On the surface, the results of the 2013 North America Top Technology Initiatives survey, released Wednesday by the AICPA and CPA Canada, show that “managing and retaining data” nudged past “securing the IT environment” to become the top technology priority cited by the nearly 2,000 accounting professionals polled.
Dig a little deeper, and the evidence indicates that the emphasis on data stems at least in part from concerns about the increased security risks caused by the proliferation of mobile devices and the mass movement of confidential information to the cloud. Add to those factors the explosive growth in the amount of data worldwide and the rapid rise in the number and sophistication of cyberthreats to the security of that data, and the result is a situation ripe for security breaches. It’s no wonder then that the survey found increased concern with the prevention of and response to computer fraud and decreased confidence among CPAs in the ability of their organizations to achieve success with their top tech initiatives.
“The challenge is to identify where data resides and moves during the data cycle,” said Steven J. Ursillo Jr., CPA/CITP, CGMA, principal and director of technology and assurance services for Sparrow, Johnson & Ursillo, a Rhode Island-based accounting firm that also provides technology and security audits and consulting. “It’s very challenging to govern all of that.”
This article looks at the results of the 2013 North America TTI survey and the implications for public accounting firms, businesses, and other organizations.
The Survey: U.S. vs. Canada
The 2013 North America TTI survey was a joint effort of the AICPA and the Chartered Professional Accountants of Canada (CPA Canada). In the United States, the AICPA surveyed nearly 1,700 of its members from Feb. 12 through March 6. In Canada, CPA Canada surveyed more than 200 of its members from Feb. 14 through March 5.
Asked to prioritize the importance of their employers’ and clients’ 2013 technology initiatives, the U.S. CPAs and their Canadian counterparts responded with the same top two answers: managing and retaining data; and securing the IT environment (see Exhibit 1).
There were some notable differences between the U.S. and Canadian respondents. The poll found that the Canadian chartered accountants placed more emphasis than U.S. CPAs on using technology to enable decision support and analytics and on managing their IT investments and spending. The U.S. respondents gave greater weight to managing IT risks, ensuring privacy, and, most notably, preventing and responding to computer fraud.
CPA Confidence Slips
The U.S. CPAs surveyed were less confident than their Canadian counterparts of the ability of their organizations to achieve their top technology initiatives this year (see Exhibit 2). The CPAs also were less confident than respondents were a year ago, when securing the IT environment ranked as the top concern in the U.S.-only Top Technology Initiatives survey (see Exhibit 3). Last year, 60% or more of U.S. respondents said they were confident or highly confident that their organizations would prevent and respond to fraud; successfully manage and retain data (61%); secure the IT environment (62%); ensure privacy (62%); and manage IT risk and compliance (65%).
This year, the highest level of confidence was 55% (for managing and retaining data). Why did the U.S. confidence levels drop?
“My gut feeling is that there is actually more awareness of the issues and challenges in all of these areas as a whole,” said Donny Shimamoto, CPA/CITP, CGMA, managing director of IntrapriseTechKnowlogies LLC, and chair of the AICPA Information Management and Technology Assurance Executive Committee. “The decline in confidence levels may mean professionals are making more knowledgeable assessments of the ability of organizations to achieve technology goals. These goals are within reach, but organizations must have the focus, commitment, and drive to achieve them.”
Data management and information security are the only two initiatives to produce confidence ratings higher than 50% in the U.S. survey, but a look at the responses to individual questions reveals wide differences in opinion. On the positive side, CPAs exude confidence in their organizations’ data retention, cost management, and data backup and restoration policies. Similarly, most CPAs are confident in their organization’s policies and protections for internal networks and servers.
The confidence level plunges once outside the firewall. Only a third of U.S. respondents are confident or highly confident that their organizations have properly protected all mobile devices (laptops, tablets, mobile phones, etc.) to prevent a data breach. Similarly, only 33% of U.S. respondents have confidence in their organizations’ ability to quickly detect and respond to a cyberattack, and less than 40% believe their employers have “considered all of the relevant vulnerabilities and threats pertaining to IT, including those related to emerging technologies like cloud computing, mobile technologies, and social media.”
