Best practices in managing litigation risk
for the Year 2000 problem

By Suzanne M. Holl

In Brief

A Potential Bonanza for Lawyers

There is a great deal of uncertainty concerning the Y2K problem. However, one thing is certain: If something goes wrong, CPA firms will be exposed to malpractice claims.

To minimize this risk, CPA firms should follow a logical process to prepare for the Y2K problem. The first step is to obtain a thorough understanding of the authoritative guidance on the topic. The second step is to understand and clarify responsibilities related to Y2K issues between the client and CPA firm.

Additional risk management considerations relate to a communications policy, client acceptance and retention procedures, and most importantly, comprehensive documentation.

The Year 2000 (Y2K) frenzy continues! A recent survey found that one out of every four Americans thinks Y2K computer problems will affect their daily life. Are the fears justified or are they imagined paranoia? Most likely it is a combination of both.

Most CPAs are aware of many of the what-if scenarios. In fact, some may have even concocted a few of those scenarios to spook family, friends, and business associates. Now the challenge for CPAs is to separate truth from fiction and protect themselves from the potential risks associated with Y2K while still meeting the needs of clients.

If in doubt about how well they understand the implications and responsibilities of Y2K, CPAs should consider whether these statements are true or false:

* A CPA is responsible for validating the information obtained from the client regarding Y2K issues and efforts.

* A CPA firm is only responsible for providing
tax and general accounting services to clients. Therefore, if a firm chooses not to address Y2K issues with its clients, it will have no exposure to a malpractice claim.

* The effects of Y2K issues are primarily reflected in the recording of transactions normally reflected in the financial statements.

* Y2K is nothing more than media hype perpetuated by some unscrupulous individuals to generate revenues at the expense of others.

In fact, all of these statements are false. In regard to the first statement, a CPA is not responsible for validating information obtained from the client regarding Y2K issues and efforts. Unless a CPA has been engaged to provide specific Y2K consulting services, there is no responsibility to provide assurance regarding Y2K compliance now or in the future. Confusion in this area has created an "expectation gap" that will certainly increase CPAs' exposure and create client relations problems that can be avoided.

Concerning the second statement, firms may still be exposed to a malpractice claim even if they do not address Y2K issues with their clients. The saying, "My trusted advisor failed to warn me," tells it all. Ignoring the problem will not absolve CPAs of the responsibility to act with due care on all engagements, big or small. Inherent in that is a duty to advise or make clients aware of potential harm. Alerting clients to the possibility of the adverse effects of Y2K will add value to CPAs' business relationships and help avoid future claims.

As for the third statement, the effects of Y2K issues can be widespread throughout an entity. The disruptions to the operating functions of an entity may be far more significant than the actual impact on the process for recording transactions. Consider these examples of operational risks to organizations that could threaten business continuity:

* Problems with manufacturing equipment and environmental systems. This could interrupt the normal business flow and also result in hazardous work conditions.

* Suppliers, customers, and service providers that are not Y2K compliant. This could threaten the entity's ability to meet commitments and deadlines.

* The potential for litigation and regulatory intervention. This could impose added burdens upon the organization.

Finally, to confront the fourth statement, Y2K is not a plot by unscrupulous individuals to create a problem where one does not exist. In truth, Y2K may turn out to be the most significant and costly problem that enterprises will encounter this century--or the next. Ready or not, the nonnegotiable deadline of December 31, 1999, is fast approaching, and it is important to act now in a proactive and efficient manner to avoid, or at least minimize, the chaos of the new millennium.

One positive thought in the midst of all the Y2K doom and gloom is that, unlike random catastrophes and unpredictable natural disasters, this potential calamity is a known, "date-certain" event. As such, with appropriate planning and forethought by all involved, efforts can be made to defuse the Y2K bomb before it goes off. CPAs with expertise in this area may even add valuable, billable services to their client base.

Prepare for the Problem

There is a logical way to prepare for the Y2K problem. Step one in the process should be to obtain a thorough understanding of the authoritative guidance on the topic as well as any nonauthoritative guidance relevant to the issue at hand.

