Choosing a new CPA firm for your business can be a difficult process. Financial objectives and the financial health of your business are focal points during an evaluation. However, there is one other important aspect to consider: how the CPA firm is going to handle your sensitive financial information. To help you, we have written five quick questions with explanations that you should ask any CPA firm. Answers to these questions may build confidence that your accountant is safeguarding your financial information or may help you avoid a poor decision before it is too late.
- Where are you storing my financial data?
Where your data is stored greatly affects risk, so financial data should be kept on systems protected by modern security products. A real-life example would be a private data center whose servers run Endpoint Detection and Response (EDR) software, which monitors endpoints for malicious activity such as ransomware and can stop it before data is encrypted or stolen.
- How and where is my data being backed up?
Financial operations are the engine of many businesses, so they need to be reliable. Your CPA should be able to explain how backups are taken, where they are kept, and what disaster recovery plans, if any, are in place. A clear, confident answer builds confidence that your data will be safe and accessible whenever it is needed. A hesitant answer raises a more important question: is my data being backed up at all?
- What access method(s) does your staff use to access my data?
An 8-character password can be cracked in less than an hour, so passwords alone are no longer adequate to authenticate users. Modern firms should be using Multi-Factor Authentication (MFA), which requires a second (sometimes even a third) method of authentication. Push verification, code-generator apps, hardware tokens, and SMS codes are examples of secondary authentication methods; of these, SMS codes offer the weakest protection, and hardware tokens the strongest.
- How do you ensure my data is not lost or transferred insecurely?
Data sent without proper encryption can be intercepted in transit by bad actors. Encryption for email and file sharing should be the default whenever financial data moves between your business and your CPA firm. Any secure email platform worth its salt applies encryption to outgoing messages automatically, based on a configurable set of rules (for example, when a message contains financial or personal data). This added layer of protection means a single lapse in judgment by an employee, such as forgetting to encrypt an attachment, is far less likely to turn into a breach.
- Does your staff undergo annual cybersecurity training?
The main channel by which hackers gain access to corporate systems is phishing. The attack generally begins when an employee clicks a suspicious link or opens an attachment in an email. Cybersecurity training teaches staff the red flags to look out for when working online. Taking this one step further, some organizations run simulated phishing campaigns to put that training to the test and measure how many employees still click.
These questions won’t evaluate the financial capabilities of a new CPA provider, but they can still help you narrow down your choices. Robust IT and cybersecurity practices are strong indicators that your new CPA firm will give your business the diligence and care it deserves. Working them into your evaluation will help you arrive at a sound decision and avoid a costly mistake.
At CPA Solutions, we make sure to uphold these best practices ourselves and are supported by ProSource to ensure both our team and systems are always up-to-date on the best methods of keeping your data secure.