Doing Business in Europe? New Privacy Rules Go into Effect May 25

The General Data Protection Regulation (GDPR), which replaces the 1998 Data Protection Act, is a new series of privacy regulations that apply to anyone who stores or processes personal information of European Union citizens or residents, regardless of a company’s physical presence in Europe. An implementation deadline of May 25, 2018 has been set by the European Union, and North American firms who deal with clients overseas need to be in compliance or face hefty fines.

The GDPR defines personal information as anything that can be used to identify a person – an identification number, bank account number, or simply a name and email address. If personal data is involved in a data breach then the individual must be notified within 72 hours of discovery. Under the GDPR, individuals have other enhanced rights including:

  • The right to erasure, also known as the right to be forgotten. An individual has the right to request their data be deleted, including any backups or cloud storage.
  • The right to be informed. Firms are obligated to provide fair processing information, typically through a privacy notice, which is written in clear language rather than legal jargon.
  • The right to object. Individuals can object to the processing of their data and to direct marketing.

Organizations that process personal data must have a lawful basis for doing so. GDPR outlines six bases, including fulfilling a necessary contractual obligation for clients or obtaining explicit (rather than implied) consent. Firms must determine the lawful basis, and document it, before processing.

If one thing is clear about the GDPR, it’s that whatever you do, it must be documented. This documentation could be the duty of a Data Protection Officer (DPO), which organizations are required to appoint in some circumstances, such as when information is processed on a large scale. The DPO has responsibility for data protection compliance and is the first point of contact for any data protection activities. The GDPR allows for this position to be an existing employee, as long as there is no conflict of interest and the professional duties are compatible.

Questions your firm should be asking: 1) Is your privacy notice written clearly? 2) Do your processes uphold privacy by design? 3) Do you have a breach notification plan? 4) Do you engage a third party to process any personal data?

Those found in violation of the GDPR could be fined up to 4% of their annual revenue, or €20 million, whichever is greater. However, according to the European Commission, the most important aspect of the GDPR is that it allows for client trust and confidence that their sensitive personal information is being handled with appropriate care. Only 15% of people feel they have complete control over the information they provide online, the commission says.

New York Accountant Pleads Guilty in Stock Manipulation Scheme

Shaun Greenwald, president of a New York accounting firm, pleaded guilty before U.S. District Judge John Michael Vazquez to one count of securities fraud conspiracy and one count of tax fraud conspiracy.

From 2014 to 2016, Greenwald, Joseph Taub and others conspired to manipulate securities prices of numerous public companies by coordinating trading in dozens of brokerage accounts that they secretly controlled.

These “straw accounts” were held in the conspirators’ own names, the names of their family members and the names of entities they controlled. Many of the accounts were opened in the names of individuals who neither controlled the accounts nor traded the securities held in the accounts.

The fraudulent trades typically involved two types of straw accounts. First, a “winner account” purchased a large block of shares in a particular security. Next, a “loser account” placed multiple small orders in the same security to create upward pressure on the stock price. Once the price of the security moved higher due to the loser account’s manipulative orders, the conspirators sold their large position in the winner account and the shares from any executed trades in the loser account. While the loser accounts would generally lose money, the conspirators expected the gains from the winner accounts to more than make up for them.

Taub was one of Greenwald’s clients. As part of the scheme, Greenwald opened brokerage accounts in his name or in the names of entities that he controlled. However, the vast majority of the funding for these accounts was provided by Taub, which Greenwald concealed on the account opening forms.

Greenwald also admitted that he performed accounting services for the conspiracy, including calculating the taxes on profits made from the straw accounts. While Taub did provide the account holders funds for the taxes on his portion of the straw account profits, he failed to declare any of this income on his tax returns.

Each count to which Greenwald pleaded guilty is punishable by a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense. Sentencing is scheduled for June 5, 2018. Taub was charged by complaint on Dec. 12, 2016.

Study: SOX Regulations Not Enough to Overcome ‘Alumni Effect’ in Audits

New research shows that auditors are more accommodating to clients who once worked at a Big 4 firm, threatening auditor independence and professional skepticism.

The so-called “alumni effect” was outlined in a paper published in the March issue of Accounting Horizons, a journal of the American Accounting Association.

In the wake of high-profile accounting scandals at Enron, Global Crossing and other companies in the early 2000s, lawmakers passed the Sarbanes-Oxley Act (SOX), which banned accounting firms from performing audits if a top financial or accounting executive of the client was employed by the auditor during the preceding year. After all, top executives of Enron and Global Crossing were alumni of their companies’ external auditors.

