made against a company they are often made directly against its board of directors at the same time.  These claims are most often employment-related, so make certain there is employment practices coverage.  However, these claims can be essentially any type of civil lawsuit, including conflict of interest.  D&O Insurance is specifically designed to protect directors and officers who are sued for activities conducted within the performance of their duties on behalf of the company.  You should have this coverage for any board on which you serve.

As a board member you can insist upon D&O Insurance before you serve.  You should do so in all instances, but particularly if the company has any employees, handles funds or provides services.  Some questions to ask, in addition to whether there is a policy, include: what the policy limit is; whether the policy is claims-made and, if so, whether tail coverage is available; whether defense costs are inside or outside the policy limit; and whether there are any exclusions.  Your company probably has an insurance broker or agent who can help you understand whether proper coverage exists.  Otherwise, ask the company’s attorney for that information.

An alternative is to have a personal umbrella insurance policy, which would provide coverage but would cost you money.

 
 
I've previously blogged about some general fiduciary duties.  At this point I want to point out some additional legal issues of which any volunteer board member should be aware.

Perhaps the most important issue for trade and professional associations is the need to avoid antitrust liability.  The antitrust laws were created to promote fair competition.  They specifically prevent businesses or professions from getting together to set pricing or divide markets.  This means that there should really be no discussion of pricing or comparison of prices.  There should be no discussion about refusing to use certain vendors or refusing to do business with specific individuals or groups.  There are serious consequences for violating the antitrust laws.

Another potential issue for board members is that their actions may be attributed to their organization even when acting as individuals.  If individuals "appear" to be acting with the authority of the organization, the organization may be legally responsible for their actions.  This can be tricky because as individuals we have freedom of speech, but we need to consider, when we are speaking, whether people may assume that what we are saying is being said on behalf of the organization.  We often see statements like “the views expressed here are my own and not those of XYZ.”  Having legal counsel review these issues and advise the board should it start to go astray is essential to avoiding legal liability.  Organizations can purchase insurance, and you have the right to know whether there is a policy that covers officers and directors, so ask.  Many organizations, whether by resolution or bylaw, have indemnification provisions that will protect volunteer board members.  You should check on this as well.

Please keep volunteering.

 
 
Many professionals serve on volunteer boards.  Without these volunteers the work of so many organizations would never be accomplished.  But do the volunteers know and understand their duties when they agree to volunteer? 

The primary duties that must be considered by any volunteer are as follows: 1) the duty to act in the best interest of the organization, 2) the duty to keep confidential information confidential, and 3) the duty to avoid conflicts.  In subsequent posts I may address these duties with more specificity, as well as additional duties; however, these three duties should be fairly obvious.  Unfortunately, they are not always easy to follow.

Hopefully, volunteer board members are volunteering for the "right" reasons and are there to act in the best interest of the organization.  However, what one board member believes is in the best interest of the organization will not necessarily align with what another member believes is in the best interest.  There can be differences of opinion.  A board member must use reasonable and ordinary care in performing their duties.  They must put the interests of the organization before any other interests.

Unless given permission to disclose, confidential information should never be disclosed.  This can include discussions in executive session.  However, as we volunteer for boards we sometimes have access to so much information that it is difficult to know or remember what information has not been made public.  When in doubt, don't disclose, and refer the matter to the Executive Director or legal counsel.

A board member must avoid conflicts of interest.  (A related duty is to disclose conflicts when they arise.)  Avoiding a conflict can simply mean abstaining from a vote.  However, it may mean not participating in any discussion, and it can mean that a board member might have to abstain from a business opportunity of their own if it is in direct competition with the organization.  This does not mean that a board member can never compete with the organization.  In any conflict situation, disclosure is necessary, and a discussion with legal counsel and/or the Executive Director will help resolve the situation.

Although I focused on volunteer board members for this blog, the same duties apply in a paid situation as well.  Don't let these fiduciary duties prevent you from serving as a volunteer.  We need your service.