We’ve covered the CPA firm of the future. But what about the firm of today? What does a CPA firm need to have, technologically, to keep up in late 2017?
If your firm isn’t in position to use the Watson supercomputer, there are still ways to leverage technology to deliver the best possible services for your clients. That was a major area of concern in the session “The CPA Firm of Now,” headed up by longtime VSCPA instructor Randy Johnston of K2 Enterprises, at the VSCPA’s Technology Conference, held Oct. 30–31 at the American Society of Civil Engineers’ Bechtel Conference Center in Reston.
One of Johnston’s main ideas is what he calls “collaborative accounting,” in which some automated data is entered by clients into a firm’s hosted system, before the firm produces financials and value-added business guidance. The idea that automation can free up time for firms to provide greater advisory services isn’t a new one, but it’s most often applied to the Big Four. And all it requires is investment in software and a slight shift in thinking about services.
“The easiest way to think about this is that most firms have made their money from compliance — stuff you have to do, tax and audit,” Johnston said. “But business owners are happy to pay for things that make their lives easier, that make you more money. That’s what collaborative accounting does. It allows you to track things and improve the business.”
That freed-up time isn’t just in the area of data entry. Payroll and dashboards are other areas where some well-considered automation can open up new areas for forward-thinking firms. And practice-management software is another opportunity to assess your time expenditures, with quality options for firms of all sizes.
Johnston cited BQE Core, Karbon and Intuit Pro Line as viable options for smaller firms, while Commercial Logic PowerPM, Star, APS and Practice Engine work well for larger firms. All of those products have made improvements in recent years and, as Johnston put it, are now “ready for prime time.”
Another area Johnston focuses on is document management. For many firms, this area provides an opportunity to ramp up productivity. Consider how your firm currently processes electronic and paper-based documents for any number of transactions, and it’s easy to see the potential for efficiency gains.
Johnston refers to the evolution of these products as the “industrialization” of knowledge work. As the industrialization process takes place, more work can be performed by less knowledgeable team members at a lower cost. The commoditization of inputs and processes then leads to scalable methods and outputs.
For accounting firms, the first stage of this was the industrialization of process tracking, where software started to be used to know what was occurring (think products like Practice CS, pfx Practice, Doc.IT and Office Tools). Then came automation, where firms began to standardize and simplify those processes through products like ShareFile, FirmFlow, eFileCabinet and Conarc iChannel.
That evolved into the conditions that led to the uptick in intelligence software like XCM, Workstream and Canopy Tax. The next phase is predictive analytics, where software will be used to automate, maximize efficiency and predict future outcomes.
The extensive lists of product recommendations are business as usual for Johnston, who also gave a technology update at the Virginia Accounting & Auditing Conference in Roanoke and Falls Church. But his message has a new urgency, stemming from his belief that the systems he describes are almost required for firms.
“If you’re staying the same, you may actually be falling behind. You do not hear me argue that way very often,” he said. “Most of the time, change has cost, but lack of change, in this case, has greater cost. I’m not a fan of change for change’s sake. A lot of times, I wonder what people are gaining when they go to the latest, greatest bright lights. But this year, it’s strategic for where the firms are going.”
That’s underscored by the technologies Johnston chose not to include in his presentation. On topics like artificial intelligence and machine learning, he takes a “show me” attitude toward passing along recommendations to CPAs. He won’t recommend a product if it’s not useful, in its current form, for the firms he’s talking to.
“I’m not including a lot of topics that are bleeding edge,” he said. “Blockchain, artificial intelligence, machine learning — I do not know of a single product that has delivered in those areas. It’s the idea of the CPA firm of now.
“Next year, we’ll talk about those topics, because some things have delivered, but if people are pursuing those items right now, they’re probably wasting time, because they’re going to find there’s nothing there. I try to hit people there on the leading edge, and I don’t mind going to the bleeding edge. But right now, it’s a nonexistent edge. It’s just a lot of talk around it in the area of public practice.”
An offshoot of the technology discussion is the rise in telecommuting policies, another topic Johnston touched on in his session, “Working Effectively From Anywhere.” He pointed out that the global economy means that your customers are spread across the globe, and there’s no reason your employees can’t be as well.
