Building A Privacy Practice In Small and Medium-Sized CPA Firms

Donald E. Sheehy, CA, CISA, Deloitte & Touche LLP
AICPA Staff: Nancy A. Cohen, CPA, Senior Technical Manager, InfoTechnology Communities
Document posted 2020-06-01


Notice to Readers

Building a Privacy Practice in Small and Medium-Sized CPA Firms does not represent an official position of the American Institute of Certified Public Accountants, and it is distributed with the understanding that the author and the publisher are not rendering accounting or other professional services in the publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. This publication has not been approved, disapproved, or otherwise acted upon by any senior technical committee of the American Institute of Certified Public Accountants or the Financial Accounting Standards Board and has no official or authoritative status.

Copyright © 2006 by

American Institute of Certified Public Accountants, Inc.
New York, NY 10036-8775
The Canadian Institute of Chartered Accountants
Toronto, Ontario

All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.

TABLE OF CONTENTS

ACKNOWLEDGMENTS  v

SECTION I PLACING PRIVACY ADVISORY SERVICES INTO PERSPECTIVE  1
  A Practitioner-Relevant Definition  1
  When to Use This Guide  1
  The Suite of Privacy Advisory Services Tools  1

SECTION II MAKING THE DECISION TO OFFER PRIVACY ADVISORY SERVICES  3
  Today's Business Environment: It's Time  3
  Fit With Your Current Offerings  4
  Costs to Practitioner  4

SECTION III ADDRESSING THE LIKELY ISSUES IN IMPLEMENTING PRIVACY ADVISORY SERVICES  5
  How Much Billable Time Will Be Logged in Implementing Privacy Advisory Services?  5
  What Components of the Client's Privacy Program May Need to Be Assessed?  5
  What Criteria and Measures Will I Use in Assessing My Clients?  7
  How Can I Strengthen My Ability to Implement Privacy Advisory Services?  7
  Sore Spots Before, During, and After an Implementation  7

SECTION IV IMPLEMENTING PRIVACY ADVISORY SERVICES  9
  Skills Needed to Implement Privacy Advisory Services Checklist  9
  Information Needed to Complete the Privacy Advisory Services Checklists  9
  Assessment Plan Outline  9
  Implementation Plan Outline  10

SECTION V ADDRESSING THE LIKELY ISSUES IN MARKETING PRIVACY ADVISORY SERVICES  11
  Practitioner Issues  11
    To Whom Should I Market Privacy Advisory Services?  11
    When Is the Right Time to Market Privacy Advisory Services?  12
    Who in My Firm Should Market Privacy Advisory Services?  12
    How Easy Are Privacy Advisory Services to Market?  12
    What "Clinches the Deal" With Clients?  13
  Client Issues  13
    What Is the Benefit to Clients for Investing in Privacy Advisory Services?  13
    Why Should Clients Invest in Privacy Advisory Services?  13
    Why Should Clients Invest in Privacy Advisory Services From a CPA Firm?  13
    Why Should Clients Invest in Privacy Advisory Services From Your CPA Firm?  13
    What Return on Investment Can a Client Expect by Adopting Privacy Advisory Services?  14

SECTION VI MARKETING PRIVACY ADVISORY SERVICES  15
  Identifying Clients for Privacy Advisory Services Checklist  15
  Criteria for Hiring Marketing Professionals in Your Firm  15
  Conversation Starters  15
  Marketing Plan Outline  16
  Self-Assessment Checklist and Marketing Brochure  16
    Client Self-Assessment  16

SECTION VII SUMMARY AND ADDITIONAL GUIDANCE  18
  Summary  18
  Additional Guidance  18

Acknowledgments

The AICPA expresses appreciation to everyone who provided assistance in the development of Building a Privacy Practice in Small and Medium-Sized CPA Firms.

AICPA/CICA Privacy Task Force

Chair
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired)

Vice Chair
Kenneth D. Askelson, CPA.CITP, CIA

Members
Eric K. Federing, KPMG LLP
Marilyn Prosch, Ph.D., Accounting & Information Systems, Arizona State University-West
Don H. Hansen, CPA, Moss Adams LLP
Philip M. Juravel, CPA, Juravel & Company, LLC
Sagi Leizerov, Ph.D., Ernst & Young LLP
Doron M. Rotman, CPA (Israel), CISA, CIA, CISM, KPMG LLP
Kerry Shackelford, CPA, KLS Consulting LLC
Donald E. Sheehy, CA, CISA, Deloitte & Touche LLP

AICPA Staff
Nancy A. Cohen, CPA, Senior Technical Manager, InfoTechnology Communities
Andrea Carella, CPA, Director, Specialized Communities and Credentials
James Metzler, CPA.CITP, Vice President, Small Firm Interests

CICA Staff
Bryan Walker, Principal, Assurance Services Development

A special word of appreciation goes to Philip M. Juravel, CPA; Kenneth D. Askelson, CPA.CITP, CIA; and Kerry Shackelford, CPA, for their dedication to this project.


