Notice to Readers. Copyright 2006 by

Transcription

1 Building A Privacy Practice In Small and Medium-Sized CPA Firms

2 Notice to Readers Building a Privacy Practice in Small and Medium-Sized CPA Firms does not represent an official position of the American Institute of Certified Public Accountants, and it is distributed with the understanding that the author and the publisher are not rendering accounting or other professional services in the publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. This publication has not been approved, disapproved, or otherwise acted upon by any senior technical committee of the American Institute of Certified Public Accountants or the Financial Accounting Standards Board and has no official or authoritative status. Copyright 2006 by American Institute of Certified Public Accountants, Inc. New York, NY The Canadian Institute of Chartered Accountants Toronto, Ontario All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting permission to make copies of any part of this work, please visit or call (978) PP

3 TABLE OF CONTENTS ACKNOWLEDGMENTS V SECTION I PLACING PRIVACY ADVISORY SERVICES INTO PERSPECTIVE A Practitioner-Relevant Definition When to Use This Guide The Suite of Privacy Advisory Services Tools SECTION II MAKING THE DECISION TO OFFER PRIVACY ADVISORY SERVICES Today s Business Environment-It s Time Fit With Your Current Offerings Costs to Practitioner SECTION III ADDRESSING THE LIKELY ISSUES IN IMPLEMENTING PRIVACY ADVISORY SERVICES How Much Billable Time Will Be Logged in Implementing Privacy Advisory Services? What Components of the Client s Privacy Program May Need to Be Assessed? What Criteria and Measures Will I Use in Assessing My Clients? How Can I Strengthen My Ability to Implement Privacy Advisory Services? Sore Spots Before, During, and After an Implementation SECTION IV IMPLEMENTING PRIVACY ADVISORY SERVICES Skills Needed to Implement Privacy Advisory Services Checklist Information Needed to Complete the Privacy Advisory Services Checklists Assessment Plan Outline Implementation Plan Outline SECTION V ADDRESSING THE LIKELY ISSUES IN MARKETING PRIVACY ADVISORY SERVICES Practitioner Issues To Whom Should I Market Privacy Advisory Services? When Is the Right Time to Market Privacy Advisory Services? Who in My Firm Should Market Privacy Advisory Services? How Easy Are Privacy Advisory Services to Market? What Clinches the Deal With Clients? iii

4 Client Issues What Is the Benefit to Clients for Investing in Privacy Advisory Services? Why Should Clients Invest in Privacy Advisory Services? Why Should Clients Invest in Privacy Advisory Services From a CPA Firm? Why Should Clients Invest in Privacy Advisory Services From Your CPA Firm? What Return on Investment Can a Client Expect by Adopting Privacy Advisory Services? SECTION VI MARKETING PRIVACY ADVISORY SERVICES Identifying Clients for Privacy Advisory Services Checklist Criteria for Hiring Marketing Professionals in Your Firm Conversation Starters Marketing Plan Outline Self-Assessment Checklist and Marketing Brochure Client Self-Assessment SECTION VII SUMMARY AND ADDITIONAL GUIDANCE Summary Additional Guidance iv

5 Acknowledgments The AICPA expresses appreciation to everyone who provided assistance in the development of Building a Privacy Practice in Small and Medium-Sized CPA Firms. AICPA/CICA Privacy Task Force Chair Everett C. Johnson, CPA Deloitte & Touche LLP (retired) Vice Chair Kenneth D. Askelson, CPA.CITP, CIA Eric K. Federing KPMG LLP Marilyn Prosch, Ph.D. Accounting & Information Systems Arizona State University-West Don H. Hansen, CPA Moss Adams LLP Philip M. Juravel, CPA Juravel & Company, LLC Sagi Leizerov, Ph.D. Ernst & Young LLP Doron M. Rotman, CPA (Israel), CISA, CIA, CISM KPMG LLP Kerry Shackelford, CPA KLS Consulting LLC Donald E. Sheehy, CA, CISA Deloitte & Touche LLP AICPA Staff Nancy A. Cohen, CPA, Senior Technical Manager, InfoTechnology Communities Andrea Carella, CPA, Director, Specialized Communities and Credentials James Metzler, CPA.CITP, Vice President, Small Firm Interests CICA Staff Bryan Walker, Principal, Assurance Services Development A special word of appreciation goes to Philip M. Juravel, CPA; Kenneth D. Askelson, CPA.CITP, CIA; and Kerry Shackelford, CPA, for their dedication to this project. v