As Johnston put it, “You need to think globally to remain competitive. This is not optional.” Virtual office tools allow CPAs to remain connected to their organization no matter where they are, as long as they can connect to the Internet.
“You have the potential of recruiting people that you might not otherwise have,” Johnston said. “If you hire people that live farther away and have them as team members, or you retain people who maybe are retiring out and want to go live in Florida but want to work a little bit for you, you can do that.
“What also happens is that you can access experts from greater distances, perhaps for short-term projects but perhaps for longer-term usage as well. It’s being able to get to more people more readily and getting the right talent more readily.”
Johnston refers to various combinations of technology products and corporate policies as a “virtual office,” a combination of off-site live communication and address services that allow users to reduce traditional business costs while maintaining business professionalism. Telecommuting can lower operating and real-estate costs by $11,000 per employee, and telecommuters are 7 percent less likely to consider leaving their job.
So what do you need to create your virtual office? Johnston recommends the following tools:
- Unified communications to stay in contact
- Remote access to files and documents across all devices
- Security to keep information private
- Applications or cloud services to support remote work
- Collaboration tools to work with colleagues, both in and out of the office
Virtual desktops are the key to getting those tools in one place. These tools offer a traditional desktop experience delivered from a centrally managed service or cloud provider. The major players include VMware (which the VSCPA uses), RDS, Citrix and Amazon WorkSpaces.
A lightweight but powerful laptop is crucial to a telecommuter’s toolkit, along with a webcam and maybe a headset for video conferencing. You’ll also need a smartphone that can be used as a Wi-Fi hotspot, so a reputable national carrier such as Verizon Wireless or AT&T is a good choice. An external mouse and USB battery are helpful, as is a second screen if you can pull it off.
“Multiple screens is a productivity thing we’ve recommended since the late 1990s,” Johnston says. “Over the last 10 years, as portable computers have gotten lighter, you can actually carry a second screen, plus a computer, and be lighter than traditional ‘heavy’ laptops.”
Collaboration tools are another key component to a successful telecommuting program. They allow for far-flung teams to meet face-to-face and work together in real time. Cisco WebEx, GoToMeeting, JoinMe and Adobe Connect are among the major players in that field, while the Slack behemoth is gaining more and more market share among messaging apps.
Those tools are essential in keeping telecommuting employees engaged and accountable.
“There are people who are going to be self-starters and there are people who clearly are not. They’re going to need to be managed more,” Johnston said. “And you’re going to have to have the tools to keep work visible along the way.”
That’s just one of the compelling arguments against telecommuting. While it can help your company retain top talent and enhance productivity, it doesn’t work for everyone. Even with the tools mentioned above, it’s hard to replicate the nature of face-to-face collaboration, and it’s hard to build a company culture when employees are scattered.
It can also be difficult to get employees on the same page when they’re working remotely. Technology can help remedy that, but only to a point.
“People are what they are,” Johnston said. “You can teach them, but part of it is the way you have the interactions. It’s easy for a home-based worker to become detached from the organization.”
And working from home can have other, less obvious drawbacks for employees.
“One of the problems with remote working is that some people wind up gaining weight at home because you snack,” Johnston said. “Other people gain more weight on the road because of the food available. It’s absolutely a 10-pound problem, like the freshman 10 from college.”
Keeping Your Digital Fence in Order
For many VSCPA members, cybersecurity is a matter best left to technology officers and the information technology (IT) department. But what about our sole practitioners and smaller shops? What about our members’ small-business clients? For that matter, what about the router that sits on your shelf at home?
Val Steed, CPA, CITP, offered advice for people in those boats at the Technology Conference. Steed, a shareholder at K2 Enterprises, went through the most important cybersecurity developments for small businesses in his session “Good Fences Make Good Neighbors.”
In this day and age, the Internet is a never-ending source of material for Steed’s presentation. But in this case, the timing was even more serendipitous, with the session coming just weeks after Belgian security researcher Mathy Vanhoef revealed the KRACK vulnerability in the widely used WPA2 traffic encryption protocol. Steed calmly laid out his advice for fixing that vulnerability in your own home or business, including a quick cost-benefit analysis.