SECTION I PLACING PRIVACY ADVISORY SERVICES INTO PERSPECTIVE

A Practitioner-Relevant Definition

Over the last several years, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have built on their commitment to developing services to help small and medium-sized accounting firms face their unique challenges. Privacy Advisory Services is an extension of this ongoing commitment.

To practitioners, Privacy Advisory Services represents an exciting, unique opportunity to conduct work valued by their current clients, develop forward-looking areas of expertise, tap into new markets, generate new revenues, and grow their practices. Practitioners can help business clients address privacy issues by offering a full range of value-added Privacy Advisory Services, including:

• Developing a privacy strategic and business plan.

• Providing a privacy gap and risk analysis.

• Providing privacy advice, recommendations, and training.

• Designing privacy policies and procedures.

• Benchmarking and performance measurement.

• Providing independent verification of privacy controls.

When to Use This Guide

Practitioners in small and medium-sized firms are to use this Privacy Advisory Services guide to answer the following questions:

1. Why should we implement and market Privacy Advisory Services?

2. What do we need to know to implement and market Privacy Advisory Services?

To answer these questions adequately, this guide addresses:

• The value of Privacy Advisory Services from the practitioner’s perspective.

• The issues involved in implementing and marketing Privacy Advisory Services.

• Existing and prospective clients’ concerns about buying Privacy Advisory Services.

This guide serves as the first step for practitioners reviewing or considering investing time and resources in Privacy Advisory Services. It was developed under the leadership of practitioners in small firms for use by small and medium-sized accounting firms. The guide focuses on two areas: implementation (see Sections II, III, and IV) and marketing (see Sections V and VI).

The Suite of Privacy Advisory Services Tools

The AICPA and CICA developed numerous tools to help small firms successfully introduce Privacy Advisory Services. The following table places the implementation and marketing guide into perspective by summarizing the prominent AICPA and CICA privacy tools, as well as highlighting the optimal time to use them. Your first step will probably involve becoming familiar with a number of these tools, which can be found on the IT Center Web site.

THE SUITE OF AICPA AND CICA PRIVACY ADVISORY SERVICES TOOLS

Each entry lists the practitioner tool, the type of information it provides, and when to use it.

Building a Privacy Practice in Small and Medium-Sized CPA Firms (Practice Guide)
  Type of information: Describes the value of Privacy Advisory Services from the practitioner's perspective. Outlines the issues involved in marketing and implementing Privacy Advisory Services. Discusses existing and prospective clients' concerns about purchasing Privacy Advisory Services.
  When to use: As a first step in deciding why practitioners should make the effort to market and implement Privacy Advisory Services, and what practitioners need to know to market and implement them.

Generally Accepted Privacy Principles — A Global Privacy Framework
  Type of information: Lays out the complete set of principles and criteria that serve as a benchmark of internationally known fair information practices and recognized good privacy practices.
  When to use: Once a Privacy Advisory Services engagement has been signed, to work with clients to identify privacy practices requiring improvement.

Privacy Advisory Services Marketing Brochure
  Type of information: Introduces the practitioner's firm's suite of Privacy Advisory Services to clients.
  When to use: As a first step in educating clients. The practitioner can also personalize it and leave it with the client.

20 Questions Businesses Need to Ask About Privacy
  Type of information: Provides a high-level summary of business issues relating to privacy.
  When to use: At any time, for raising questions with current and potential clients about critical business issues such as privacy and corporate governance.

An Overview of HIPAA: The Role of CPAs in Privacy Compliance
  Type of information: Provides guidance for CPAs in public practice in providing Health Insurance Portability and Accountability Act (HIPAA) services.
  When to use: When the practitioner is considering expanding Privacy Advisory Services to clients affected by HIPAA.

Privacy Matters - An Introduction to Personal Information Protection
  Type of information: Defines privacy as a risk management issue for all organizations.
  When to use: As a first step to understanding privacy.

Privacy - Are Your Clients Minding Their Own Business?
  Type of information: Explains the AICPA's privacy initiatives and what they mean to CPAs in public practice.
  When to use: As a first step to understanding privacy.

Privacy - Minding Your Own Business
  Type of information: Explains the AICPA's privacy initiatives and what they mean to CPAs in business and industry.
  When to use: As a first step to understanding privacy.

