CPAs face a dizzying array of choices and decisions. Some of the most crucial are in the technology arena. Technology can unlock efficiencies and drive progress, but it also can create confusion and introduce risk.
What should CPAs do to maximize the benefits of technology while minimizing their tech troubles? That was among the topics tackled during the JofA's annual accounting technology round table. The JofA is publishing an edited transcript of the discussion in two parts. The first, which appeared in the June issue ("Should CPAs Switch to Windows 10 or Office 2016?" page 48) examined Microsoft's major product releases of the past year and identified some of the most exciting technologies set to debut in the near future. This month's installment addresses what CPAs should have as their top tech priorities, what CPAs should be doing to protect themselves from hackers, and what technology changes CPAs should be expecting to see over the next year or so.
The JofA interviewed the experts in a February conference call. Quick profiles of the panelists—David Cieslak, J. Carlton Collins, and Lisa Traina—appear below, and the second part of the edited transcript follows.
The panelists
David Cieslak, CPA/CITP, CGMA, GSEC, principal and founder of Arxis Technology Inc. and a popular technology speaker known as Inspector Gadget.
J. Carlton Collins, CPA, the CEO of ASA Research and author of the JofA's monthly Technology Q&A column.
Lisa Traina, CPA/CITP, CGMA, founder and owner of Traina & Associates, which provides information systems and IT security audit and consulting services to business clients.
What should be the number one tech priority for CPAs over the next six to 12 months? What questions should CPAs be asking themselves on the technology side?
Traina: I think most CPAs in firms and in industry are still mostly in a paper world. Certainly, paperless systems have been put in place, but more needs to be done and not just with primary data, like finally sharing tax returns with clients electronically, but payroll, accounts payable, receivables, forms, and policies—everything in the office. Because what we've seen is that once people start to eliminate the paper, everything else falls into place. Then they truly can use the technology—the devices and the cloud—and have anytime, anywhere access. People think they are there, but they're not. It just is a major milestone in where you can take your organization.
Cieslak: We're awash in so much good technology—hardware, software, cloud-based applications, mobile products. We're suggesting that firms look across their organization and ask the hard questions. What can they do differently? How can they leverage the latest technologies to create a smarter, more efficient workplace?
I use the term, "individual process improvement." So rather than saying, "Why don't we re-architect the whole organization?," we look at individual processes in the organization and say, "Where can we apply some of this great new technology and just piece by piece start to enjoy more efficiency and effectiveness?" Current examples include accounts payable automation, electronic expense reports, and e-signing contracts.
Traina: Individual process improvement is a great way to describe what I was saying. When you get rid of paper expense reports, for example, you see tremendous increases in productivity.
Collins: Training employees to properly use the company's technologies should always be a top priority, if not the top priority, every year. As new employees are hired, new products are purchased, and new editions of existing products emerge, training is important to ensure that your employees can use the tools properly. Besides technology training, I will add that four additional tech priorities should be:
1. Ensuring your technologies are up-to-date by replacing older equipment, upgrading software editions, and updating computer, router, and printer drivers.
2. Ensuring your technologies are secure. This is best done by having an outside security company review your computers, infrastructure products, and activities. You should also bolster physical security by bolting down equipment and strengthening door locks and window locks.
3. Periodically scanning the horizon for new, upcoming technologies or products you might want to embrace. This should be part of your technology planning and strategy process.
4. Automating your backup process so all systems are backed up automatically (i.e., no human action required) and test those backup systems regularly to confirm they are working properly.
Traina: Because I operate in the IT security area, my top questions are security-focused, and they're kind of basic. But I think they will get CPAs thinking. One question might be if your email was hacked, would the hacker have access to your client information, and how well would your firm or your organization survive that kind of a breach? Second, if a CPA's computer were hijacked by ransomware, would the CPA have to pay the ransom?
Collins: Do you recommend they pay the ransom, Lisa?
Traina: Not really. I'm into prevention, so I would hope that they have backups in place and can just do a restore to back before they got the ransomware.
