Relationships fuel so many businesses — including accounting — but for the clients of San Jose, California-based PP&Co.’s fastest growing industry specialization, they are the “lifeblood,” according to assurance partner Richard O’Leary.

More specifically, for the Regional Leader’s burgeoning private and public club industry clients, members are their foundation.

“Membership is the lifeblood and lifeline of the industry — keeping members, and especially always getting new members, is paramount to the industry,” explained O’Leary of the firm’s club clients, part of its wider hospitality group that includes private clubs as well as public golf clubs, city clubs, yacht clubs, equestrian/athletic clubs, hotels, amusement parks and conference centers.

O’Leary has worked with this type of client since the mid-1980s — first as part of a New York firm that specialized in hospitality and transferred him to the Bay Area, and later at their largest competitor in that niche in 2018, as PP&Co. was, according to him, “dominating the Bay Area in this particular industry.”

And PP&Co.’s success has only grown in recent years, he reports. “We did have a very good 2024 in terms of new client opportunities,” O’Leary said. “That comes from brand recognition, name recognition, all of these clubs and hospitality clients all talk amongst one another — ‘Who are your auditors, your tax providers? Do you work well with them? Do you get along with them?’ Opportunities come by word of mouth and reputation. And other firms — there isn’t another firm in the state of California that does as many clubs as we do. We are dedicated to the industry. There are other firms that just dabble in the industry and don’t provide [full] service and the clients can tell. It’s only a matter of time before they want to change service providers.”

Long before his decades serving these clients, he had an understanding of their business as a “country club kid” growing up in New York. It even led to his first accounting firm job.

“My parents belonged to a local club and I was kind of raised in the country club environment,” he shared. “My pop referred me to the partner that did that particular country club’s audits — my pop was treasurer at the time. I connected with the partner at the firm, and that’s how I got the interview.”

As a direct beneficiary of the powerful connections that can be formed at clubs, O’Leary can personally relate to the needs of his clients — the overriding one, again, being to maintain and grow membership. This has led to changing priorities as these organizations aim to bring in younger members.

“New members, the younger generation of their parents, belong to these clubs,” O’Leary said. “Keeping membership strong is one of the challenges the industry faces. In order to attract younger members, the industry has to react to the changing trends of younger generations. We are seeing that happen within clubs providing things like casual dining versus formal dining, fitness facilities — things the younger generation is more interested in versus the older generations. There are a lot of changes in the industry.”

Keeping pace with a changing industry

Recent changes to regulations, especially in the wake of COVID, mean O’Leary and his practice are kept busy as they keep clients up to date and informed. The firm provides traditional assurance and tax services to these clients, though that work has expanded to include more consulting work.

“There’s always opportunity in the industry to educate your client base,” he explained of his club clients, which he estimates to currently include about 45 organizations in the Bay Area. “Because a lot of clubs are tax-exempt, the industry comes with lots of rules and regulations that need to be understood to preserve tax exemption and to understand what aspects of the business are taxable, where to pay tax. With that, there is a world of opportunity to consistently and constantly advise clients on these rules and regulations.”

While this year-round advisory work, including recently updated Internal Revenue Service regulations, keeps PP&Co. in ongoing conversations with clients, O’Leary aims to also strike up new ones with his involvement and board memberships in several local industry and networking groups.

In addition, he shared, “There are a myriad of opportunities for the firm and for myself to provide articles, webinars, to stay face-front to our clients and the industry itself.”

Fluctuating regulations and membership numbers are not the only things keeping these clients up at night. “On a ratio basis, it is one of the most capital-intensive industries that exists,” O’Leary shared. “[Clients] need to have a clubhouse where members can come and use the facilities, mingle with fellow members. They need to have a golf course, tennis facilities, swimming facilities … it’s very capital-intensive.”

Nationwide, the industry encompasses 5,000 to 6,000 clubs, O’Leary cited from a recent study, generating $32 billion of direct revenue to the economy.

“It’s a very labor-intensive industry,” he explained. “To where payroll expenses have been tabulated to be $17 to $18 billion, with the number of employees at almost 600,000.”

With this kind of reach, certain misconceptions about the niche abound, according to O’Leary.

“It’s a very large industry,” he explained. “The industry sometimes gets a little of a bad rap, from the public, from the media, because members are in the top 1% of the country and get an unfair advantage, or tax breaks. That’s not really true. The industry is an incredibly large employer to the economy in the U.S. It often gets misunderstood. The needs of these organizations are solely that they get together and provide social and recreational activities to their membership group. It’s why the organizations exist. Some are formed as tax-exempt organizations, some are taxable organizations. It’s just specific to the voice of each individual club, and the path they want to go when the club is formed.”

As for O’Leary’s personal career path, his success can be attributed to “basic familiarity with the industry, being connected at a young age,” he said.

