By Scott H. Cytron, ABC
Quickly approaching its 21st year, the annual list of Top Technology Initiatives from the American Institute of CPAs is anticipated by the accounting profession and service providers as an issues-related technology benchmark for firms, companies and the clients/customers they serve. With the release of the new 2010 list just a few months away, three of the initiatives from 2009 merit a bit more discussion: Secure Data File Storage, Transmission and Exchange; Electronic Data Retention Strategy; and Customer Relationship Management (CRM).
Secure Data File Storage, Transmission and Exchange
Even though firms and companies work hard to secure employee, stakeholder and customer data, no system is impenetrable. According to the AICPA, secure data file storage includes strategies to mitigate risk, such as encrypted storage disks and laptop hard drives, digital certificates, secure channels, and Virtual Private Networks.
While data security is by no means a new topic, the fact that it appeared third on the list underscores its importance. As a result, what are firms doing to secure their clients’ data and how are they promoting this?
“Our firm is beginning to take the steps to model ‘safe behaviors’ in data security for our clients,” says Michael S. Kridel, CPA.CITP, CFF, CFC, a partner in Litigation & Valuation Services, and Information Technology, for Daszkal Bolton LLP in Boca Raton, Fla. “Our most prevalent enterprise-wide initiative is focused on providing access to clients on a transaction-by-transaction basis to a secure file transfer portal.”
Kridel, who regularly writes on accounting and technology-related topics for various publications, cites LeapFILE as one of the service providers to manage secure file transfers. He expects to open a firm-centric client portal in 2010 to accomplish several objectives.
“It allows our clients flexibility in receiving or transmitting documents at their convenience, from wherever they are, and enables clients to transfer larger files to us,” he says. “A portal also demonstrates our concern for our clients’ privacy and financial security, while provoking questions about electronic data security. This gives us an opportunity to add value through additional client education.”
Larry Hessney, CIA, CISA, works in Enterprise Risk Management & Technology Services for Freed Maxick & Battaglia CPAs, PC, affiliated with RSM McGladrey. His own firm’s best practice solutions for secure file storage, transmission and exchange enable him and his associates to advise clients on how to appropriately scope and apply similar controls for their organizations.
“In today’s highly regulated environment, we help clients in multiple industries comply with the requirements set by the Payment Card Industry standards, Gramm-Leach-Bliley Act, Sarbanes-Oxley, HIPAA, Safe Harbor, and various other privacy and data protection laws,” says Hessney.
For example, the firm frequently reviews a client’s control design and effectiveness for secure file storage during IT Auditing, InfoSec consulting, SOX and SAS70 projects.
“We also educate our clients about secure file transmission, whether it is secure FTP or an e-mail encryption program such as ZixMail. We provide assistance in helping clients implement new controls and technologies to assure compliance, as well as help clients measure and certify their compliance to these various standards and regulations.”
Customer Relationship Management (CRM)
Although CRM was ranked as the last item on a short set of five “honorable mentions,” many accountants might tell you it’s at the end of the list because they don’t understand CRM and don’t know what to do about it. While CRM programs range from the simple (ACT!, actually, is considered a rudimentary CRM system) to something much more robust (such as Sage CRM), this is one technology that often sits on a shelf gathering dust.
The good news is that CRM was included on the list, which means the accounting profession still has interest in pursuing its advantages.
Lee Martinez, a consultant offering Sales Management, Sales Process Improvement and Executive Coaching through his company, QVP - Top Line Results, has a great deal of experience working with firms and companies on implementing CRM systems. He offers a three-step guide to using CRM effectively:
1. Have a specific “end game” for CRM.
2. Keep it simple.
3. CRM should fit your business process.
“Many companies get into CRM to ‘develop client relationships,’ but what exactly does that mean?” asks Martinez. “For an emerging company, it may mean revenues; for an established company, it may mean profit per customer. In either case, what is the business strategy to develop client relationships, how will success be measured and what are the business processes to support the strategy?”
