The K2 Team: Accounting Technology Talk and More!


AWEB

The Future’s So Bright, We Have to Wear Shades

Times read: 98

05/06/08

There’s a very interesting article by Andy Kessler on the editorial page in the Wall Street Journal this morning which discusses the coming war in technology; the link is here. While Microsoft and Google are the armies currently fighting the skirmishes around the future of technology, this is really simply a proxy war about how we will use technology in the future. Just as there are different methods of transporting goods around the country (think: rail vs. truck vs. airplane), there are also different models of computing (browser vs. local vs. mobile). Processing power (thanks to Moore’s Law), bandwidth, and wireless technology have changed the level of real time information sharing. HP has even come out with a laptop (HP Compaq 6720t) which is designed to be used as a thin client into corporate systems and which doesn’t even have a hard drive!.

Many accountants are rightly concerned with the security and information control implications of using online services for their mission-critical applications. While these are legitimate concerns, the reality of our digital infrastructure has generally made these concerns less of a problem now than in the past. High speed internet is getting faster. Last week, I received a flyer from my local telephone company offering a fiber internet connection which would have 25Mbps down/10Mbps up connectivity to my home.

While I’m still mulling over whether or not I really need that fast a connection at home since my current connection is 10Mbps down/1Mbps up through my cable provider, it’s really interesting that this level of service is now available in Knoxville, Tennessee, which, although a nice-sized city, is admittedly not one of the first cities you think of when you imagine fast internet speeds. My current internet connections (cable and Sprint wireless) continue to impress me with the speeds which are possible; my cable connection averages 8 Mbps down, 970K up whenever I test the speed, and my wireless connection (backup) has been running over 1.1 Mbps down/300K up on the road lately with EVDO Rev A.

Anecdotal evidence suggests that telecommunications and other utilities are also more reliable than we have had in the past. Where I used to reboot my router and modem every morning, I now go for months without rebooting these devices, and they seem to just work now. My collaboration with others within K2 suggests that their experiences are similar: I have noted only two critical outages among the team during the first four months of the year. When I started my career 15 years ago, we would have two or three power outages during the busy season which would shut us down and cause us to lose work. While utilities aren’t sexy, they certainly seem to have made significant improvements in the last generation.

If you haven’t tried some of the latest evolutions in Web-based applications, here are some for your consideration:

While the future direction of computing hasn’t been finalized, there are really interesting things happening in technology, and some things (like those pages or CD’s for reference materials) are on the way out. The future appears to offer more choices for how tools are delivered to users, which will make it much easier to work from anywhere – even a condo in the middle of the Pacific Ocean.

Brian Tankersley is a CPA and CITP based in Knoxville, Tennessee. You can learn more about him at www.bftcpa.com.

Share My Voice 

Issue with QuickBooks 2008 (or Lacerte or Proseries Tax) Not Starting

Times read: 365

04/14/08

Note: This document was forwarded from Intuit Support to the QuickBooks Rapid Response Team. Any questions or concerns on this should be addressed to Intuit QuickBooks Support. - Brian

A NON-SECURITY WINDOWS UPDATE THAT WAS DISTRIBUTED BY MICROSOFT THIS WEEK MAY CAUSE QUICKBOOKS 2008 TO STOP OPERATING.

If you're affected by this problem, when you launch QuickBooks you may see the QuickBooks Splash Screen for a second or two, but the software doesn't open. Or, you may see an error message referring to the Web Connector failing to initialize, and the software won't run.

This problem may also be affecting Lacerte and Pro Series software (not a good week for that to happen). This could also cause a problem for users who are trying to install QuickBooks on a computer that received this Windows update.

Do NOT uninstall and reinstall QuickBooks (and disregard any advice from a technical support person to uninstall and reinstall). This is not a QuickBooks file problem that requires reinstallation to cure.

The problem is a .NET 2.0 problem arising from this latest Windows Update. Microsoft moved this .NET 2.0 Service Pack 1 into the “high priority and critical” section of Microsoft updates. This means that more people updated than would have if it had remained lower in the priority sections.

If you're running QuickBooks 2008 on Windows XP, you can uninstall and reinstall .NET 2.0. If you're running QuickBooks 2008 on Windows Vista, you cannot uninstall and reinstall .NET 2.0, but you can fix it.

Step by step instructions on replacing or repairing .NET 2.0 for Windows XP and Windows Vista are available at the following URL:

http://support.quickbooks.intuit.com/support/Pages/KnowledgeBaseArticle/1009275


Share My Voice 

Laptop Security for Accounting Professionals

Times read: 351

04/05/08

Laptop theft appears to be a cottage industry in the US. Consider these facts:

• According to Safeware Insurance Agency, more than 750,000 laptops are stolen every year. This translates into more than 1 billion dollars in lost property and according to the study more than $5 billion loss of proprietary information.

• According to the FBI, a whopping 97% to 98% of stolen computers never return to their rightful owner.

• From 2005 to 2006 there was an 81% increase in the number of companies reporting stolen laptops containing sensitive information (2006 Annual Study: The Cost of Data Breach. Ponemon Institute, LLC, 2007).

• The average business loses about 5% of its laptop inventory to theft. Top law enforcement agencies aren't even immune. The FBI reportedly experiences three to four laptop thefts a month.

