The ethical accountant – managing digital data risks


Crisis can be the mother of invention, as was clearly demonstrated during the Covid-19 pandemic. But it can also be the author of confusion.

As the world has lurched towards a digital-first approach to business, there have come additional risks and responsibilities for accountants.

The updated AAT ethics code makes clear that accountants could leave themselves vulnerable if they fail to manage the additional responsibilities that come with the digital age.

Have you read AAT’s new ethics guidance?

All AAT members are bound by AAT’s Code of Professional Ethics, so have you seen the four new guidance notes?


The recently revised code states: “Data privacy laws are also becoming increasingly strict in support of individual privacy, in part as a reaction to data mining by the tech giants, and it’s essential that professional accountants are fully conversant and compliant with those laws. Failure to do so can result in serious professional and financial repercussions.”

And data breaches or other lapses in cyber security became even more likely during lockdown, when millions of workers shifted their daily employment from the office to their homes.

Get cyber security-certified

The Government’s National Cyber Security Centre (NCSC) offers all UK businesses support to help them manage the additional risks associated with home working. NCSC says its Cyber Essentials certificate provides accountants with the documentation to ‘reassure customers that they have put measures in place to secure their IT against cyber-attacks; attract new business with the promise they have independently verified cyber security measures in place; and have a clear picture of their cyber security level’.

Vertis Accounting was recently awarded its Cyber Essentials certificate, which it says supports its existing data protection measures.

The company states: “We have always gone to great lengths to protect this data and have implemented a range of different measures including, but not limited to, expertly supported systems with malware and virus prevention, use of complex passwords, multi-factor authentication and a considered choice of hardware and software suppliers. But it is important to be ever vigilant and to test our control measures to ensure that they remain appropriate and effective.”

List your vulnerabilities

If obtaining the NCSC certificate is a step too far, Tony Gandy, Visiting Professor, London Institute of Banking and Finance & Visiting Professor, Ulster University, who worked with AAT in devising the code of ethics, says an effective, if somewhat simple, approach is to list all the areas where the firm may be liable to data breaches.

Gandy says: “Making a checklist of what to do to protect is useful. Firms need to challenge themselves and think through everything because in recent history we have seen specific targeting of the technology that people forget about. You might think about your main server but what about telephone networks?”

The ethics code also encourages accountants to ensure ‘engagement letters are accurate and current, including any references to third parties (software, platforms, contractors) and up to date privacy policies’.

Gandy reminds accountants that they need to be able to deliver on their promises to clients: “If you have said you provide cyber security then make sure you are able to honour it.”

While there is reasonable concern about the need to protect data, Gandy says that Cloud service providers will likely offer more security than that afforded by traditional servers.

He says: “Cloud providers employ a lot of very clever people, and they have greater depth in understanding the challenges. Moving to the Cloud is not just about outsourcing storage but also means additional expertise.”

Train to ingrain

Moving to the Cloud might mean extra data protection, but it can do little to manage how employees behave online. Social media continues its rise as a means of attracting new business and providing a much-needed online presence. Yet the flip side is the possibility of a devastated reputation because of an ill-advised Tweet.

Mark Lee, chartered accountant and mentor to accountancy firms, recommends firms adopt the same approach to managing their social media presence as they take to anti-money laundering training.

He says: “The money laundering regulations impose obligations on accountants to operate specific procedures. It’s no good simply specifying these in a handbook, document or page on the intranet; everyone has to receive training to ensure they understand their obligations.”

He adds: “I would suggest that the same is true of a firm’s social media policies. Regular updates are also required, and these should be interactive and participative.” 

Are staff social distancing?

Accountants are also managing the challenge of keeping their personal and professional lives separate on social media. The ethics code says work and private accounts should remain distinct and warns accountants to be ‘cautious that mixing can reduce inhibitions and even innocent actions, or statements can be misconstrued e.g. be wary about befriending clients on platforms which are not designed for professional networking’.

The AAT says accountants must have policies related to social media usage which should be developed through consultation with employees and trade unions if applicable.

It states: “Policies, the risks with social media and cyber security should be part of inductions and ongoing training, and fully understood by staff members.”

One unnamed accounting firm has implemented social media platforms across the business but is clear on how staff use them and the information they relay.

A spokesperson says: “We use the policy to lay out the framework that our staff can be comfortable working within. Everyone should know the difference between what it is appropriate to talk about and what might cause some issues. Beyond that, we want our staff to have the freedom to both enjoy social media and make the experiences enjoyable for the people they’re interacting with, without the fear of inappropriate representation of the firm, for example, pics of them drunk in nightclubs.”

AAT says members must develop comprehensive policies to manage their digital presence and online data as a priority because while there are many benefits to increased digital processes, accountants must ensure these are used responsibly. Failure to do so could prove costly.

The digital ethics compliance checklist

1. Get cyber-secure.

2. Ensure policies and client agreements are up to date.

3. Clearly separate the personal and professional online.

You can download the new AAT guidance notes here.

Gill Wadsworth is AAT Comment’s news writer.