However, the new research suggests that SOX is not effective in eliminating the threat to independence.

In a controlled experiment with three different conditions, audit managers assessed the potential impairment of goodwill. The study says: “The results indicate that auditors are more likely to make a judgment that agrees with the client’s position when the CFO is a former engagement partner from their firm, and are more confident in the CFO’s position when the CFO is a former Big 4 partner, whether from their own firm or another firm, than when the CFO is not identified as having any affiliation with any audit firm.”

The study says 76% adopt the client’s position if the client’s CFO is a former colleague at their Big 4 audit firm, while only 44% do so if the CFO is not. The alumni effect occurs even if it has been two years since the CFO left the audit firm, double the minimum required in the U.S.

“Obviously, a one-year or two-year cooling-off period is not enough to avoid the alumni effect, particularly if it requires overcoming social bonds that colleagues often develop,” says Michael Favere-Marchesi of Simon Fraser University’s Beedie School of Business, who was quoted in Favere-Marchesi conducted the study with Beedie colleague Craig Emby. “It may be that five or 10 years would be enough. Alternatively, it may be that audits of companies where a CFO or other higher-up is a former engagement partner should be banned entirely, as some research on auditor independence has suggested.”

These conclusions are based on an online experiment involving 140 managers of Big 4 firms in Canada and the U.S. The managers all received the same background information about a corporate client and its industry as well as a draft of the current year’s financial statement. Three experimental conditions were set regarding the CFO’s background, and the key issue was the valuation of goodwill, an asset on corporate balance sheets that arises when a firm purchases a company for more than the fair value of its net assets.

“Being told the CFO had formerly been a Big 4 partner inclined participants to agreement on goodwill impairment but not nearly as much as the alumni effect did,” reported. “And least likely of all to be swayed were participants whose CFO had neither alumnus status nor Big 4 imprimatur.”

The study authors call on regulators for “a more robust cooling-off period covering a wider range of management positions,” noting that the possibility of a longer period has been raised by the SEC’s PCAOB.

Compliance Education Institute Sues Dixon Hughes Goodman for Copyright Infringement

Compliance Education Institute has filed suit against Charlotte, N.C.-based Dixon Hughes Goodman (FY17 net revenue of $404 million) for copyright infringement of its Certified Regulatory Vendor Program Manager (CRVPM®) course.

As noted in the filing entered into federal court in New York, Michael Blevins, a manager in the DHG Risk Practice, enrolled in the CRVPM course and became a Certified Regulatory Vendor Program Manager in Jan. 2015. DHG then published a four-part vendor management series on its DHG Views public website on March 1, 2015, where it remained for two years.

Chris Ricchiuto, partner in the risk practice, is shown as the author and a consolidated version of the four-part series was also posted on the public website of the Institute of Internal Auditors (IIA) Charlotte chapter. Both Blevins and Ricchiuto are shown as co-authors. The IIA is named as a co-defendant in the suit.

“It’s David vs Goliath,” says Mick Kless, CEO of Compliance Education Institute. “After many months of trying to resolve this issue with this 2,000 employee, top 20 audit firm without satisfactory result, I felt that it was best to file a complaint in court and post the complaint and the exhibits to our website. Let the legal system and jury of public opinion draw their own conclusion. View the evidence and you be the judge.”

KPMG Audits of Carillion Probed by FRC

According to Bloomberg, the U.K. Financial Reporting Council (FRC) opened a probe into New York-based KPMG LLP’s (FY16 gross revenue of $8.6 billion) audits of Carillion Plc, after the builder collapsed under debt earlier this month.

The FRC will examine KPMG’s work from 2014 and whether the auditor breached any “ethical and technical standards.” The FRC will also look at how KPMG recognized revenue on significant contracts and its accounting for pensions.

Carillion, a U.K. construction company with government contracts in everything from hospitals to the HS2 high-speed rail project, collapsed in January after failing to shore up its finances and get a government bailout, leaving behind debts of $2.3 billion.

“Several areas of KPMG’s work will be examined including the audit of the company’s use and disclosure of the going concern basis of accounting,” the FRC says. It will “conduct the investigation as quickly and thoroughly as possible.”

“Transparency and accountability are vital in building public trust in audit,” KPMG said in a statement to Bloomberg. “We believe it is important that regulators acting in the public interest review the audit work related to high profile cases such as Carillion.”