• More than half of the stolen laptops are stolen out of offices so almost nobody is really immune to the risk of having their laptop disappear. 90% of laptop theft is committed by insiders.

Clearly people with confidential information on their laptops need to take measures to make sure that the thieves will not be able to access this confidential information. Regulations like Gramm-Leach-Bliley, HIPAA, Canada’s PIPEDA, the EU Data Directive, Sarbanes-Oxley, and state security breach notification laws can impose criminal penalties for those compromise other’s confidential information. Whole disk encryption is certainly a solution people with confidential information on their laptop should consider. This is clearly an important issue but not the subject of day’s post.

Today’s post is focused on technology that can improve the chances of recovering a stolen laptop from 2% to over 75%. This is technology that is widely available and proven to work. It involves loading software on your computer that allows your computer to let you know where it is when it has been stolen.

This software is called “track and trace software.” It is designed for people who have laptops with lots of confidential information and for companies who are losing lots of laptops. It works by loading software on your laptop that uses an Internet connection to tell you where it is after it is stolen. There are lots of these products (ex. Computrace LoJack, XTool Laptop Tracker, CyberAngel, and more) and some are loaded at the bios level so they still work even if the hard drive is reformatted.

Absolute's Computrace product will instruct you laptop upon its first connection to the Internet to send Absolute its IP address every 15 minutes. With that information, Absolute's staff, working with law enforcement, tracks down the laptop.

Absolute's product also includes technology that customers can use to destroy data remotely in case the laptop can't be recovered in time. The deletion technology can be policy-based. IT can instruct the laptop to delete sensitive data if it remains off the corporate network for a certain period of time.

Another tool, XTool Tracker, has similar features to Absolute’s Computrace but also has lots of other methods to help recover your stolen laptop. These guys are really serious about getting your laptop back. The following is a list of the things the software can do to try to recover your laptop:

Internet Connection Information In most situations, the Local IP and the Public IP information is enough to recover a lost or stolen laptop. Once it has been determined by our recovery team that this information is reliable, a tracking report is produced so that the police can subpoena the Internet service provider to obtain the contact information associated with the IP addresses.

WiFi Connection Information Since there are so many sources of "free" wireless connections available today, it is easily assumed that a stolen laptop will be connected to one of these sources. WiFi information is used by the XTool Laptop Tracker to make sure that the Internet information collected is reliable and that it can be used to obtain from the police a subpoena.

Telephone Connection Information If an unauthorized user connects your monitored laptop to a telephone line, the XTool Laptop Tracker will place a call to a toll free number at their monitoring center. The monitoring center will then obtain the phone number used to place the call using ANI-Caller ID; even if the caller ID is blocked at the calling location.
Remote Forensic Collection and HoneyPot Collected Information Using an advanced forensic collection tool, the XTool® Recovery Team is able to identify the unauthorized user (name, email, address, etc). This information is then transmitted via Internet or through a telephone connection. The main advantage of this technique is that it does not require a subpoena and has proven successful in cases where the primary tracking methods are not viable.

GPS Information GPS is becoming more popular and some laptop manufacturers are even shipping units with a built-in GPS device. XTool® Laptop Tracker has the ability to detect any type of GPS device connected to the monitored laptop and relay this information to the XTool® Monitoring Center to track. By default, this option is deactivated. However, since the information collected by a GPS is useful even when the laptop has not been reported lost or stolen, the customer wishing to monitor GPS activity can activate this feature without filing a theft/loss report.

Camera Information Some laptops are now made with built-in cameras. XTool® Laptop Tracker has the ability to detect a camera connected to a laptop and can take a snapshot of the unauthorized user that is then relayed to the XTool® Monitoring Center. A picture of the unauthorized user not only quickly leads to the location of the thief but can be used as evidence in case the laptop is sold to a 3rd party.

So why take a chance? If you have confidential information on your laptop, failing to implement some type of control procedure could end up costing you time and grief, create problems with customers and clients, cost you your job, or even land you in jail. These tools work and just could save the day.

William C. (Will) Fleenor, CPA.CITP, Ph.D.
Member, K2 Enterprises, LLC
will@k2e.com



Share My Voice 

ALERT! QB Accountant’s Copy Issue with Importing Edits

Times read: 304

03/14/08

Since today is March 14th, many of my friends who do taxes for a living are working away trying to get those client trial balances adjusted so they can complete those last-minute C and S-Corp tax returns. If you’re one of those accountants who uses the great functionality of the Accountant’s Copy in QuickBooks (and you know who you are), read on. If you aren’t using Accountant’s Copy (e.g. you don’t have files with a file extension of QBX, QBY, and QBA in your QuickBooks directory, please ignore this issue).

Here’s the Issue:

Unpatched systems using the QuickBooks 2008 Accountant’s Copy can sometimes fail to import edits when converting data from a QBY to a QBW file (e.g. importing the Accountant’s Change file into the client’s production QuickBooks file).
This happens only under certain circumstances (some examples below). This can be a very small problem if the accountant has made very few edits. However, there is also the chance of losing large sets of data when an accountant makes extensive edits.

QuickBooks 2008 Update Release 5, due March 13, 2008, addresses most of the existing circumstances under which the above issue occurs. However, we know that not all ProAdvisors install all releases for many reasons (such as the extreme workload compression we all experience this time of the year).