6 SECTION I PLACING PRIVACY ADVISORY SERVICES INTO PERSPECTIVE A Practitioner-Relevant Definition Over the last several years, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have built on their commitment to developing services to help small and medium-sized accounting firms face their unique challenges. Privacy Advisory Services is an extension of this ongoing commitment. To practitioners, Privacy Advisory Services represents an exciting, unique opportunity to conduct work valued by their current clients, develop forward-looking areas of expertise, tap into new markets, generate new revenues, and grow their practices. Practitioners can help business clients address privacy issues by offering a full range of value-added Privacy Advisory Services, including: Developing a privacy strategic and business plan. Providing a privacy gap and risk analysis. Providing privacy advice, recommendations, and training. Designing privacy policies and procedures. Benchmarking and performance measurement. Providing independent verification of privacy controls. When to Use This Guide Practitioners in small and medium-sized firms are to use this Privacy Advisory Services guide to answer the following questions: 1. Why should we implement and market Privacy Advisory Services? 2. What do we need to know to implement and market Privacy Advisory Services? To answer these questions adequately, this guide addresses: The value of Privacy Advisory Services from the practitioner s perspective. The issues involved in implementing and marketing Privacy Advisory Services. Existing and prospective clients concerns about buying Privacy Advisory Services. This guide serves as the first step for practitioners reviewing or considering investing time and resources in Privacy Advisory Services. It was developed under the leadership of practitioners in small firms for use by small and medium-sized accounting firms. The guide focuses on two areas: implementation (see Sections II, III, and IV) and marketing (see Sections V and VI). The Suite of Privacy Advisory Services Tools The AICPA and CICA developed numerous tools to help small firms successfully introduce Privacy Advisory Services. The following table places the implementation and marketing guide into perspective by summarizing the prominent AICPA and CICA privacy tools, as well as highlighting the optimal time to use them. Your first step will probably involve becoming familiar with a number of these tools, which can be found on the IT Center Web site. 1

7 THE SUITE OF AICPA AND CICA PRIVACY ADVISORY SERVICES TOOLS PRACTITIONER TOOL TYPE OF INFORMATION WHEN TO USE THE TOOL Building a Privacy Practice in Small and Medium-Sized CPA Firms Practice Guide Describes the value of Privacy Advisory Services from the practitioner s perspective. Outlines the issues involved in marketing and implementing Privacy Advisory Services. Discusses existing and prospective clients concerns about purchasing Privacy Advisory Services. Used as a first step in deciding why practitioners should make the effort to market and implement Privacy Advisory Services, and what practitioners need to know to market and implement Privacy Advisory Services. Generally Accepted Privacy Principles A Global Privacy Framework Privacy Advisory Services Marketing Brochure 20 Questions Businesses Need to Ask About Privacy An Overview of HIPAA: The Role of CPAs in Privacy Compliance Privacy Matters - An Introduction to Personal Information Protection Privacy - Are Your Clients Minding Their Own Business? Privacy - Minding Your Own Business Understanding and Implementing Privacy Services A CPA s Resource Incident Response Plan Lays out the complete set of principles and criteria that serve as a benchmark of internationally known fair information practices and recognized good privacy practices. Introduces the practitioner s firm s suite of Privacy Advisory Services to clients. Provides a high-level summary of business issues relating to privacy. Provides guidance for CPAs in public practice in providing Health Insurance Portability and Accountability Act (HIPAA) services. Defines privacy as a risk management issue for all organizations. Explains the AICPA s privacy initiatives and what they mean to CPAs in public practice. Explains the AICPA s privacy initiatives and what they mean to CPAs in business and industry. Provides a complete reference of practical, results-oriented procedures, methods, and tools for providing value-added Privacy Advisory Services for all types and sizes of business clients. Contains numerous tools, exhibits, and questionnaires. Provides guidance for designing, developing, or adapting a plan and better preparing the client for handling a breach of personal information within their organization. Can be modified to fit the needs of the smaller client. Used by practitioners once a Privacy Advisory Services engagement has been signed, to work with clients to identify privacy practices requiring improvement. Used as a first step in educating clients. The practitioner can also personalize and leave with the client. Used at any time for raising questions to current and potential clients about critical business issues such as privacy and corporate governance. Used when the practitioner is considering expanding Privacy Advisory Services to clients affected by HIPAA. Used as a first step to understanding privacy. Used as a first step to understanding privacy. Used as a first step to understanding privacy. Used as a second step to learn about and understand privacy in greater detail. Used when personal information is breached or compromised. 2

