Technology experts in the accounting space have plenty to say about the assets that organizations should protect from cybercriminals, what Web 3.0 could mean for the profession, and what skills future CPAs will need.
This is part two of a two-part conversation with:
- Amanda Wilkie of Boomer Consulting;
- Wesley Hartman of Kirsch Kohn & Bridge LLP; and
- Donny Shimamoto, CPA/CITP, CGMA, of IntrapriseTechKnowlogies.
The conversation also was turned into a JofA article. The podcast episode of the first part of the conversation was posted May 11. The speakers are scheduled to present at AICPA & CIMA ENGAGE in Las Vegas the week of June 5.
- Previous podcast conversation with Hartman about RPA.
- The 2020 podcast episode that featured tech roundtable participants Wilkie and Shimamoto.
What you'll learn from this episode:
- Wilkie's explanation of "data governance strategy" — using the example of a client with a laptop running old versions of software.
- Shimamoto's assertion that "cybersecurity is a mindset."
- Why a question about digital assets spurred Wilkie to say "get your bucket of popcorn."
- The skills that Wilkie, Hartman, and Shimamoto say will be vital for the tech-savvy CPA of the future.
- More on Hartman's "pick one or two processes" advice.
Play the episode below or read the edited transcript:
— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Neil Amato: Welcome to a special joint episode of the Small Firm Philosophy podcast and the Journal of Accountancy podcast. This is Neil Amato of the JofA, and this two-part episode marks the return of the JofA's accounting technology roundtable, a group that first met 12 years ago with the goal to pass on tech-related knowledge for accountants to put to good use. Three tech experts in the accounting space are featured in this interview.
This is part two of two; the first part was published May 11 and will be linked in the show notes for this episode. Another link in the show notes will be an article featuring the roundtable participants from the Journal of Accountancy's May issue.
Host Jeff Drew is leading off this second episode with a question about cybersecurity, and the first tech roundtable expert to respond is Amanda Wilkie. So, enjoy the second part of the conversation with the three experts: Wilkie, Wesley Hartman, and Donny Shimamoto, all of whom are scheduled to speak at AICPA & CIMA ENGAGE the week of June 5.
Jeff Drew: Donny had mentioned cybersecurity a little earlier in talking about the RPA, and that's definitely a topic we need to touch on, so I'll throw that out to the group. What's the most important thing firms should be doing to protect their data and networks from cybercriminals?
Amanda Wilkie: I'll just say they need to stop doing the bare minimum. That's what they need to stop doing. We hear a lot about multifactor authentication, things like advanced threat protection tools, data loss prevention, these are all tools that if they're not using, they need to be using. These are actually becoming the bare minimum. These are becoming table stakes.
I would also say they need to really look at their infrastructure. If you have an old computer running Windows XP because that's the only computer that this 15-year-old application will run on and we can't get our client to upgrade to a later version, those are threat vectors. People can leverage those. You need to make sure that your infrastructure and your technology is really up to date.
I'd also say that the firm needs to have a data governance strategy. You need to know what data you have, where it is, and have a plan for protecting it. Depending on what you have and where it's at, it may be a different plan, but you need to start documenting those things and then actually executing on those as well.
Donny Shimamoto: Amanda really hits it right. I'm glad she didn't immediately dive into all of the little technical things. Cybersecurity really is, you need to think of it as a mindset. She used the word governance, which I know a lot of people hear that, and they start to go, "Oh, this is for big companies." Actually, it's not only for big companies. It's just that with a smaller business or a smaller firm, it's actually easier to do, but it still requires this mindset that cybersecurity is important and I have to protect my own data or my clients' or customers' data.
Also the other one I was adding, is you also have to protect your employees' data, too, because none of us wants to have a data breach. The two main things I always think about with cybersecurity is one, data breach, and do you have Social Security numbers, bank card numbers, or bank account numbers that you have to protect?
Then the other thing that I always think about what cybersecurity is ransomware. Could something come in and actually cause me to not be able to work? If it's an accounting firm, especially a tax firm, you need to think about what happens if the ransomware hits me right before a deadline? Do I know which returns I need to extend? Am I able to communicate with the people and get access to my data?
The other two terms I'm going to bring in as we talk about this is incident response. Am I ready to respond in an incident? Then the second one is business continuity. Have I thought about how I'm going to operate if I were subject to ransomware and I couldn't get into any of my electronic files? So those are the two additional thoughts I would encourage people to think about as they're thinking, I'm going to use these tools, the tools might be a path in for ransomware or a data breach to actually occur, and are you ready to respond?
One other thing that I think is really important that we bring in, is that there was a change to the FTC Safeguards Rule, and when you read the rule, it says it's financial institutions, but specifically in the rule, it also mentions tax preparers.