Cieslak: I continue to be alarmed by what we'll call the "human factor," and that is too many people clicking on things that they shouldn't be clicking on in emails that are still making it successfully through to the end user's eyeballs. Clicking on email links or attachments opens the door to Trojans or, more and more often these days, ransomware. With ransomware, backups are essential, especially backing up to media not always connected to the device, because today's ransomware is doing a pretty good job of not just infecting the local machine but also the backup.
So the backups need to be made in some kind of timed interval. They also need to be encrypted so they can't get polluted when ransomware potentially takes hold of an individual machine or an organization.
CPAs also need to be sure they have the latest product versions and patches and that they are being diligent in terms of passwords. Are they turning on multifactor authentication, which is very simple to activate now for most products, especially on the web? These tools and techniques can dramatically increase security, but I'm also going to say again, what Carlton said, which is the education. When I look at cyber-security, lack of education is still probably the number one impediment.
Traina: I would add one more thing. Executives are far too complacent about cybersecurity because they just figure it isn't a problem for them. I think CPAs, particularly those in industry and CFO roles, can play a big part in trying to bring the matter to the table as a risk just like any other risk that needs to be mitigated. So training at the executive level—executives, board members, stakeholders—is something that I would add to the menu of things to be done.
Collins: I believe unencrypted email remains one of the biggest security threats to CPAs because CPAs still send email messages that are unprotected and vulnerable to being intercepted. I realize that not all messages contain sensitive information, but even seemingly noninvasive information can be used to conduct a scam or a fraud. For example, a simple email scheduling lunch with your stockbroker can let potential hackers know who your stockbroker is, which may be their first step toward hijacking your investment accounts. So you need to secure all your emails. When it comes to security, CPAs should bring in a professional security team to check things out and be sure to review security measures annually, or as your technology changes.
Cieslak: The other piece is we continue to be very vulnerable outside the office. Most of us are the system administrators for our home network, and, unfortunately, many of our home networks are the ones at greater risk, due to inadequate or outdated firewalls, applications, operating systems, and machines. In most cases, home environments lack the much more diligent kind of cybersecurity enforcement that most organizations are trying to employ. So remember that it's not just about the office, it's about when we're outside the office, and it gets back to making certain that those noncorporate environments that we're connecting to and doing business computing with are also properly secure.
So what is the standard advice that you are giving out now in terms of avoiding getting hooked in a phishing scam? Is it just don't click on any link you were sent in an email?
Cieslak: The temptation is to say if the email looks to be from a trusted source, it's OK to click on it, but that is in fact one of the things that's causing a lot of trouble right now. Too many of the phishing scams appear to come from trusted sources. These are spear-phishing scams, whaling scams. So I'm a big proponent of not clicking on links in emails—period. Don't open attachments in the email, and, whatever you do, don't execute macros in an email.
Website drive-bys are a little bit tougher because we're finding more and more legitimate websites with infected content. So what we're saying is be very careful not only with what you're clicking on, but also, when you are visiting a website, make sure all the links you click on are in encrypted mode. If the URL has "https://," that is usually a good sign, though it's not 100%.
Collins: I don't have a good answer for avoiding phishing scams because, despite crashing many computers, my father continues to fall for phishing scams by clicking nearly every pop-up that even hints that his computer might have a virus. I can't seem to explain to him—he's 88 years old—how to discern phishing scams from legitimate software update notifications.
Traina: So I think the answer is, now that we shouldn't send anything unencrypted and we can't click on anything or open anything, that I guess we have to go back to paper, right?
Collins: Yeah, after all that.
Traina: I know.
Cieslak: But let me add, though, and that is a big thing that we've talked about for a good number of years now, is that in this regard cloud computing can actually help organizations better protect end users. Many people think that physical custody of servers and other hardware gives them the best shot at keeping computing resources the most secure. In reality, that's laughable. With cloud providers, you get 24/7/365, full-time IT security administrators around these hosted services, products, and environments as well as additional controls such as multifactor authentication. In addition, some of these cloud-based offerings have the ability to turn back the denial-of-service attacks and to fail over, if necessary, allowing users to roll back to just prior to when a hack might have occurred. These are things that most organizations and CPA firms absolutely don't have the ability to do internally because of resources.
