
5 cybersecurity best practices for accountants


There are striking similarities between the roles and responsibilities of accountants and cybersecurity professionals, particularly in their need for precision, data protection, and thorough scrutiny before adopting new technologies. Both are working with sensitive information in highly regulated environments, making trust a cornerstone of client relationships. 

As digital landscapes evolve and cyber threats become increasingly sophisticated, accounting professionals must prioritize solutions to combat this and expand their skill sets to include a proficient understanding of cybersecurity. By learning about and incorporating cybersecurity best practices into their firms, accountants can work to protect clients’ sensitive information while boosting their technological skills in an ever-growing digital world. 

Here are five cybersecurity best practices that can help accountants enhance and maintain client trust. 

1. Evaluate and vet third-party vendors and technologies. One of the first steps toward developing a comprehensive understanding of your potential cybersecurity risks is assessing your tech vendors — both the ones your firm is already working with and any that you consider for future work. Their cybersecurity practices have a direct impact on your firm, regardless of how safe and secure your own systems are. 

Find out if the vendors you work with have clear plans in place not only to protect against cybersecurity threats but also to quickly fix any problems that arise. Additionally, if your firm is working with multiple vendors and using multiple platforms, determine how well they work with each other to ensure proper coverage.

2. Adopt a security-minded approach as part of firm culture. Accounting firms manage vast amounts of financial information for their clients, and this makes them a prime target for cybercriminals. 

While cybersecurity is not an accountant’s main job, it is important for all firm employees to take an active role in staying vigilant and knowing how to identify potential security threats. Phishing attacks remain one of the most common methods of cybersecurity intrusion since these attacks rely on human error — the area that is most vulnerable to a lapse in security.

3. Address human error quickly and completely. We’re all human, and we all make mistakes, which is why human error is still one of the most common ways for cybercriminals to bypass security protocols and gain access to protected information. Accounting firms need to make sure all employees are up to date on the latest cybersecurity protocols, and this information should be updated regularly.

Some common steps that can be taken include:

  • Hosting company-wide trainings to educate employees about cybersecurity best practices.
  • Limiting employee access to certain data and requiring different levels of permission to keep data secure.
  • Adding multiple levels of security — such as multifactor authentication or physical passkeys — to make it more difficult for bad actors to access sensitive information.

4. Prioritize process automation and security integration. Having a dedicated security team to provide regular updates to employees and handle any threats that arise is critical to protecting internal and client data. 

An internal security team is ideal because they will know firsthand, and in greater detail, what needs to be protected and which controls to implement, but for smaller accounting firms a virtual chief information security officer can be just as proficient at vetting, implementing, and maintaining cybersecurity solutions. Leaders will have to consider what makes the most sense for their firm, including whether workers are remote, in-office, or working in a hybrid capacity.

Once a solution is identified and implemented, prioritize a comprehensive onboarding process to make these new processes and procedures as efficient and effective as possible.

5. Develop and implement risk management plans. As the cybersecurity landscape continues evolving, it will be necessary to maintain an understanding of where improvements can be made and where risks may be inadvertently introduced. The key to managing risk is to think proactively about gaps and risk vectors. In some instances, this may require investments in new solutions if legacy systems cannot keep pace with necessary enhancements. While this may sound costly, it is certainly less than the monetary and reputational costs of a data breach.

For firms looking to update or overhaul their tech stacks, this provides an opportunity to consolidate disparate systems into fewer, multifunction solutions. This kind of consolidation aids cybersecurity efforts by reducing the number of different locations where data is stored, and therefore the number of locations where an intrusion could occur.

Conclusion

While learning and implementing cybersecurity may sometimes present a challenge, accountants should remember that they don’t have to do it alone. Cybersecurity professionals and trusted partners are there for support, be it with implementing new systems or dealing with a potential hack. Having a proactive approach to cybersecurity is in line with what it means to be an accountant: a trusted advisor and agent of clients’ sensitive data.


IAASB tweaks standards on working with outside experts


The International Auditing and Assurance Standards Board is proposing to tailor some of its standards to align with recent additions to the International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants when it comes to using the work of an external expert.

The proposed narrow-scope amendments involve minor changes to several IAASB standards:

  • ISA 620, Using the Work of an Auditor’s Expert;
  • ISRE 2400 (Revised), Engagements to Review Historical Financial Statements;
  • ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information;
  • ISRS 4400 (Revised), Agreed-upon Procedures Engagements.

The IAASB is asking for comments by July 24, 2025, via a digital response template that can be found on the IAASB website.

In December 2023, the IESBA approved an exposure draft for proposed revisions to the IESBA’s Code of Ethics related to using the work of an external expert. The proposals included three new sections to the Code of Ethics, including provisions for professional accountants in public practice, professional accountants in business, and sustainability assurance practitioners. The IESBA approved the provisions on using the work of an external expert at its December 2024 meeting, establishing an ethical framework to guide accountants and sustainability assurance practitioners in evaluating whether an external expert has the necessary competence, capabilities and objectivity to use their work, as well as provisions on applying the Ethics Code’s conceptual framework when using the work of an outside expert.


