On the surface, the results of the 2013 North America Top Technology Initiatives (TTI) survey, released by the American Institute of CPAs (AICPA) and the Chartered Professional Accountants of Canada (CPA Canada), show that “managing and retaining data” nudged past “securing the IT environment” to become the top technology priority cited by the nearly 2,000 accounting professionals polled.
Dig a little deeper, and the evidence indicates that data and security have become intertwined and, in the survey’s results at least, interchangeable. The TTI survey tracked answers from accountants in business and industry (B&I) as a subset of the overall results, and the management accountants ranked IT security as their top priority, slightly ahead of managing data.
That’s fitting, because the emphasis on data stems at least in part from concerns about the increased security risks caused by the proliferation of mobile devices and the mass movement of confidential information to the cloud. Add to those factors the explosive growth in the amount of data worldwide and the rapid rise in the number and sophistication of cyber-threats to the security of that data, and the result is a situation ripe for security breaches. It’s no wonder then that the survey found increased concern with the prevention of and response to computer fraud and decreased confidence amongst US accountants in the ability of their organisations to achieve success with their top tech initiatives.
“The challenge is to identify where data resides and moves during the data cycle,” said Steven J. Ursillo Jr., CPA/CITP, CGMA, principal and director of technology and assurance services for Sparrow, Johnson & Ursillo, a Rhode Island-based accounting firm that also provides technology and security audits and consulting. “It’s very challenging to govern all of that.”
This article looks at the results of the 2013 North America TTI survey, overall and amongst management accountants, and the implications for public accounting firms, businesses and other organisations.
The survey: US vs. Canada
The 2013 North America TTI survey was a joint effort of the AICPA and CPA Canada. In the United States, the AICPA surveyed nearly 1,700 of its members from February 12th through March 6th. In Canada, CPA Canada surveyed more than 200 of its members from February 14th through March 5th.
Asked to prioritise the importance of their employers’ and clients’ 2013 technology initiatives, the US CPAs and their Canadian counterparts responded with the same top two answers: managing and retaining data; and securing the IT environment.
There were some notable differences between the US and Canadian respondents. The poll found that the Canadian chartered accountants placed more emphasis than US CPAs on using technology to enable decision support and analytics and on managing their IT investments and spending. The US respondents gave greater weight to managing IT risks, ensuring privacy and, most notably, preventing and responding to computer fraud.
B&I vs. Public Accounting
In addition to flipping IT security and data management at the top of their priority rankings, management accountants placed higher emphasis than their public accounting counterparts on using technology to enable decision support and analytics. Decision support and analytics ranked fifth amongst US management accountants compared with 10th amongst US CPAs in public accounting. Management accountants in Canada placed decision support and analytics first in their rankings. This speaks to the growing trend of Big Data, which a rapidly growing number of corporations worldwide are using to quickly analyse large amounts of information and make faster, smarter business decisions.
Management accountants polled put slightly higher emphasis than their public accounting counterparts on managing system implementations, while public accountants were more concerned with ensuring privacy and preventing and responding to computer fraud. “Managing IT risks and compliance” ranked third on the B&I list and fourth on the public accounting rankings, but the same percentage of respondents chose the issue among both groups.
CPA confidence slips
The US CPAs surveyed were less confident than their Canadian counterparts of the ability of their organisations to achieve their top technology initiatives this year. The CPAs also were less confident than respondents were a year ago, when securing the IT environment ranked as the top concern in the US-only Top Technology Initiatives survey. Last year, 60% or more of US respondents said they were confident or highly confident that their organisations would prevent and respond to fraud; successfully manage and retain data (61%); secure the IT environment (62%); ensure privacy (62%); and manage IT risk and compliance (65%).
This year, the highest level of confidence was 55% (for managing and retaining data). Why did the US confidence levels drop?
“My gut feeling is that there is actually more awareness of the issues and challenges in all of these areas as a whole,” said Donny Shimamoto, CPA/CITP, CGMA, managing director of IntrapriseTechKnowlogies LLC, and chair of the AICPA Information Management and Technology Assurance Executive Committee. “The decline in confidence levels may mean professionals are making more knowledgeable assessments of the ability of organisations to achieve technology goals. These goals are within reach, but organisations must have the focus, commitment and drive to achieve them.”
Data management and information security are the only two initiatives to produce confidence ratings higher than 50% in the US survey, but a look at the responses to individual questions reveals wide differences in opinion. On the positive side, CPAs exude confidence in their organisations’ data retention, cost management and data backup and restoration policies. Similarly, most CPAs are confident in their organisation’s policies and protections for internal networks and servers.