8 SECTION II MAKING THE DECISION TO OFFER PRIVACY ADVISORY SERVICES Today s Business Environment-It s Time... Every magazine, newspaper, and Web site tells us that today s business environment is different. That s not news to practitioners-they experience it daily in their practices. The important question for practitioners is, Given the current and evolving business challenges faced by us and our clients, why should we consider offering Privacy Advisory Services? Three reasons concern practitioners: 1. Our role as practitioner is changing.... It s time to distinguish ourselves. a. Competitors are chipping away at the type of services we have typically offered. Clients are increasingly turning to financial planners, financial analysts, financial consultants, lawyers, insurance advisers, and real estate professionals for advice that we have provided for years. b. Our profession has had its credibility shaken to the core by recent and widely publicized scandals of incompetence and poor judgment. c. Our current and future clients are recognizing that opportunity for business growth, cost savings, and operational efficiencies means expanding into e-commerce. d. Recurrent data security breaches across the country have given rise to consumers wanting better protection of the privacy of their personal information. By offering forward- looking/proactive risk management services, we can help our clients prevent these types of incidents. As practitioners, we can take advantage of these changes by expanding into areas that respond to, and anticipate, current and future client needs. Offering leading-edge services such as Privacy Advisory Services will strengthen the bonds we have with our clients and demonstrate our business insight. 2. Our practice is changing.... It s time to think ahead. Practices of all sizes, especially smaller firms, find it increasingly difficult to attract and retain welltrained, experienced, driven, innovative professionals - in other words, true leaders - who will actively help build your practice. Introducing new, innovative services sends out a strong message to current staff, potential employees, the professional community, and clients that your practice recognizes the need for leadership and growth. Committing your practice to these services is compelling for practitioners who seek to go beyond traditional accounting, as well as understand their clients core business issues and challenges. 3. Our services are changing.... It s time to expand beyond the commodity box. With the goal of securing more profitable work, practices often compete on price for time-intensive, unprofitable work. By competing on price, are we sending a message that we are an easily replaced commodity? New services, such as Privacy Advisory Services, enable CPAs to stretch beyond the commodity box with work that can be priced to reflect the fact that we bring a rare set of skills, technical competence, refined judgment, and a valuable discipline to solve our clients business (and personal wealth) challenges. 3

9 Fit With Your Current Offerings Without a doubt, the biggest obstacle that we face as practitioners in marketing or implementing Privacy Advisory Services is our own fear, a fear that seems to stem from not knowing how these services fit into our current skills and services. It s natural for us as professionals to be less than comfortable with the prospect of offering new services. After all, we build our reputation, revenues, and sense of personal and professional self-worth from knowing exactly what to do. This guide aims to provide you with the tools to give you the confidence to add Privacy Advisory Services to your current offerings. Costs to Practitioner Just like all typical professional service offerings, the greatest share of costs is at start-up and involves learning how to adapt current skills and apply new ones. A good place to start would be to identify a leader for these services (which may be the practitioner) for your practice. The assigned individual could start by becoming familiar with all the privacy resources available through the AICPA Web site ( and the reference material mentioned under the suite of Privacy Advisory Services tools. Much of this material is available for free or at minimal cost. As the leader develops a general understanding of privacy issues from these materials, he or she can start identifying the potential for adding new business in this area, as well as discuss initial strategies on how to develop these services within your practice. Your cost for developing new skills and maintaining them to offer Privacy Advisory Services will generally depend upon the privacy needs and complexity of your clients businesses and the variety of services you may offer. For example, you may decide to become specialists on the requirements of HIPAA if several of your clients are in the medical industry. You may decide to expand your offerings to a broader range of services, such as strategizing, diagnosing, implementing, sustaining and managing, and assuring, which may require a greater commitment of practice resources. Other than the time required to research the privacy resources, your costs for the materials to offer Privacy Advisory Services should be less than $500. 4