Security is the lifeblood of what cloud-based providers do. Their whole reputation, their whole existence depends on it. Still we need to do some of our homework. We need to look into and make certain each cloud-based service provider is independently tested and certified and has a good track record in and around security.
Traina: And there's less stuff going around in emails when everybody can access the system in real time. So I totally agree.
Can we take this conversation into a little happier direction and talk about some new products? What new products or new technologies should people be learning about?
Collins: What comes to mind is the new EMV (Europay, MasterCard, Visa) credit card chip standards that took effect in October [2015] (see "Technology Q&A: Credit Cards Getting Smarter," JofA, Nov. 2015, page 85). While it hasn't happened yet, some people expect that credit card companies might eventually shift the burden of covering fraudulent credit card charges to those merchants that fail to adopt the new EMV standard. For this reason alone, CPAs should ensure their companies comply with these new standards. If a business has multiple retail outlets with dozens of retail cash registers, it could be a major and costly undertaking to bring them up to the new standards.
Traina: EMV is an area where you've got a little bit of a wait-and-see, chicken-and-egg because the banks haven't sent out the new cards, and so the merchants are saying, "Well, I'm not getting the new readers and spending the money until all the banks send the cards, and customers demand it." So that whole EMV transition is just not going forward as fast as people hoped, because the October deadline has already passed when most merchants were supposed to do it. It is expensive, and so it could be disruptive. But it's just tough to know when people are going to take the plunge.
Collins: Once the fraud burden shifts (if it does shift), everybody will upgrade to the new EMV system immediately.
Traina: But the fraud liability has technically already shifted, right? In October there was already that shift, but people somehow don't see it happening. So I would ask, do you really think that EMV is going to make a big difference? I don't think it's going to make a huge, huge difference because so many transactions are handled on the internet now with no card present. So I'm still leery of the difference it's going to make, and it's because of the time it's going to take and in that time frame, people are going to start paying with their Apple Pay and their Samsung Pay.
Collins: Based on the results of adopting chip-based cards in other countries, these new cards will significantly reduce credit card fraud in face-to-face transactions but will likely lead to an increase in online credit card fraud activities. To combat online credit card fraud, new virtual PIN-based solutions have been created, such as Apple Pay and Visa Pay. These virtual solutions protect transactions by passing unique, one-time-only tokens, instead of credit card numbers, to the merchants; hence, there is no credit card information for hackers to harvest for use in other fraudulent online transactions.
Cieslak: One of the things I'll weigh in here on is how technology should help IT security going forward. I know we just talked about the credit cards and chip technology, but we're seeing a lot more in and around biometric validation, such as when users use retinal scans or some kind of facial recognition to connect with, for example, their laptop or mobile device.
Do you have any idea on a time frame for when we'll really see that out there?
Cieslak: In the next 12 to 24 months. I mean, if you look at the Windows Hello feature available in Windows 10 on the Microsoft Surface line, it gives a glimpse of what a password-less environment might look like. But we need to see that roll out across other products and platforms as well.
About the author
Jeff Drew is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at jdrew@aicpa.org or 919-402-4056.
AICPA RESOURCES
JofA articles
- "Should CPAs Switch to Windows 10 or Office 2016?" June 2016, page 48
- "5 Steps CPAs Can Take to Fight Hackers," April 2016, page 58
Publication
- 10 Steps to a Digital Practice in the Cloud: New Levels of CPA Firm Workflow Efficiency, Second Edition (#PTX1401P, paperback; #PTX1401E, ebook)
CPE self-study
- Analytics and Big Data for Accountants (#746270, text; #164210, one-year online access)
Conference
- Digital CPA Conference, Dec. 5—7, Las Vegas
For more information or to make a purchase or register, go to aicpastore.com or call the Institute at 888-777-7077.
Information Management and Technology Assurance (IMTA) Section and CITP credential
The Information Management and Technology Assurance (IMTA) division serves members of the IMTA Membership Section, CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and accounting professionals who want to maximize information technology to provide information management and/or technology assurance services to meet their clients' or organization's operational, compliance, and assurance needs. To learn about the IMTA division, visit aicpa.org/IMTA. Information about the CITP credential is available at aicpa.org/CITP.