Understanding and Implementing Privacy Services — A CPA's Resource
  Type of information: Provides a complete reference of practical, results-oriented procedures, methods, and tools for providing value-added Privacy Advisory Services for all types and sizes of business clients. Contains numerous tools, exhibits, and questionnaires.
  When to use: As a second step, to learn about and understand privacy in greater detail.

Incident Response Plan
  Type of information: Provides guidance for designing, developing, or adapting a plan and better preparing the client for handling a breach of personal information within their organization. Can be modified to fit the needs of the smaller client.
  When to use: When preparing the client for a breach or compromise of personal information, and when such a breach or compromise occurs. Because the tool is about designing the plan, it should be applied before an incident; a plan written during an incident arrives too late.

SECTION II MAKING THE DECISION TO OFFER PRIVACY ADVISORY SERVICES

Today's Business Environment: It's Time ...

Every magazine, newspaper, and Web site tells us that today's business environment is different. That's not news to practitioners; they experience it daily in their practices.

The important question for practitioners is: given the current and evolving business challenges faced by us and our clients, why should we consider offering Privacy Advisory Services?

Three reasons should concern practitioners:

1. Our role as practitioner is changing. ... It’s time to distinguish ourselves.

a. Competitors are chipping away at the type of services we have typically offered. Clients are increasingly turning to financial planners, financial analysts, financial consultants, lawyers, insurance advisers, and real estate professionals for advice that we have provided for years.

b. Our profession has had its credibility shaken to the core by recent and widely publicized scandals of incompetence and poor judgment.

c. Our current and future clients are recognizing that opportunity for business growth, cost savings, and operational efficiencies means expanding into e-commerce.

d. Recurrent data security breaches across the country have given rise to consumers wanting better protection of the privacy of their personal information. By offering forward-looking, proactive risk management services, we can help our clients prevent these types of incidents.

As practitioners, we can take advantage of these changes by expanding into areas that respond to, and anticipate, current and future client needs. Offering leading-edge services such as Privacy Advisory Services will strengthen the bonds we have with our clients and demonstrate our business insight.

2. Our practice is changing. ... It’s time to think ahead.

Practices of all sizes, especially smaller firms, find it increasingly difficult to attract and retain well-trained, experienced, driven, innovative professionals (in other words, true leaders) who will actively help build your practice.

Introducing new, innovative services sends out a strong message to current staff, potential employees, the professional community, and clients that your practice recognizes the need for leadership and growth. Committing your practice to these services is compelling for practitioners who seek to go beyond traditional accounting, as well as to understand their clients' core business issues and challenges.

3. Our services are changing. ... It’s time to expand beyond the “commodity box.”

With the goal of securing more profitable work, practices often compete on price for time-intensive, unprofitable work. By competing on price, are we sending a message that we are an easily replaced commodity? New services, such as Privacy Advisory Services, enable CPAs to stretch beyond the commodity box with work that can be priced to reflect the fact that we bring a rare set of skills, technical competence, refined judgment, and a valuable discipline to solve our clients' business (and personal wealth) challenges.

Fit With Your Current Offerings

Without a doubt, the biggest obstacle that we face as practitioners in marketing or implementing Privacy Advisory Services is our own fear, a fear that seems to stem from not knowing how these services fit into our current skills and services.

It's natural for us as professionals to be less than comfortable with the prospect of offering new services. After all, we build our reputation, revenues, and sense of personal and professional self-worth from knowing exactly what to do.

This guide aims to provide you with the tools to give you the confidence to add Privacy Advisory Services to your current offerings.

Costs to Practitioner

Just like all typical professional service offerings, the greatest share of costs is at start-up and involves learning how to adapt current skills and apply new ones.

A good place to start would be to identify a leader for these services (which may be the practitioner) for your practice. The assigned individual could start by becoming familiar with all the privacy resources available through the AICPA Web site (www.aicpa.org/privacy) and the reference material mentioned under the suite of Privacy Advisory Services tools. Much of this material is available for free or at minimal cost. As the leader develops a general understanding of privacy issues from these materials, he or she can start identifying the potential for adding new business in this area, as well as discuss initial strategies on how to develop these services within your practice.

Your cost for developing new skills and maintaining them to offer Privacy Advisory Services will generally depend upon the privacy needs and complexity of your clients' businesses and the variety of services you may offer. For example, you may decide to become specialists on the requirements of HIPAA if several of your clients are in the medical industry. You may decide to expand your offerings to a broader range of services, such as strategizing, diagnosing, implementing, sustaining and managing, and assuring, which may require a greater commitment of practice resources.

Other than the time required to research the privacy resources, your costs for the materials to offer Privacy Advisory Services should be less than $500.