“It is vital that we are able to have confidence in audit and financial statements,” says Michael Izza, chief executive of the Institute of Chartered Accountants in England and Wales. “If there are lessons that need to be learned, whether by auditors, the accountancy profession, or management, we must identify them and act.”

PwC Appeals Two-year Ban on Audits in India

According to Telegraph India, PwC (FY16 gross revenue of $14.3 billion) in India is appealing a two-year ban on auditing public companies by the Securities and Exchange Board of India (SEBI).

SEBI claims PwC auditors failed to uncover irregularities in the account of Satyam, which was one of India’s leading software providers. PwC is appealing the ban and asking for the appeal to be heard on an expedited basis.

“We are happy that Securities and Appellate Tribunal (SAT) has expressed its intention to resolve our appeal against SEBI on an expedited basis, and has set an expectation of a tight timeline of six weeks to dispose the appeal. The clarification that current engagements can continue through the year, is welcome. Over the years, our stakeholders have witnessed the huge investment we made in tools, training and infrastructure and we remain committed to maintaining the highest standards of quality in our services,” says PwC in a statement.

The appeal is expected to be heard by the end of next month. “We applied for a stay, which was rejected, however, as the appeal has not yet been heard but will be heard by the end of February,” says spokesman Mike Davies.

Six CPAs Charged In Scheme to ‘Steal the Exam’ for KPMG

Six CPAs – three former employees from PCAOB and three from New York-based KPMG (FY16 gross revenue of $8.6 billion) – are facing charges related to a years-long scheme to leak insider information from PCAOB to help the Big 4 firm improve its audit results, multiple news sources reported.

The three ex-employees of PCAOB, who went on to work for KPMG or were seeking employment there, stole the information tied to future exams, the Justice Department and the Securities and Exchange Commission said Monday.

“These accountants engaged in shocking misconduct – literally stealing the exam – in an effort to interfere with the PCAOB’s ability to detect audit deficiencies,” said Steven Peikin, co-head of the SEC’s enforcement division, according to Bloomberg. In The Washington Post, SEC Chair Jay Clayton called the case “disturbing,” noting that “audited financial statements are at the heart of the SEC’s disclosure-based regulatory regime. . . . In matters of this type, I am also concerned about potential adverse collateral effects, including on our Main Street investors.”

The government alleges that KPMG was trying to improve on the poor grades it received from PCAOB in 2013 and 2014. In 2014, for example, it received about twice as many negative comments, on average, during its inspections as its competitors.

Soon after the conduct was discovered in early 2017, the six respondents were terminated, resigned or placed on leave before separating from KPMG and the PCAOB.

The ex-PCAOB employees are: Brian Sweet, of Fresno, Calif., Cynthia Holder, of Houston, and Jeffrey Wada, of Tustin, Calif. According to court papers, they made unauthorized disclosures of PCAOB plans for inspections of KPMG audits from 2015 until February 2017.

The ex-KPMG employees are: David Middendorf, of Marietta, Ga., then-national MP for audit quality, Thomas Whittle, of Gladstone, N.J., PIC for inspections, and David Britt, of New Canaan, Conn., banking and capital markets group co-leader.

Britt and Whittle pleaded not guilty during an appearance before U.S. Magistrate Judge Andrew J. Peck in Manhattan on Monday, Bloomberg reported. Middendorf made a court appearance in Atlanta and was released on bail. He denies the allegations.

Sweet left PCAOB and went to work for KPMG, U.S. District Court papers say. On his last day at PCAOB, Sweet copied confidential information, including a list of accounting firm audits the PCAOB would inspect in 2015, to a personal hard drive, according to the government. Sweet has pleaded guilty to conspiracy and is cooperating with prosecutors, his lawyer says.

On his first day at KPMG, Sweet had lunch with his new boss, Whittle, and other colleagues, where he disclosed that a particular client audit would be examined by the PCAOB, according to the filing. Several days later, Sweet emailed the list of KPMG audit clients that would be reviewed to Whittle, who then forwarded it on to his boss, Middendorf, writing: “The complete list. Obviously, very sensitive. We will not be broadcasting this.”

On Sweet’s recommendation, Holder joined KPMG a few months later. Like Sweet, she copied confidential PCAOB data before leaving, the court documents claim. Wada also sought work there.

Before Wada could land a job, KPMG’s office of general counsel began an investigation. Sweet and Holder allegedly tried to avoid detection by deleting texts with Wada and confidential PCAOB documents from company computers, but were eventually fired, the Post reported.