10 SECTION III ADDRESSING THE LIKELY ISSUES IN IMPLEMENTING PRIVACY ADVISORY SERVICES How Much Billable Time Will Be Logged in Implementing Privacy Advisory Services? At the onset of any Privacy Advisory Services engagement, small and medium-sized practitioners need to swallow one unappetizing truth clients may not instantly recognize the value of Privacy Advisory Services. Part of our challenge will be to demonstrate a cost/benefit to the client. Despite the research findings demonstrating the need for such services, most research refers to customers preferences for protecting their personal information and to potential savings that would have been achieved if a privacy breach were averted. For clients you may have in the medical or financial industries that are impacted by privacy legislation, you have an opportunity to work with them to help ensure their privacy programs are in compliance with these regulations. For clients in other industries, you have an opportunity to ensure they have adequate privacy programs to protect their customers and employees personal information. One approach to start developing Privacy Advisory Services with your clients is to offer an awareness presentation on why privacy is important to their business. While this initial approach would generally not result in billable hours, it would provide you the opportunity to demonstrate your knowledge and interest in assisting you clients in this area. Conducting these presentations would build your clients confidence in your practice. Presentations also could result in many Privacy Advisory Services mentioned previously, and, ultimately, billable hours. As a result, you may spend some time convincing your client to let you do a Privacy Assessment. You should understand that an initial Privacy Assessment may only be a two- to three-hour engagement for a small client with a potential fee of approximately $500-$750. However, this initial assessment provides you with a great opportunity to recommend additional privacy services your client may need. What Components of the Client s Privacy Program May Need to Be Assessed? The following chart highlights examples of components of your client s privacy program that you can assess for Privacy Advisory Services. Along the top of the chart are examples of functional areas within most client organizations. Along the side of the chart are the prime areas of focus for Privacy Advisory Services that can be assessed. This is by no means an exhaustive list and in some unique client situations, the items marked Not Applicable may have relevance. 5

11 PRIVACY ADVISORY SERVICES AND EXAMPLES OF COMPONENTS TO BE ASSESSED FUNCTIONAL AREA Human Resources Marketing Operations Legal Information Technology Management Notice Personnel records; policies, procedures, and controls Communications to employees or potential employees Customer records; policies, procedures, and controls Communications to customers or prospective customers Corporate governance; policies, procedures, and controls Communications to customers Consistency of policies with laws and regulations Compliance with laws and regulations IT infrastructure; systems management IT infrastructure Online Web site Policies, procedures, and controls Privacy notice Choice and Consent Employees Customers Customers Not applicable IT infrastructure Customers Collection Employee information Customer information; third parties. Customer information; third parties Fair and lawful collection IT infrastructure Customer information Use and Retention Personnel records; payroll records Customer records Customer records Legal retention requirements IT infrastructure Communications Access Employees Customers Customers Not applicable IT infrastructure Customers Disclosure to Third Parties Personnel records; payroll records Customer records Customer records Contractual agreements IT infrastructure Communications Security for Privacy Personnel records; payroll records Customer records Information security procedures Not applicable IT infrastructure; information security program Communications Quality Accuracy and relevancy of personnel records Accuracy and relevancy of customer records Accuracy and relevancy of customer records Not applicable IT infrastructure Not applicable Monitoring and Enforcement Complaint process for employees Not applicable Compliant process for customers; dispute resolution Not applicable IT infrastructure Communications 6