The confidence level plunges once outside the firewall. Only a third of US respondents are confident or highly confident that their organisations have properly protected all mobile devices (laptops, tablets, mobile phones, etc.) to prevent a data breach. Similarly, only 33% of US respondents have confidence in their organisations’ ability to quickly detect and respond to a cyber-attack, and less than 40% believe their employers have “considered all of the relevant vulnerabilities and threats pertaining to IT, including those related to emerging technologies like cloud computing, mobile technologies, and social media.”
The CPAs’ concerns are understandable. News of successful cyber-attacks on companies and government agencies worldwide, including several cloud-computing providers, has increased dramatically over the past couple of years. Cybercriminals have leveraged an intimate knowledge of data flow and a slew of sophisticated malware-building techniques to design attacks that have compromised data in myriad ways, including the theft of money through falsified automated clearing house (ACH) and wire transactions and the delivery of malware to social networks, where a variety of viruses can infect employee computers, then gain access to corporate networks and even cloud-based confidential data.
“Years ago, nine out of ten corporate frauds were inside jobs,” Ursillo said. “The big theme we are starting to see carried out is that it’s when you are going to be attacked, not if.”
The data dilemma
The front lines in the war against cybercrime have moved to the cloud, because that’s where most of the world’s data is. And it’s data that creates incentives for security threats, said Dan Schroeder, CPA/CITP, a partner with Atlanta-based accounting and consulting firm Habif, Arogeti & Wynne.
“In its most simplistic sense, security threats exist because data exists, is accessible and has value,” Schroeder said. “So, no data, no security problem.”
Of course, no data is not an option. Instead, the amount of data is growing at a 60% annual clip, a pace projected to continue for several years, Schroeder said.
That growth makes it imperative that public accounting firms, businesses and other organisations know where their data and their clients’ or customers’ data is stored, moved and processed. This can be easier said than done when using cloud-based software, infrastructure and/or computing platforms. Such subscription-based services can offer anytime, anywhere connectivity, and access to clients and technology resources previously out of reach due to geographic and cost barriers. The downside is that organisations that leverage the power of the cloud must also manage their data in the labyrinth of servers and networks, providers and threats that make up the internet.
“Very few businesses have formalised data-management practices commensurate with their data assets,” Schroeder said. “For that matter, very few think of data as an asset.”
CPAs and their organisations need to understand that not all data is of equal value and that trying to provide equal protection to all of an organisation’s data is prohibitively costly or ineffective, or both, Schroeder said. “There is an adage that if you protect toothbrushes and diamonds the same, at the end of the day you will have more toothbrushes and fewer diamonds,” he said. “Businesses need to understand which of their data is like toothbrushes and which is like diamonds, and apply security controls commensurately.”
The big asset challenge
Data is generated by sources as diverse as websites and social media networks, emails and texts, voice and video files, and innumerable business transactions and processes. The development of faster computer processors and software applications has made it possible for organisations to aggregate and analyse large amounts of data, or Big Data, to uncover patterns and other insights that can help drive better, and quicker, business decisions.
The proper mining and application of data, big and small, can create great value for organisations, but only if they know how to manage it. Organisations that implement strong data-management policies can leverage data to increase productivity, control costs or improve the effectiveness of their marketing and sales efforts. Failure to handle data correctly can lead to poor business decisions based on bad or incomplete information, the loss of crucial information due to security breaches or improper storage, or even regulatory or legal problems.
To mitigate those risks, organisations need to develop a strategic plan to ensure that they meet internal, legal and compliance-related requirements for data retention and usage. Organisations also need to vet vendors and their own security procedures to provide as much protection as possible to their confidential corporate and customer information.
The results of the 2013 North America Top Technology Initiatives survey show that US and Canadian accounting professionals recognise the importance of data management and security efforts with their employers and clients. The US results show that CPAs are aware that their organisations might not be as prepared as they had thought to protect their far-flung data and mobile assets in a rapidly expanding galaxy of cyber-threats and criminal activity.
Organisations that employ best practices for data management and security can lower their risk of a data breach but by no means eliminate it. Given that reality, organisations need to implement cyber-attack detection and response procedures that fulfill all regulatory, legal and competitive obligations for the stewardship of confidential customer information. Those public accounting firms, businesses, and other entities that can minimise data and security risks while maximising the value of their data assets will have a competitive edge in the marketplace.
—Jeff Drew is a CGMA Magazine senior editor.