SECTION III ADDRESSING THE LIKELY ISSUES IN IMPLEMENTING PRIVACY ADVISORY SERVICES

How Much Billable Time Will Be Logged in Implementing Privacy Advisory Services?

At the onset of any Privacy Advisory Services engagement, small and medium-sized practitioners need to swallow one unappetizing truth: clients may not instantly recognize the value of Privacy Advisory Services. Part of our challenge will be to demonstrate a cost/benefit to the client. Despite the research findings demonstrating the need for such services, most research refers to customers' preferences for protecting their personal information and to potential savings that would have been achieved if a privacy breach were averted.

For clients you may have in the medical or financial industries that are impacted by privacy legislation, you have an opportunity to work with them to help ensure their privacy programs are in compliance with these regulations. For clients in other industries, you have an opportunity to ensure they have adequate privacy programs to protect their customers' and employees' personal information.

One approach to start developing Privacy Advisory Services with your clients is to offer an awareness presentation on why privacy is important to their business. While this initial approach would generally not result in billable hours, it would provide you the opportunity to demonstrate your knowledge and interest in assisting your clients in this area. Conducting these presentations would build your clients' confidence in your practice. Presentations also could lead to many of the Privacy Advisory Services mentioned previously and, ultimately, to billable hours.

As a result, you may spend some time convincing your client to let you do a Privacy Assessment. You should understand that an initial Privacy Assessment may be only a two- to three-hour engagement for a small client, with a potential fee of approximately $500-$750. However, this initial assessment provides you with a great opportunity to recommend additional privacy services your client may need.

What Components of the Client's Privacy Program May Need to Be Assessed?

The following chart highlights examples of components of your client's privacy program that you can assess for Privacy Advisory Services. Along the top of the chart are examples of functional areas within most client organizations. Along the side of the chart are the prime areas of focus for Privacy Advisory Services that can be assessed. This is by no means an exhaustive list, and in some unique client situations the items marked "Not applicable" may have relevance.

PRIVACY ADVISORY SERVICES AND EXAMPLES OF COMPONENTS TO BE ASSESSED

Functional areas (columns): Human Resources; Marketing; Operations; Legal; Information Technology; Online Web site. Areas of focus (rows): the ten privacy principles below. Each row lists, for every functional area, the example component to be assessed.

Management
  Human Resources: Personnel records; policies, procedures, and controls
  Marketing: Customer records; policies, procedures, and controls
  Operations: Corporate governance; policies, procedures, and controls
  Legal: Consistency of policies with laws and regulations
  Information Technology: IT infrastructure; systems management
  Online Web site: Policies, procedures, and controls

Notice
  Human Resources: Communications to employees or potential employees
  Marketing: Communications to customers or prospective customers
  Operations: Communications to customers
  Legal: Compliance with laws and regulations
  Information Technology: IT infrastructure
  Online Web site: Privacy notice

Choice and Consent
  Human Resources: Employees
  Marketing: Customers
  Operations: Customers
  Legal: Not applicable
  Information Technology: IT infrastructure
  Online Web site: Customers

Collection
  Human Resources: Employee information
  Marketing: Customer information; third parties
  Operations: Customer information; third parties
  Legal: Fair and lawful collection
  Information Technology: IT infrastructure
  Online Web site: Customer information

Use and Retention
  Human Resources: Personnel records; payroll records
  Marketing: Customer records
  Operations: Customer records
  Legal: Legal retention requirements
  Information Technology: IT infrastructure
  Online Web site: Communications

Access
  Human Resources: Employees
  Marketing: Customers
  Operations: Customers
  Legal: Not applicable
  Information Technology: IT infrastructure
  Online Web site: Customers

Disclosure to Third Parties
  Human Resources: Personnel records; payroll records
  Marketing: Customer records
  Operations: Customer records
  Legal: Contractual agreements
  Information Technology: IT infrastructure
  Online Web site: Communications

Security for Privacy
  Human Resources: Personnel records; payroll records
  Marketing: Customer records
  Operations: Information security procedures
  Legal: Not applicable
  Information Technology: IT infrastructure; information security program
  Online Web site: Communications

Quality
  Human Resources: Accuracy and relevancy of personnel records
  Marketing: Accuracy and relevancy of customer records
  Operations: Accuracy and relevancy of customer records
  Legal: Not applicable
  Information Technology: IT infrastructure
  Online Web site: Not applicable

Monitoring and Enforcement
  Human Resources: Complaint process for employees
  Marketing: Not applicable
  Operations: Complaint process for customers; dispute resolution
  Legal: Not applicable
  Information Technology: IT infrastructure
  Online Web site: Communications

What Criteria and Measures Will I Use in Assessing My Clients?

