This is the first in a series of FAQ-style blogs. We will ask the questions that are often put to AdvanceTrack founder and MD Vipul Sheth when he speaks to accountants, and gives you his answers.

Q: How secure would my client data be if I worked with AdvanceTrack?… How rigorous is your security?

A: There’s a very straightforward point at which to begin this answer: as MD of this business, I want to be able to sleep soundly at night. As a consequence, we’ve created processes and technology that allow us to be satisfied that we’ve done everything realistically possible for our organisation to demonstrate that we look after clients’ data in a secure manner.

In terms of testing the rigour of our processes, we have a multitude of certifications that provide external assurance. These include ISO 27001 and ISO 27701, which cover information security management and privacy information management respectively. Our people, and the way in which we work are audited every year to show what we’re doing and prove that the information is safe and secure. It also covers situations where there is a problem and how we look to resolve it.

We share information between us and accounting practices through ‘the cloud’, and we have very secure ways of maintaining security levels.

Of course, you’re only as secure as the people you work with. Our teams are trained to be sensible with how they deal with information – we also have failsafe access restrictions… even I can’t access everything. There are physical security protocols too – such as the banning of camera-enabled phones in the office.

If you’d like further detail about AdvanceTrack’s approach to security, or have more questions for Vipul and the team, then feel free to get in touch by clicking here.

It’s a question that not many accountants are asking, but if neglected, it’s something that can have disastrous consequences.

It’s not enough anymore to sit there and say “hackers only target hard cash, like banks and credit cards” because whilst they may still be true to some extent, let’s look at all the data accountants tend to have: The financial data of your clients’ businesses.

That’s your clients’ livelihood and hackers have caught on this. They’ve realised that they can monetise all kinds of data, especially sensitive data belonging to your clients’, which means we have some catching up to do to make sure this is all protected!

We’ve already covered ways to stop using email to send sensitive information, and now it’s time to look at how you can continue to improve your firm’s internal security.

Look at who has access, and to what

When you’re sending sensitive documents to someone, be it through Dropbox, Google Drive or a client portal, you of course need to give your client access to then view that information.

That’s great, but how do you continually manage this? If access management is left unchecked, you could find that clients have access to areas they no longer need access to, or worse, they’re not entitled to have access to, but because it was left unchecked, they still do.

The problem here is that you need to consistently make sure that your clients only have access to the things they need access to, so that they don’t have the wrong privileges when they don’t (or no longer) need them. Better yet, if someone needs a higher level of access, it’s always a great idea to communicate any special or higher risks associated with that, so that they are educated on the policies and procedures you have in place to protect their accounts and their data.

Check your passwords

When talking about security, one of the most popular questions I’ve seen is “how often do you change your password?” But a more pertinent question would be “how many accounts do you have that re-use the same password?” The answer always surprises me.

Often, password re-use is one of the biggest security issues people have. Do you remember the LinkedIn hack of 2012? Hundreds of millions of users had their account passwords breached, but it presented a bigger problem for those who were using that password for other systems like Dropbox, Facebook and Outlook. Worse, a lot of the times, the hacker succeeded because of this.

Because of the beauty of password managers like LastPass, you don’t necessarily need to remember all your passwords, which gives you the opportunity to make them more complex without the pressure of potentially forgetting which letter was capitalised, or which letter was substituted for a number. A trusted system to manage all of your passwords gives you far more security that before.

Also, with two-factor authentication, you can add an extra layer of security to your password. This has become much more prominent with companies like Google and even Xero. Because banks have been using it for a long time, we’ve become much more accustomed to using two-factor authentication on a daily basis.

Another thing to be particularly careful of is usernames and passwords of past employees. It’s highly recommended that you delete these and change passwords so that any past employees, disgruntled or otherwise, aren’t tempted to log in again remotely.

Bringing your own device to work

Ever since the iPhone first launched, the way we work has been transformed. Instead of bringing your own laptop to work, people are now bringing what is practically a computer in their pocket!

The problem with this is if your personal device has got malware on it (which you may not be aware of in the first instance), as soon as you connect to the company wi-fi, you’re at risk of transferring that malware to everyone else. That’s the servers, the files, the emails, everything.

Now I’m not saying you need to implement a rule where people have to leave their phones at home, but it’s worth having the conversation with your employees so that they’re aware of the risks and the steps they can take to make sure their own devices are protected.

