Accounting

Accounting by the numbers: Audits, cyber security and more

The stats highlighted for the month of August focus on new SEC audit engagements in the first quarter of 2024, the percentages of companies with cyber risks and where they might find vulnerabilities, states with the highest tax collections per capita, and the annual IRS whistleblower awards, as well as the amount Ernst & Young intends to invest over three years in talent and technology.

Firms to disable Windows Recall, but third parties remain a risk

Despite security enhancements from Microsoft, CPA firms are likely to disable the controversial Recall feature in Windows 11, which uses AI to create a precise record of user activity, but leaders concede there is little they can do about potential indirect tracking via third parties that still have it enabled. 

Recall, debuted by Microsoft about a year ago, works by taking a screenshot of a user’s desktop every few seconds and then using on-device large language models to let the user retrieve items and information that had previously been on their screen. Following a major public backlash on privacy and security grounds, the company delayed the feature’s implementation to address people’s concerns.

Last September, Microsoft said that Recall will now encrypt snapshots and other associated information, and can only be used within a Virtualization-based Security Enclave (essentially, a way to isolate a specific program inside the processor so that whatever happens inside stays inside, even if the rest of the machine is compromised, comparable to a panic room but digital). At the end of last month, after testing the feature for select users, Microsoft rolled it out for general availability for Windows 11. Microsoft has been urging people to upgrade from previous versions and said it would be shutting down support for Windows 10 in October.

Cory Wolf, director of offensive security with cybersecurity consulting firm risk3sixty, said these new changes have allayed many concerns about the Recall feature between when it was first launched and now. He noted that the initial release was indeed a major security challenge, adding that Microsoft rushed it without going through the typical insider preview process and so did not account for the security issues, but has improved the solution since then. 

“That was why everyone was freaking out, it was clear they did not do any security around it, did not go through previews and at the time it was a real security risk. Now it is going through the proper channels of Windows preview, they added content filtering, they added the virtual machine component … at least from a cybersecurity perspective, it’s really worked out and they’ve improved it quite a bit,” he said. 

Despite these changes, however, some firms are still opting to disable Recall on their devices, such as California-based Navolio & Tallman LLP. Though they intend to soon get laptops specifically optimized for AI solutions, IT partner Stephanie Ringrose said that, for now at least, they’re going to disable the feature.

“We started with the hardware that has the new processor, so that as technology comes out that has more AI in it, we’re set up for success. … So we’re open to new technology. Another part is we like to be on the leading edge, but we’re not necessarily on the bleeding edge, so initially [Recall] does not seem like something we need right away, so our plan currently is to disable it,” she said in an interview. 

Top 50 firm LBMC will also be disabling Recall, according to chief digital and technology officer David Maynard. He raised concerns about the security implications, such as the inadvertent storing of sensitive data via screenshot captures, the use of LLM-powered indexing opening up the possibility for prompt injection attacks, insider threat risks of administrative access being misused, as well as compliance and legal exposure under data protection laws. 

“With specific regard to Microsoft’s Windows 11 Recall feature, we are closely monitoring its development and capabilities as we do all other tools. Microsoft is a trusted partner and delivers some of the most powerful enterprise tools. That said, all evolving technology tools present unique challenges that merit thorough scrutiny, especially for professional services firms handling high volumes of confidential and regulated data. … We are currently disabling Recall by policy across all internal devices, even though it remains in preview. Our experts are also considering the broader implications of using LLMs in enterprise settings and continuing to test the Recall functionality in non-production environments to inform both internal and client-facing recommendations,” he said in an email. 

Still, while firms can take action for themselves, the indirect third-party risk remains. While one user might disable Recall, anything shared with someone who has enabled it will be saved to that person’s device, which could still result in data leakage and cyber incidents. Imagine someone from a firm with Recall disabled talking about sensitive matters with a vendor who does have it enabled; now imagine that vendor getting hacked and the attackers getting that sensitive data despite the firm itself protecting it on its own end.

Ringrose said that while there are measures a firm can take, there are limits to how much they can control third parties. The firm can have open communications and be vigilant about their data but there is only so much one can do. 