The AICPA has published a number of auditing interpretations on the subject. The first one, related to planning, is included in The Year 2000 Issue--Current Accounting and Auditing Guidance, available on the AICPA website (www.aicpa.org). The publication provides an overview of the Y2K issue and summarizes some of the applicable accounting, disclosure, and auditing standards. It also offers guidance on the responsibilities of various parties and discusses some practice management matters that auditors may wish to consider in coping with Y2K. In July 1998, the AICPA issued an interpretation of SAS No. 59, which clarifies the auditor's consideration of an entity's ability to continue as a going concern relating to Y2K issues.

The SEC recently issued an interpretive release, Disclosure of Year 2000 Issues and Consequences by Public Companies, Investment Advisers, Investment Companies, and Municipal Securities Issuers. This release supersedes guidance previously issued in SEC Staff Legal Bulletin No. 5 and covers disclosures relating to the Y2K issue in the MD&A section of SEC filings. The interpretation calls for discussions in the areas of the registrant's state of readiness, cost of addressing, and business risks relating to the Year 2000 issues. There might also be industry-specific regulatory requirements for CPAs to contend with related to Y2K reporting and disclosure. As the Y2K issue evolves, CPAs must make every effort to stay current with new guidance as it surfaces.

Even with the current guidance promulgated on the Y2K issue, there still appears to be confusion as to what a CPA's ultimate responsibility will be once the clock strikes and actual damages are suffered. In the event a Y2K problem gives rise to a financial loss by a third party, a reasonable person (on a jury) might conceivably conclude that the CPA, in addition to adhering to the authoritative requirements discussed above, should have done more. More what? That is the million-dollar question that leaves many CPAs worried and wanting more answers.

From a loss-prevention perspective, it will be very difficult for the CPA to avoid becoming a litigation target if a third party suffers a loss because a client was not properly prepared and the lack of readiness was not disclosed. This will also be the case if the disclosure is judged incomplete based on subsequent events. The interpretation to SAS No. 59 and the AICPA's Year 2000 publication state that the accountant is not responsible for designing procedures solely to identify conditions and events relating to the Y2K issue. However, if conditions and events relating to the Y2K issue come to the CPA's attention, their significance to the entity should be considered and the various authoritative and nonauthoritative guidance applied according to his or her professional judgment.

CPAs can begin to defuse the threat of Y2K mania by following best practices and communicating with management. Documenting this communication is essential to minimize any future liability exposure in the event of a client dispute or litigation with respect to Y2K issues.

Separating Fact From Fantasy

The second step in preparing for the Y2K problem is understanding and clarifying responsibilities related to Y2K issues. In addition to separating fact from fantasy, this step also helps in evaluating potential risk areas for the accounting firm. There are some responsibilities that clearly belong to the client's management, while others plainly belong with the accounting firm.

The process should begin by identifying many of the key tasks to prepare for Y2K. As indicated below, those tasks should be separated according to who should assume responsibility for each activity.

Client Responsibilities. Client management should--

1) Identify and assess all significant threats to systems and hardware, as well as the likely impact dates of Y2K problems. Some of the business risk categories that need to be considered by management are as follows:

* Information risk (e.g., data availability, infrastructure)

* Operational risk (e.g., business interruption, health and safety concerns, other external influences)

* Financial risk (e.g., financial reporting, cash flow implications)

2) Develop a step-by-step compliance plan using either internal or external resources, as appropriate, with a time line of critical dates. In addition to stating how management will address the specific Y2K issues identified within the organization, the plan needs to identify how the company will assess Y2K compliance of its major customers, suppliers, and others whose systems interface with its own. If the failure of the third party's system could negatively affect its system, the company should have a contingency plan to continue operating as effectively as possible.

3) Monitor and manage compliance efforts to assure all reasonable efforts have been made to prepare the organization for the Y2K date change.

CPA Firm Responsibilities. Apart from specific responsibilities associated with Y2K consulting services, the CPA firm and its representatives should--

1) Understand the general nature and magnitude of the Y2K issue and communicate this to each client's management along with a clear definition of what the client and the CPA firm are responsible for.

Risk management tools to aid the CPA include the following:

* Engagement letter

* Y2K letter to client

* Newsletters, brochures, or articles sent to vulnerable clients

The CPA should be sure to maintain adequate documentation (e.g., copies of letters, control log for newsletter mailings) to prove the communications took place.

2) Make appropriate inquiries of management and obtain information about management's view regarding its Y2K compliance plan.

