SRA Accounts Rules compliance: Breaches and Cyber Security


I was interviewed recently by Law Firm Ambition about my views on the most common questions I come across in respect of mergers/accounts rules. To read my thoughts on the first five questions, find the article here. Below I answer questions around breaches and cyber security, with the next article focusing on internal reviews and compliance checks.


6. How should the COFA be notified of breaches?

All employees within the practice should be aware of their obligations with regard to the Solicitors Accounts Rules. They should report any breach or suspected breach to the COFA immediately.

In addition, the systems and reporting lines that you have put in place should work to identify and highlight minor/trivial breaches with ease.


7. What format should the breach register take?

There is no prescriptive guidance on the format of the breach register, but it should be capable of being interrogated easily; for example, by filtering and categorising.

The register should also contain sufficient detail for the COFA to use it as a management tool to identify trends and issues. For example, the register might include the rule number and name as well as amounts, frequency and timings of rectification.

In its simplest form, a Microsoft Excel spreadsheet will work for most practices.


8. When do we need to report a breach to the SRA?

When a breach should be reported is very subjective and is based on materiality.

When considering the materiality of a breach, the COFA should consider:

  • the amounts involved;
  • whether there is any loss to a client;
  • whether there is a systematic failure in controls within the practice;
  • whether it forms part of a pattern of breaches;
  • how quickly it was discovered and rectified.

Whatever your decision on materiality, you must be comfortable that you can justify it. From a reporting accountant’s perspective, it is useful to document that justification at the time.

If you decide a breach is material and should be reported, it isn’t necessarily the end of the world. This can in fact be an indication of good risk management. You should ensure the report is clear and transparent.
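As an added illustration, not code from the original article or from any firm's system, the following shows a breach register that can be filtered and categorised (question 7) and walked through the question 8 materiality factors. The rule numbers, entries and thresholds are constructed assumptions: the SRA sets no numeric thresholds and the materiality judgement remains the COFA's.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Breach:
    ref: str                   # internal reference
    rule: str                  # rule number/name (sample values below are constructed)
    amount: float              # amount involved, GBP
    client_loss: float         # loss actually suffered by a client (0.0 if none)
    discovered: date
    rectified: Optional[date]  # None while still outstanding
    systemic: bool             # does it point to a failure in the practice's controls?

    def days_to_rectify(self) -> Optional[int]:
        return None if self.rectified is None else (self.rectified - self.discovered).days

def filter_register(register, rule=None, min_amount=0.0):
    """Interrogate the register by rule and/or by amount (question 7)."""
    return [b for b in register if (rule is None or b.rule == rule) and b.amount >= min_amount]

def breaches_by_rule(register):
    """Categorise the register so trends by rule can be spotted (question 7)."""
    return Counter(b.rule for b in register)

def materiality_factors(register, breach, amount_threshold=5000.0, pattern_count=3, slow_days=30):
    """Return which of the question 8 factors apply to one breach.
    The thresholds are hypothetical and exist only to make the check concrete."""
    factors = []
    if breach.amount >= amount_threshold:
        factors.append("significant amount")
    if breach.client_loss > 0:
        factors.append("loss to a client")
    if breach.systemic:
        factors.append("systematic failure in controls")
    if breaches_by_rule(register)[breach.rule] >= pattern_count:
        factors.append("part of a pattern of breaches")
    days = breach.days_to_rectify()
    if days is None or days > slow_days:
        factors.append("slow or outstanding rectification")
    return factors

# Constructed sample register (not real client data or real rule references)
REGISTER = [
    Breach("B-001", "Rule 2.5", 120.0, 0.0, date(2024, 1, 10), date(2024, 1, 11), False),
    Breach("B-002", "Rule 2.5", 450.0, 0.0, date(2024, 2, 3), date(2024, 2, 4), False),
    Breach("B-003", "Rule 2.5", 8000.0, 8000.0, date(2024, 3, 1), None, True),
    Breach("B-004", "Rule 8.1", 60.0, 0.0, date(2024, 3, 5), date(2024, 3, 5), False),
]
```

The returned factor list is the evidence to record alongside the COFA's reporting decision, so that the justification can be shown to the reporting accountant later.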


9. How do we make sure the firm’s accounting systems are robust?

As COFA you have responsibility for having systems in place which ensure sound financial and risk management of the practice. As such you need to have access to all management information systems and business information.


10. How are cyber security issues affecting accounting systems in law firms?

As everyone is aware, law firms are at particular risk of cyber crime due to the large amounts of client monies held and financial transactions undertaken. It is not just the accounting systems that are affected, but all systems within the law firm.

Specifically with regard to the accounting function, the following areas should be considered:

  • Consider how you communicate with clients and collect their data, such as bank details. Email may not be secure. Face-to-face meetings are the safest way, but letter is another option, or fax (if still used).
  • Everyone in the firm needs to be given regular updates of the risks and ever-evolving technologies used by fraudsters, so that they can identify a potential scam and question instructions which may not feel quite right.
  • Provide your bank details to clients in a secure manner at the outset of the transaction. Make it clear that this will not change during the course of the transaction.
  • Check the practice’s bank statements on a regular basis. Raise anything that seems unusual or cannot be identified with your bank immediately.

If you have any unanswered questions about SRA Accounts Rules, contact Huw Nicholls.
