For the past 18 years, the AICPA Top Technologies task force has surveyed members of the accounting community to identify those technologies that they feel will impact our profession in the year ahead. While the top techs list is designed to apply to all accountants, including those in industry and academia, this month’s column looks at the impact of the Top Technologies specifically on accountants in public practice.
Information Security and Management
With almost weekly headlines of IT security breaches, it is not surprising that Information Security Management is the number one issue, with security being a top concern for the past five years. This year’s definition has focused on the approach that firms must put into place to manage their people, processes and systems to safeguard critical systems and information. With IT staff often overworked and having little time to focus on the intricacies of IT security as a whole, it is often better to outsource the implementation of all “one shot” items such as firewalls and VPNs, or partner with integrators that have focused experience and current security certifications. These integrators can also review the firm’s overall security infrastructure and make recommendations through a formal security audit, which should also teach the firm what items to monitor as well as ensure that network and workstation security patches are properly implemented.
Identity and Access Management
Tax and accounting firms are notoriously lax in enforcing recommended controls, not only for access to their networks but also for physical access to the office. At a minimum, every person should change passwords at least four times per year with “hardened” passwords that include upper and lower case letters, numbers, and punctuation characters. This should be enforced by the firm’s network policies, and there should also be standardized and tested procedures to ensure that both passwords and building access codes are terminated when employees leave the firm. Some firms are beginning to use additional user authentication techniques such as tokens, Public Key Infrastructure (PKI), and biometrics to verify that people are who they say they are, and today’s network operating systems and document management applications are further defining the files to which users can have access.
Conforming to Assurance and Compliance Standards
Major shake-ups have affected assurance and compliance standards, and it is imperative that firms create a formal process to make sure they remain in compliance with current and evolving standards. There is no silver bullet here, and it is up to firms to integrate new standards into the firm’s procedures, using their existing audit document container applications and other collaborative firm applications. This will require assigning the responsibility of monitoring changes, assessing risk, adjusting firm procedures, and allocating an adequate number of hours to an assurance champion. The burden of keeping current can be minimized by subscribing to publications focusing in this area, as well as participation in CPE and assurance forums, particularly within the CPA Firm Associations where information is shared freely.
Tax and accounting firms are transitioning to completely digital formats where all files are stored on the network, including scanned images of all client documents (along with Social Security numbers and other personal information). It is the responsibility of firms to protect access to this information, as well as to stay in compliance with local and national privacy legislation. The firm’s Human Resources department also needs to review its data access and privacy procedures with regard to all information stored on the network to ensure that access controls are in place to protect the privacy of all individuals.
Disaster Recovery Planning (DRP) and Business Continuity Management (BCM)
Firms must have a process to recover lost data or facilities regardless of the cause, and I feel this process should consist of two parts. All firms should first create an immediate response document that details which key individuals should be notified (and how), procedures to assess the situation and minimize further loss, and specifics on notifying and accounting for all personnel. The second part should consist of a written document that details the information infrastructure and procedures to restore the system. The AICPA’s Disaster Recovery center has templates and resources to assist in this area, and much of the technical information can be collected via automated tools.
IT Governance
IT Governance consists of the personnel and processes that manage the IT infrastructure within the firm. This would include an understanding of the firm’s strategic objectives and how information technology will assist in achieving these objectives. For effective IT Governance within a firm, a person must be designated as the champion with the responsibility of developing, implementing and monitoring a three-year technology plan and budget, as well as participating in CPE or industry forums to keep abreast of accounting technology.
Securing and Controlling Information Distribution
New to this year’s list is the process by which firms transfer data to and from clients in a secure manner. This can be accomplished via password protected and encrypted e-mails or by utilizing the secure document portals, many of which are integrated into today’s document management systems. Firms must also update their computer policies to reflect these changes and educate employees.
Mobile and Remote Computing
The ability to work from anywhere and at any time is very important for today’s accountants and encompasses the infrastructure and tools to do so securely. This would include using wireless solutions such as broadband cellular connections and WiFi/WiMax as well as secure Internet connections using virtual private networks, Windows XP Remote, and thin-client applications such as Citrix or Windows Terminal Server. The last year has seen a surge of firms using air cards or connecting smart phones to their laptops to access the Internet.
Electronic Archiving and Data Retention
As firms transition all their data to document archival systems, it is important that they also manage the applications and hardware that make them accessible for the length of time required by statutory obligations. They must also update their retention policies to include digital data (and backups) and their destruction procedures to ensure that policies are adhered to.
Document, Content and Knowledge Management
While many firms today understand the concept of document management and have purchased a firm-wide application to do so, they are now beginning to understand that archival of files is not enough. Content and knowledge management expands this definition to incorporate the workflows and access to this data (and the inherent “intellectual capital”) that maximize its ability to be used by the firm. This would include tax workflow integration with document management, as well as the expansion of traditional intranets to include better collaboration within the firm via tools such as Microsoft SharePoint and Lotus Notes.
The AICPA Top Technologies list is designed to help accountants understand the issues, applications and technologies that they should be aware of. It is up to each of us to evaluate these items, their impact on our firms, and prioritize them for implementation.