At their last board meeting, the Washington Board of Accountancy approved changes to several rules that go into effect on February 24. I went straight to the man himself, Mark Hugh, who serves on the Board of Accountancy to discuss each revision and learn how the changes affect WSCPA members.

If you're interested in learning more about how the new section, WAC 4-30-050(4) addresses client confidentiality as well as an example of an engagement letter that includes client consent, check out Mark's article here. 

Transcript

Ashley: To begin with, the definition of authorized person, can you explain a little bit about that?

Mark: Yea, the definition of authorized person, and at the board, we have our definitions all in one rule. So when we’re adding the definition to another rule, we actually put it in this main rule of definitions. So if you ever reading the board rules, it’s important to go find that rule because all the definitions are there.

We added a definition of authorized person because in the rule for record request, we wanted to make it more clear who could request records of the CPA. Before it was a little ambiguous, does every owner of an entity have the right to request all the records that the CPA does? Does every shareholder of a large corporation have the right to do that? We really wanted to clarify only certain persons are permitted to do that. For example, in a corporation it’s the officers, it’s their delegates, in a trust it may be the trustee. We wanted to be really more specific, and the goal is to help CPA’s where a lot of times they’re put in really difficult positions, and record requests they’re kind of put between maybe the main shareholder and another shareholder that someone’s tried to freeze out.

So we wanted to add a lot more definition around those to get more clarification to CPAs so they have a better idea of who they can give records to and who they should not.

Ashley: Part of the rule change eliminated the charge for copies of those public records and then it renamed the rule.

Mark: It renamed the rule, and this came down from some legislative change that affected all public records of all agencies, so it required that you revisit your rule. And we looked at it and we renamed it. The law does allow you to charge for public records requests. It’s so incidental at the Board of Accountancy that they decided it’s more inconvenient than it is. So they eliminated any charge for public records request.

Ashley: Ok. So far it’s simple. So, fees, is that kind of along the same line?

Mark: Exactly—eliminate the fees for the public records.

Ashley: Client records, the big conversation in meetings was the Cloud and how CPAs deal with that.

Mark: We did several things with that and part of it was the Cloud. Over time, everything has moved to the Cloud, and there’s a lot of confusion among CPAs what the rules were. And that’s because you had AICPA standards that allowed some exceptions but we didn’t have those exceptions or rules. And the way it works, if there’s a conflict with a Board rule or the Board rule’s more restrictive under the law, the Board rule wins.

So people were maybe following the AICPA rule, which was more liberal than following the rule that they should have been following, which was the Board rule. Essentially the AICPA rule was for when you’re leasing confidential information to a third party, you need to do one of two things: you needed to get the client’s permission, or alternatively, not get permission, and you had to make sure that the client, or the people you’re giving the records to, had adequate safeguards to protect the client confidentiality. That was in an AICPA interpretation. In Washington Board rules, it was always written consent was required; you didn’t have that exception for making sure they had adequate safeguards.

Especially as more and more things have moved to the Cloud—data storage and email and tax locators and pretty much everything—more and more situations were coming up where we realized we really need to clarify. So we adopted the AICPA’s more liberal standard—our standard, again, was always written, so even if you used offsite data storage, the standard was always written. So we adopted the AICPA’s more liberal interpretation, which says you get client consent, or you still have to make sure they or the third party service provider have adequate safeguards for that client data.

So now you have an “or” test for people to follow. It’s kind of a little bit of a dangerous “or” test for people to follow because in the rules of professional conduct you have to apply some safeguard to any situation, you have to be able to demonstrate that the safeguard reduced the risk down to an acceptable level. So if you decide not to get client consent but decide to make sure the third party service provider has adequate controls, you have to demonstrate that you did that. And so, how do you know? An example that I always use, I use Microsoft Exchange for hosting my email and Microsoft OneDrive for all my records.

Now, I can’t demonstrate that Microsoft has applied adequate safeguards. I don’t have those skills, those are programs. So what I do is I follow this solution of putting it in my engagement letters; it’s elegant, it’s simple, it’s not complex, it’s the best documentable thing you can do. So my engagement letters have a provision in it as part of providing professional services to you, we secure online storage services from Microsoft for hosting data communications; by agreeing to this consent, and by agreeing to this engagement, you agree this is acceptable to you. I’m going to still do that, because it’s hard to verify that people have adequate safeguards.

There are some third-party service providers that deal a lot with CPAs actually get a copy of the report. Intuit has a copy of the report, ACH has a copy of the report. But everyone uses a lot of third party service providers, and the rules say, you’re supposed to demonstrate that you’ve applied some safeguard. That’s really ambiguous. And if there’s a complaint about client confidentiality, it’s much better to follow the safer alternative but really easily documented.

Ashley: You actually have a really good example of that on our website. You wrote an article giving a similar overview and actually providing an example of how you would write that out.

Mark: Yeah, another firm gave me an example. I’m a consultant so everything is just Word and Excel.  But another consultant that uses a lot more client-based services gave me a great example. So we have really two examples on the website, you have my example from my engagement letters and then this other example. So again, engagement letters are a wonderful tool. People don’t utilize them enough. But that’s just another example of, there’ll be no misunderstandings, just put it in the engagement letter, well-documented.

Ashley: So the last rule that the Board made changes to was the investigative process. Can you explain that a little?

Mark: Yeah. The investigative process, the Board rule was a very long and prescribed rule. And if you read it, it didn’t really read like a rule. It was kind of this long, rambling discussion. Very odd administrative rule. So we decided to allow more flexibility to work with licensees and disciplinary actions.

We decided to cut the rule down and in the rule put a much shorter rule but then move that investigation process more to a board policy. This actually gives us more flexibility. In Washington, the view of the Board of Accountancy has really tried to rehabilitate people. 

Ashley: Great. Well sounds like a lot of good was done. Those rules go into effect February 24^th?

Mark: Absolutely. I know they’ll be in the WSCPA magazine and on the website there’s an article. At the Board we’re going to try to do more outreach now so we’ll have more articles coming out.

Ashley: Great. Well thanks so much for joining me today.

Mark: Thank you, great to be here.