12 What Criteria and Measures Will I Use in Assessing My Clients? As practitioners, the most basic assessment will use several interview questionnaires and tools found on the IT Center Web site. For more advanced engagements, use the Generally Accepted Privacy Principles-A Global Privacy Framework (GAPP) as the basis for client assessments. GAPP consists of 10 principles with criteria, illustrations, and explanation of good privacy practices. This information can also be found on the IT Center Web site. The first meeting with your client will typically involve going through a privacy questionnaire and discussions on why a privacy assessment is important for the client s organization. During follow-up, you will review results of the questionnaire with the owner and/or other key management, and discuss the initial privacy assessment along with recommendations. These meetings would also be the basis for developing and defining the scope and timing for additional Privacy Advisory Services. If the client has significant needs in this area, then the engagement should be expanded resulting in additional resources required from your firm. The engagement letter and fees should be adjusted accordingly as additional Privacy Advisory Services are conducted for the client. How Can I Strengthen My Ability to Implement Privacy Advisory Services? As a CPA, we already have a strong working knowledge of business practices, internal controls, and the audit of internal control systems. As your clients CPA, you may know more about the business processes of the company than the owner(s). With this knowledge and understanding, we have created a foundation to expand our service offerings. However, like any new service we provide, implementation requires us to gain the needed knowledge and skill sets to offer these Privacy Advisory Services. There are numerous resources to help gain this knowledge. Generally Accepted Privacy Principles is one of the many resources you need to become familiar with; many others are mentioned in this publication. In addition to these reference materials, you may want to include online and offline courses, seminars, and workshops to get more comfortable with the concepts and processes involved in Privacy Advisory Services. Sore Spots Before, During, and After an Implementation If your client needs additional services as a result of the initial assessment, you will need to be prepared to address the following. Before the Implementation Do I have the required skills to do the implementation? Do I have the right checklist(s) of principles and criteria from which to conduct the implementation and additional follow-up work? If you do not have the necessary skills, outside experts may have to be retained to assist with the work. The relevant checklists begin with GAPP by providing the criteria required for conducting the implementation. 7

13 During the Implementation 1. What if the client s staff is uncooperative because they look at our work as a challenge to their authority or competence? The only way of addressing this is having senior management (owner) buy-in from day one. Ideally, during the first meeting, you should work with the owner to make it clear that your work is not a reflection of past performance, but a way to anticipate and head off control risks in areas that in-house experts typically have little or no knowledge. 2. Will I have problems coordinating my staff and the client staff? Without a doubt, a big part of the implementation involves efficient project management. It is advisable to involve a senior person who has strong project management, cost management, and communication skills in charge of the implementation. 3. What happens if the client has significant privacy gaps? It is very likely that a client may have significant gaps that need addressing. It falls on you to manage your clients expectations and focus on the positive benefits of proceeding through the implementation process (for example, process improvement). Once the process is complete, another outcome is a reduced business risk. After the Implementation 1. What happens if the client modifies its policies, procedures, and controls and becomes privacy noncompliant? In responding to their business and budget challenges, it is typical for clients to change their procedures throughout the year. The goal is for you to keep ongoing communications with your clients so you are notified or consulted before they make any material change in their privacy practices. You may want to consider setting up some kind of periodic update program with your client (for example, quarterly or semi-annual). 8

14 SECTION IV IMPLEMENTING PRIVACY ADVISORY SERVICES Skills Needed to Implement Privacy Advisory Services Checklist Implementing Privacy Advisory Services uses audit skills long familiar to all accounting professionals. The core skills required to implement Privacy Advisory Services include the following: Subject matter knowledge Business advisory skills Technical skills Controls and assurance skills Application of laws and regulations to business Information Needed to Complete the Privacy Advisory Services Checklists When implementing Privacy Advisory Services, the following client information will need to be obtained and reviewed: Privacy policies and procedures Key personnel responsible for privacy compliance, and updating and maintaining privacy programs Privacy laws and regulations that apply to the business Third parties with whom the organization shares personal information Systems and technology used to store, process, protect, and transmit personal information Assessment Plan Outline The following outline can be used as an assessment plan for offering Privacy Advisory Services to a client: 1.Prepare engagement letter indicating the nature of the service to be provided. (As a reminder Practitioners should seek the advice of legal counsel and their liability insurance provider when developing engagement letters.) 2.Ensure appropriate information was received from the client and reviewed. 3.Complete checklists as necessary HIPAA, GLBA, COPPA, and 20 Questions to Ask Your Client About Privacy (found on the IT Center Web site). 4.Prepare a report to client with findings, and if necessary, note additional work that may be required by the client. 9