As practitioners, the most basic assessment will use several interview questionnaires and tools found on the IT Center Web site. For more advanced engagements, use the Generally Accepted Privacy Principles - A Global Privacy Framework (GAPP) as the basis for client assessments. GAPP consists of 10 principles with criteria, illustrations, and explanation of good privacy practices. This information can also be found on the IT Center Web site.

The first meeting with your client will typically involve going through a privacy questionnaire and discussions on why a privacy assessment is important for the client's organization. During follow-up, you will review results of the questionnaire with the owner and/or other key management, and discuss the initial privacy assessment along with recommendations. These meetings would also be the basis for developing and defining the scope and timing for additional Privacy Advisory Services. If the client has significant needs in this area, then the engagement should be expanded, resulting in additional resources required from your firm. The engagement letter and fees should be adjusted accordingly as additional Privacy Advisory Services are conducted for the client.

How Can I Strengthen My Ability to Implement Privacy Advisory Services?

As CPAs, we already have a strong working knowledge of business practices, internal controls, and the audit of internal control systems. As your clients' CPA, you may know more about the business processes of the company than the owner(s). With this knowledge and understanding, we have created a foundation to expand our service offerings. However, like any new service we provide, implementation requires us to gain the knowledge and skill sets needed to offer these Privacy Advisory Services.

There are numerous resources to help gain this knowledge. Generally Accepted Privacy Principles is one of the many resources you need to become familiar with; many others are mentioned in this publication.

In addition to these reference materials, you may want to take online and offline courses, seminars, and workshops to get more comfortable with the concepts and processes involved in Privacy Advisory Services.

Sore Spots Before, During, and After an Implementation

If your client needs additional services as a result of the initial assessment, you will need to be prepared to address the following.

Before the Implementation

• Do I have the required skills to do the implementation? Do I have the right checklist(s) of principles and criteria from which to conduct the implementation and additional follow-up work?

If you do not have the necessary skills, outside experts may have to be retained to assist with the work. The relevant checklists begin with GAPP, which provides the criteria required for conducting the implementation.

During the Implementation

1. What if the client's staff is uncooperative because they look at our work as a challenge to their authority or competence?

The only way of addressing this is having senior management (owner) buy-in from day one. Ideally, during the first meeting, you should work with the owner to make it clear that your work is not a reflection of past performance, but a way to anticipate and head off control risks in areas in which in-house staff typically have little or no expertise.

2. Will I have problems coordinating my staff and the client staff?

Without a doubt, a big part of the implementation involves efficient project management. It is advisable to put a senior person who has strong project management, cost management, and communication skills in charge of the implementation.

3. What happens if the client has significant privacy gaps?

It is very likely that a client may have significant gaps that need addressing. It falls on you to manage your clients' expectations and focus on the positive benefits of proceeding through the implementation process (for example, process improvement). Once the process is complete, another outcome is reduced business risk.

After the Implementation

1. What happens if the client modifies its policies, procedures, and controls and becomes privacynoncompliant?

In responding to their business and budget challenges, it is typical for clients to change their proce-dures throughout the year. The goal is for you to keep ongoing communications with your clients soyou are notified or consulted before they make any material change in their privacy practices. Youmay want to consider setting up some kind of periodic update program with your client (for example,quarterly or semi-annual).

SECTION IV IMPLEMENTING PRIVACY ADVISORY SERVICES

Skills Needed to Implement Privacy Advisory Services Checklist

Implementing Privacy Advisory Services uses audit skills long familiar to all accounting professionals. The core skills required to implement Privacy Advisory Services include the following:

• Subject matter knowledge

• Business advisory skills

• Technical skills

• Controls and assurance skills

• Application of laws and regulations to business

Information Needed to Complete the Privacy Advisory Services Checklists

When implementing Privacy Advisory Services, the following client information will need to be obtained and reviewed:

• Privacy policies and procedures

• Key personnel responsible for privacy compliance, and updating and maintaining privacy programs

• Privacy laws and regulations that apply to the business

• Third parties with whom the organization shares personal information

• Systems and technology used to store, process, protect, and transmit personal information

Assessment Plan Outline

The following outline can be used as an assessment plan for offering Privacy Advisory Services to a client:

1. Prepare an engagement letter indicating the nature of the service to be provided. (As a reminder — practitioners should seek the advice of legal counsel and their liability insurance provider when developing engagement letters.)

2. Ensure appropriate information was received from the client and reviewed.

3. Complete checklists as necessary — HIPAA, GLBA, COPPA, and 20 Questions to Ask Your Client About Privacy (found on the IT Center Web site).