The error may occur under the following circumstances on unpatched systems:

  • If reconciled account names contain special characters

  • If the accountant enters and then modifies a journal entry

  • If the accountant modifies a deposit, then enters a new line

  • If the accountant enters an account number that duplicates a number that the client has entered while the accountant has the file



Here’s what you should do:

1. If you are using the Accountant’s Copy feature, you should download and install all available updates for QuickBooks 2008 as soon as possible.

2. You should also advise your clients of the risks here, and pay extra attention to confirm that your client’s adjusted trial balance (e.g. after importing the QBY file) matches the values on the accountant’s final adjusted trial balance.

If you have questions about this, please read Intuit KnowledgeBase Article #1009092, or contact Intuit support.




Share My Voice 

Serious Security Issues for Accountants, Part 3 – Keeping the Bad Guys Out of Your Online Data

Times read: 333

02/27/08

And yes, almost all of it is online.

True, the personal information stored in your phone, PDA, and laptop is not always online. We do turn these devices off when we’re requested to (well, most of the time). But as for the corporate data (including customer, vendor, and employee data) in our primary data storage location – yes, that hardware is typically and continually connected to the Web. If your service techs, employees, or consultants can get to it without being on-site, then it is online.

So where can we safely store this data? Before everything went online, the safest place was often somewhere within our brick-and-mortar business offices. Most businesses, large and small, still store their own corporate data internally. Imagine a CPA firm storing all its confidential corporate data (including clients’ tax and other financial data) on the servers of the company that provides the tax software. For the most part, that just doesn’t happen.

But wait, there is a major change underway in the way businesses acquire and utilize technology that will impact where the corporate data is stored. Software as a Service (SaaS) is rapidly emerging as clear alternative to the traditional approach to acquiring and using business software. With SaaS both the software and the underlying data are hosted at a remote site. All the client needs is a good Internet connection and a Web browser. Some believe the move to SaaS will turn out to be as important as the advent of personal computers. All business software (accounting, CRM, tax compliance, spreadsheets, etc.) appears to be heading in this direction.

In some cases the benefits of SaaS are turning out to be huge. Lower costs, improved reliability, very significantly improved functionality, ease of access, and improved security are some of these benefits. Yes, improved security is a benefit of hosted solutions.

So why wouldn’t a small or midsize business simply hire a provider to host its software and data? Following are the concerns we frequently hear from participants:

  1. I’m not sure the hosting entity will be careful about keeping my data safe from physical loss. Do you really think you have a better backup system than a well-established data hosting vendor does? Think again.
  2. I’m concerned that the hosting entity might mine my data. I am under a legal requirement to keep this stuff confidential. You should read the hosting agreements, they strictly prohibit this behavior. This is just not going to happen. It would be suicide for a tax software company to, for example, use a CPA firm’s client data for any reason.
  3. I’m concerned about cost. There’s very little chance that hosting will cost more than your current in-house systems. Remember to compute TCO. How much is all that remote access setup and management costing you? Those costs disappear when you use hosted solutions.
  4. Performance won’t be as good. Sure, this can be an issue – but only if you adopt an outsourced solution that requires large amounts of data to be moved back and forth on a continual basis. Most SaaS solutions have solved this problem, even for companies and firms with less-than-stellar bandwidth to the WAN.
  5. What about fault tolerance? What happens when the hosting entity goes down? Fault tolerance – don’t you just love that term? The answer is simple: If the hosting entity goes down, you can’t work. But how is that so different from what happens when your current system goes down? Presuming you have redundant Internet, what is the likelihood of your host going down for an extended period versus that of you going down for an extended period? The SaaS vendor wins, hands down. There is no way your system can have a lower risk of failure. That’s your vendor’s business, and its future depends on it. The few glitches we have seen to date (remember the brief Lacerte issue last year?) have been just bumps along the road to where we are today.

This brief posting has only scratched the surface by revealing one of the benefits of having an outside expert host your primary applications (including the underlying data). That benefit is improved security. For most, the real driving forces behind SaaS are improved functionality, ease of use, and cost savings. However, it is important to recognize this significant opportunity to improve the security of your corporate data by putting it in the hands of people who protect it for a living.

Get ready. The SaaS train is coming, and you are going to enjoy the ride.
Thanks,
Will

William C. Fleenor, CPA.CITP, Ph.D.
Shareholder, K2 Enterprises, LLC


Share My Voice 

Dear K2: Issues With Word 2007 and My Mouse

Times read: 529

02/14/08

Dear Brian:

I’m having issues with Microsoft Word 2007. When I start Word 2007, everything looks OK, but the mouse won’t select many of the things on the screen (e.g., I can’t use the scroll bar on the right-hand side of the screen, many options won’t work, and some of the toolbar buttons won’t work). When I try to exit Word, Windows tries to recover from a “crash” and automatically restarts – so I can’t ever get completely out of Word.

Help!