“If you have WPA2 devices, if you’re worried, look for patches and updates from the manufacturer,” he said. “This caught someone by such surprise that they might not be out there yet. Second choice would be to get a new device.
“If you’re truly worried, you should take that device out of play right now. If I had WPA2 routers that did not have patches, I would take them out of play immediately. It’s not worth it. You can get two new routers for $500. You can barely get an attorney on the phone to start legal proceedings for that.”
As always, the WPA2 vulnerability is just one item on a buffet of alarming cybersecurity news. The Equifax credit hack also provided Steed with material for his session, and as it turns out, that breach was the result of — guess what? — a missed security patch.
“People get all freaky and think it was the Internet, but that was internal,” Steed said. “That was their network that they maintained themselves. People got in by the Internet, but the problem was with them.”
Steed also points to this year’s WannaCry ransomware attack as a case study in always keeping your software up to date.
“We highly recommend that people keep their systems up to date at all times so they won’t get hit by a vulnerability,” he said. “Most people don’t realize that to be vulnerable to WannaCry, you had to be out of date in your operating system in Windows by over a year or be running on Windows XP. Ninety-seven percent of the systems hit by WannaCry were still running Windows XP, and that makes me so mad.”
On the topic of ransomware, he added: “You absolutely, positively never want to cave in to ransomware. It doesn’t work. The only way to survive that is to have a copy of your data somewhere, format the server and start over. If you don’t have a redundant data copy somewhere, you’re really in trouble.”
Staying current on patches, using complex passwords, being smart about emails that seem off — the common thread in Steed’s presentation is using common sense. But his methods are necessary to combat attackers that will go to outlandish lengths to gain access to sensitive data.
Spearphishing is one technique attackers continue to use to try to get into companies’ systems, because it works — well enough, in fact, that it’s sometimes supplemented with more traditional methods of corporate espionage.
“Spearphishing is incredibly over the top now,” Steed said. “People lie in wait and study your company for months. In some cases, people have gone to work in companies to gain information to eventually spearphish, target them and steal money from the company.”
Steed’s favorite anecdote involves a spearphishing attack that was possible because the attacker gained incredibly detailed information on the company’s financial activities. The story came from a CPA in Oregon who attended one of Steed’s sessions.
“He worked for a big oil company, and the CFO, over a weekend, transferred $8 million to the wrong bank account offshore,” Steed said. “We have all good people — how in the world could that have happened? The spearphishing attacker had figured out that the company owed an invoice.
“They knew the amount, they knew it was overdue, they knew they were arguing. The threat to the CFO was enormous. The CFO could have done one thing — pick up his phone and call someone to make sure the transfer was okay. Everything about this was legit except the bank on the other end.”
Steed also discussed the Internet of Things, a catch-all term for the increasing connectedness of everyday objects that can send and receive data. From sprinklers to HVAC systems to doorbells, these devices can make people’s lives easier, but they’re only as secure as the network they’re connected to. And they can provide an opportunity for attackers to get into your home network.
“A doorbell ringer with a camera on it is an Internet of Things device,” Steed said. “A bad guy who can get into your wireless router can use that to see who’s coming in and out of the home through that door. They can watch your stream and see when you’ve left.”
Steed cited TVs with voice controls as another area of concern and reiterated the importance of a well-secured router.
“I’ve seen so many people set up home routers or business routers and use default administrative passwords, even in today’s market,” he said. “You can’t leave them default. They’re going to be under attack. Routers are constantly under attack.”
Even Steed’s own home router was the victim of an attack a few years ago. He tried to get online one day to discover that his home network, named “The Steeds,” wasn’t available. Checking other data, he realized that some anonymous attacker had gotten into the network and renamed it “The Stupids.”
But even that offered a story to help convince his students to take extra steps to protect their home networks.
“Somebody had taken a shot across the bow,” he said. “They could have done a lot of damage, but instead they just sent a message.
“Don’t tie your router to your family or your business. Call it something like the 101st Airborne, and tell people who ask that that’s what it’s called. The only businesses that should be using their name are the ones that have to, like Marriott, which has lots of people staying in the hotel and looking for their network. Don’t tie it to your business.”