4. Prepare a report to the client with findings and, if necessary, note additional work that may be required by the client.

Implementation Plan Outline

The following outline can be used if additional services are to be performed in Privacy Advisory Services:

1. Prepare an update to the previous engagement letter to cover additional services that will be performed.

2. Ensure you have the proper resources to provide these services (e.g., manuals, guides, and reference materials).

3. Interview the clients’ relevant staff members to confirm and document the policies, procedures, and controls.

4. Evaluate the findings against the clients’ privacy policies.

5. Design and implement a work program intended to evaluate the client’s policies and procedures against the Framework criteria.

6. Assist clients to become compliant with the Framework criteria and relevant legislation.

7. Periodically update clients with the status of the implementation engagement.

8. Regularly contact clients to keep current on any changes in their privacy policies.

9. Provide ongoing privacy advice throughout the year, not just during the annual (or more often) Privacy Advisory Services update.

SECTION V ADDRESSING THE LIKELY ISSUES IN MARKETING PRIVACY ADVISORY SERVICES

Practitioner Issues

To Whom Should I Market Privacy Advisory Services?

To determine which of your current or prospective clients is likely to be in need of Privacy Advisory Services, begin by using the Prospecting Chart. In conjunction with this chart, use the tool found in Section VI, Identifying Clients for Privacy Advisory Services Checklist.

PROSPECTING CHART

LOW EFFORT/LOW RETURN

• We know the decision maker(s) has an immediate/short-term need for Privacy Advisory Services.

• We know the decision maker(s) recognizes the need for Privacy Advisory Services.

• We know the decision maker has a budget for Privacy Advisory Services.

• We have an established relationship with the key decision maker(s).

LOW EFFORT/HIGH RETURN

• We know the decision maker(s) has an immediate/short-term need for Privacy Advisory Services.

• We know the decision maker(s) recognizes the need for Privacy Advisory Services.

• We know the decision maker(s) has a budget for Privacy Advisory Services.

• We have an established relationship with the key decision maker(s).

• CPAs are contracted who can demonstrate their understanding of the client’s business with an aim of building a long-term relationship.

• Decision-makers and/or in-house specialists recognize that CPAs provide opportunities and expertise to achieve cost-savings and efficiencies in specialty areas.

HIGH EFFORT/LOW RETURN

• We don’t know the decision makers, the decision-making process, the priority of accounting/consulting services, or the history of contracting accountants.

• Accounting services are typically contracted on a “one off” response to short-term tactical needs.

• Decision-makers and/or in-house specialists resent using external resources/expertise.

HIGH EFFORT/HIGH RETURN

• We don’t know the decision makers, the decision-making process, the priority of accounting/consulting services, or the history of contracting accountants/consultants.

• Decision-makers and/or in-house specialists recognize that CPAs/consultants provide opportunities/expertise to achieve cost savings and efficiencies in specialty areas.

When Is the Right Time to Market Privacy Advisory Services?

Marketing Privacy Advisory Services should only be undertaken when you are comfortable that you have the required skills and resources to succeed. These are outlined in this section and Section IV, Implementing Privacy Advisory Services.

Given the AICPA and CICA’s efforts to develop new assurance services, rapid changes in legislation and technologies, and increased client exposures, there has been no better time than now for small and medium-sized accounting firms to evaluate their markets (see Section VI, Identifying Clients for Privacy Advisory Services Checklist) and internal resources.

Other indicators signifying when to market Privacy Advisory Services include any of the following:

• Your firm recognizes the need, or opportunity, to build revenues by offering innovative nontraditional services.

• Clients have expressed a concern about the completeness of their own privacy policies and procedures.

Who in My Firm Should Market Privacy Advisory Services?

Marketing Privacy Advisory Services requires commitment from the most senior levels of the firm. Everyone working in the firm committed to Privacy Advisory Services will need to play a role in marketing these services.

The challenge for any small or medium-sized firm is clarifying the roles associated with marketing Privacy Advisory Services. The most critical role is that of the Privacy Advisory Services Leader. This senior professional (that is, a partner) must:

1. Facilitate training of professional staff on identifying opportunities within the existing and prospective client base.

2. Serve as the point-person for the client.

3. Routinely visit the AICPA Web site (www.aicpa.org/privacy) to keep current on Privacy Advisory Services and changes in relevant legislation.

How Easy Are Privacy Advisory Services to Market?

Privacy Advisory Services are easy to market if all the following are in place:

• You identify and secure the required skills.

• You identify the right clients.

• You engage in one-on-one conversations with the right clients.