Edward in Elkton


Dear Edward:

I’ve had the same issue on my computer. This problem seems to happen to me every month or two, but I work with a lot of add-ins in Word, and it’s possible that some of those are not working well together. The problem is generally related to corruption in Word’s registry settings, which indicate the options that are loaded when you start Word. Here’s how I would try to work with this:

1. Click on the Office Button (upper-left corner) and select Word Options, then select Add-Ins. Disable any add-ins that are not “known good” applications. (This is my first step, and it sometimes works, but not always.)

2. (Advanced Users Only) If step #1 doesn’t work, you will need to close all Office applications (hit Ctrl-Alt-Delete, select Start Task Manager, and shut down the WinWord.exe application. You will then need to delete some registry keys as detailed in Microsoft support article #921541. If step #1 doesn’t work, step #2 almost always works for me.

If the steps given in the knowledge base article don’t work, you may need to uninstall and reinstall Microsoft Office 2007.

I trust this will help you get things back up and going smoothly.

Best regards, Brian

Brian Tankersley, CPA.CITP is a CPA, speaker, and consultant based in Knoxville, Tennessee. He teaches continuing education classes with K2 Enterprises, instructs CPA review classes for Becker CPA Review, and blogs about accounting and technology matters on his website at http://blog.bftcpa.com.


Share My Voice 

In Software Licensing as in Taxation, Two Plus Two is Not Always Four.

Times read: 488

02/05/08

I recently wrote an article about a friend who purchased Office 2007 in the early days of busy season. This license is called an “OEM” license, and cannot be transferred to a new computer. In my case, Rhonda bought three copies of Office 2007 with three laptops. When those laptops wear out, have Diet Coke spilled on them, or are otherwise retired, the “rights” to run Office 2007 cannot be transferred to the replacement hardware (e.g. the license goes with the hardware instead of being portable to whatever hardware you choose to use, as you might have with a “Standard” or “Full” license.) Other license types include “Upgrade”, “Academic”, and various forms of volume licensing.

Just as many of us have learned with taxation, two plus two doesn’t always equal four in the world of software licensing. If one purchases one kind if license, you may get additional rights (such as the right for employees to install software on their home PC’s, the right to upgrade and downgrade to earlier or later versions, etc.). Just as structuring a transaction for tax purposes is very technical and can have huge implications for the total cost of ownership of an acquired business, the subject of software licensing is very technical, and one really needs to work with an expert when you are trying to meet your organization’s needs so that the type of license you purchase meets ALL of your needs for the software.

With that in mind, an industry peer (Ken McClelland at Network Management Group) wrote this excellent explanation of the difference in OEM and “Open Licensing with Software Assurance” – two opposite ends of the spectrum in terms of rights imparted to the user (thanks to NMGI for letting me repost this). [BTW, these guys have a site where they recommend hardware for CPA firms and other professional service organizations at http://www.nmgi.com/techrecs/ which receives rave reviews. One participant who paid $350 for a one day class I taught recently wrote that “The hardware site (www.nmgi.com/techrecs) was worth the cost of the seminar by itself.”] Let’s get to the question:

Q. Why is it cheaper to buy an “OEM” license of Microsoft Office with a new computer instead of purchasing a copy through a volume licensing program like OpenLicense, or than purchasing the copy of the software at retail in a computer store. If it’s all Microsoft Office (and the same version), why do I care what kind of license I purchase?

A. An OEM license is cheaper because you don’t get all the “rights” that you receive with Open Licensing.

  1. With OEM you do not have any downgrade rights (if you wanted Office 2003 but they only bundle with 2007).
  2. With OEM the license is tied to that PC….cannot be transferred to another PC if the user upgrades hardware.
  3. Open License with Software Assurance would allow for any upgrades for free as long as the software assurance is kept current and up to date. If you own xx07 and xx08 comes out you have no additional expense to upgrade.
  4. Proof of ownership is much simpler under Open License as all licenses are documented on the Microsoft eOpen website. Also as mentioned, a single license key.
  5. If you have Office under Software Assurance (SA is an add-on which gives you automatic upgrade add-on for the volume licensing plan)…you get work at home rights which allow employees to install Office on their home system for only the cost of install media. They have rights to run the software on their home pc as long as they are employed by your firm and Software Assurance is kept current (!)
    [Word and Excel as an employee benefit – wow!]

A subsidy promo just ended (Jan 31) on Microsoft Office that you could have got up to $150 / license that could have been used for your local reseller to provide services.

Currently, the promotion is that you can get Office Enterprise for the price of Office Pro. Max 249 licenses.

Basically it boils down to determining which if any of these features are important to your firm and choose the appropriate licensing strategy. BTW - A better comparison would be to take Open License price (with no Software Assurance) vs. the OEM. Price for the Office Pro 2007 should be somewhere around $430 – so your new delta would be $170 or so.

Note: Software Assurance can be added to the OEM license as long as it is done during the first 90 days of ownership.

Well said, Ken. That’s exactly why we need an expert in this stuff. Thanks for doing such a great job on this, BTW.

Brian Tankersley, CPA.CITP is a CPA, speaker, and consultant based in Knoxville, Tennessee. He teaches continuing education classes with K2 Enterprises, instructs CPA review classes for Becker CPA Review, and blogs about accounting and technology matters on his website at http://blog.bftcpa.com.

Share My Voice 

Help, Help, It's Tax Season and I'm Being Upgraded!

