CPA concerns growing over privacy and security issues

by Seth Fineberg

Las Vegas - As CPA firms and their clients become increasingly mobile, safety and security issues have moved rapidly to the forefront of the profession’s concerns - joining such front-burner issues as the Sarbanes-Oxley cascade and audit fraud.

As evidence of the omnipresent concern over safety and security, the recent American Institute of CPAs’ 2003 Information Technology Conference featured several well-attended sessions that were devoted to supplying CPAs with practical information and tools to address current privacy and security concerns.

“The temperature is rising, and attendance in those sessions was a good indicator,” said David Cieslak, a principal of Encino, Calif.-based technology consultant and reseller ITG and moderator of two security-related sessions. “More specifically, as firms look more to mobility, they see how easily security can be compromised. People are realizing that they can no longer take a reactive approach” to security.

Cieslak hosted two full sessions dealing with the general and specific concerns of assessing firm and client security.

“Most everyone I spoke to gave me their situations, and asked what they need to be concerned about,” Cieslak said. “The common theme was mobility. For instance, most people have routers but don’t even turn on the limited security that is there and unwittingly share their network.”

In addition to keeping up with the latest update patches and installing firewalls and routers, Cieslak discussed the new California legislation (S. 1386) that requires anyone who has a business or conducts business in California to notify customers and the state of any unauthorized access to personal data.

In other words, if a firm’s database is hacked or there is any form of security threat, they are now required to inform their clients and the state of this activity or face fines.

According to Cieslak, the ruling is just “the tip of the iceberg,” as other states are likely to adopt similar legislation in the future. His firm is one of many that are becoming known for making security risk assessment a profitable business.

Baton Rouge, La.-based CPA Lisa Traina, who develops information security programs for banks, admits that privacy and security are big investments for CPA firms, but ones that are worth the time and training.

“Nobody knows what compliance is just yet - we are figuring it out as we go - but it is clear that clients will look to their CPAs more,” said Traina, who also hosted a session on privacy at the confab. “It’s a great business opportunity for them, but they have to look inside their own shops first before helping others.”

Meanwhile, Tony Delevati and his Woodland, Calif.-based CPA firm, Ullrich Delevati, are addressing client security concerns, as well as their own, more than ever lately.

Delvati also realizes that the cost of compliance may be high, but there are certain things that can be done to mitigate the expense. He is actively looking into hosted services, rather than housing all of his clients’ data on site, and suggesting the same strategy to his clients.

“For a small firm or company, it is really cost-prohibitive to try and keep up with the latest and greatest products, so you have to know what you are paying for those, versus what you would pay a vendor to host it all for you,” Delevati said.

“Some of the new online services [either] we or they set up have fairly extensive encryption and accessing codes, so if they get breached, they usually have the people and dollars to deal with it,” he added.

Delevati also believes that convenience, not just cost, is the real selling point for clients, and is doing his best to convince them that using a hosted accounting service such as QuickBooks Online or even Net-Ledger may be the way to go.

“In the past, we had clients e-mail us backups of documents, and now you have to wonder if e-mail is a secure issue,” Delevati said. “With an online service, they can log in and access their records from anywhere. We can also access their system and do what we need to do, but we never have to house it, so our clients don’t have to worry about maintaining and updating anything.”

As Traina indicated, the cost of compliance is a definite issue and one that is not likely to ease any time soon.

A recent study from Boston-based market researcher the Aberdeen Group found that security patch deployment for operating systems costs enterprises in excess of $2 billion in 2002, mostly in the form of staff time. Despite concerted efforts by suppliers of operating systems and applications, and IT administrators, the costs will continue to increase through 2004.

Aberdeen also found that security vulnerabilities are doubling every year, and suppliers are shipping more and more patches in response. And with IT staffing essentially flat or declining, the market researcher emphasized that new approaches to deployment are essential to survival.

For reprint and licensing requests for this article, click here.
MORE FROM ACCOUNTING TODAY