Any tax preparers out there are subject to this rule, and the big change that occurred with this recently is that there are now eight different requirements, not optional. Previously, they said, oh, you should do these things, like should. Now it says, you must do these things. Originally, this was supposed to go into effect on December 9th. I think they figured out everyone wasn't ready and so it's been extended, I believe it's until May of this year. Right after busy season, if firms don't have their written information security, haven't thought about incident response, aren't doing proper monitoring of what their IT provider is doing to ensure cybersecurity, they need to get all of these policies and procedures in place.
Drew: Amanda, what's going on with blockchain and digital assets?
Wilkie: Oh, Jeff, I'd say get your bucket of popcorn when it comes to talking about some of the things that's happening in the digital asset world these days. A lot of people have heard about FTX, which is a digital asset exchange that basically imploded last fall, and we're still seeing the ripple effects. When I say ripple effects, that's tens of billions of dollars in ripple effects and other bankruptcies of other crypto exchanges or crypto companies. But something to keep in mind is that FTX was a corporate implosion of poor management and lack of internal controls.
It did not implode because of digital assets or blockchain. But the FTX debacle does have regulators perking up again. We're seeing things like the SEC now looking more closely at some organizations. They recently shut down Kraken's staking operation. That's a large exchange. They said that the way that staking is happening, they should be registered with the SEC because it looks more like a security. So we're kind of back to enforcing old standards and old regulations on this new type of assets. Of course, large VC investors are super skittish, and regulators honestly are still trying to figure out who has agency to oversee digital assets in the entire market. Sometimes we're looking at the SEC, sometimes we're looking at the CFTC. It just depends.
What we're seeing is accounting firms are starting to recoil as well. Some say that they're going to stop doing financial statement audits of crypto exchanges altogether. Some have raised their risk monitoring assessment when taking on new clients in this space. Now, keep in mind, these are usually quite large firms, but that means there's a lot of people getting out of this space in the profession. Also creates some opportunity for firms that want to get into it. I would say overall right now, the digital asset world is a bit of a mess as the dust from the FTX implosion really starts to settle, but I do think that ultimately we'll start to see it stabilize. We're going to get some new regulations out of it, which then the profession will be able to leverage those to really build guidance around and hopefully support digital assets better.
On the blockchain side of things, Jeff, we're not really hearing a lot about blockchain these days, but it's actually stronger than ever because people are starting to realize that blockchain is not an application. It's a platform. It's a building block. Back in the day, no one got excited when things like TCP/IP was released, this was a decades and decades ago, but that's a protocol that is part of the internet's foundation. Now blockchain is fading into the background because it's becoming woven into the foundational networks that we're starting to use and we'll be using going forward, especially in things like Web 3 and the Web 3 universe.
Drew: Can you expand on what is Web 3, which has also been called Web 3.0?
Wilkie: At this point, what I would say, accountants really need to know about Web 3 is they just need to be aware of it. It's another one of those buzzwords that people are starting to talk about, just like hearing the word blockchain or now ChatGPT. Just be aware of what Web 3, Web 3.0 really is. If you think about how the internet started, there was a lot of static text on webpages, you sent a lot of texts back and forth, and then what's referred to as Web 2 or Web 2.0 is when the internet became more mobile first, it was app driven, individuals like you and I could create content through social media platforms, and we saw the sharing economy emerge on top of these technologies. That gave us things like Uber and gave us Uber Eats, Airbnb.
Web 3 is the next iteration. It's a more immersive experience, leveraging technologies like AR or augmented reality, virtual reality, the metaverse, things like that. With that comes the opportunity to build a world that's a bit more decentralized with a focus on privacy and things like self-managed identities. With Web 3, the economy is going to be supported in that universe by things like digital assets and things like NFTs, which we've heard a lot about. Those things are all supported by blockchain. That's where we're seeing blockchain, we're seeing it become part of that foundation. Again, in addition to being aware of what Web 3 is, I think accountants need to be aware of it. They should also start considering how their clients will operate as we grow into Web 3 technologies and how accountants can support and advise their clients that will be operating in that world as well.
Drew: Well with all the transformative changes in technology, and it just seems to be changing faster and faster and more dramatically. Now, what skill sets do CPAs need, both current and entering the profession? Donny, do you have some thoughts on this?
Shimamoto: I think at a minimum, it's an understanding of what the technology can and can't do, so you don't have to become a programmer. You just need to understand some basic, I would say, programming constructs, which by the way, a lot of us will learn that as part of creating these like crazy Excel spreadsheets. I've seen some Excel formulas where I'm like, whoa, how did you even come up with that? There's all these IF statements, but a lot of that actually is used in programming. The whole concept of understanding what programming can do, as well as what it can't do, I think is also very important. Then that's for more of a structured type of stuff, and then the other side I would add to that is the data analytics.