Times read: 686

01/25/08

Note: This e-mail represents a combination of approximately three e-mails I have received in the last two months. I have taken some editorial license with the facts here to bring out some additional points


Dear Brian

I have just ordered 3 new laptops and without even thinking purchased Office 2007. We have 13 machines, a mixture of desktops & laptops in our office and only the 3 new ones will have Office 2007. Am I going to have backward compatibility issues? I really do not want to upgrade everyone in the middle of tax season. Your thoughts would be very much welcome.

Thanks,

Rhonda in Rockwood


Dear Rhonda in Rockwood:

Good to hear from you again. I hope you and your team are well.

The biggest issue with adopting MS Office 2007 on short notice is going to be MS Access (as usual - just because there is so much structure created by the user in this application). I'd stay away from Access 2K7 if you're doing much with Access – simply because it has a new file format, and because of the nature of the automation in Access, it will be the application most likely to have “issues” with a new file format. If you're really concerned about it, considered uninstalling the OEM edition of MS O2K7 and installing O2K3 from your MS Action Pack (assuming you have enough licenses?) This would let you completely avoid the issue until after tax season.

If you decide to go with O2K7, it shouldn't be that big of an issue. With a few add-ins, you should actually be able to get by with half on the old version and half on the new version. Here's what I would do:

1. Download the Office 2007 compatibility pack from the MS Site, and put it on all of the non-Office 2007 PC's. This should eliminate 99% of the incompatibilities between the Office 2003 and the Office 2007 PC's. [you should do this whether or not you use O2K7 on the new PC's] Link to the download is here: http://www.microsoft.com/downloads/details.aspx?familyid=941b3470-3ae9-4aee-8f43-c6bb74cd1466&displaylang=en

2. On the O2K7 machines, install the PSchmid.net Ribbon Customizer. This gives you the old O2K3 dropdown menus in O2K7 for free for 30 days, and you can then buy it for $30/workstation (e.g. $90) right after the 30 days is up (and after the cash starts rolling in next month). The download is at http://www.pschmid.net/office2007/ribboncustomizer/starter.php

Highly recommended - it saved the sheetrock in my office.

3. Install the "Save as PDF or XPS" extensions for O2K7 on the "new" PC's with Office 2007. This will let them save the Word, Excel, and Powerpoint files as Acrobat files (e.g. PDF). Free from Microsoft.com - http://www.microsoft.com/downloads/details.aspx?FamilyID=4d951911-3e7e-4ae6-b059-a2e79ed87041&DisplayLang=en

4. There are some interactive flash reference apps which let you click on the old command in the drop-down menus and shows you the command in the new menu structure (e.g. the ribbon). They are at:

+ Word:http://www.microsoft.com/downloads/details.aspx?FamilyID=9044790b-4e24-4277-b714-66d7b18d0aa1&DisplayLang=en
+ Excel: http://www.microsoft.com/downloads/details.aspx?FamilyID=89718abd-2758-47b3-9f90-93788112b985&DisplayLang=en
+ PowerPoint: http://www.microsoft.com/downloads/details.aspx?FamilyID=bef41dc3-8e28-4282-82d4-cec2f416cd40&DisplayLang=en
+ Outlook: http://www.microsoft.com/downloads/details.aspx?FamilyID=cc37cc1e-028d-4d30-9093-96cc6513eca1&DisplayLang=en
+ Access: http://www.microsoft.com/downloads/details.aspx?FamilyID=b9574c72-657f-438c-9de9-f8f70dd2d40d&DisplayLang=en

I love O2K7, and have been using it for a couple of years – and am looking forward to being able to teach it in classes instead of O2K3 – however, I would approach any unplanned last-minute conversion with a healthy amount of concern.

Best regards, Brian (from NYC)

Brian Tankersley, CPA.CITP is an independent consultant and is an associate with K2 Enterprises. He can be reached at brian@k2e.com. Brian also blogs at http://blog.bftcpa.com.

Share My Voice 

Serious Security Issues for Accountants - Part 2 - When Was the Last Time You Changed All Your Secure Personal Passwords?

Times read: 573

01/18/08

Is it even advisable to change all your passwords at one time? Are there any risks involved in changing all your passwords at one time? If you do this regularly, does this mean you need to get a life?

Based on a brief review of the literature (in other words, a short Google search), there does not appear to be a lot written about changing all your passwords at one time. In one of its knowledge base articles, Microsoft points out that you should “Change your passwords regularly. This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered good only for a week or so, while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.” Now there is an interesting thought, not changing passwords for several years. Quite a bit different from the concept of changing all your passwords at once and, on top of that, doing it regularly throughout the year.

One thing appears to be clear: The better the quality of the password, the longer its useful life. For example, if you intend to log on to a site only one time and are absolutely not willing to provide any confidential information, then a short password to get you through the door will do. Even a six-character password will take hackers hours or more to break with most technologies. Long before that happens, you will be off the site, never to return.

On the other hand, passwords for confidential corporate, client, customer, and personal financial information should clearly be the best possible. My primary personal bank allows me 20 characters, using all but the special characters. I use all 20. After all, if you are using password management software to create and manage your secure log-ins, then long, randomly generated passwords will be no more difficult to create and use than short ones. And oh, by the way, if you intend to change your passwords regularly, remember that the road to hell is paved with good intentions. Exactly how long has it been since you changed your most secure passwords?