“It’s just kind of cool, as a young kid, a junior playing golf and using the club my parents belong to, it’s just kind of cool to have turned that into your career,” he shared. “There’s just a lot of passion associated with working within the industry you grew up in. From the kid-of-a-member perspective, now providing those services and expertise, it’s kind of cool.”

Despite security enhancements from Microsoft, CPA firms are likely to disable the controversial Recall feature in Windows 11, which uses AI to create a precise record of user activity, but leaders concede there is little they can do about potential indirect tracking via third parties that still have it enabled. 

Recall, debuted by Microsoft about a year ago, works by taking a screenshot of a user’s desktop every few seconds and then uses on-device large language models to allow a user to retrieve items and information that had previously been on their screen. Following a major public backlash on privacy and security grounds, the company delayed the feature’s implementation to address people’s concerns. 

Last September, Microsoft said that Recall will now encrypt snapshots and other associated information, and will only be able to be used within a Virtualization-based Security Enclave (essentially, a way to isolate a specific program inside the processor so that whatever happens inside stays inside, even if the rest of the machine is compromised, comparable to a panic room but digital) At the end of last month, after testing the feature for select users, Microsoft rolled it out for general availability for Windows 11. Microsoft has been urging people to upgrade from previous versions and said it would be shutting down support for Windows 10 in October. 

valerybrozhinsky – stock.adobe.c

Cory Wolf, director of offensive security with cybersecurity consulting firm risk3sixty, said these new changes have allayed many concerns about the Recall feature between when it was first launched and now. He noted that the initial release was indeed a major security challenge, adding that Microsoft rushed it without going through the typical insider preview process and so did not account for the security issues, but has improved the solution since then. 

“That was why everyone was freaking out, it was clear they did not do any security around it, did not go through previews and at the time it was a real security risk. Now it is going through the proper channels of Windows preview, they added content filtering, they added the virtual machine component … at least from a cybersecurity perspective, it’s really worked out and they’ve improved it quite a bit,” he said. 

Despite these changes, however, some firms are still opting to disable recall on their devices, such as California-based Navolio & Tallman LLP. Though they intend to soon get laptops specifically optimized for AI solutions, IT partner Stephanie Ringrose said that, for now at least, they’re going to disable the feature. 

“We started with the hardware that has the new processor, so that as technology comes out that has more AI in it, we’re set up for success. … So we’re open to new technology. Another part is we like to be on the leading edge, but we’re not necessarily on the bleeding edge, so initially [Recall] does not seem like something we need right away, so our plan currently is to disable it,” she said in an interview. 

Top 50 firm LBMC will also be disabling Recall, according to chief digital and technology officer David Maynard. He raised concerns about the security implications, such as the inadvertent storing of sensitive data via screenshot captures, the use of LLM-powered indexing opening up the possibility for prompt injection attacks, insider threat risks of administrative access being misused, as well as compliance and legal exposure under data protection laws. 

“With specific regard to Microsoft’s Windows 11 Recall feature, we are closely monitoring its development and capabilities as we do all other tools. Microsoft is a trusted partner and delivers some of the most powerful enterprise tools. That said, all evolving technology tools present unique challenges that merit thorough scrutiny, especially for professional services firms handling high volumes of confidential and regulated data. … We are currently disabling Recall by policy across all internal devices, even though it remains in preview. Our experts are also considering the broader implications of using LLMs in enterprise settings and continuing to test the Recall functionality in non-production environments to inform both internal and client-facing recommendations,” he said in an email. 

Still, while firms can take action for themselves, the indirect third party risk remains. While one user might disable Recall, anything shared with someone who has enabled it will be saved to their device, which could still result in data leakage and cyber incidents. Imagine someone from a firm with Recall disabled talking about sensitive matters with a vendor who does have it enabled; now imagine that vendor getting hacked and the attackers getting that sensitive data despite the firm itself protecting on their end. 

Ringrose said that while there are measures a firm can take, there are limits to how much they can control third parties. The firm can have open communications and be vigilant about their data but there is only so much one can do. 

“This [applies to] almost all technology when communicating with outside parties, that you cannot really control what every third party uses on their side. I think there’s a couple different things we can do on the client side, [like] more education as you communicate with them… you have open discussions with them on how they intend to use it and help be an advisor if [the risks] come up,” she said. 

LBMC took a similar position, saying that it can’t really control what other parties do, so they need to be careful about what they, themselves, disclose to outside parties. 

“LBMC can control only its devices, not third-party assets. Management and understanding of Recall’s implications are necessary before sharing information,” said Maynard. 

But at the same time, the two said it’s not that much different than any other communications technology. Yes, third parties might capture sensitive data through Recall, but the same thing could happen with irresponsible emails or file shares too. In this respect, while the firms intend to have controls over the use of the feature, they would be no different than the controls they would require for any other new technology.

“It’s like email, you know? It’s like any form of communication—you’re putting something out there. And so it’s a little bit open to what that third party is using,” said Ringrose. 