Understanding data, data behavior, this might take some people back quite far, but looking at what we learned in our accounting information systems course, or maybe even just auditing or grabbing a textbook from a current course that you see to get yourself up to speed that covers data modeling, data structures, a little bit of usually SQL or structured query language, which is what you used to get data out of some of the systems and manipulate it. I think those are all really fundamental things.
Drew: Wesley or Amanda, do you have anything else to add?
Wilkie: I'll hop in here. I think from a mindset perspective, curiosity is one of the things that current CPAs really need to have. Like Donny was saying, you don't have to understand how to actually code something, but you need to understand the basics around it. Being curious about the technology is very important and about how the technology is changing. Don't get comfortable with the status quo. Don't get comfortable with any technology because it's changing so quickly.
I think for young people who are still in school or looking to major in accounting, adding a minor or even a double-major in something that's information systems or data science, data analytics, that is going to be a great addition. You don't see a lot of computer science minors, but there are a lot of technology minors that you could add to your accounting major. It's really going to set you up for success in the profession going forward.
Shimamoto: I totally agree with Amanda on that one. I was actually a double accounting, information systems major. I did the double major. Actually, listening made me think of one other thing. Under our professional standards as CPAs, as we look at independence and objectivity, one of the threats to independence and objectivity is this concept of being intimidated by the technology. Another aspect I think we should bring in, especially for the CPAs that are listening, is that you need to make sure under our professional standards, that you're not letting yourself get intimidated by the technology and just believing that what the technology does is the right thing.
How do you do that? Part of that is educating yourself, making sure that you, again, just understand what it can and can't do, also understanding its limitations, like we brought up the artificial intelligence stuff earlier. A lot of people are intimidated by that. But if you take the time to actually understand conceptually, what is it doing, the fact that it can make mistakes, as Amanda said, that you're not just accepting it, whatever comes out and says, oh, I got to go with this, really coming back and looking at it. Because actually even especially in the AI part, there was an accounting professor that actually was doing some testing of ChatGPT, and he checked to see if it could pass his exam.
For the things that were reiterating something from the book, it actually gave good answers and it could do it. When it came down to synthesizing that information, that's where it started to fail. If you think about what we do as accountants, that's more value of what we're doing. It's not just reiterating whatever the standard is, it's how does the standard apply to this specific situation? That's where you use the ChatGPT, use the AI to do the roadwork and then apply your judgment and your expertise and your experience onto that.
Wesley Hartman: I'll go ahead and jump in with some of the stuff and actually extend with Donny with the tools like ChatGPT. Whenever a new technology comes out, there's always going to be people that claim, well, this is going to replace this industry or this industry is going to go in. Sometimes that happens. When electric street lamps came out, gas lamps disappeared and the person going around lighting gas lamps, they lost their job, 100 years ago. But really things like ChatGPT, again, just reinforcing what Donny is saying, they can do these basic things, but it's not going to make accounting go, it's not going to make programming go. If anything, it actually makes our jobs a little bit easier. Like I'll use more on the coding side for ChatGPT.
I can have it build some basic code for me, and that's now code I don't have to build, and then I can really focus on the complicated parts like the API calls and things like that. Just want to reinforce that these AI tools are not going to put the accounting industry or the programming industry out of business. It's really just tools that are going to help them.
Drew: What should be the top technology priority for accounting firms over the next year?
Hartman: I'll jump in and start just because I have one because I was very frustrated with the process for the last two months. The short version: Our engagement letter process is very inefficient, very old school, and by old school, I mean, unfortunately as a technology person, I'm sad to say I was using Excel and Word templates as opposed to using a software to manage our engagement letters. The one thing I would say should be your priority is as you go through, pick one or two processes that are arduous, are a problem, that sort of thing thing, where you actually can realize that this is something I should not be spending my time on. Look for solutions.
I know earlier we're talking about solutions looking for a problem, but on the flip side, you really need to look at your problems and then find solutions for it. For example, for the next year, I'm going to be looking at and implementing a better solution for managing our engagement letters so that the process is streamlined, efficient, and then, honestly, it's something that I don't have to do anymore because then I can give it to admin staff. The reason why I do is because I can manage the templates and the Excel files efficiently, but if I can set up a piece of software and give it to other people to use, that's great. So that's why I say pick a process — one or two, don't try to pick 20. I've found in my experience, you can usually do about one or two big changes a year, mixed in with all the other work you have to do.