15 Implementation Plan Outline The following outline can be used if additional services are to be performed in Privacy Advisory Services: 1. Prepare an update to the previous engagement letter to cover additional services that will be performed. 2. Ensure you have the proper resources to provide these services (e.g., manuals, guides, and reference materials). 3. Interview the clients relevant staff members to confirm and document the policies, procedures, and controls. 4. Evaluate the findings against the clients privacy policies. 5. Design and implement a work program intended to evaluate the client s policies and procedures with the Framework criteria. 6. Assist clients to become compliant with the Framework criteria and relevant legislation. 7. Periodically update clients with the status of the implementation engagement. 8. Regularly contact clients to keep current on any changes in their privacy policies. 9. Provide ongoing privacy advice throughout the year, not just during the annual (or more often) Privacy Advisory Services update. 10

16 SECTION V ADDRESSING THE LIKELY ISSUES IN MARKETING PRIVACY ADVISORY SERVICES Practitioner Issues To Whom Should I Market Privacy Advisory Services? To determine which of your current or prospective clients is likely to be in need of Privacy Advisory Services, begin by using the Prospecting Chart. In conjunction with this chart, use the tool found in Section VI, Identifying Clients for Privacy Advisory Services Checklist. PROSPECTING CHART LOW EFFORT/LOW RETURN We know the decision maker(s) has an immediate/short-term need for Privacy Advisory Services. We know the decision maker(s) recognizes the need for Privacy Advisory Services. We know the decision maker has a budget for Privacy Advisory Services. We have an established relationship with the key decision maker(s). LOW EFFORT/HIGH RETURN We know the decision maker(s) has an immediate/short-term need for Privacy Advisory Services. We know the decision maker(s) recognizes the need for Privacy Advisory Services. We know the decision maker(s) has a budget for Privacy Advisory Services. We have an established relationship with the key decision maker(s). CPAs are contracted who can demonstrate their understanding of the client s business with an aim of building a long-term relationship. Decision-makers and/or in-house specialists recognize that CPAs provide opportunities and expertise to achieve cost-savings and efficiencies in specialty areas. HIGH EFFORT/LOW RETURN We don t know the decision makers, the decision making process, the priority of accounting/ consulting services, or the history of contracting accountants. Accounting services are typically contracted on a one off response to short-term tactical needs. Decision-makers and/or in-house specialists resent using external resources/expertise. HIGH EFFORT/HIGH RETURN We don t know the decision makers, the decision making process, the priority of accounting/consulting services, or the history of contracting accountants/consultants. Decision-makers and/or in-house specialists recognize that CPAs/consultants provide opportunities/ expertise to achieve cost savings and efficiencies in specialty areas. 11

17 When Is the Right Time to Market Privacy Advisory Services? Marketing Privacy Advisory Services should only be undertaken when you are comfortable that you have the required skills and resources to succeed. These are outlined in this section and Section IV, Implementing Privacy Advisory Services. Given the AICPA and CICA s efforts to develop new assurance services, rapid changes in legislation and technologies, and increased client exposures, there has been no better time than now for small and medium-sized accounting firms to evaluate their markets (See Section VI, Identifying Clients for Privacy Advisory Services Checklist) and internal resources. Other indicators signifying when to market Privacy Advisory Services include any of the following: Your firm recognizes the need, or opportunity, to build revenues by offering innovative nontraditional services. Clients have expressed a concern about the completeness of their own privacy policies and procedures. Who in My Firm Should Market Privacy Advisory Services? Marketing Privacy Advisory Services requires commitment from the most senior levels of the firm. Everyone working in the firm committed to Privacy Advisory Services will need to play a role in marketing these services. The challenge for any small or medium-sized firm is clarifying the roles associated with marketing Privacy Advisory Services. The most critical role is that of the Privacy Advisory Services Leader. This senior professional (that is, partner) must: 1. Facilitate training of professional staff on identifying opportunities within the existing and prospective client base. 2. Serve as the point-person for the client. 3. Routinely visit the AICPA Web site ( to keep current on Privacy Advisory Services and changes in relevant legislation. How Easy Are Privacy Advisory Services to Market? Privacy Advisory Services are easy to market if all the following are in place: You identify and secure the required skills. You identify the right clients. You engage in one-on-one conversations with the right clients. The tools found in Section VI will help you work through these areas and ensure that your marketing efforts and resources are focused wisely. 12