“This [applies to] almost all technology when communicating with outside parties, that you cannot really control what every third party uses on their side. I think there’s a couple different things we can do on the client side, [like] more education as you communicate with them… you have open discussions with them on how they intend to use it and help be an advisor if [the risks] come up,” she said. 

LBMC took a similar position, saying that it can’t really control what other parties do, so they need to be careful about what they, themselves, disclose to outside parties. 

“LBMC can control only its devices, not third-party assets. Management and understanding of Recall’s implications are necessary before sharing information,” said Maynard. 

But at the same time, the two said it’s not that much different than any other communications technology. Yes, third parties might capture sensitive data through Recall, but the same thing could happen with irresponsible emails or file shares too. In this respect, while the firms intend to have controls over the use of the feature, they would be no different than the controls they would require for any other new technology.

“It’s like email, you know? It’s like any form of communication—you’re putting something out there. And so it’s a little bit open to what that third party is using,” said Ringrose. 

Maynard raised a similar point: while LBMC will be thoroughly evaluating Recall for safety, it does so for every new piece of technology it potentially could adopt. At a high level, every new tool under consideration—whether developed internally, by a third party, or as part of a widely used platform—is assessed using a phased model. The evaluation model encompasses infrastructure and compatibility review, security review, privacy and data governance review, legal and regulatory risk assessment, ethical and professional standards alignment, cybersecurity and AI committee input, governance and approvals process, a test phase with controlled rollouts, then training, usage, policies and compliance integration. 

“Windows 11 Recall is just one of many emerging technologies that highlights the need for organizations, especially those in regulated industries like accounting, to have a structured enterprise-wide process for evaluating new tools. At LBMC we view every innovation through a multidimensional lens balancing potential benefits with security, privacy, regulatory and ethical considerations. Our approach is part of a broader, proactive framework that involves cross functional expertise from cybersecurity, AI, legal, compliance and operational leadership. This is how we ensure new technology aligns not only with our internal standards, but with the expectations of the clients and industries we serve,” he said.

Wolf, from risk3sixty, said that while the risks from improper use are real, at this point they are not dramatically greater than other solutions. He noted that many CPA firms already have third party risk management programs and it wouldn’t be difficult to work Recall into these already existing controls. However, he said it might be more of a lift for those who do not already have these programs in place. 

“So when doing vendor questionnaires and audits they should bake in Recall, things like doing security awareness training around Recall, that should be baked into that, but it definitely needs adjustment … for smaller firms that do not have one. Contractual obligation is their best recourse. It’s no different than sending something to a noncompany email for example, the risks are still the same,” he said. 

There was similar thinking regarding remote work and bring-your-own-device policies. Many firms already have specific security policies in these areas, and while Recall is a factor in both cases, there appears to be little need to carve out an entire new set of policies specifically for this feature. Firms should be diligent with their cybersecurity overall, said Maynard, which includes accounting for Recall but no more than other tools.

“For accounting and advisory firms, any tool that touches client data must be evaluated not just on features—but on trust, integrity, and compliance. We believe that by embedding subject matter expertise into every phase of the evaluation process, firms can strike the right balance between innovation and responsibility,” he said.

Grant Thornton US to add GT Netherlands to platform

The U.S. firm of Grant Thornton is adding Grant Thornton Netherlands to the multinational platform it launched earlier this year, in a deal that is expected to close later this year.

In January Grant Thornton Advisors combined with Grant Thornton Ireland, in its first step to create an integrated international firm. In late April it announced agreements with GT firms in Luxembourg, the United Arab Emirates and the Cayman Islands.

The platform is backed by an investor group led by private equity firm New Mountain Capital, which acquired a majority stake in Grant Thornton in March 2024, after selling a majority stake in Top 100 Firm Citrin Cooperman that it had acquired in 2021.

As a result of the PE investment, Grant Thornton took on the alternative practice structure that is common to those deals, with Grant Thornton Advisors offering non-attest services, and Grant Thornton LLP offering audit and assurance services. GT Netherlands’ audit practice will join the latter.

The Dutch firm brings close to 800 professionals in eight offices to the platform’s almost 13,000 team members in 60 offices. Its CEO, Marcel Blöte, will remain in his current position as head of that geography.