Wilkie: I think that's a great recommendation, Wes. I talked to a lot of firms that are having similar struggles with things like engagement letters. I think that's a great process to focus on. My recommendation would be to really focus on your data. If you don't have that data governance plan, work on that, but many of the things that we have talked about, leveraging AI, leveraging automation. You really can't do that if your data is a mess — if you don't know what you have, where it's at, or if your data is in a lot of disparate systems. I would say focus on getting your house clean. By getting your house clean, I mean getting your data in order.
Shimamoto: I like both of your recommendations. I'm hearing process automation from Wesley, data management and insights from Amanda. I'm going to go in a different direction and I'm going to say people technologies. With all the issues that we're having with recruiting and retention, starting to look at the people technologies. We would have called these HR apps in the past, but I'm not talking about processing payroll and doing your old school performance reviews. My firm has been looking at, and well actually, we've been using different tools that help us do things like pulse checks. Every week my team essentially fills out a form, takes them I think between 15 minutes to half an hour. Just telling me how was the week? What challenges are they having?
Is there anything that I can help them with? This is me as their coach or supervisor, helping them through stuff. There is a little bit of goal setting, so what did you accomplish in the last week? What are you planning to accomplish in the coming week? When we talk through it, doing their one on one, so this is the other thing this technology does is it supports doing these one-on-one meetings where you're able to look at, so these were the goals you set for last week, did you accomplish them? Why or why not? The other things that I built into the way that we're using this is our values.
This is how we're starting to create and proliferate our firm's culture. We're completely virtual firm. We have 12 people, and part of the way that we create that culture is we emphasize culture as part of these weekly check-ins that people do. What have you done to give others peace of mind, vision, and clarity and hope? Because those are the three things that we want to deliver to our clients, whether it's an internal client or an external client, and the software also has ways for people to show appreciation to each other. It lets them recognize each other for going out of their way to help something or just being there, and we can actually tag our values as part of this appreciation that we show to each other. If you're really trying to reduce turnover and you're trying to make sure that you're creating a good environment and you know what's going on, I encourage people to look at these types of people solutions.
Drew: Those are all excellent recommendations, so I think we have given firms their three priorities for the year, so we have accomplished that, and we will have one more fun question to close out this year's roundtable. Is there any emerging technology that excites you that we haven't mentioned yet?
Hartman: Are we limited to accounting or can we talk about other cool stuff?
Drew: You can talk about other cool stuff.
Hartman: I'll throw in first, so I'll keep it brief since it's not directly accounting-related, but bio-printing. Bio-printing is the cool thing I've been trying to keep an eye on. But basically 3D printing but for biological stuff and some of the applications they're talking about is like bio-printing transplant organs, is because we have in the world a shortage of transplant organs. Like I said, I'm veering very off course, but if there's an accountant out there who maybe needs something, this technology could be very helpful. It started with bio-printing just like bones, like surgeons would bio-print things before they go in. They take the MRI scans and all that so they could get a physical representation outside the body before going in, and that's now extended into the idea of being able to print organs. They've actually already done some trials and had some success. Not large-scale stuff, but they're very little things.
Wilkie: I'll jump in, and I'll go back to what I mentioned earlier. I don't think we'll be recording this podcast in the metaverse next year. But I am excited about some of the opportunities that Web 3 is going to bring us and things like virtual reality in the metaverse is going to bring us. Being able to meet in a virtual world that is more immersive, that allows us to feel like we're more together. There are studies that are showing that doing training in those type of platforms actually creates more focus. It creates more retention. It actually creates more emotional connection and more empathy as well, so as we are continuing to be more and more remote, I think that those technologies that can bring us together are going to become more and more important, and they're certainly not there yet. But they'll get there, and we'll get there with them.
Shimamoto: That's a cool one. It comes from the IT side, so it's the DevOps technology, and what DevOps technology does, it's used for software development currently. But what it really does is it lets you figure out, what do you need to do to deliver a product in the IT space that's usually software by a certain deadline? I think there's a direct analogy to the product of accounting services, which may be a tax return or a financial statement, or an audit report. What my firm is actually starting to do is we're experimenting with the use of DevOps for advisory services, where our endpoint is usually some type of report, and we're really looking at it and seeing, there's ways that we can adapt this to the way that we provide services as accountants, and that's going to give us a lot of flexibility in terms of scheduling, resource management, expertise management, coordination with outside people.
I hope as I say those words people can start to hear, there's a lot of parallels to what we do in accounting, not just in the advisory space. I think that's one of the next things we're going to see come from a bleeding edge to really mainstream adoption. Because the biggest thing I'm getting asked about this actually last year and still continuing to this year's practice management and workflow. Everyone's still trying to solve those plus scheduling. This DevOps brings in this concept of scheduling and workload management.