While Standard 9.2, which details the COFA’s responsibilities in respect of the firm’s SRA Accounts Rules compliance and reporting does not explicitly state 'thou must keep a breaches register' the responsibilities for ensuring ongoing compliance, as well as the obligation to make a prompt report to the SRA of any serious breaches of the Accounts Rules, means this is rightly accepted as a vital tool in fulfilling these obligations.
How can any COFA be confident that they have fulfilled these obligations if they have no:
- proper internal reporting processes (in writing) in place to ensure that they are made aware of all breaches;
- formal record of all such breaches;
- evidence of their consideration of whether each breach, individually and/or in aggregate, do not point to a serious breach or failure.
The Reporting Accountant’s view
- Review at the planning stage: The Reporting Accountant will typically expect to have sight of the firm's breaches register for the period under review when they undertake their planning and risk assessment before the work commences. This is not for the Reporting Accountant to ‘avoid doing the work themselves’, it is an important factor in assessing risk and therefore what testing should be performed, how much work should be done, and where resources may need to be concentrated, in the context of the particular law firm. However, getting the best use of the breaches register from both the Reporting Accountant and the law firm’s perspective does rely on that breaches register being a complete and suitably detailed record of all breaches that have arisen and been notified to the COFA during the accounting.
- General Experience: While, as a Reporting Accountant, I have seen many excellently maintained breaches registers it is also fair to say that too many that I review are not up to that standard. It is never entirely clear to me why there seems to be a reluctance to properly maintain a relatively straight forward tool which is a vital element of the COFA’s role.
-
Failings: The failures vary but the key weaknesses tend to be that the register is:
- Incomplete. This is most evident when the Reporting Accountant is presented with a breaches register where there are no or an untypically small number of breaches that have been recorded. In the current compliance regime this does not inspire confidence in the quality of the register. This is then exacerbated by the fact that while carrying out the testing it is clear that other breaches have arisen, have been spotted and have been corrected. Yet have never made their way onto the breaches register.
- Lacking in detail. In particular; no information on the date the breach was discovered. A key detail to demonstrate compliance with rule 6.1, that the breaches were either rectified promptly or, where required, immediately, on discovery; no reference to the amount(s) involved, which in practical terms will inevitably have some implications for the assessment of the seriousness of the particular breach:no evidence of review by the COFA and/or the decision that the breach itself or the series of breaches are not deemed sufficiently serious to make a report to the SRA.
Final thought
A final thought on this. As COFA do you routinely check your own breaches register to the schedule of breaches you have been provided with by your Reporting Accountant (bearing in mind they will only have tested a sample) and does that comparison highlight potential internal reporting issues that you need to address?
The COFA’s view
Having maintained a breach register since 2013, it has just become part of the scenery an integral part of this COFA’s working life for a substantial amount of time. Like most COFAs, I am an accountant by background so the default tool of the trade for virtually everything is Excel.
Maintaining and reviewing
In its initial days, I fully maintained the register, but since the development of my role and the growth of the firm it has no longer been possible to do that myself. Therefore, the direct maintenance of the register is delegated to those closest to the coalface, the cashiers. However, delegation is not abrogation of responsibility, and the buck still stops with me. However, the separation of duties allows me to perform the role that is most reliant on the role of COFA and that is the review, identifying trends, ensuring that there are no patterns of similar breaches occurring, and enhancing our systems in the event that any particular type of breaches has happened.
Having the register in Excel allows for filtering, searching and grouping for key words, or similar rule breaches or even particular fee earners who may require additional training.
The system doesn’t need to be overcomplicated or onerous. Any time a minor breach is identified, and added to the register, the team email me, and I will usually follow up with questions about the nature of the breach and then visit the register to check whether any follow up action is required by me.
Value
This is all part of ensuring a culture of compliance is embedded throughout the firm and goes to the point above of ensuring that regular reviews are carried out and acted upon.
*The views expressed are the author’s and not ICAEW’s.