“Joining forces with Grant Thornton Advisors empowers us to deliver enhanced value for clients as a diversified platform poised for growth and expansion,” Blöte said in a statement. “We’ll be able to offer our people extremely attractive paths for career development, while maintaining our hallmark entrepreneurial culture and commitment to quality. Collectively, we will ensure our status as a top 10 firm in our market well into the future — one that can flexibly respond to a dynamic market and changing regulations.”

“By uniting with preeminent high-growth firms such as Grant Thornton Netherlands, we’ve established a world-class service provider platform spanning multinational markets,” said Jim Peko, CEO of Grant Thornton Advisors, in a statement. “We will continue to solidify our standing as the industry’s destination of choice for clients and team members alike, providing a singular experience focused on quality and unparalleled service delivery.”  

“We welcome Grant Thornton Netherlands to our expanded platform,” said Steve Tennant, managing partner of Grant Thornton in Ireland, who leads international M&A on behalf of Grant Thornton Advisors, in a statement. “The Dutch firm brings complementary ambition and talent as we look to extend our capabilities, services and geographic reach to benefit our clients and our people.”

“We’re bringing the highest quality and fastest-growing firms together into one truly integrated global platform,” said Andre Moura, a managing director at New Mountain Capital, in a statement. “Grant Thornton Netherlands is a perfect example of this — delivering the quality, expertise and industry specialization integral to the world-class client experience we’re creating.”

Grant Thornton isn’t the only international network that has member firms consolidating. Last October, the U.S. and U.K. firms of RSM International announced plans to combine by the end of 2025. KPMG is also reportedly looking to combine many of its member firms around the world, reducing the number from over 120 in 2023 to between 30 and 40 by the end of 2026, according to the Wall Street Journal, and last year its U.K. and Swiss firms merged into a $4.4 billion firm.

AAM distributes 2025 marketing awards, inducts member to HOF

The Association for Accounting Marketing bestowed several awards at its annual AAM Summit in Phoenix on May 13, including the 2025 Marketer of the Year, and inducted a new member to its Hall of Fame.

Kristen Lewis, managing director of marketing at EisnerAmper, received the 2025 Marketer of the Year award, recognizing a marketing professional who has shown outstanding performance in the field. 

Bonnie Buol Ruszczyk, president of BBR Companies, was inducted into the AAM Hall of Fame, honoring marketing professionals with at least fifteen years of professional experience with a minimum of 10 years in the accounting field who are known for their outstanding accomplishments as leaders of the association and in the profession.

Ruszczyk, a member of Accounting Today’s 2024 Top 100 Most Influential People, was recognized for her work with BBR in influencing best practices in firm differentiation, diversity, equity and inclusion initiatives, and professional development.

Additional individual award recipients included Arlene Labrador, business development director at Cherry Bekaert, honored with the 2025 Business Developer of the Year award; Alex Miller, an AAM member since 2016 and part of its DEI Committee, receiving the AAM Volunteer of the Year award; and Kaelynn Guzman, digital marketing manager at Pannell Kerr Forster of Texas, accepting the Rookie of the Year award.

AAM also handed out 16 more awards during the Summit’s award ceremony.

The categories and winners were:

  • Advertising Campaign: GHJ
  • Business Development Initiative: Rehmann
  • Client Experience: McGuire Sponsel

Content Marketing Campaigns

  • Internal Audience: Doeren Mayhew
  • External – Talent Recruitment: WilkinGuttenplan
  • External – Brand Awareness: James Moore & Co.
  • Inclusion Impact Program or Initiative: Baker Tilly

Events

  • Budget above $25,000: Baker Tilly
  • Budget below $24,999: JLK Rosenberger

Innovation & Strategic Achievement

  • Emerging Tech or Tech Advancement: PBMares, LLP
  • Marketing Innovation or Breakthrough Marketing: Baker Tilly

Integrated Branding Programs

  • Firm revenue above $40M: Rea
  • Firm revenue below $40M: Brown Plus
  • Video and Multimedia: McGuire Sponsel

Website

  • Budget above $60,000: UHY
  • Budget below $59,999: McKonly & Asbury

For the category awards, a panel of marketing professionals, including many from the Society of Marketing Professional Services, evaluated 68 submissions to select the winners. They judged entries based on achieving specific goals, strategic execution of projects, and the generation of measurable outcomes.