The tools found in Section VI will help you work through these areas and ensure that your marketing efforts and resources are focused wisely.

What “Clinches the Deal” With Clients?

Privacy Advisory Services engagements are signed when you adequately demonstrate that you understand your client’s issues and how Privacy Advisory Services can help them achieve their goals better, smarter, faster, or cheaper. With that in mind, engagements are usually agreed on by emphasizing the following:

• The price is flexible (partly based on value to client) and competitive.

• You are able to begin the engagement according to the client’s timetable.

• Clients have the need to demonstrate their legal compliance.

• You can make a convincing case that Privacy Advisory Services offers an opportunity for your clients to distinguish themselves from their competitors.

Client Issues

What Is the Benefit to Clients for Investing in Privacy Advisory Services?

Clients want to invest in Privacy Advisory Services to achieve very real benefits unique to their business. Two of the primary benefits that tend to be common across organizations, regardless of the Privacy Advisory Services adopted, include:

• Corporate governance. Privacy Advisory Services help business owners and/or senior officers demonstrate to investors and other relevant stakeholders that rigorous efforts were undertaken to govern the business in a responsible way.

• Marketing. Privacy Advisory Services provide an opportunity for companies to distinguish themselves from their competitors by adopting privacy practices that will build trustworthy relationships with their customers and employees.

Why Should Clients Invest in Privacy Advisory Services?

Your clients’ customers are likely becoming more selective of the organizations that they choose to purchase from; the same can be said of your clients’ business partners. By adopting Privacy Advisory Services, your clients can demonstrate a highly desirable, unique commitment to ensuring excellent performance and management in the area of privacy practices.

Why Should Clients Invest in Privacy Advisory Services From a CPA Firm?

CPAs understand the clients’ business processes, systems, controls, and goals better than anyone else. They have a long history of providing excellent service to their clients based on professional standards and ethical guidance.

Why Should Clients Invest in Privacy Advisory Services From Your CPA Firm?

You have been building your reputation as a trusted business adviser with your existing and prospective clients. By introducing and offering Privacy Advisory Services, you can once again demonstrate your business intelligence.

What Return on Investment Can a Client Expect by Adopting Privacy Advisory Services?

By adopting good privacy practices, your client will be able to:

• Protect its public image and brand.

• Achieve a competitive advantage in the marketplace.

• Meet the membership requirements of an industry association.

• Efficiently manage personal information, thereby reducing administration costs and avoiding unnecessary financial costs, such as retrofitting information systems.

• Enhance credibility and promote continued consumer confidence and goodwill.

SECTION VI MARKETING PRIVACY ADVISORY SERVICES

Identifying Clients for Privacy Advisory Services Checklist

This checklist helps practitioners focus their marketing efforts by identifying characteristics of existing or prospective clients that will experience the greatest benefit by investing in Privacy Advisory Services. See Identifying Clients for Privacy Advisory Services on the IT Center Web site for a complete checklist.

The following are three examples of characteristics to review to determine which of your clients may need Privacy Advisory Services. The more of these characteristics the prospective client has, the more likely the client will be to consider or embrace Privacy Advisory Services.

1. The organization’s reputation is built on, or largely depends on, its ability to keep information accurate, secure, private, or confidential.

2. The organization’s clients have demanded accountability around processes for keeping information available, accurate, confidential, and secure.

3. The organization needs to adopt new practices and technologies to comply with legislation.

Criteria for Hiring Marketing Professionals in Your Firm

CPAs should take into consideration the following characteristics when evaluating prospective marketing professionals to help promote privacy services:

• Business skills. A track record and the ability to quickly and accurately understand the nature of the businesses carried out by the prospects for Privacy Advisory Services.

• Communication skills. A track record and the ability to translate the benefit of Privacy Advisory Services into terms that are relevant to the prospects for Privacy Advisory Services.

• Interpersonal skills. Strong listening and empathy skills.

• Evaluation skills. A track record and the ability to measure the impact of marketing strategies and activities.

• Networking skills. A track record and the ability to build networks within relevant markets.

• Promotion skills. A track record and the ability to follow a rigorous methodology to increase the visibility of the professional services firm with targeted audiences.

Conversation Starters

When speaking to existing and prospective clients, practitioners need ways to raise the topic of Privacy Advisory Services. Ideally, this topic should be raised in response to questions about clients’ current issues and priorities. The following is a selection of practitioner conversation starters that have successfully raised client interest:

• Have you heard about the latest breach of privacy by [enter name]?

• Are you comfortable with your privacy practices?

• Do you collect personal information about customers and employees?

• Are you sharing any personal information with third parties?

• How do you communicate your privacy policies and practices to your customers and others?

