The single factor of most concern in the cloud

With vendors inconsistently offering multifactor authentication, the JofA’s annual technology roundtable identifies single sign-on as a possible solution.
By Jeff Drew

The single factor of most concern in the cloud
Image by krulua/iStock

The JofA's sixth annual technology roundtable hit on some familiar topics this year: cybersecurity, cloud computing, the importance of proper technology training for staff. It also dived into a few topics that have received little or no mention in the past.

Midsize accounting firms, at least in the eyes of the three technology experts who participated in the roundtable, are falling behind their larger and smaller counterparts when it comes to technology implementation, maintenance, and strategy. It's a trend that at least one panel member believes is putting those firms at risk.

An area for possible improvement is cloud computing, though the profession as a whole continues to make progress in embracing internet-based computing resources. There is a big factor, however, that is easy to overlook and can negate many of the security advantages of using cloud-based servers and applications. The panel discussed that factor (or factors) and examined a single solution that might prove beneficial to organizations of all sizes.

Those topics are the main focus of this first of a two-part edited transcript of the technology roundtable call. (Click here to listen to the JofA podcast of the roundtable call.) Next month's installment will examine blockchain, among other topics.

The JofA interviewed the experts in a February conference call. Short profiles of the panelists—David Cieslak, J. Carlton Collins, and Lisa Traina—are at the bottom of the page, and the first part of the edited transcript follows:

What are CPAs doing well on the technology front, and what are they not doing so well?

Traina: There seems to be more progress toward paperless environments, and CPAs have made great strides there. I think it's a little bit easier for me to say what they're not doing so well. One of the things that continues to surprise me is that too many CPAs still exchange information in unsecured email. I know that encrypting end to end can be cumbersome, but moving toward exchanging information and documents through portals has far more benefits than just getting the information out of unsecured email.

Collins: CPAs in industry seem to be doing a better job of embracing and deploying technology than CPAs in public practice. Even so, when I tour client offices, I typically see piles of paper, rows of filing cabinets, cluttered workstations, uncomfortable chairs, small computer screens, lack of smartphone strategy, and weak cloud strategies. Their applications are usually one or two versions out of date, and I find a lack of knowledge as to how to fully utilize the products that they have implemented. Many companies seem to have addressed three or four technology areas adequately, while other areas are virtually ignored. In public practice, CPAs typically have their tax preparation software nailed down pretty good; their data servers and their paperless systems are also good. But there are 15 other technologies that are kind of woefully neglected, such as cloud and mobile and color printing, email, accounting system reporting, technology training. When I do see CPAs embracing technology, it's usually because one of their leaders is a champion of technology, and they make it their goal to utilize the latest, greatest technologies and training. Without strong support from a company's leadership I find that most companies' technology usually flounders.

Cieslak: We're finding some firms are, in fact, looking at business processes and asking how they can leverage technology to become more efficient, more productive. I'm thinking about firms that maybe have a write-up practice and are really encouraging and helping their customers migrate to QBO [QuickBooks Online] or to Xero or to Intacct.

We're finding that younger, smaller organizations are all-in on technology. They understand the benefit and impact that technology can have. They're digital natives and happily want to go in that direction. Larger firms, we also are finding in many respects can be quite committed to really driving technology into business process and into the organization. Large firms oftentimes have younger team members participating on the internal technology advisory board. It's really the midsize firms that we're finding are the most challenged, and I think in so many respects it's because they might have established systems that still work. The mindset of one more day, one more year, has caused some organizations to hang on to technology far too long or to not look for ways to implement new technologies into what they do and how they do it. It's some of those midsize firms, especially those where there's an aging demographic, that tend to be the most technology-challenged. Candidly, I think they are potentially putting the organization at risk.

What should be the top technology priorities for CPAs?

Cieslak: Security absolutely needs to be top of mind and should be part of every firm's DNA. We are all living in a 24/7 connected world. The applications and systems we use in the office during the day, the ones we use when we are mobile or at home at night, even [the] internet of things connecting the devices are really part of every facet of our lives. Security is an overlay on top of that. So we need to make certain we're remediating any known issues, as well as understanding the risks behind what we're doing and how we're doing it.

I think cloud-based services, when they're done right by the correct providers, offer [a] significantly more secure approach than most of the hosted, in-house, self-supported, self-provisioned solutions. So I think the cloud adoption needs to continue. We also need to upgrade end-user devices and applications to the latest versions, such as Windows 10 on the desktop. We need to make certain that systems are patched.

From an end-user perspective, think about what we can do to not only make our people more secure but also make their jobs more awesome. How can we make this a more enjoyable, more delightful, more awesome experience for the end user?

Traina: You can't really address the problem of needing to keep everything updated and patched until you know what you have. In just about every cybersecurity assessment we do, there's just not a handle on all the security threats out there, and the threats are multiplying like crazy because of the mobile world we live in. So the first priority is to get a handle on what you have, what's connecting where, where's the data being synced. It's all over the place in mobile devices, home computers, etc. The second piece in the security arena is the vulnerability testing. That's the automated process where systems are scanned for well over 50,000 different vulnerabilities to let you know what devices have which holes or security weaknesses. In the last year or so, we've started to see bigger organizations make wholescale recommendations for regular vulnerability testing. [Most] CPA firms are not doing that. How are you going to know how to protect yourself if you're not taking some basic steps to get an inventory of what you have and then do some testing to see where you might be weak?

Collins: David and Lisa are exactly right that security is the top priority, but I really don't like putting security up there as the top priority because all security does for you is keep something bad from happening. In no way does any security measure make you a more productive employee. It doesn't help you get your job done faster, better, easier, or produce better results. So, yeah, you're right. You've got to make security a priority, but aside from security, if there's one thing I would make a priority, it's the commitment to technology training. If you just take one Excel course every two years, that's not sufficient to produce true tech-savvy CPAs. CPAs need training on all of their products, hardware, and software applications, and you've got to do it on a regular basis. Many of my clients' staff seem to only be mildly educated about the products that they use. They know the basic features of those tools, and that's it. I wonder whatever happened to employees that took it upon themselves to have the initiative to study and learn and "completely own" the products they use so that they could get full utility out of them. Give me those employees, not the ones who have the product in front of them all day long but tend to use only the same six features out of 2,000 possible features and then think they're really using that accounting system or that reporting system properly.

A few other priorities that CPAs should probably have: Of course, encrypting emails, upgrading workstations to larger monitors, using spacious desks and comfortable chairs. I see people crammed into uncomfortable chairs, and I don't know how they can work for long periods of time that way. I also see that people don't update their software applications and operating systems as frequently as they should. Everybody should be on the latest, greatest version because it has more of the features and more of the security implemented. If you have an old computer and you put a new operating system on it, there could be bugaboos, conflicts with memory assignments, and things of that nature, but if you have a new computer with new applications, that system seems to run well for several years.

Where does the profession stand on its migration to the cloud?

Collins: I've seen a few firms fully embrace the cloud and they seem to be reaping the benefits, but a lot of CPAs I work with only seem to have touched upon the cloud. The obstacles remain the same: ignorance of how the technology actually works, fear their data will not be secure, and an unwillingness to let go of the sunk cost of those historical products that they've already implemented. But on the positive side, I get the impression from talking with a lot of my clients that more CPAs are now more open to using cloud technologies. They're just not sure how to make that smooth transition to the cloud platform yet.

Cieslak: How do you move to the cloud? You do it one step at a time. Think about those processes that would potentially benefit the most by transitioning them to a cloud-based approach, and piece by piece you can make that move.

Traina: People are putting in more cloud systems and that's a good thing, but I think there is one thing that's been missed: having two-factor or multifactor authentication on cloud systems. When people don't have the multifactor [authentication], if anybody with a malware keylogger gets your password, they can log in from any device in any country and get to those systems. I continue to be surprised at how many vendors either are not offering multifactor or they offer it as an add-on and it's not the default. That's disappointing to me. Multifactor shouldn't be something you have to pay extra for or be looking for.