KPMG promptly notified authorities, and has been fully cooperating with the government, spokesman Manuel Goncalves said in a statement.

“KPMG took swift and decisive action, including the engagement of outside legal counsel to conduct a detailed investigation and the separation of involved individuals from the firm,” Goncalves said. “Since then, KPMG has taken remedial actions to assure that such conduct cannot happen again.”

The PCAOB, for its part, is also cooperating. “The new PCAOB Board will conduct an ongoing review of the organization’s information technology and security controls, as well as its compliance and ethics protocols, to assess their effectiveness,” PCAOB Chairman William Duhnke said in a statement.

The PCAOB was created by Congress under the 2002 Sarbanes-Oxley Act, corporate reform legislation that was designed to restore public confidence in the audit industry after accounting scandals at Enron Corp. and WorldCom Inc.

Calif. Accountancy Board Recommends License Suspension

Irvine, Calif.-based Hagen Streiff Newton & Oshiro (HSNO) is facing a critical report by the California Board of Accountancy for its audits of spending and contracts at Great Park in Irvine, the Voice of OC reported.

Former Mayor Larry Agran, whose political career was damaged by the Great Park audits, said, “For heaven’s sakes, if you can’t trust auditors to be honest and straightforward, then who can the public trust?” The Voice of OC is a nonprofit news organization that covers Orange County’s local governments.

The firm said in a statement that it “strongly disagrees with the State Board’s Accusation, as they appropriately completed the engagements with the city of Irvine in accordance with professional standards.”

Mayor Pro Tem Christina Shea defended the audits and said one of the contractors on the project filed the complaint with the Board of Accountancy.

“It’s just another political operation to justify what they did at the Great Park,” Shea told Voice of OC. “I think they’re just doing everything they can to exonerate themselves … we stand behind our audit, the city does and I do.”

The city spent over $1.4 million on the audits that examined why more than $250 million was spent to develop 88 of the Great Park’s 1,300 acres. The firm reviewed spending and Great Park development contracts awarded between July 2005 and the end of 2012.

The state auditor, Elaine Howle, also criticized spending on the park. She cited poor governance from the city, saying a city subcommittee failed to enforce auditing standards and that city officials failed to enforce the industry standards to ensure an impartial analysis.

The accountancy board report says HSNO violated numerous public accounting standards and recommended HSNO reimburse the state for the cost of the investigation and pay an administrative penalty. It also recommended that HSNO and its lead accountant in the audits have their accounting licenses revoked, suspended or restricted.

PwC Hit with Two-Year Audit Ban

The Securities and Exchange Board of India (SEBI) has banned PwC (FY16 gross revenue of $14.3 billion) from auditing listed companies in the country for two years, after it failed to spot a $1.7 billion fraud at the now-defunct Satyam Computer Services, according to CNN.

SEBI claims PwC auditors failed to uncover irregularities in the account of Satyam, which was one of India’s leading software providers.

These irregularities were revealed in 2009 by Ramalinga Raju, the company’s chairman. He admitted to inflating Satyam’s profits with “fictitious” assets, non-existent cash and misreporting of debts the company was owed. He was sentenced to seven years in jail along with nine co-conspirators in 2015.

SEBI believes that PwC overlooked “several red flags…. which were all too obvious for any reasonable professional auditor to miss.”

SEBI also ordered the accounting firm to relinquish “wrongful gains” of around 130 million rupees ($2 million), plus 12% interest per year for the past eight years.

“The SEBI order relates to a fraud that took place nearly a decade ago in which we played no part and had no knowledge of,” says PwC.

Former MP of Hawaii Firm Receives 20-Year Prison Sentence

According to the Honolulu Star-Advertiser, Patrick Oki, previous MP of Spire Hawaii (formerly PKF Hawaii), was sentenced to 20 years in prison for stealing more than $400,000 from the company.

Circuit Judge Rom Trader gave a mandatory prison term of 20 years after Oki was found guilty on all counts, including money laundering, theft, forgery and using a computer to commit crimes, during a two-week nonjury trial in February.

Oki admitted to claiming false reimbursements and lying to his partners. However, he said he took only what PKF owed him.

The judge decided to delay Oki’s restitution payment of $440,178 until the rightful recipients of the money can be determined. The state has asked the judge to order Oki to pay the money to his former partners at PKF.

PKF Pacific Hawaii changed its name to Spire Hawaii following Oki’s indictment and arrest in October 2015.