The CPAs’ concerns are understandable. News of successful cyberattacks on companies and government agencies worldwide, including several cloud-computing providers, has increased dramatically over the past couple of years. Cybercriminals have leveraged an intimate knowledge of data flow and a slew of sophisticated malware-building techniques to design attacks that have compromised data in myriad ways, including the theft of money through falsified automated clearing house (ACH) and wire transactions and the delivery of malware to social networks, where a variety of viruses can infect employee computers, then gain access to corporate networks and even cloud-based confidential data.
“Years ago, nine out of 10 corporate frauds were inside jobs,” Ursillo said. “The big theme we are starting to see carried out is that it’s when you are going to be attacked, not if.”
The Data Dilemma
The front lines in the war against cybercrime have moved to the cloud, because that’s where most of the world’s data is. And it’s data that creates incentives for security threats, said Dan Schroeder, CPA/CITP, a partner with Atlanta-based accounting and consulting firm Habif, Arogeti & Wynne.
“In its most simplistic sense, security threats exist because data exists, is accessible, and has value,” Schroeder said. “So, no data, no security problem.”
Of course, no data is not an option. Instead, the amount of data is growing at a 60% annual clip, a pace projected to continue for several years, Schroeder said.
That growth makes it imperative that public accounting firms, businesses, and other organizations know where their data and their clients’ or customers’ data is stored, moved, and processed. This can be easier said than done when using cloud-based software, infrastructure, and/or computing platforms. Such subscription-based services can offer anytime, anywhere connectivity, and access to clients and technology resources previously out of reach due to geographic and cost barriers. The downside is that organizations that leverage the power of the cloud must also manage their data in the labyrinth of servers and networks, providers, and threats that make up the internet.
“Very few businesses have formalized data management practices commensurate with their data assets,” Schroeder said. “For that matter, very few think of data as an asset.”
CPAs and their organizations need to understand that not all data is of equal value and that trying to provide equal protection to all of an organization’s data is prohibitively costly or ineffective, or both, Schroeder said. “There is an adage that if you protect toothbrushes and diamonds the same, at the end of the day you will have more toothbrushes and fewer diamonds,” he said. “Businesses need to understand which of their data is like toothbrushes and which is like diamonds, and apply security controls commensurately.”
The Big Asset Challenge
Data is generated by sources as diverse as websites and social media networks, emails and texts, voice and video files, and innumerable business transactions and processes. The development of faster computer processors and software applications has made it possible for organizations to aggregate and analyze large amounts of data, or big data, to uncover patterns and other insights that can help drive better, and quicker, business decisions.
The proper mining and application of data, big and small, can create great value for organizations, but only if they know how to manage it. Organizations that implement strong data management policies can leverage data to increase productivity, control costs, or improve the effectiveness of their marketing and sales efforts. Failure to handle data correctly can lead to poor business decisions based on bad or incomplete information, the loss of crucial information due to security breaches or improper storage, or even regulatory or legal problems.
To mitigate those risks, organizations need to develop a strategic plan to ensure that they meet internal, legal, and compliance-related requirements for data retention and usage. Organizations also need to vet vendors and their own security procedures to provide as much protection as possible to their confidential corporate and customer information.
The results of the 2013 North America Top Technology Initiatives survey show that U.S. and Canadian accounting professionals recognize the importance of data management and security efforts with their employers and clients. The U.S. results show that CPAs are aware that their organizations might not be as prepared as they had thought to protect their far-flung data and mobile assets in a rapidly expanding galaxy of cyberthreats and criminal activity.
Organizations that employ best practices for data management and security can lower their risk of a data breach but by no means eliminate it. Given that reality, organizations need to implement cyberattack detection and response procedures that fulfill all regulatory, legal, and competitive obligations for the stewardship of confidential customer information. Those public accounting firms, businesses, and other entities that can minimize data and security risks while maximizing the value of their data assets will have a competitive edge in the marketplace.
Jeff Drew is a JofA senior editor.