Helping Small and Midsized Businesses Succeed in a Technology-Driven World

Four Essential IT Risks and Recommendations

Based upon the CPA Horizons 2025 report, accounting professionals seem to agree that the profession's core purpose-making sense of a changing and complex world-remains relevant today and for the future. Several of the report's "insights and directions" have always been and will continue to be part of the profession, such as pursuing lifelong learning, seeking global appreciation, taking pride in the profession, acting as a trusted attester and advisor, providing a good value proposition, and addressing changes in the marketplace. As a result, many CPAs will easily incorporate improvements recommended in the report in order to enhance client relationships and service delivery.

Technology is one insight and direction that continues to challenge the profession-specifically, the charge to "understand and leverage relevant technology in conjunction with core CPA competencies to deliver superior services." There is no question that many CPAs have significantly enhanced the technology used in their day-to-day practices in order to increase the value proposition of thenwork. Cloud computing, smartphones, electronic confirmations, and electronic work files represent just some of the technologies that CPAs have readily adopted.

But what about the technologies adopted by CPAs' clients? How have CPAs adjusted their service offerings and advisory services to help clients succeed in this new and complex technological world? Larger companies appear to have acquired service-delivery expertise through mergers or acquisitions in order to address these issues. What about small and midsized businesses (SMB)? Do their challenges require the same degree of advanced technical skills as those of larger entities?

The Changing Face of Business Technology

Technology is changing, as is the process by which companies purchase and use it to achieve business objectives. Although these changes affect organizations of all sizes, they are especially pronounced in the SMB market. The rise and availability of cloud computing enables SMBs to shift their focus from the detailed management and configuration of technology parameters, which some would argue do not generate direct business value, to the evaluation and selection of vendors that can provide these capabilities for a variety of financial and operational solutions, including requisite security and privacy protections. In other words, rather than focusing on nontraditional skills that require a significant amount of technological knowhow, SMBs can increasingly focus on selecting and managing an appropriate vendor that can deal with technology in order to achieve business objectives.

This shift provides significant opportunities for CPAs working for and advising SMBs to assist these businesses in navigating the implementation of these new requisite skills in order to succeed in this new technology-dependent world. CPAs and other financial advisors can leverage their core governance, risk management, and general business acumen to help businesses navigate the challenges that result from disruptive technologies.

Providing Guidance on Four IT Risks

George Westerman, a well-respected research scientist at MIT'sCenter for Digital Business and author of IT Risk: Turning Business Threats into Competitive Advantage, blogged that "being able to talk about IT Risk is essential if you are going to make the right decisions about how you use technology in your business" ("How to Have the IT Risk Conversion," Jun. 28, 2013, http://blogs.hbr.org/2013/06/howto-have-the-it-risk-conver/). He described four essential risks: availability, access, accuracy, and agility. Three of these directly relate to the AICPA's Trust Services principles and criteria. The following sections discuss how CPAs can help SMBs address these risks and what baseline knowledge CPAs need to provide these services.

Availability-facilitating SMB planning and preparation for contingencies. SMBs have always relied on CPAs to help them in times of disasters; these requests have usually occurred after a crisis and have focused on helping businesses file insurance claims and facilitating the operational recovery of the business. Unfortunately, many businesses find that their ability to continue operations is significantly hampered unless they properly plan for contingencies and disasters in order to make their business available to customers and continue sales and service delivery.

Many SMBs erroneously believe that business continuity is limited to restoring technology and ensuring that the business has some type of insurance. Although this is partly true, business continuity planning (BCP) is more encompassing, and it is integral to successful SMB business management. At its core, BCP focuses on understanding potential business impacts, identifying risks resulting from such business impacts, and ensuring that risk mitigation strategies are implemented to enable the business to successfully navigate the risks.