18 What Clinches the Deal With Clients? Privacy Advisory Services engagements are signed when you adequately demonstrate that you understand your client s issues and how Privacy Advisory Services can help them achieve their goals better, smarter, faster, or cheaper. With that in mind, engagements are usually agreed on by emphasizing the following: The price is flexible (partly based on value to client) and competitive. You are able to begin the engagement according to the client s timetable. Clients have the need to demonstrate their legal compliance. You can make a convincing case that Privacy Advisory Services offers an opportunity for your clients to distinguish themselves from their competitors. Client Issues What Is the Benefit to Clients for Investing in Privacy Advisory Services? Clients want to invest in Privacy Advisory Services to achieve very real benefits unique to their business. Two of the primary benefits that tend to be common across organizations, regardless of the Privacy Advisory Services adopted, include: Corporate governance. Privacy Advisory Services help business owners and/or senior officers demonstrate to investors and other relevant stakeholders that rigorous efforts were undertaken to govern the business in a responsible way. Marketing. Privacy Advisory Services provides an opportunity for companies to distinguish themselves from their competitors by adopting privacy practices that will build trustworthy relationships with their customers and employees. Why Should Clients Invest in Privacy Advisory Services? Your clients customers are likely becoming more selective of the organizations that they choose to purchase from; the same can be said of your clients business partners. By adopting Privacy Advisory Services, your clients can demonstrate a highly desirable, unique commitment to ensuring excellent performance and management in the area of privacy practices. Why Should Clients Invest in Privacy Advisory Services From a CPA Firm? CPAs understand the clients business processes, systems, controls, and goals better than anyone else. They have a long history of providing excellent service to their clients based on professional standards and ethical guidance. Why Should Clients Invest in Privacy Advisory Services From Your CPA Firm? You have been building your reputation as a trusted business adviser with your existing and prospective clients. By introducing and offering Privacy Advisory Services, you can once again demonstrate your business intelligence. 13

19 What Return on Investment Can a Client Expect by Adopting Privacy Advisory Services? By adopting good privacy practices, your client will be able to: Protect its public image and brand. Achieve a competitive advantage in the marketplace. Meet the membership requirements of an industry association. Efficiently manage personal information, thereby reducing administration costs and avoiding unnecessary financial costs, such as retrofitting information systems. Enhance credibility and promote continued consumer confidence and goodwill. 14

20 SECTION VI MARKETING PRIVACY ADVISORY SERVICES Identifying Clients for Privacy Advisory Services Checklist This checklist helps practitioners focus their marketing efforts by identifying characteristics of existing or prospective clients that will experience the greatest benefit by investing in Privacy Advisory Services. See Identifying Clients for Privacy Advisory Services on the IT Center Web site for a complete checklist. The following are three examples of characteristics to review to determine which of your clients may need Privacy Advisory Services. The greater number of these characteristics the prospective client has, the more likely the client will be to consider or embrace Privacy Advisory Services. 1. The organization s reputation is built on, or largely depends on, its ability to keep information accurate, secure, private, or confidential. 2. The organization s clients have demanded accountability around processes for keeping information available, accurate, confidential, and secure. 3. The organization needs to adopt new practices and technologies to comply with legislation. Criteria for Hiring Marketing Professionals in Your Firm CPAs should take into consideration the following characteristics when evaluating prospective marketing professionals to help promote privacy services: Business skills. A track record and the ability to quickly and accurately understand the nature of the businesses carried out by the prospects for Privacy Advisory Services. Communication skills. A track record and the ability to translate the benefit of Privacy Advisory Services into terms that are relevant to the prospects for Privacy Advisory Services. Interpersonal skills. Strong listening and empathy skills. Evaluation skills. A track record and the ability to measure the impact of marketing strategies and activities. Networking skills. A track record and the ability to build networks within relevant markets. Promotion skills. A track record and the ability to follow a rigorous methodology to increase the visibility of the professional services firm with targeted audiences. Conversation Starters When speaking to existing and prospective clients, practitioners need ways to raise the topic of Privacy Advisory Services. Ideally, this topic should be in response to questions about clients current issues and priorities. The following is a selection of practitioner conversation starters that have successfully raised client interest: 15