Tariffs will hit low-income Americans harder than richest, report says


President Donald Trump’s tariffs would effectively cause a tax increase for low-income families that is more than three times higher than what wealthier Americans would pay, according to an analysis from the Institute on Taxation and Economic Policy.

The report from the progressive think tank outlined the outcomes for Americans of all backgrounds if the tariffs currently in effect remain in place next year. Those making $28,600 or less would have to spend 6.2% more of their income due to higher prices, while the richest Americans with income of at least $914,900 are expected to spend 1.7% more. Middle-income families making between $55,100 and $94,100 would pay 5% more of their earnings. 

Trump has imposed the steepest U.S. duties in more than a century, including a 145% tariff on many products from China, a 25% rate on most imports from Canada and Mexico, duties on some sectors such as steel and aluminum and a baseline 10% tariff on the rest of the country’s trading partners. He suspended higher, customized tariffs on most countries for 90 days.

Economists have warned that costs from tariff increases would ultimately be passed on to U.S. consumers. And while prices will rise for everyone, lower-income families are expected to lose a larger portion of their budgets because they tend to spend more of their earnings on goods, including food and other necessities, compared to wealthier individuals.

Food prices could rise by 2.6% in the short run due to tariffs, according to an estimate from the Yale Budget Lab. Among all goods impacted, consumers are expected to face the steepest price hikes for clothing at 64%, the report showed. 

The Yale Budget Lab projected that the tariffs would result in a loss of $4,700 a year on average for American households.


At Schellman, AI reshapes a firm’s staffing needs


Artificial intelligence is just getting started in the accounting world, but it is already helping firms like technology specialist Schellman do more things with fewer people, allowing the firm to scale back hiring and reduce headcount in certain areas through natural attrition. 

Schellman CEO Avani Desai said there have definitely been some shifts in headcount at the Top 100 Firm, though she stressed it was nothing dramatic, as it mostly reflects natural attrition combined with being more selective with hiring. She said the firm has already made an internal decision to not reduce headcount in force, as that just indicates they didn’t hire properly the first time. 

“It hasn’t been about reducing roles but evolving how we do work, so there wasn’t one specific date where we ‘started’ the reduction. It’s been more case by case. We’ve held back on refilling certain roles when we saw opportunities to streamline, especially with the use of new technologies like AI,” she said. 

One area where the firm has found such opportunities has been in the testing of certain cybersecurity controls, particularly within the SOC framework. The firm examined all the controls it tests on the service side and asked which ones require human judgment or deep expertise. The answer was a lot of them. But for the ones that don’t, AI algorithms have been able to significantly lighten the load. 

“[If] we don’t refill a role, it’s because the need actually has changed, or the process has improved so significantly [that] the workload is lighter or shared across the smarter system. So that’s what’s happening,” said Desai. 

Outside of client services like SOC control testing and reporting, the firm has found efficiencies in administrative functions as well as certain internal operational processes. On the latter point, Desai noted that Schellman’s engineers, including the chief information officer, have been using AI to help develop code, which means they’re not relying as much on outside expertise on the internal service delivery side of things. There are still people in the development process, but their roles are changing: They’re writing less code, and doing more reviewing of code before it gets pushed into production, saving time and creating efficiencies. 

“The best way for me to say this is, to us, this has been intentional. We paused hiring in a few areas where we saw overlaps, where technology was really working,” said Desai.

However, even in an age awash with AI, Schellman acknowledges there are certain jobs that need a human, at least for now. For example, the firm does assessments for the FedRAMP program, which is needed for cloud service providers to contract with certain government agencies. These assessments, even in the most stable of times, can be long and complex engagements, to say nothing of the less predictable nature of the current government. As such, it does not make as much sense to reduce human staff in this area. 

“The way it is right now for us to do FedRAMP engagements, it’s a very manual process. There’s a lot of back and forth between us and a third party, the government, and we don’t see a lot of overall application or technology help… We’re in the federal space and you can imagine, [with] what’s going on right now, there’s a big changing market condition for clients and their pricing pressure,” said Desai. 

As Schellman reduces staff levels in some places, it is increasing them in others. Desai said the firm is actively hiring in certain areas. In particular, it’s adding staff in technical cybersecurity (e.g., penetration testers), the aforementioned FedRAMP engagements, AI assessment (in line with recently becoming an ISO 42001 certification body) and in some client-facing roles like marketing and sales. 

“So, to me, this isn’t about doing more with less … It’s about doing more of the right things with the right people,” said Desai. 

While these moves have resulted in savings, she said that was never really the point, so whatever the firm has saved from staffing efficiencies it has reinvested in its tech stack to build its service line further. When asked for an example, she said the firm would like to focus more on penetration testing by building a SaaS tool for it. While Schellman has a proof of concept developed, she noted it would take a lot of money and time to deploy a full solution — both of which the firm now has more of because of its efficiency moves. 

“What is the ‘why’ behind these decisions? The ‘why’ for us isn’t what I think you traditionally see, which is ‘We need to get profitability high. We need to have less people do more things.’ That’s not what it is like,” said Desai. “I want to be able to focus on quality. And the only way I think I can focus on quality is if my people are not focusing on things that don’t matter … I feel like I’m in a much better place because the smart people that I’ve hired are working on the riskiest and most complicated things.”