Maynard raised a similar point: while LBMC will be thoroughly evaluating Recall for safety, it does so for every new piece of technology it potentially could adopt. At a high level, every new tool under consideration—whether developed internally, by a third party, or as part of a widely used platform—is assessed using a phased model. The evaluation model encompasses infrastructure and compatibility review, security review, privacy and data governance review, legal and regulatory risk assessment, ethical and professional standards alignment, cybersecurity and AI committee input, governance and approvals process, a test phase with controlled rollouts, then training, usage, policies and compliance integration. 

“Window 11 Recall is just one of many emerging technologies that highlights the need for organizations, especially those in regulated industries like accounting to have a structured enterprise-wide process for evaluating new tools. At LBMC we view every innovation through a multidimensional lens balancing potential benefits with security, privacy, regulatory and ethical considerations. Our approach is part of a broader, proactive framework that involves cross functional expertise from cybersecurity, AI, legal, compliance and operational leadership. This is how we ensure new technology aligns not only with our internal standards, but with the expectations of the clients and industries we serve,” he said. 

Wolf, from risk3sixty, said that while the risks from improper use are real, at this point they are not dramatically greater than other solutions. He noted that many CPA firms already have third party risk management programs and it wouldn’t be difficult to work Recall into these already existing controls. However, he said it might be more of a lift for those who do not already have these programs in place. 

“So when doing vendor questionnaires and audits they should bake in Recall, things like doing security awareness training around Recall, that should be baked into that, but it definitely needs adjustment … for smaller firms that do not have one. Contractual obligation is their best recourse. It’s no different than sending something to a noncompany email for example, the risks are still the same,” he said. 

There was similar thinking regarding remote work and bring-you-own-device policies. Many firms already have specific security policies in these areas, and while Recall is a factor in both cases, there appears to be little need to carve out an entire new set of policies specifically for this feature. Firms should be diligent with their cybersecurity overall, said Maynard, which includes accounting for Recall but no more than other tools. 

“For accounting and advisory firms, any tool that touches client data must be evaluated not just on features—but on trust, integrity, and compliance. We believe that by embedding subject matter expertise into every phase of the evaluation process, firms can strike the right balance between innovation and responsibility,” he said.

The U.S. firm of Grant Thornton is adding Grant Thornton Netherlands to the multinational platform it launched earlier this year, in a deal that is expected to close later this year.

In January Grant Thornton Advisors combined with Grant Thornton Ireland, in its first step to create an integrated international firm. In late April it announced agreements with GT firms in Luxembourg, the United Arab Emirates and the Cayman Islands.

The platform is backed by an investor group led by private equity firm New Mountain Capital, which acquired a majority stake in Grant Thornton in March 2024, after selling a majority stake in Top 100 Firm Citrin Cooperman that it had acquired in 2021.

As a result of the PE investment, Grant Thornton took on the alternative practice structure that is common to those deals, with Grant Thornton Advisors offering non-attest services, and Grant Thornton LLP offering audit and assurance services. GT Netherlands’ audit practice will join the latter.

The Dutch firm brings close to 800 professionals in eight offices to the platform’s almost 13,000 team members in 60 offices. Its CEO, Marcel Blöte, will remain in his current position as head of that geography.

“Joining forces with Grant Thornton Advisors empowers us to deliver enhanced value for clients as a diversified platform poised for growth and expansion,” Blöte said in a statement. “We’ll be able to offer our people extremely attractive paths for career development, while maintaining our hallmark entrepreneurial culture and commitment to quality. Collectively, we will ensure our status as a top 10 firm in our market well into the future — one that can flexibly respond to a dynamic market and changing regulations.”

“By uniting with preeminent high-growth firms such as Grant Thornton Netherlands, we’ve established a world-class service provider platform spanning multinational markets,” said Jim Peko, CEO of Grant Thornton Advisors, in a statement. “We will continue to solidify our standing as the industry’s destination of choice for clients and team members alike, providing a singular experience focused on quality and unparalleled service delivery.”  

“We welcome Grant Thornton Netherlands to our expanded platform,” said Steve Tennant, managing partner of Grant Thornton in Ireland, who leads international M&A on behalf of Grant Thornton Advisors, in a statement. “The Dutch firm brings complementary ambition and talent as we look to extend our capabilities, services and geographic reach to benefit our clients and our people.”

“We’re bringing the highest quality and fastest-growing firms together into one truly integrated global platform,” said Andre Moura, a managing director at New Mountain Capital, in a statement. “Grant Thornton Netherlands is a perfect example of this — delivering the quality, expertise and industry specialization integral to the world-class client experience we’re creating.”

Grant Thornton isn’t the only international network that has member firms consolidating. Last October, the U.S. and U.K. firms of RSM International announced plans to combine by the end of 2025. KPMG is also reportedly looking to combine many of its member firms around the world, reducing the number from over 120 in 2023 to between 30 and 40 by the end of 2026, according to the Wall Street Journal, and last year its U.K. and Swiss firms merged into a $4.4 billion firm.