7 security questions to ask prospective accountants

7 security questions to ask prospective accountants

illustrated padlock Header imageHeader imageHeader imageHeader image

This article is part of our Customer Voice blog column, which offers tips and valuable resources from our expert customers.

Most business owners regard their accountants as business advisors on a wide range of company decisions, which is why I firmly believe that accountants have a responsibility to handle data properly.

Technology has brought enormous benefits to the accounting industry, from cloud-based accounting software to tax software innovations. With all the benefits provided by technology, however, comes the threat of abuse by hackers. The prevalence of data breaches means that companies need to implement better security measures as they provide critical services like tax and accounting.

That's why many firms, including my accounting firm, are taking every opportunity to improve their firm's digital security, with some firms even hiring full-time staff with strong cybersecurity credentials.

To help you, as a business owner, identify a security-conscious accounting firm, I've outlined 7 good security questions that you can ask prospective accounting partners to discover which will safeguard your financial data.

How will we exchange files?

Exchanging files over email can be risky. It is not best practice to rely on email to send or receive your financial statements, tax documents, or other confidential information from your accountant.

First, it's not secure, which leaves your documents vulnerable. Imagine carrying your financial statements in a see-through briefcase through a public place, like a mall. This is essentially what happens when you use a non-encrypted medium like email to transfer sensitive information.

Second, sharing files by email can be unreliable, since server issues or aggressive anti-spam features can block important attachments or emails.

A more secure solution would be to use a secure file sharing application. Having a centralized document sharing solution with strictly controlled access makes your information secure and is a more efficient way of working, too.

What measures have you taken to secure your network?

Accounting firms are a treasure trove of financial and personal information about client companies and their employees. During the coronavirus pandemic, tax professionals and accountants have seen an increased number of such attacks.

Precautionary measures security-conscious accounting firms may take to protect their network from unauthorized access include routing network traffic through a virtual private network (VPN) or installing antivirus software and anti-malware programs on their company devices. Company policies could include avoiding accessing confidential information over public WiFi networks and implementing strong password policies.

How do you control access to sensitive data and login credentials?

At our firm, we authenticate logins for any accounts containing data for our firm or our accounting clients. This ensures that all employee logins to areas with sensitive data are properly verified, authenticated, and recorded.

Recycling passwords or storing passwords in spreadsheets, though convenient, are more risky behaviors. Use of a password manager to manage login credentials is another good indicator. Whichever option an accountant uses, the concept is the same: make passwords unique, strong, and secured with a centralized password management tool.

Beyond passwords, ask prospective accountants about their usage of multi-factor authentication measures. More commonly known as two-factor authentication (2FA), this layer of login security requires secondary verification on a separate device, using a hardware-based security key or confirmation code that's texted or emailed to you.

What training does your staff undergo so they remain vigilant?

Security awareness training is vital for companies across all industries, but especially in the financial sector. Often, efforts to bolster a company’s security posture emphasize software and other technological solutions while ignoring vital security training for employees.

As crucial as software choices and tools are, it is equally important that your prospective accounting partner understands the importance of employee security awareness.

Accounting staff should receive regular training on how to spot these scams and what to do if they suspect foul play. If they do not, they can fall prey to a malicious breach attempt.

If a security incident occurs, do you have a data recovery plan?

As you consider partnering with an accountant or accounting firm, it's important to ask potential partners about their data recovery plan after disasters or security incidents occur.

A data recovery plan (DRP) is a set of company policies that outlines how to recover data quickly and securely in the event of a natural disaster or artificial threat. It's this 'get back to normal' plan that minimizes the risks associated with a data breach or systems outage. A good DRP includes steps to recover critical applications and documents and quickly access secure data backups.

How do you secure your firm's physical devices?

Since most of our daily transactions are digital, it's easy to neglect physical security. After all, hackers are only focused on digital targets, right?

Actually, this concept is misinformed and can damage both accounting firms and their clients. Physical devices are a favorite target for cybercriminals because they're easy to leave poorly secured or unsecured. As more companies adopt bring-your-own-device (BYOD) policies to let employees work from home, securing devices that are used for fulfilling job duties is vital.

Ask your potential accounting partner how they train employees on best security practices for all devices used for company business. This means that strong passwords must protect employee laptops and smartphones and be remotely manageable (and wiped) if someone steals the device. Biometric measures like Face ID and PINS are also an excellent way to prevent unwanted device access.

What happens to files once you're done with them?

Once data is no longer needed, what does your accountant do with it? Asking them about their data retention policies can help avoid future problems related to unprotected or unsecured data. A good data retention policy ensures that firms don't hold on to data indefinitely. Even old financial data can cause significant damage in the wrong hands. Check your accountant's data retention policy to ensure they are handling all your data appropriately.

Know the right security questions to ask your accountant

As a business owner, it's imperative to partner with an accounting firm that prioritizes data security. Your accounting partner must take precautionary measures to mitigate the loss or misuse of your data because of their critical role within your business. When you partner with a security-conscious accounting firm, you’ll be able to rest easy, knowing that your data is being protected while you grow your business.

The information provided on this page does not, and is not intended to constitute legal or financial advice and is for general informational purposes only. The content is provided "as-is"; no representations are made that the content is error free.