SMBs already expect their CPAs to help them navigate business risks; thus, financial advisors are well positioned to assist with BCP activities. In many aspects, the development of a BCP is similar to the discipline required to develop an SMB's business plan. Sometimes the SMB might not have the resources or the management time to develop a BCP. Moreover, management sometimes lacks the independent or industry perspective needed to truly assess the risks facing the organization, as well as knowledge of realistic strategies that can minimize the risk CPAs can help a business understand the impact of a disaster from both an operational and financial perspective, including the need to have appropriate technology backup resources.

But the BCP is more than just technology: CPAs can also help SMBs plan for the impact on employees and their ability to continue contributing to business operations. They can also recommend strategies and help management decide among various alternatives. CPAs can assist with training and awareness components as well. For those SMBs that already have a BCP, CPAs can help them benchmark against evolving practices that reflect the new realities of today's business environment.

Access-assisting SMBs in developing an effective information security function. Access and the protection of information has always been a core skill required of CPAs. Whether assessing the possibility of external or insider abuses, businesses continue to rely upon CPAs to provide them with data-protection strategies while considering the cost benefits of control implementation. Access and data-protection issues are key considerations in traditional CPA services, including-but not limited to-financial statement audits, Sarbanes-Oxley Act (SOX) internal control engagements, and fraud prevention.

Many SMBs and their CPAs believe that information security is more about technology than business process; for the most part, however, this is incorrect. This belief places SMBs in danger of not deploying scarce resources to implement the most effective method of managing security. It is frue that information security management requires a certain element of technological understanding and professional judgment; however, many reputable organizations, along with technology vendors themselves, have developed configuration and implementation guides to help SMBs navigate technology-related alternatives. Because they lack an understanding of what is available and believe that technology is the primary factor in managing security, many businesses chase expensive and ineffective solutions offered by technology providers that view the business as just another revenue stream.

CPAs can help SMBs implement and manage an appropriately sized information security governance program in order to ensure that the business is managing information security risk effectively. CPAs can assist with the financial review of information security investments by developing an appropriate reporting package, which can facilitate review by those with governance responsibilities. Financial advisors can also perform the due diligence of vendors and partners to ensure that data are protected.

As with other aspects of an SMB, successful process implementation and monitoring is key. CPAs can help bridge the gap between levels of an organization, representing both owners (whether a board of directors, direct shareholder, or executive management) and the technology department. This can include developing a set of policies and expectations based upon industry guidelines and practices- for example, a CPA can adapt configuration guidelines from organizations such as the National Institute of Standards and Technology or the Center for Internet Security to reflect the needs of a particular SMB. Some organizations, such as the Federal Trade Commission, provide guidance specifically tailored to SMBs; CPAs can help interpret these guidelines and facilitate the supervision and monitoring of these practices. Operational procedures can then be developed to ensure adherence to these expectations, including the use of tools that SMBs can effectively deploy.

CPAs can also assist SMBs by performing selected information security oversight functions, such as determining compliance with established policies and measuring progress on previously identified issues. The facilitation of an information security risk assessment that leverages well-recognized audit-related frameworks, such as the AICPA's Trust Services and the Control Objectives for Information and Related Technology (COBIT) framework, can also help empower clients to leverage good security practices in order to seize the business opportunities offered by the evolution of technology.

Accuracy-ensuring the completeness and accuracy of data. Due to their involvement in various audit and assurance services, CPAs are well recognized for their ability to verify the completeness and accuracy of data. From an external financial reporting perspective, CPAs ensure that the information is presented in accordance with U.S. GAAP. From an internal management accounting perspective, CPAs ensure that the information being used to support decision making is reliable.

The advent of "big data" and data-driven decision making has significantly increased the need for more reliable information. Although many businesses have attempted to consolidate their data into a core system and implement database-management tools, the use of end-user computing to supplement centrally protected data continues to grow. In some organizations, groups of users need to meet regularly to standardize how data are used and what a particular term referring to data means-for example, when referring to an address, one part of an organization might consider the term to mean the customer's home address, whereas another part might consider it to mean the customer's business address.