If you are not using password management software, you are not using secure passwords nor are you administering them securely. There is really nothing else to say on this topic.

My guess (based on teaching contacts with thousands of accountants each year) is that you probably need to change all your passwords at one time, and that that time is now. A fresh start is always available in this game. Starting fresh forgives all the sins of lack of due diligence with respect to managing passwords in the past. Now all those poorly managed passwords (ones written in a little black book and placed in file drawer 2, weak ones, reused ones, and the list goes on) no longer work.
I do have an opinion on whether or not you should make a regular wholesale change of all your passwords, but I don’t intend to publish it until someone responds. If you want to hear my voice, you must speak up.

Thanks,
Will
William C. Fleenor, CPA, CITP, Ph.D.
Shareholder, K2 Enterprises, LLC
will@k2e.com


Share My Voice 

Serious Security Issue for Accountants - Part 1 Thumb Drives

Times read: 608

01/11/08

As accountants we are trained to keep the information of our clients and our companies confidential. We expect this of ourselves and others also expect we will act with due diligence. The "First Digital Decade" (see Bill Gates 15th and final CES Keynote, 1/6/2008, for more info the First Digital Decade) has brought about significant changes in the ways we store and transport confidential information. Many accountants have embraced the new technology without properly addressing the related security risks (this comment is based on casual empiricism gained from providing CPE to over 30,000 accountants each year). These weaknesses in our business practices are widespread and extremely serious. This is the first (i.e. Part 1) in a series security risks faced by accountants as we enter the “Second Digital Decade.” Each post will focus on a specific security risk and on the alternatives for addressing that risk.
Thumb Drives - Also known as flash drives. They are everywhere. They have replaced floppy drives and even CDs for the “sneaker net” method of moving data. A 4 GB flash drive could easily contain the accounting records (ex. client QuickBooks files) and tax records of dozens of companies and the related payroll tax information on hundreds of employees. Statutory laws and regulations impose criminal penalties for mishandling this information. Security Breach Notification Laws (now in effect in 34 states), Sarbanes Oxley, HIPAA, and state board regulations are just some examples of such laws.
These drives are easy to lose and easy to leave behind at a client or customer location. The consequences of losing a thumb drive with confidential information are severe and often require direct notification of everyone whose information is on the drive (including all the employees of all the companies whose QuickBooks files are on the drive). Criminal penalties can result from failure to comply.
Are accountants addressing this issue? Are staff accountants given proper training? Do companies and firms have policies for protecting data that is stored on portable devices? Are thumb drives containing confidential data routinely encrypted to protect the data? Form many accountants, the answer to all these questions is no.
The solution is simple: Clear policies, employee training, and secure flash drives. IronKey.com is “best of class” with respect to secure flash drives. Watch their online demo; it’s well done and informative, even if you decide to buy a different brand of secure flash drive. As an added benefit, it is such a cool device that you will feel like James Bond when you use it. There are dozens of other secure flash drives and software you can buy to secure existing flash drives (ex. Pointsec mobile, Code Red, TrueCrypt, Lexar JumpDrive, Sony Micro Vault, and hundreds more).
It’s time to get serious about flash drive security. You need a policy, you need the right hardware and software, and you and your staff need training. This is not brain science and it’s not rocket surgery. Failure to comply results in serious business risk.
Thanks, Will
William C. Fleenor, CPA.CITP, Ph.D.
Shareholder, K2 Enterprises, LLC


Share My Voice 

The Perils of Poor Power

Times read: 503

01/03/08

I’m in the midst of moving my office to some new space (larger, nicer, more comfortable, etc.), and the process of building and moving to this new space has brought up a big technology issue that many of us don’t consider on a regular basis – electric power. Unless you live in Hawaii, you’re probably used to having a plug-in heater underneath your desk to keep warm. You may also be using a nice laser printer at your desk, and even be using fluorescent light bulbs to be more environmentally friendly (at least on the electricity). Since it was 12 degrees (yes, Fahrenheit) when I headed out of my driveway this morning in Knoxville, Tennessee, I’m guessing that many of you are using those heaters today.
Please stop, and check your desk now. If the heater, laser printer/copier, microwave, or fluorescent lights are on the same breaker as the computer, talk to someone about getting a dedicated circuit for the computer equipment. My experience dealing with technology (including my own bricked five year old PC) suggests that the hardware failure rate for systems which are on the same circuit as any of these devices is higher than that for people who are not on the same circuit as these devices. While this is anecdotal evidence only, many users in small offices may not be familiar with the issues that can be caused by these devices. Here’s what happens:
1. Heater or Printer draws large amounts of current during its warm-up or operation.
2. This drop in current disrupts, or “browns out” the power to the electronic equipment. While these brown-outs may not seem like that big of a deal, they cause big problems on the circuitry of computers and other electronic devices (for that matter, static electricity is an issue as well).
3. After hundreds of these “brown outs”, the electronic equipment dies a painful death (and you and your people wonder why you seem to have so many issues with hardware).
Some solutions to these power problems include:
1. Dedicated breaker and separate outlets for all computer equipment. While this may be cost-prohibitive, this is the preferred solution. I had this done in my new space, and can’t wait to get all of my stuff over there so I can have my printers in the same room as my computers and my space heater.
2. Uninterruptable Power Supply. Filtered power with battery backup (e.g. a UPS) is a requirement for all server applications anyway, and a good idea for all workstations. Today I purchased a 1300VA/780 watt UPS for the low price of $165 (APC model BX1300LCD at Office Depot). Trust me – it’s cheap compared to the cost of downtime.
3. Surge protection for everything that touches the network. While it may seem paranoid to put surge protection on your cable TV wire, phone jack, electric power, and network cable, I’ve seen numerous situations where there was ONE device plugged into a network which wasn’t covered by surge protection, and a lightning strike used that unfiltered plug to push a huge surge through a network, taking everything (and I mean EVERYTHING) out.
While this isn’t a huge shock for most of you, I wanted to mention this today so you public practitioners can get your electronics separated out before the year-end surge hits (no pun intended) for 2008.