Risk management tools to aid the CPA include the following:

* Y2K client assessment form. This form should ask the who, what, where, when, why, and how of the client's Y2K compliance plan or lack thereof. (The AICPA has published a
sample questionnaire, available at www.aicpa.org/members/y2000/
appb.htm. It is a good tool for CPAs to use to obtain an understanding of the steps their clients are taking.) CPAs should be on the lookout for any red flags in the responses. For example, are there a lot of "failure to's" in the responses you receive (such as, failure to have adequate management awareness and support, failure to allocate sufficient resources, failure to have contingency plans)?

* Management representation letter

3) Consider the impact of the client's compliance plan on the services the CPA firm is providing.

Risk management tools to aid the CPA include the following:

* Practice aids from third parties. CPAs should have a solid understanding of the risk areas applicable to the specific services being provided. For example, an auditor should have a thorough understanding of the risks associated with Y2K. The exhibit is a sample summary sheet that addresses such risks.

* Thoughtfully and carefully prepared audit programs. Steps within engagement programs should specifically address how Y2K issues will be evaluated within the scope of the services being provided. These steps should clearly define how Y2K issues will be addressed during all phases of the engagement. For example, the planning phase of an audit should detail how the auditor will plan and perform the audit to obtain reasonable assurance about whether the financial statements being audited are free of material misstatement, including material misstatement from Y2K problems. By having specific procedures for addressing Y2K issues within engagement programs (from the planning phase to the disclosure and reporting considerations) CPAs can help minimize exposure.

4) Communicate observations to
management.

Risk management tools to aid the CPA include the following:

* Management letter comments

* Presentations to management, the board of directors, or the audit committee

The CPA may identify Y2K matters that need to be communicated to management. Whether the communication takes the form of a management letter or an oral report, the CPA needs to ensure the communication not only identifies the matter but also clarifies the limited basis on which the comments were derived. This is necessary to ensure there is no confusion or expectation gap about the CPA's responsibilities for Y2K. The last thing the CPA needs is for management to perceive, based on his or her comments, that extensive work on Y2K matters has been performed. Confusion may be avoided and risks minimized by including a statement to the effect that a failure to report does not mean that there are no Y2K deficiencies.

Additional Risk Management Considerations

Communications Policy. Most CPAs would agree that it is essential to establish and maintain good client relationships. To achieve this, emphasis should be placed on encouraging timely and ongoing communication. Many firms currently have a communications policy in place as part of their risk management program. This policy typically outlines how a client will be kept informed of the progress of an engagement, the problems that have been encountered, the firm's intended response to these problems, and other matters that may have come to the attention of the firm. This policy should be amended to include a section specifically identifying the how to's of client communication regarding Y2K. Developing a uniform practice of Y2K communications will help avoid any misunderstandings or discrepancies in expectations down the road.

Client Acceptance and Retention. Accepting new clients, or continuing with or disengaging from existing clients are important decisions for CPA firms. These decisions should be based on the objective needs and strategies of the firm and should be consistent with the firm's philosophy regarding risk management. Incorporating a Y2K risk assessment into your client acceptance and retention procedures will help firms identify whether new and existing engagements will contain unacceptable levels of liability risks. As always, it is prudent to document the results of the client retention analysis and client-screening process.

Documentation. As noted earlier, one of the major ways to avoid or at least minimize malpractice risks is to document, document, document! Effective documentation will improve communication between clients and staff. Also, good documentation is written evidence a client has been informed of possible problems and solutions related to Y2K. Documentation is the first line of defense in the event of client disputes or litigation.

The following documentation techniques are basic; however, they are especially applicable to Y2K issues. It is prudent to use them to document Y2K communications:

* Only document the facts and refrain from speculation and commentary. Personal comments about an employee or a client's performance are inappropriate and could damage the integrity of the documentation.

* Always remember work papers can be subpoenaed in litigation.

* Document in a timely manner.

* Document efficiently and define both results and actions. Each piece of documentation should be dated and signed by the preparer.

* Keep meticulous records that indicate when and how communications took place.

No matter what services your firm provides, employees should prepare documentation beyond the minimum work paper requirements. Because any client interaction could be used against the firm, it is paramount to document all of them, from formal consultation with the company president to a telephone inquiry with the accounts receivable clerk. Although CPAs may think the chances of becoming engaged in legal action are slim, the chances of surviving such an action are even slimmer if there is no backup. *