A CPA’s Guide to the Top Issues in Technology

EXECUTIVE SUMMARY

EACH YEAR, THE AICPA’s INFORMATION TECHNOLOGY team assembles a group of tech-savvy CPAs to identify the topics it believes will most affect the profession, its clients and employers. SECURITY AND PRIVACY are two of the group’s top technology issues for 2001, reflecting concern that existing measures are not fully safeguarding online systems and confidential data, such as health records and tax returns, from hackers and other intruders. Adequate resources and enlightened leadership are necessary to protect these resources against unauthorized use. ADVANCES IN TECHNOLOGY are making it easier to gain access to information and systems functions anywhere, any time, through phones and lightweight computing and communications devices with wireless capabilities. FASTER, CHEAPER AND MORE ACCURATE financial reporting is now possible because of eXtensible Business Reporting Language (XBRL), which stores data in standardized formats, simplifying its retrieval and reducing ambiguity in financial reports. ACCOUNTANTS NEED TECHNOLOGY TRAINING that focuses on developing the skills they must have to achieve their clients’ and employers’ business goals—not on learning how to perform complex tasks best left to information technology specialists. APPLICATION SERVICE PROVIDERS will, for a monthly fee, give you Web access to business programs they maintain on their own systems. Clients of ASPs should perform due diligence to ensure the safety of data they store in such applications and to understand the service level agreements that govern the provider’s responsibilities.

SCOTT H. CYTRON, ABC, is president of Cytron and Co., a public relations, marketing and communications firm based in Dallas. ROBERT TIE is a Journal senior editor. Mr. Tie is an employee of the American Institute of CPAs and his views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.

n the early 1980s, when desktop computing and communications capabilities became affordable, practitioners began to realize that understanding basic hardware and software—PCs, modems and spreadsheets—would give them a competitive edge. Since then, the potential rewards for technological proficiency have mushroomed. Not only has technology become a popular practice niche for CPAs who understand it and keep up-to-date, but it also has made life easier for practitioners in all specialties and generally improved their ability to handle multiple tasks simultaneously.

For example, convenient and economic communications systems now enable CPAs on the road to work closely with home office colleagues and achieve several goals at once. Frequent business traveler Michael W. Harnish, CPA, chief information officer of Oak Brook, Illinois law firm Dickinson Wright PLC, uses such technology extensively. “Wireless and mobile technologies give me cheap, convenient phone and Web service,” he says, “enabling me to be in two places at once—an essential survival tool for any CPA today.”

And just in time, because CPAs need to get more done without compromising on quality. The challenge, however, is understanding and addressing the complicated issues that inevitably accompany the new technologies.

Twelve years ago, the AICPA’s information technology team convened a gathering of technology-focused CPAs to identify new ways practitioners could improve their services, boost efficiency and control costs. Each year, the group releases a list of technology-related issues, such as information security and control, that it believes will have the greatest impact on CPAs, their clients and employers as they begin to use new technological products and services. (See “E-Business Tops Tech Priorities for CPAs,” JofA , Mar.00, page 20. )

In the following pages, members of the group—CPAs who work closely with technology in small, medium and large firms, as independent consultants and in education—explain why, during their most recent gathering, they chose the following 10 issues as the most important ones affecting the profession and its use of technology.

PROTECTING YOUR MOST PRECIOUS RESOURCE:
INFORMATION SECURITY AND CONTROLS

With the courts showing little sympathy for organizations or individuals who fail to adequately safeguard their clients’ confidential personal information, it’s easy to see why the group chose this as the most important issue related to current technology. CPAs skilled in this area can help their clients and employers manage risk and avoid litigation resulting from theft, viruses and other breaches of their systems’ security.

Although electronic tools and procedures play a central role in ensuring that only authorized individuals have access to the information contained in any computer system, individual behavior also figures strongly in the effectiveness of any security structure. Carol A. Langelier, assistant director of the GAO’s accounting and information management division in Washington, D.C., knows this well. “The human problem is the biggest one,” she says. “People don’t do even the simple things they should, such as keeping their passwords confidential and making sure they aren’t easy to decipher.”

After breaking into a large system, a hacker can easily copy datasets containing thousands of user passwords, each providing access to an array of systems capabilities and information. Often it doesn’t help much if passwords are encrypted or converted into an apparently unreadable coded format. Using software available for free on the Web, hackers can decode 90% of encrypted passwords.

