Here’s a new opportunity for Saiba members to boost their incomes: those that have obtained the designation Business Accountant in Practice (BAP) may perform and issue a “factual findings” report on POPIA compliance requirements.
POPIA refers to the Protection of Personal Information Act, which was enacted on 1 July 2020, allowing a one-year window to ensure compliance. That means the deadline for compliance is 1 July 2021.
The purpose of the Act is to ensure privacy of personal information, and it sets out certain obligations in the handling and processing of this information.
From an employment perspective, POPIA applies to:
- information such as identity numbers, contact details, employment history, psychometric assessment results, references, qualifications, disciplinary records, union membership, grievances, health and biometric information; and
- the full life cycle of the employment relationship, from recruitment to post-termination; it continues to apply for five years after the relationship has ended (and still applies where the employer is approached as a reference).
Some aspects of the Act came into force in 2014, though the following sections became applicable on 1 July 2020: Sections 2 to 38, 55 to 109, 111 and section 114(1), (2) and (3).
These sections comprise the “meat” of the Act as they deal with the processing of personal information; the processing of special personal information; the need for an Information Officer; direct marketing by means of unsolicited communications; flow of information outside of South Africa and enforcement of POPIA.
The three parties involved in POPIA
- The data subject: the person to whom the information relates (you and I).
- The responsible party: the person who determines why and how to process the information, such as companies, non-profit organisations, governments, state agencies and individual people. These are called “controllers” in other jurisdictions.
- The operator: a person who processes personal information on behalf of the responsible party. For example, an IT vendor. These are called “processors” in other jurisdictions.
Penalties for non-compliance
Those found to be in breach of the Act can suffer two major penalties:
- A fine of between R1 million and R10 million, or imprisonment of 1-10 years.
- Paying compensation to data subjects for the damage they have suffered.
Given the serious nature of the penalties, companies and organisations will want to ensure they do not fall foul of the Act – hence, the need for Saiba members to equip themselves to deliver this service.
The opportunity for Saiba members
As already mentioned, Saiba members with the BAP designation may perform and issue a “factual findings” report on POPIA compliance requirements.
Factual findings engagements fall under accounting standard ISRS 4400 and are also known as Agreed-Upon-Procedures (AUP).
Under ISRS 4400, an AUP engagement involves a practitioner performing procedures that have been agreed to by the practitioner, the entity and any appropriate third parties, and reporting on the factual findings based on the procedures performed.
In conducting an AUP engagement in accordance with ISRS 4400, the practitioner does not express an opinion. Users of the AUP report assess for themselves the factual findings based on the procedures performed and draw their own conclusions.
In contrast, in an assurance engagement the practitioner conveys an opinion or conclusion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.
Tens of thousands of companies and organisations across the country are obliged to comply with the Act and will need assistance from experts such as Saiba members. This is a huge business opportunity.
Assessing a client’s readiness for POPIA
All forms of processing of personal information must, in terms of section 114(1) of POPIA, conform with POPIA by 1 July 2021. All business and public entities have to ensure compliance by this date.
The Saiba Guide to Engagements on the POPIA for Business Accountants in Practice was commissioned by Saiba to provide guidance to members on performing services to clients in relation to clients’ readiness for POPIA.
A BAP(SA) may approach any entity offering them the ISRS 4400 engagement and a report that demonstrates the client’s readiness for POPIA.
What Saiba needs to do
Saiba is a legislative controlling body for accountants, accounting officers and independent reviewers. As a controlling body we are required to monitor and sanction compliance with standards of member conduct. We perform this function by ensuring compliance by our members with the International Auditing and Assurance Standards Board’s (IAASB) engagement standards. We offer CPD and training courses to help guide members with their everyday challenges in the workplace. We lobby government and SME associations to allocate work to business accountants.
What you need to do
The firm should study the Saiba Guide and the ISRS 4400 and ensure that all POPIA engagements are performed in terms of this standard. The firm should study any relevant laws, regulations, founding documents or contract terms to determine the qualifications of the persons required to perform the engagement, prior to performing the engagement.
Steps you can take to identify the target market
- Do a Google search to identify the types of companies that are likely to need this particular service.
- Write an email or letter to them and explain how you can help them.
- Do the SAIBA CPD and relevant license related to the particular service.
- Perform the service for your new client.
- Alternatively, contact a SAIBA Strategic Alliance partner.
Saiba has provided a number of guides, videos and PowerPoint slides that will assist accountants with understanding their responsibilities in terms of the various types of engagements: