Tech talk: What CPAs need to know

Experts weigh in on smartphones, tablets, PCs, cloud, cyberthreats, and more.

Tax Code modifications and new FASB rules aren’t the only changes that CPAs have to concern themselves with these days. Whether it’s the security of clients’ data, the implications of migrating to the cloud, or the uncertain future of the once-venerable desktop, rapid technological transformation continues to generate new challenges and opportunities for accounting professionals.

What do CPAs need to know about big data, bring your own device (BYOD), malware, mobile computing, and any number of other technology issues? To find out, the JofA for the second straight year assembled a trio of top experts to provide answers.
Participating in the round table were:

  • David Cieslak, CPA/CITP, a principal with Arxis Technology.
  • Randy Johnston, executive vice president at K2 Enterprises and president of Network Management Group Inc.
  • Rick Richardson, CPA/CITP, founder and CEO of Richardson Media & Technologies.

JofA Senior Editor Jeff Drew: What’s the most exciting technology trend or development in the accounting space?

Johnston: It has to be mobility-enabled platforms. When you consider at this point that pretty much 100% of the smartphones and tablets that I would recommend didn’t exist midyear of 2012 and that the vendors who are writing applications are really learning how to make these things work effectively, there is an awful lot of change even for those people who think of themselves as just going to the office and going home, and not really working mobilely.

Cieslak: Folks are just so in love with their mobile devices, and that’s really helping push cloud, because the cloud is how we’re going to better access the data from these devices. In the same way, cloud is such a smart way to look at how we’re going to work with IT going forward.

Richardson: Probably the most exciting thing that’s happened, at least in terms of acceptance across the mobile space, is BYOD. The concept of bring your own device has changed the relationship of partners, managers, and staff with their IT departments or those responsible for managing and planning their IT departments.

Drew: Which of the many available devices will show the most staying power, and which ones will make the biggest impression on the accounting profession?

Richardson: First and foremost, the desktop’s not going away. We have a transitional period of several years in which the desktop is going to continue to play a terribly important role in most every practice in the country.

That said, the majority—particularly of our younger staff and those we’re going to be looking to hire in the next few years—are going to expect to be able to get to the data produced by those systems with mobile devices.

 If I had to pick a technology that I thought might wane, it’s the traditional laptop. I think being squeezed out by both Ultrabooks and tablets, the laptop’s going to have a hard time finding a space in this new world.
One of the more exciting things I’m waiting to see is some of the tier-two and tier-three firms (those with more than 60 employees) beginning to develop their own custom applications in the mobile space. These apps are not that difficult to create, and as the firms start realizing they can provide differentiation in their service to clients by the products that their professionals carry on their portable devices, we may see some exciting new things happening in that vein.

Johnston: A good way to think about a lot of technologies is that it’s not an “either/or,” it’s an “and.” And so we can look back and say, mainframes are still around, and mini-computers are still around, and so forth. So, what happens is we just have additional tools. Now, we may choose to eliminate a few over time, but I think we’re going to continue to add tools for a while.

Cieslak: When you think about technology, there’s certain technology you’re going to want to have available when you’re sitting down and working away diligently, whether it’s on a tax return, or something audit related, or working on spreadsheets and so forth.

And so, we’re seeing more and more firms go with three monitors. They’re really trying to make that a rich experience when someone’s sitting down. At the same time, what’s the grab-and-go technology? What is it they take with them when they get up from their desk? The tablet, the mobile devices, their smartphones, and so forth. So really, it’s not a one or the other, it’s both. 
Drew: What are the biggest security threats on the technology front, and what should accounting firms and CPAs be doing to protect themselves?

Cieslak: What we’re finding in the security world is that some of the malware has gotten so darn good that even with what we’ve always thought were good security measures in place, it’s just blowing right through that stuff.

And, candidly, cloud comes right into play, because we’re not worried about infected local workstations infecting servers and other workstations within the office. So, instead, if our applications, our data are out in the cloud, they’re hosted, and we’re accessing them via a web browser, which isn’t going to pass any of that malicious code back and forth by design, as it were. It’s creating an almost more secure working environment.

We need to evaluate (cloud vendors’) security profile and what steps and measures they’re taking, but most of the big name ones are going to be doing a much better job of backing up, having redundancy, being able to restore or fail over (automatically switch to a backup server when a main server becomes unavailable), in the event that needs to take place. These are military-grade-based facilities with armed personnel, as it were. I’m looking at it and going, “Who can claim something similar in their own internal IT infrastructure?” And the reality is nobody.

How does this (malware) make it to the desktop? The whole notion of spear phishing (a targeted, social engineering attack) is really just getting so darn good, and I don’t care what spam-filtering tools you’re using—one or two or three make it through … to the desktop, and we just can’t resist clicking through.

Just this morning, I was reading something from a bank saying my PIN had changed, and I’m going, “Well, that’s a bank I use, and nobody changed the PIN.” And it’s personalized to my name, so, of course, why wouldn’t I click through there, because potentially, I’m concerned. I’m going to want to address what I think is a problem.

Johnston: David, you are spot on with the sophistication of these attacks. It is appalling how bad they are. In our experience in 2012, we’ve not been in a CPA firm or a bank, which are our two areas of expertise, where there are not infections present.

Drew: What can we be doing to protect ourselves from these kinds of social engineering attacks?

Johnston: Well, right now the best practice, unfortunately, is not to click through messages, but that is so hard to ingrain in people, and once in a while you just forget while you’re working, and you click through anyway. And I don’t want to overstate the problem, and it is disruptive not to be able to click through. So, perhaps for a trusted source, maybe that’s not so much of an issue, but for something that’s got any question in your mind, you’ve got to have that little mental trigger that says, “Whoops. Stop. Let’s go someplace else.”

Cieslak: Often, we see the most virulent problems on older machines, running older operating systems like Windows XP. And once infected, these susceptible, older machines have to be reformatted to remove the malware. So my advice is to discontinue using Windows XP and move all machines to Windows 7, or maybe even Windows 8, which are both more secure versions of Windows.

Making certain to not (give) local users admin rights over their own machine—that’s another key step that folks can take to afford added protection.

Richardson: One other thing I would add, we’ve said for a long time that one of the neatest parts of the whole concept of mobile, and the cloud, and all of this is that we’re starting to see a blend of personal and business, friends and colleagues, but the lines get much more blurred, particularly with the BYOD, and allowing somebody to bring their own device, and having potentially both personal and company business on the same box.

In the cloud, you have similar situations, and one of the things a practitioner has to do is realize the difference between what I’ll call a commercial cloud service and a cloud service that’s designed for enterprise security. So take, for example, something like Dropbox. I don’t mind using that for sharing my pictures of the grandkids at the soccer game with the rest of the family. But that’s entirely different than ever using Dropbox for, let’s just say, exchanging (Form) 1040 tax return data.

And so, understanding the difference between cloud offerings that are clearly commercial, clearly designed for personal use of data that may or may not ever need to be husbanded, and the kinds of stuff that are required, the controls required by a CPA to communicate with his client, we have got to be careful of both of those.

Drew: What are some specific vendors that CPAs should know that they may not have heard of before that can address some of these security concerns regarding file sharing?

Johnston: We’ll start with small (and) inexpensive, but (what) I believe to be secure classes of products. Something like Ziptr might be a candidate. Somebody like SnapCrowd might be a candidate.

(Ziptr) is a combination of encryption, collaboration, and file transfer. It’s got those three elements together. SnapCrowd has a lot of those same elements together. ShareFile would be another one that we know to be good in file transfer and encryption. RPost would be another one that would be good at encryption of email and digital signatures.

Cieslak: I would tell you that, in addition, I don’t know that I heard Randy mention LeapFILE. That’s one other that came to mind as he was going through his list there.

Richardson: We talk about the fact that these lines get blurred relative to personal and business. One of the other things that firm management needs to do is be cognizant that some of the products that their individual practitioners or staff are using may not be using data, if you will, that we would consider to be firm private data, but it just may be directly related to all of the stuff they deal with with their clients. And part of that work flow automation could be just getting rid of paper.

I think of my absolute favorite, all-time, die-for product: Evernote. And Evernote as a product has brought out a version for business … and it looks like they’re starting to realize how much of a secure environment they need to provide in order to make this a true business service.

As a personal service, Evernote meets every need I have, but if I’m now a staff senior in an accounting firm, and I’m the guy handling, let’s say, 10 different auto dealerships, and I’ve got a whole bunch of data about those dealerships, and I happen to conveniently put (the data) into Evernote, because that’s where I keep everything else, haven’t I now contaminated that with data that we ought to be worried about whether it’s secure or not? The answer is probably yes, but we aren’t necessarily thinking through how that’s happening.

Johnston: And if we go back to the big boys, and we’ll pick on Google as an example, although I could say it about a number of other providers, they’re analyzing their data using big data techniques, looking at all email, looking at files that are stored in Google Drive, to help provide personalized search results when you use the Google search engine.

And, in effect, they might—you might say they’re violating the confidence of that data, but if we have team members who … put out client confidential information or intellectual property in one of these public stores, you could have your firm in a compromised position caused by an employee not really thinking it through, much like the Dropbox employee who stored all the user IDs and passwords in his own Dropbox account, and then accidentally exposed it to everyone publicly.


Johnston: We’ve talked about a lot of different technologies, and there are many more we have not discussed that are important, as well. Remember, the right thing to do is have a business plan, strategy and tactics, and back that up with an IT strategy and set of tactics. Keep your vision focused on the client experience, and consider the many different technologies that are becoming available to solve the problems.

Cieslak: You absolutely want to be understanding of what’s coming, how it could impact you, and embracing it in a meaningful time frame in order to bring about a new working model so we ensure the ongoing health of the organization.

Richardson: The firms that are going to be successful in the next five to 10 years and are going to have incredible opportunities for both increased profits and client service are the ones that involve the youngsters in the firm. Don’t leave them out. Make them an integral part of this overall rethink.