Cieslak: I would go one step further and say that if you're looking at migrating a core function to the cloud, then you should not even consider migrating it to a service provider that doesn't give you that multifactor, multistep authentication option.

Traina: Totally agree, even with email systems. It just needs to be there for all these cloud systems.

Is multifactor authentication something that CPAs should be looking for on an application-by-application basis, or is there any kind of all-encompassing solution that can help cover everything?

Cieslak: There are some good management tools, some good approaches to this. Single sign-on comes to mind. As firms move more and more services to the cloud, not only do they need to make sure that each of those services supports multistep or multifactor authentication, but also that they can ultimately pull that together in a management console and through single sign-on. That makes it essentially much easier to provision and de-provision users and even allows you to maintain passwords and maintain access controls to core organizational applications, insulating the user from even needing to know what passwords are to specific applications or devices. You can essentially bake complex passwords into the single sign-on login experience. A single sign-on tool can give end users a control panel of icons showing all the cloud-based applications that a firm is using. Then end users click on the icon gaining access to the application they need. If it's their first time accessing, and the system doesn't recognize this device or where they are trying to connect from, then it can require them to provide a second factor of authentication.

What's the best way for CPAs or their organizations to get single sign-on? Are there certain vendors they should go to?

Cieslak: Absolutely, I recommend doing a Google search on single sign-on—you'll find bunches of them. We happen to currently use a product called Bitium, which scales down to smaller and midsize firms very well. Microsoft is in the game. There are Okta, OneLogin, Centrify, a great variety of products, and many of them will even integrate with a hybrid environment. So if you continue to have local on-premises servers that are running Active Directory under Microsoft, then you may want to integrate the single sign-on experience with Active Directory. Those tools are out there. They are mature with very delightful end-user experiences. 


The panelists

David Cieslak, CPA/CITP, CGMA, principal and founder of Arxis Technology and a popular technology speaker known as Inspector Gadget.

J. Carlton Collins, CPA, the CEO of ASA Research and author of the JofA's monthly Technology Q&A column.

Lisa Traina, CPA/CITP, CGMA, partner with Traina & Associates, a CapinCrouse company, which provides information systems and IT security audit and consulting services to business clients.


About the author

Jeff Drew is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at Jeff.Drew@aicpa-cima.com or 919-402-4056.


AICPA resources

Articles

Publication

  • 10 Steps to a Digital Practice in the Cloud: New Levels of CPA Firm Workflow Efficiency, Second Edition (#PTX1401P, paperback; #PTX1401E, ebook)

CPE self-study

  • IT Trends: Supporting Organizational Strategy and Operations (#165616, online access)
  • The Purpose and Management of the Technology and Information Function (#165615, online access)

Online

Conferences

  • Practitioners Symposium and Tech+ Conference at AICPA ENGAGE, June 12—15, Las Vegas
  • Digital CPA Conference, Dec. 4—6, San Francisco

For more information or to make a purchase or register, go to aicpastore.com or call the Institute at 888-777-7077.

Information Management and Technology Assurance (IMTA) Section and CITP credential

The Information Management and Technology Assurance (IMTA) division serves members of the IMTA Membership Section, CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and accounting professionals who want to maximize information technology to provide information management and/or technology assurance services to meet their clients' or organization's operational, compliance, and assurance needs. To learn about the IMTA division, visit aicpa.org/IMTA. Information about the CITP credential is available at aicpa.org/CITP.

SPONSORED REPORT

CPEOs provide peace of mind around payroll services

The creation of these new IRS-certified service providers for small businesses clarifies some issues around traditional professional employer organizations.

QUIZ

8 sentences to help you master subject-verb agreement

When professionals prepare written material for readers inside their organization or outside, they should make sure that no errors distract from the message they need to convey. Take this short quiz for practice in subject-verb agreement.