But a simple precaution can frustrate them, Langelier reports. The 10% of encrypted passwords that resist deciphering typically consist of random series of six or more characters, including numbers. “So,” she advises, “it’s worth taking time to be creative.”

For their part, systems administrators should concentrate on using two powerful processes at their disposal, says Everett C. Johnson, international director of enterprise risk services in Deloitte & Touche LLP’s Wilton, Connecticut office. “Electronic authentication ensures that only the right people gain access to systems and information,” he says, “by making users prove they are who they say they are—no longer just by passwords, but also by more advanced means.” Sophisticated systems that can recognize a user’s voice, retina or fingerprint are examples of such technology.

And once a user is admitted to the system, his or her movement through it must be managed. “That’s where electronic authorization comes in,” Johnson says. “The system ‘authenticates’ each user’s system rights as contained in his or her user profile and then grants access only to the data and systems capabilities that person is authorized to use.”

WORKING THE WEB FOR PROFIT:
E-BUSINESS

Despite the hype surrounding business-to-consumer electronic commerce, most online business takes place between companies, and each day more of them become aware of the potential benefits business-to-business (B2B) e-commerce offers.

John D. Woodburn, a principal of the Woodburn Group, a St. Louis Park, Minnesota, consulting firm specializing in online financial and business information systems, is excited about the e-business consulting opportunities for CPAs he sees coming from the proliferation of large Web sites known as B2B exchanges.

By creating online communities where businesses can meet each others’ needs, he says, B2B exchanges dramatically increase the efficiency of countless paper-based processes. (For more on B2B exchanges, see “The B2B Virtual Bazaar,” JofA , July00, page 26. )

If properly managed, Woodburn says, such exchanges can be especially valuable to small and medium size businesses by offering them otherwise expensive access to convenient communication with suppliers and other businesses and enabling them to lower processing costs and reduce reliance on large, nonearning inventories.

CYBER BOOKS:
ELECTRONICALLY BASED FINANCIAL REPORTING

One of the most important events in 2000 was the introduction of XBRL, which makes it possible to consistently define and format data elements, enabling software to manipulate them more quickly and accurately, thus reducing the chance of errors and ambiguity in corporate financial reports.

“The effective use of XBRL is based more on successful agreements between users and providers of information than it is on technology,” says PricewaterhouseCoopers’ XBRL project leader Eric E. Cohen of the firm’s Rochester, New York office. “Computers require consistency, but people need the freedom to vary the formats in which they view information. One of XBRL’s strengths is that it satisfies both these requirements.”

For more information on the benefits of using XBRL, see “Finally, Business Talks the Same Language,” JofA , Aug.00, page 24.

PRESERVING CONFIDENCES:
PRIVACY

“Privacy and security go hand in hand,” says the GAO’s Langelier. “Without the proper controls, you have no privacy.” But protecting information without inappropriately restricting its use is a delicate task. On one hand, government agencies, companies and firms must maintain adequate security systems, procedures and staff to prevent and recover from system disasters, to keep out hackers and to ensure that otherwise legitimate users do not enter systems or perform functions for which they are not authorized. But within these limits, systems also must offer legitimate users the freedom and flexibility they need to find and manipulate information quickly and easily.

To augment its audits of agencies’ security systems, Langelier says, the GAO developed a hierarchy of essential security principles that guide agencies’ efforts to preserve the privacy of the personal information they collect. CPAs on privacy consulting engagements should ensure their clients have similar resources to draw on after the engagement ends.

A BASIC NECESSITY:
TRAINING

Businesses can derive many benefits from knowledge management (KM) systems, which allow an organization to collect and integrate internal and external information, then make it easily available to its staff members, who use it to help the group achieve its goals. “Systems are only as good as the technology and people behind them,” says Gary S. Rushin, a technology consultant from Leesburg, Virginia. So, if an organization funds and implements such a system, it only makes sense to train staff in its effective use.

But where should such training begin? Is it reasonable to expect educational institutions to give accounting students more instruction in technology? Charles E. Davis, associate professor of accounting in Baylor University’s department of accounting and business law, says educators grapple with this issue constantly. “What entry-level skills are we trying to develop in an accounting undergraduate?” he asks. Consider, for example, the impact of XBRL on accounting. Davis says that instead of studying XBRL coding, students need to understand XBRL’s effect on Web-based financial reporting and e-business.

“Which is better to have—pure technical expertise or the ability to adapt to technology?” His answer: the latter. “What students really need is an understanding of how technology interacts with accounting.”