Cloud Coverage

A recent survey of 624 AICPA members in public accounting found that 11% of the firms were operating completely on cloud-based software, platforms, and infrastructure. Another 33% reported using business-grade cloud options, while 46% said they had no plans to move to the cloud. The remaining 10% of respondents said their firms are planning to use cloud services (see “Most CPAs See Role in Helping Clients Adopt Technology, AICPA Survey Finds”).

Is your organization still deliberating the merits and drawbacks of using cloud technology? The technology round-table experts addressed some of the key issues. Here is a quick rundown of what they had to say:

David Cieslak on how the cloud can change your business model: Those business model changes are both a combination, I think, of internal (and external). So, it gives us, obviously, a distributed workforce option. So, that’s an internal aspect of it. But then I think it’s also really important to say what kind of opportunities does that open up for us externally? And so, we’ve got clients that we can serve in a different way, and maybe even provide a different kind of service to our clients, leveraging the cloud (for) desktop-to-desktop interacting, presentations, and meetings.

Rick Richardson on overcoming security concerns regarding the cloud: Part of what practitioners have a problem with in the cloud today is the distinction between control and security. They’re very comfortable when things are on-premise and they see the server. They can lock it in a closet. They know it’s there. It’s not going anywhere. Nobody’s getting the Social Security numbers of my taxpayers, period.

Of course, that doesn’t mean somebody can’t come in and blow the door down and take the whole machine away. So, from that perspective, it may or may not be secure, but it certainly feels like better control from a CPA’s perspective. Getting comfortable with the control side of life in the cloud is a maturation process for today’s CPAs. They just have to get into (the cloud) to realize and understand what it can and can’t do, and be prepared to deal with it like all the other things they’ve had to deal with.

Richardson on how the cloud will affect firms’ ability to attract and retain talent: I just got through reading an MIT technology review survey on the 20- to 35-year-old professionals in accounting, law, and medicine. And they found that 66% of these guys want to use any device they have to access the data they need to perform their work. Second, they’d take less money if they had more flexibility in how they did their work and what they used in the way of mobile devices. And third, 60% of them said they did not think it was necessary to be in an office to be productive.

So, if we didn’t think the world of the younger professional was changing and the attitudes were changing, hearing some of that data just drives the point home. We need to be out there rethinking, either collaborating with other firms or bringing in firms whose primary job it is to reassess work flow, and see how we can both increase our productivity and hopefully by that increase profit.

Randy Johnston on the vendors who could provide cloud services to CPAs: In the CPA firm world today, the common ones would be Cloud9 Real Time, InsynQ, Real Time Data Services, Cloudvara, (and) xCentric.


The rapid development of mobile devices, cloud computing, and bring your own device (BYOD) are the top technology trends impacting the accounting sector. A slew of new smartphones and tablets is pushing the adoption of cloud computing and BYOD programs and giving CPAs greater access to the data they need and more choices in the technology they use.

The rise of mobile devices does not yet signal the demise of the desktop, but it could result in an erosion of the laptop’s place in the tech landscape. With the surge of tablets and the potential growth of Ultrabooks, the laptop could be squeezed out by lighter-weight competition.

Hackers and cybercriminals have become so proficient at developing sophisticated malware and designing social engineering schemes that even the best security systems can be breached. Organizations and individuals can mitigate the risk of cyberattacks by discontinuing the use of Windows XP, making greater use of the cloud, and educating workers about the hazards of targeted email attacks such as spear phishing.

CPAs need to understand the difference between cloud services aimed at individual users and cloud services designed with the enterprise in mind. It’s important to know how strong the cloud providers’ data security and privacy policies are and where and how sensitive information is moved, stored, and processed in the vendor’s servers.

CPA firms need to develop a technology strategy and implement it in their business plan. The tech strategy should be focused on the client experience.

Jeff Drew is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at or 919-402-4056.


JofA articles


Practitioners Symposium and Tech+ Conference in partnership with the Association for Accounting Marketing Summit, June 10–12, Las Vegas

For more information or to make a purchase or register, go to or call the Institute at 888-777-7077.


Quantum of Paperless Guide, (available to only Private Companies Practice Section members)

Information Management and Technology Assurance (IMTA) Section and CITP credential

In an effort to better recognize and support the breadth of its members’ professional duties and responsibilities, the AICPA changed the name of the Information Technology Section to the Information Management and Technology Assurance (IMTA) Section. The IMTA division serves members of the IMTA Membership Section, CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and accounting professionals who want to maximize information technology to provide information management and/or technology assurance services to meet their clients’ or organization’s operational, compliance, and assurance needs. To learn about the IMTA division, visit

Where to find August’s flipbook issue

The Journal of Accountancy is now completely digital. 





Better decision-making with data analytics

Data analytics has become a hot topic, but many organizations have not yet managed to understand its potential, let alone put it to work. This report will take a deep-dive on how to best introduce or enhance the use of data in decision-making.