CPAs can help in several ways. Many professionals have already introduced data analysis and mining software into their core audit process and fraud investigation procedures. Data mining techniques can help identify unusual or suspect trends, which can be further investigated using data analysis software. These types of services are particularly helpful in assisting SMBs to remedy perceived control weaknesses or in reviewing the data prior to converting to a new system.

Information reliability can also be facilitated by the review of parameters defined by systems; these parameters are typically used by SMBs to enforce oiganizational policies and serve as traditional and validation checks that help ensure the accuracy and completeness of information. These core application controls take on additional importance as businesses continue to automate many service functions and significantly reduce the human interaction that previously might have identified such anomalies.

Agility-helping SMBs plan for and implement change. The ability to plan for and manage change is perhaps the greatest challenge to the survival of individual SMBs. As SMBs continue to rely on technology solutions to remain on par with larger competitors, they need to overcome challenges that they might not have sufficient resources to address. These challenges can include the following:

* Identifying future technology needs

* Evaluating competing proposals and automated solutions

* Reengineering service delivery and product manufacturing processes

* Identifying regulatory compliance challenges resulting from multistate or international transactions

* Negotiating appropriate service-level agreements

* Designing vendor oversight programs and planning for the conversion to a new system, including-but not limited to-the testing, training, and reconciliation of converted data.

For SMBs, there is perhaps no greater added value than a CPA's technology-related service, which can help the business plan for and implement changes. Because SMBs frequently lack experience in the change life cycle, CPAs can offer these skills. Depending upon the business's resource constraints, services can be adapted to best meet the needs of a smaller client. For example, a preimplementation review that determines to what extent critical controls have been designed into the project process and are being adhered to can represent a cost-effective and timely review for the business. Other initiatives require a greater investment, such as ensuring that key regulatory expectations are being achieved. Review of contractors' billing adherence to budgets is another service that many CPAs can provide.

As many of the more recent technology changes involve some type of outsourcing or move to cloud computing, the development and monitoring of an IT vendormanagement program might benefit many SMBs. Under this program, a CPA designs procedures that the business will use to ensure that it performs appropriate due diligence on its vendors and that it monitors vendors to make sure it receives the contracted services. For those SMBs that are subject to privacy-related regulations, an IT vendor-management program can be designed to help demonstrate to applicable regulators that the SMB has performed the appropriate due diligence and oversight of its vendors to ensure that privacy-related regulations and expectations have been met.

Professional Development

The needs of SMBs in the evolving business environment have made it essential for businesses to engage a trusted advisor to help them navigate technological challenges. Unfortunately, as many such businesses have experienced, even when a competent non-CPA is engaged, a technically attractive and profitable (for the vendor) solution often prevails at the expense of a solution that aligns better with the SMB's business needs.

Many practitioners continue to facilitate business' efforts to comply with various requirements, whether they are related to tax preparation or financial reporting. But do these practitioners truly understand the business risks faced by businesses and how to help them succeed in today's world? Besides implementing automated tools to deliver their services efficiently, to what extent has the profession truly reengineered the services it provides to accommodate the disruptive technologies that are materially impacting profitability and that could potentially challenge the CPA's role as the trusted advisor for financial and other information, as envisioned in the Horizons report?

CPAs must do more than market themselves to businesses; they must develop the necessary skills to serve business in today's complex environment. For some, this includes completing continuing professional education that goes beyond the traditional audit and tax topics. It can also include developing expertise in various software products and controls that are of particular concern to the SMB market. Others might seek to pursue a variety of certifications tailored to their projected needs. As the profession moves toward 2025, it must ensure that the next generation of CPAs has the education and skills it needs to address these challenges and to offer the technologyrelated services that are so desperately needed and desired by SMBs. ?

Joel Lanz, CPA, CIS A, is a sole practitioner and an adjunct professor at SUNY-Old Westbury. He is also a member of Ibe CPA Journal Editorial Board.