PREPARING FOR THE WORST:
DISASTER RECOVERY

Mary R. MacBain, an information technology (IT) consultant from Lenexa, Kansas, finds that owners of small businesses often fail to take simple, but effective precautions. “They prefer to store and back up their data files themselves,” she says. “But a good share of them have never tested their backup tapes, and some don’t even have the software they need to restore data from their tapes.”

The remedy applies to companies and firms of all sizes. “Whether you’re a sole practitioner or a member of a 15-person firm networked on a server, you should back up your entire system daily and store the tapes off-site,” says Roman H. Kepczyk, president of InfoTech Partners North America, Inc. in Phoenix, which provides advice on disaster prevention and recovery.

“And back up the data in a way that will be convenient to work with when you need to restore it,” he adds. “For example, put all your client files in one master directory. In a crisis, you won’t want to be spending hours searching through several backup tapes to locate an important file.”

Kepczyk also recommends preparing a detailed disaster recovery plan and updating it regularly. “If you need help creating a plan or setting up your backup system, find a company that supports your software,” he advises, “and have your tech staff take close note of how the specialist configures your system.”

AN EFFECTIVE WORK FORCE:
QUALIFIED PERSONNEL

Attracting qualified systems professionals is only half the battle, says Michael S. Kridel, a partner specializing in litigation and consulting services for Daszkal, Bolton, Manela, Devlin & Co. in Boca Raton, Florida and manager of his firm’s IT staff. He knows that in today’s competitive employment market, firms that don’t keep their high-tech employees happy will lose them.

“The rule of thumb is one IT person for every 20 users,” Kridel says, “but many firms are reluctant to hire staff who can’t generate billable hours.” Kridel, however, says his IT team boosts the bottom line by supporting those who can.

KEEPING SYSTEMS UP AND RUNNING:
QUALITY OF SERVICE

“Technology gives us a set of tools that can expand our ability to serve our company or our client,” says Wayne E. Harding, business development director of the AICPA’s cpa2biz Web portal. “What we have to do is pick the right ones and learn how to use them.”

Until recently, finding the right tools has been a trial-and-error process that can quickly become expensive. But help has arrived in the form of a new service that makes it possible to try out software without buying it. For a relatively modest rental fee, application service providers (ASPs) offer convenient access to a wide variety of programs on their servers.

Attractive as such arrangements can be, though, Harding advises ASP clients to prepare for the worst-case scenario. He foresees rough going when, inevitably, some ASPs go out of business during market consolidations and other times of disruptive change. That’s why he says CPAs need to focus their clients’ and employers’ attention on the all-important service level agreements—contracts that spell out exactly what happens to ASP clients’ access to services and their data in times of crisis. (See sidebar, “All About ASPs,”below.)

THE NEW EVIDENCE:
ELECTRONIC AUDIT TRAIL

Electronic evidence is a component of the electronic audit trail, which is Kridel’s specialty. Typically, when a court issues a subpoena for documents, it specifically demands all related electronic data. “That’s a problem for companies and firms that don’t know how to deal with potentially incriminating material. For example, few understand what happens when they press the delete key to erase a file; the file is no longer visible to the user, but remains intact until fully erased by a special type of software. So, it’s a simple matter to restore it.”

In fact, Kridel says, electronic evidence is almost everywhere—on desktop PCs, network servers, notebook computers, tape backup systems and, now, on devices such as Web-enabled cell phones that interface with company servers, PDAs that store e-mail and even in digital cameras that store images.

To be sure of their legal rights, responsibilities and exposures, Kridel advises CPA firms to consult an attorney who specializes in IT litigation, to meet with their errors and omissions insurer and to review their firm’s practices and procedures for creating, storing and distributing important information.

WORKING THE WEB FOR SAVINGS:
APPLICATION SERVICE PROVIDERS

While application service providers (ASPs) have become one of the most significant new developments in technology, they come with their own set of complications, including the service level agreements discussed above.

ASPs can relieve companies of burdensome and expensive administration and staffing responsibilities by giving them fee-based Web access to business-critical databases and other software applications related to accounting and finance, enterprise resource planning, manufacturing, human resources, sales and many other industries and professions. (See “Technology for the New Millennium,” JofA, Apr.00, page 22. )

Cpa2biz’s Harding says CPAs need to make sure their clients understand what kind of service their ASP offers. “Be sure you understand the difference between Web-based and Web-enabled applications,” he says. (See sidebar, “Which Web Application Is Which?,” below.)