Until next time, Happy (audit) trails.
Brian Tankersley, CPA.CITP


Share My Voice 

Audit Hardware and Software

Times read: 543

01/03/08

One unexpected benefit we received by visiting so many CPA firms in 2007 was solving day to day technology problems that seem to be present in most firms. The key technologies we observed not installed properly at CPA firms this year include: surge protection and UPS, cabling, multiple monitors, backup systems, firewalls, and security systems. These technologies are all fairly well established, and the rules and understanding of how to deploy most of these technologies have been consistent for over ten years. More recent changes in how to setup firewalls and security with greater protection would be the exception to this statement. So please listen to my first point of this month’s article: check your existing technologies to make sure that they have been installed properly. Every firm we have been to in 2007 has these problems. We were so shocked by this trend of improper implementation; we have actually created a series of articles on how to do these basics properly. We suspect your firm has these issues and others as well, but in this article, we are only going to address the key issues of technologies for your auditors.

Technology tools to make audit teams more productive have become easier to use and more sophisticated at the same time. The key issues for field auditors include 1) Connection to other auditors and sharing files and equipment in the field, 2) Connectivity back to the office and to the internet, 3) Security of data and their equipment, and 4) Maintaining productivity while in the field. We will provide a cookbook of products to consider later in this article, but first let’s address these four key areas.

Connection to other auditors and sharing files and equipment in the field – Issues of easily connecting computers in the field have plagued auditors for some years. This continues to become more critical as auditors spend more time out of the office, and audit engagements occur in more months of the year. The best solution we have found in this category is Colligo Workgroup Edition. This Canadian vendor has made peer-to-peer networking simple. We refer to it as networking for CPAs as opposed to networking for techies. Colligo allows for configurations for use in the office and field, and emulates several server technologies to make connections work easier and correctly.

Connectivity back to the office and to the internet – Some firms have gone so far as to prohibit connection to client networks, use of wireless and WAN data cards. We understand this from a security risk perspective, but it is killer for auditor’s productivity. We prefer to run appropriate levels of protection in firewalls, virtual private networks (VPN), and encryption for wireless. WAN cards have become fast enough that we can create our own links without using client’s networks, and this also keeps us from dealing with belligerent IT departments that don’t want outsiders to connect to their LANs. The downside is that not all markets have the true high speed access of WAN cards available.

Security of data and their equipment – With the high profile headlines of theft of data as well as identity theft, CPA firm laptops are great targets for criminals. We prefer to use a product like PGP Universal Series 200 that encrypts the entire laptop drive, any USB used, and any email that is sent. Additionally, we prefer to have all wireless connections using 802.11i or WPA2 encryption along with a VPN encryption. If all of these encryptions are in place, hackers will have to break through several levels of security to get to any communication. The encryption used by PGP has yet to be broken, so the theft of a laptop with an encrypted hard drive should not produce any useable data for the criminal.

Maintaining productivity while in the field – The issue here is driving up realization while producing a better end product, and not giving the extra profitability away in future audit engagements. We know it is painful, or in some cases impossible for auditors to carry all equipment listed below to a remote engagement via an airplane. Consider shipping equipment when long engagements are going to be remote where the client can’t provide comparable technical facilities. For auditors who drive to clients, this equipment is easily carried in a car. The key pieces of technology that can help with productivity are: multiple monitors, scanners, and internet connectivity. If you have internet connectivity, you can also gain access to firm files, email, internet research, and possibly voice over IP (VOIP).

Remember, specific products mentioned below were among the best choice at the time the article was written, and given as examples of what works. Review for successor or superior technology when you are ready to make your purchase. What technology tools in both hardware and software can make your auditors more productive?