Because CRM technology identifies clients who produce the most revenue, the most profit, the buying patterns that produce high-value clients, and other key business performance metrics, Martinez says companies must think carefully about their short- and long-term goals, while managing CRM for various functions.
“Often, companies get into CRM to manage sales and marketing. Research by CSO Insights magazine found that more than 80 percent of sales leads are mishandled and 50 percent are discarded. Sales and Marketing expenses can easily reach 50 percent of a company’s annual expenses, so it’s reasonable to expect better performance. No matter the ‘end game’ for CRM, you must take a holistic view of the business, the selling process, the people factor, the strategy to achieve the end game and the measures of success.”
Martinez says the easiest way to approach process is to examine work flow, interdependence, bottlenecks, what's working and what's not working.
“The analysis may present newfound visibility into your business; like a GPS, it will tell you exactly where you are, as well. The next step is to determine where you want to go. Determine what is essential to the process, automate it, control it and then successively refine it. The last part, ‘successively refine,’ is precisely why the process need not be perfect.”
Electronic Data Retention Strategy
Often, accounting firms want to jump right in and begin consulting on a certain technology or business process. While this approach might work in some cases, the strategy behind the technology is also very important – perhaps more important nowadays with respect to data and document retention strategies.
As more firms and companies – and the clients and customers they serve – go paperless, the process of creating, implementing and managing these strategies goes way beyond something as basic as the length of time a file must be kept. Today, in fact, there are huge legal ramifications.
Kridel says “spoliation” – the intentional or inadvertent destruction of data or documents after the firm knew or should have known that litigation was occurring or imminent – has become a hotter topic with each passing year.
“The penalties for failure to adopt, implement and consistently apply appropriate and relevant retention policies can result in significant, adverse consequences to the firm and/or its client that is a party to litigation or regulatory investigation,” he says. “The firm must carefully select, document, train personnel, and execute policies and technical, physical and electronic methodologies to mitigate the risks of document destruction. Each firm or company should also consult with counsel and their insurance companies to gain both guidance and agreement as to any policy that may be adopted.”
Another part of electronic data retention strategy concerns eDiscovery. Hessney believes business owners need to be concerned with eDiscovery due to legal requirements that make the recovery of e-mail and other records “fair game” for civil lawsuits in today’s business environment.
“Business owners need assistance to assess their existing practices as they relate to eDiscovery laws where they do business,” he says. “Once this gap assessment is complete, accounting firms can assist them in designing appropriate eDiscovery controls and data retention policies that are right-sized for their business.”
Kridel believes eDiscovery is very closely aligned with the paradigms of data and document retention, and spoliation. Federal Rule of Evidence 26 was revised in December 2006 to accommodate a shift in the federal courts’ definition of “best evidence.”
“eDiscovery must be viewed no differently than traditional discovery processes – the only difference is the ways and means by which it will occur and the many opportunities for inadvertent spoliation,” says Kridel. “Many states have not yet modified their rules of evidence to accommodate the nuances of eDiscovery, including definitions of eEvidence. However, based on the trends, each state will have no choice but to address this sooner than later.”
Kridel advises that each business, and quite possibly each individual, should be aware that anything read, written, transmitted or stored electronically can be searched and likely recovered. Businesses should evaluate how they store information and documents, the duration for storage and the procedures for responding to a subpoena.
“An increasingly important part of this is to evaluate how data may be stored on media and devices that are not in the physical control of the business, including handheld devices, removable electronic storage, Internet storage and employee-owned computers and storage that may access the businesses’ networks and systems. This further complicates the data/document retention formula and places a greater burden on management.
“Perhaps more important, enterprises must train and re-train their personnel in proper ‘e-mail hygiene,’” continues Kridel. “E-mail, as we all should know by now, never goes away; it just goes further. It is critically important that businesses consult with their attorneys to gain some degree of comfort that their decisions support their best interests.”
Look for the AICPA 2010 Top Technology Initiatives sometime this spring; in the meantime, review the 2009 list and see how your firm or company measures up.