• How do you protect the personal information you collect?

• Are you subject to any privacy legislation?

Marketing Plan Outline

Each firm’s marketing plan will differ depending on the availability of resources and client data. Nonetheless, here are some elements that are common to any successful Privacy Advisory Services marketing plan.

1. Use the Prospecting Chart (Section V) and the Identifying Clients for Privacy Advisory Services Checklist to target existing and prospective clients for Privacy Advisory Services.

2. Use your existing base of clients, suppliers, and contacts who can take your Privacy Advisory Services message to prospective clients. Educate these channels and provide them with an incentive to endorse you as a provider of Privacy Advisory Services.

3. Regularly contact prospective clients directly to discuss their understanding of, and the importance they place on, their privacy practices.

4. Provide articles to online and offline publications that are seen as credible by your prospective clients. Articles should balance the business risks associated with unreliable privacy practices and the growth benefits that result from ensuring privacy programs achieve high standards.

5. Regularly attend, give presentations at, network in, and eventually sponsor or cosponsor events that dovetail privacy and business issues.

Self-Assessment Checklist and Marketing Brochure

CPAs expressed a need to have a client assessment checklist and marketing brochure they could leave with, or send to, clients to enlighten them about Privacy Advisory Services.

Client Self-Assessment

The following is a series of questions that can be modified — depending on your client’s industry, size, budget, and understanding of privacy programs — to highlight their potential need for Privacy Advisory Services.

Privacy Advisory Services: Does My Business Need Them Now?

If you answer yes to any of the following questions, you could achieve considerable return on your investment by adopting Privacy Advisory Services.

1. Do you need to adopt new practices or procedures to comply with legislation?

2. Is your company’s reputation built on, or largely dependent on, your ability to keep information accurate, secure, private, or confidential?

3. Are you finding it increasingly difficult to distinguish yourself from competitors in the eyes of your clients?

4. Do you need to demonstrate to investors or other relevant stakeholders that you are governing the business responsibly?

5. Are you interested in identifying cost-saving efficiencies in your privacy programs?

6. Have your competitors recently invested in systems-related technologies and processes to enhance their privacy programs?

7. Does your organization rely heavily on collecting, updating, processing, and storing customer or prospect information with contact management software programs and technologies?

8. Do you rely on any outsourced processes or operations?

9. Do you know that your systems and data are secure?

10. Do you regularly collect customer or prospect information in advance of launching or modifying new products or services?

11. Does your Human Resources Department collect and store personal information on employees and potential recruits?

In addition, a Privacy Advisory Services marketing brochure that can be personalized for your firm can be found on the IT Center Web site.

SECTION VII SUMMARY AND ADDITIONAL GUIDANCE

Summary

This guide has been developed to assist you, the practitioner, to expand your service offerings. As you can see, other than your time to become proficient with the skills and resources needed, Privacy Advisory Services requires a minimal financial outlay. By taking the time to read this manual and familiarize yourself with the tools, checklists, and other practice aids, you can be offering these new services to your clients.

We believe this guide provides you with all the materials and resources you need to add Privacy Advisory Services to your firm.

Additional Guidance

Throughout this guide we have made reference to numerous resources, checklists, and practice aids. You will find the following documents provided for your use and reference on the IT Center Web site:

1. Suite of Tools (Section I)

• Generally Accepted Privacy Principles – A Global Privacy Framework

• Privacy Advisory Services Marketing Brochure

• Twenty Questions Businesses Need to Ask About Privacy

• An Overview of HIPAA: The Role of CPAs in Privacy Compliance

• Privacy Matters – An Introduction to Personal Information Protection

• Privacy – Are Your Clients Minding Their Own Business?

• Privacy – Minding Your Own Business

• Privacy and Outsourcing – Is Your Organization at Risk?

• Privacy Incident Response Plan – Template

2. Checklists (Section IV and VI)

• HIPAA – Health Insurance Portability and Accountability Act

• GLBA – Gramm-Leach-Bliley Act

• COPPA – Children’s Online Privacy Protection Act

• 20 Questions to Ask Your Client About Privacy

• Identifying Clients for Privacy Advisory Services

3. Other Practice Tools

• Privacy Advisory Services ... A Best Practices, Integrated Approach, a PowerPoint presentation to sell the service to clients

• U.S. and International Regulations

4. Other Resources Available

• AICPA Privacy Channel – www.aicpa.org/privacy

• Publication – Understanding and Implementing Privacy Services – A CPA’s Resource, available through www.cpa2biz.com/store

For more information

To learn more about privacy and how implementing new privacy measures can benefit your organization, please visit www.aicpa.org/privacy

9566-395

ISO Certified