21 Have you heard about the latest breach of privacy by [enter name]? Are you comfortable with your privacy practices? Do you collect personal information about customers and employees? Are you sharing any personal information with third parties? How do you communicate your privacy policies and practices to your customers and others? How do you protect the personal information you collect? Are you subject to any privacy legislation? Marketing Plan Outline Each firm s marketing plan will differ depending on the availability of resources and client data. Nonetheless, here are some elements that are common to any successful Privacy Advisory Services marketing plan. 1. Use the Prospecting Chart (Section V) and the Identifying Clients for Privacy Service Checklist to target existing and prospective clients for Privacy Advisory Services. 2. Use your existing base of clients, suppliers, and contacts who can take your Privacy Advisory Services message to prospective clients. Educate these channels and provide them with an incentive to endorse you as a provider of Privacy Advisory Services. 3. Regularly contact prospective clients directly to discuss their understanding of, and the importance they place on, their privacy practices. 4. Provide articles to online and offline publications that are seen as credible by your prospective clients. Articles should balance the business risks associated with unreliable privacy practices and the growth benefits that result from ensuring privacy programs achieve high standards. 5. Regularly attend, give presentations, network in, and eventually sponsor or cosponsor events that dovetail privacy and business issues. Self-Assessment Checklist and Marketing Brochure CPAs expressed a need to have a client assessment checklist and marketing brochure they could leave with, or send to, clients to enlighten them about Privacy Advisory Services. Client Self-Assessment The following is a series of questions that can be modified depending on your client s industry, size, budget, and understanding of privacy programs to highlight their potential need for Privacy Advisory Services. 16

22 Privacy Advisory Services-Does My Business Need Them Now? If you answer yes to any of the following questions, you could achieve considerable return on your investment by adopting Privacy Advisory Services. 1. Do you need to adopt new practices or procedures to comply with legislation? 2. Is your company s reputation built or largely dependent on your ability to keep information accurate, secure, private, or confidential? 3. Are you finding it increasingly difficult to distinguish yourself from competitors in the eyes of your clients? 4. Do you need to demonstrate to investors or other relevant stakeholders that you are governing the business responsibly? 5. Are you interested in identifying cost-saving efficiencies in your privacy programs? 6. Have your competitors recently invested in systems-related technologies and processes to enhance their privacy programs? 7. Does your organization rely heavily on collecting, updating, processing, and storing customer or prospect information with contact management software programs and technologies? 8. Do you rely on any outsourced processes or operations? 9. Do you know that your systems and data are secure? 10. Do you regularly collect customer or prospect information in advance of launching or modifying new products or services? 11. Does your Human Resources Department collect and store personal information on employees and potential recruits? In addition, a Privacy Advisory Services marketing brochure that can be personalized for your firm can be found on the IT Center Web site. 17

23 SECTION VII SUMMARY AND ADDITIONAL GUIDANCE Summary This guide has been developed to assist you, the practitioner, to expand your service offerings. As you can see, other than your time to become proficient with the skills and resources needed, Privacy Advisory Services requires a minimal financial outlay. By taking the time to read this manual and familiarize yourself with the tools, checklists, and other practice aids, you can be offering these new services to your clients. We believe this guide provides you with all the materials and resources you need to add Privacy Advisory Services to your firm. Additional Guidance Throughout this guide we have made reference to numerous resources, checklists, and practice aids. You will find the following documents provided for your use and reference on the IT Center Web site: 1. Suite of Tools (Section I) Generally Accepted Privacy Principles A Global Privacy Framework Privacy Advisory Services Marketing Brochure Twenty Questions Businesses Need to Ask About Privacy An Overview of HIPAA: The Role of CPAs in Privacy Compliance Privacy Matters An Introduction to Personal Information Protection Privacy Are Your Clients Minding Their Own Business? Privacy Minding Your Own Business Privacy and Outsourcing Is Your Organization at Risk? Privacy Incident Response Plan Template 2. Checklists (Section IV and VI) HIPAA Health Insurance Portability and Accountability Act GLBA Gramm-Leach-Bliley Act COPAA Children s Online Privacy Protection Act 20 Questions to Ask Your Client About Privacy Identifying Clients for Privacy Advisory Services 3. Other Practice Tools Privacy Advisory Services... A Best Practices, Integrated Approach, a PowerPoint presentation to sell service to clients U.S. and International Regulations 4. Other Resources Available AICPA Privacy Channel Publication Understanding and Implementing Privacy Services A CPA s Resource available through 18

24 For more information To learn more about privacy and how implementing new privacy measures can benefit your organization, please visit ISO Certified