1) Hardware
a) Laptop – a larger screen is better, extended life battery, and both wireless LAN and WAN built in is better – HP, Toshiba, Lenovo, Dell, Apple
b) Cell phone/combination PDA – better to have remote email access in these devices as well. This is needed less if the soft phone below is included – Treo 700, Blackberry, HP iPaq, Sprint PPC-6700. Add software like PDAnet if high speed connectivity is not included with your phone
c) High Speed WAN Card - to connect the audit team to high speed cellular service – Novatel Merlin S620 on Sprint
d) Wireless Firewall – better if it supports the high speed WAN card as well as hard wired connections – Kyocera KR1
e) Production quality portable scanner OR a multi-function (MFP) scanner/printer – Canon DR-2580C, Fujitsu fi-5120C, Fujitsu ScanSnap S500 or HP 4315
f) A second monitor when the engagement is going to keep people out for more than two days – ViewSonic ve710b, Planar 1500
g) Encrypted USB for backup of files on a regular basis – Lexar JumpDrive® Secure II, JumpDrive® TouchGuard™ SAFE PSD S1100 OR use of the encryption software below
h) Network Attached Storage (NAS) – larger disk device to save and share all files from a single location – Maxtor Shared Storage Drive H01P200 (or larger)
i) Surge protection – to share the limited power available. APC PNOTEPROC6 for in line protection, a PER8T to share with all.
j) Optional keyboard – in case the auditor wants to work from a large keyboard, but this is unnecessary with larger laptops
k) Optional 10-key with USB connection – Targus PAUK001U
l) Your auditors may be happier with a larger laptop with the 10 key built in
m) Locking cables – although these are only marginal defense try Targus PA400U
n) Optional mouse that always stays in the portable bag, but some find the built-in mice as productive.
o) Universal power adapters – so you can recharge your laptop, cell phone and other electronic devices – iGO everywhere 130 with the appropriate tips
p) Roller style of bag – that can hold all of the above and make them easier to move – TravelPro Platinum 4 #9422 or Wenger Patriot. Perhaps GearGrip LCD Shield Harness bags from CaseAce Products for monitors only like the GGLCD1K.
2) Software
a) Audit Engagement Management Software – CCH Engagement, CaseWare or CSI Engagement CS
b) Practice Aides – PPC eTools advisement/template software
c) Research software – CCH, RIA, BNA
d) Specific audit tools - ACL, IDEA, Monarch, AuditWatch, ActiveData, AuditMaster, ProfitCents etc.
e) Productivity software for word processing, spreadsheets and email – Microsoft Office
f) Software to create PDF files – Adobe Acrobat
g) Software to handle multiple monitors – Ultramon, MultiMon (www.realtimesoft.com), PivotPro
h) Peer to peer networking software to make field connections and sharing easier – Colligo WorkGroup
i) Encryption software to protect your hard drives, USB and email – PGP Universal Series 200
j) Backup software – to copy all files easily – Second Copy (www.centered.com), Allway Sync (www.allwaysync.com)
k) Softphone software – allowing your remote auditor to connect to your VOIP phone system directly – typically supplied by your VOIP vendor
3) In the office
a) Remote access to the server including files, document images, and email – Citrix or Terminal Server
b) Scheduling software, possibly covered in your workflow solution – XCM solutions
c) Voice Over IP phone system – Cisco, Avaya, 3Com, InterTel
d) Confirmation letter solution – Capital Confirmation
e) Audit budgeting software – Excel, CCH Practice, CCH Practice Management, CSI Practice CS
f) Time and Billing system with remote time and expense entry - CCH Practice, CCH Practice Management, CSI Practice CS
g) Docking stations for the laptop, properly surge protected, possibly with dual monitors (total of three monitors with laptop screen) - Targus ACP50US
h) Second set of mice, keyboards to minimize setup and tear down time
i) High speed production quality scanners to turn client paper documents into electronic files – Fujitsu fi-5750C or Canon DR-7080C

With this selection of hardware and software products you have a formula for success. However, as an audit manager, IT manager or firm administrator, you must help your auditors picture how this equipment will work for them. Preparation before leaving the office will be a necessity. An auditor should carry all of the necessary files to the field on their laptop or NAS, with all supporting documentation scanned in advance, and organized in the engagement management software. All of the appropriate equipment can be transported in a wheeled bag.

When the audit team arrives on the first day of the engagement, they can set up their tools either together or separately depending on the client designated workspace. Complete setup should take place in less than 15 minutes. The setup process would be:

1) Set up the surge protection
2) Connect the wireless access point with firewall to power and either:
a) Your WAN card
b) The client’s network with a cable
3) Attach the NAS to the wireless access point
4) Connect the first laptop
5) Start the peer to peer network sharing software
6) Check connectivity to the NAS
7) Check connectivity to the internet
8) Continue the setup process by setting up the scanner/MFP printer
9) Set up the second monitor for the first laptop
10) Begin connecting all other laptops to the network
11) Plug in the cell phone/combination PDA to power and/or establish a VOIP connection
12) Test all other laptop connectivity to
a) Share files
b) Share the printer
c) Share the scanner
d) Internet
e) VOIP

You are now ready to begin running the engagement management software using files on a laptop or on the NAS. Make sure that the shared resources are not connected via the audit manager’s machine since the manager will frequently move from one audit engagement to another, and could easily take key needed resources with them when they leave.

Only a few of the software and hardware tools named above are beyond what a typical auditor carries today. The new tools include: WAN card, second monitor, peer to peer networking software, encryption software and a softphone. The total cost of additional hardware and software to make field auditors more productive is roughly $300 for software and $1,200 for hardware. Ongoing costs for the WAN card are currently around $60/month. Most audit teams will gain enough billable time in the first engagement to justify these expenditures, plus your firm will be better protected with all data off-site encrypted. Using the right technology tools will increase the realization across all audits and keep your auditors in better communication with the firm.




Share My Voice