1. Cyber Insurance is cheap and important to protect against risks not covered by E&O. Work with a knowledgeable broker and insurer and buy the coverage because the risk is real and growing.
2. Make sure your engagement letter includes:
• a specific description of the work you will do;
• limitation of damages provision where not precluded by standards;
• indemnification where not prohibited by standards;
• disclaimers where appropriate ( i.e. AUP’s);
• jurisdiction, venue and choice of law provisions; and
• a provision for the client to pay for time and expense you incur for subpoena compliance.
Watch out for client changes including cyber representations and indemnifications of any kind.
3. Evaluate the risk to your firm before responding to subpoenas or document requests. Consultation with your insurer or outside counsel may be time well spent. The risk runs from minimal to existential and different risks require different responses.
4. You save money by not engaging with bad clients. Red flags include:
• financially stressed or unprofitable clients;
• clients whose work you are not really equipped to handle;
• clients whose interests conflict with other clients; and
• clients who lack management integrity.
These all should be evaluated for disengagement. Consider firing your bottom 5 or 10% and investing those resources into developing better opportunities.
5. All of us have clients who present some special risk. Do what you can to mitigate that risk with:
• thorough client acceptance procedures;
• engagement letters;
• robust conflict analysis; and
• continuous reevaluation.
Employ detailed financial management including precise billing entries, timely billing and early AR follow-up in order to spot problems quickly.
As public offerings have gotten more complex and expensive, capital has flowed to non-public securities. Consequently, the exempt securities market has expanded and increased in complexity and risk. Issued on July 27, 2017, SAS 133 is intended to provide guidance to bring auditing consistency across offerings and increase public confidence in the presentation of financial information.
Beginning with offerings made in June 2018, this new standard will apply when audited financials are used in connection with exempt securities offerings. Common exemptions involve private placements, municipal securities, not-for-profit securities, new crowd-funding and Regulation A offerings, and franchise offerings. Thus, heightened audit procedures will be the rule rather than the exception, applying in some form to both private and public capital raising efforts.
SAS 133 will apply when an auditor is “involved” in an exempt offering. Being involved has two components: (1) the auditor’s report is included or referenced in the exempt offering document and (2) the auditor performs specific activities with respect to the offering document like reading the offering materials, offering a comfort letter, or agreeing to allow the use of the report in connection with the offering. These requirements are designed to protect auditors from fallout from the use of their audits in connection with exempt offerings without their knowledge.
Among other things, SAS 133 will import the requirements AU-C Section 720 regarding “other information in documents containing audited financial statements” and AU-C Section 560, which requires auditors to consider whether events after the report would cause the auditor to revise the report.
This new auditing standard will require auditors to pay attention to two related developments. First, auditors will have to be more attuned to which transactions count as securities. For example, the SEC recently decided that offering cryptocurrency is a securities offering requiring registration or exemption. Second, auditors will have to consider how closely to hue to GAAP and the FASB’s auditing standards, which are not yet mandatory but do influence how disappointed investors seek redress for failed investments. For more information on non-GAAP accounting and the state of the industry, see our video here.