Give everyone training

Everything I’ve said so far ties back to training, and make sure you have firm-wide policies and training on security. That way you’re making sure your entire team is on the same page when it comes to how to handle data, how to keep data secure and what steps to take if things go wrong.

Why risk the vulnerability of data, when there are tools and support out there to keep your firm secure?

New European data rules may seem abstract and scary to the accounting world, so Kevin Reed has spoken to two practitioners about the work their firms have been through to get to grips with GDPR

From processors to controllers, through to the right to be forgotten and data portability, the new European rules for data protection under the acronym GDPR seem more akin to a science-fiction plot than compliance.

But it is very real, and very close. From 25 May, the new rules set out to create a world in which personal data is much more rigorously controlled, protected and understood. For accounting practitioners, who handle and process reams of personal information for and on behalf of clients, it may feel more like another layer of red tape that gets in the way of performing their role.

We have spoken to two accountants about the work their practices have undertaken to get to grips with GDPR, and the upshot and ramifications of their efforts.

Donagh Waters is a partner at Dublin-based McInerney Saunders. The six-partner practice provides a range of services to clients beyond accounting audit and tax, including forensic investigation and wealth management.

What approach did your practice take to ‘dealing with’ GDPR?

The first time we became aware of it was last summer. We formed a steering committee of two partners to begin the process. We’ve always been taxed about how we manage data protection – we were conscious that in the past the way to trip up was over client money… now it’s client data. After forming the committee, the next thing was to educate ourselves. We attended lots of events. The tone set at the top is important – which is why we’ve had two partners on it. It would be easy to delegate, but we preferred partners to cascade it down the organisation.

What actions did you deem as required, and how did you then manage the project?

We were trying to understand how it applies to us. For example, in the past we’ve outsourced outside of the firm so were conscious about covering that in our engagement letters. And having that in our engagement letter we had contractual obligations in place with the outsourcer as well… The Irish Data Protection Act makes us conscious of the importance of confidentiality. With nothing in place GDPR would feel like scaling Mount Everest. I put together a ‘personal data map’. This was to look at the flow of personal data into the organisation and out – it was an interesting exercise.

Within our business it’s secure – but we found it’s more about how it comes in – do we have consent to process it? And then when it leaves to an external party such as a specialist tax expert, it’s then a question of how it is accessed. It’s important to close down any weak points around data flow; for example, a client engages you to do their payroll. But the real issue is not ‘corporate’, it’s personal data of employees and your client. So, are their employees aware their data has left their employer? We’re the data processor, not the controller. So there’s a [responsibility] on them as data controller.

What stage are you at?

From 25 May you can’t access our data apart from using an authorised device. No data will be held on the laptops, so when you use it you’re logging in through our secure portal. Data can’t be taken from it unless you had passwords to access the portal. If a laptop is stolen, we’re pretty sure there’s no data on it. Then you need to consider paper files: now our policy is they can’t be left anywhere unsecure – if taken outside the office they must be brought back that day. We’re not at the end of the journey yet.

One of the things to do is around policies and procedures and making sure they’re completely updated. Apart from that, it’s make sure agreements with staff and checklists go to all suppliers, we update contracts of employment and then finally, staff awareness and education – why we do what we do – so they can appreciate why we do it.

Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?

It has forced us to think carefully about security and data security – it’s been a very interesting exercise. This project has touched on law, data protection and IT, and I wouldn’t hold myself to be an expert on it all! It will be difficult at the start, but [the new way of working] will become the norm. Have you used the experience to advise clients on GDPR?

Have you had requests for advice on the topic?

We feel we’re covered, but we need to [particularly] help [payroll] clients. Some clients have been proactive and sent us checklists asking us to confirm what we do. We’re updating our engagement letters, but I wonder if some clients are not actually reading it. We’ll start reminding clients of their responsibilities under GDPR to get consent.


Nick Millard is senior manager at Accounting4Everything, a small practice based in Paignton, Devon. The practice is led by James Twigger, who won Practitioner of the Year at the British Accountancy Awards 2015.

What approach did your practice take to ‘dealing with’ GDPR?

We downloaded the Information Commissioner’s Office guide to GDPR, and then we accessed the full official regulations. We did this for two reasons – so we’ve got a full copy at hand and to have both full regulations; the UK’s version includes notes and ideas. We went on a training day to provide us some more clarity and information. We got what we needed… and they’re now a client! We have seen some differences on GDPR interpretation [in our studies].

What actions did you deem as required, and how did you then manage the project?

Our first part is completed. We’ve looked at all our software and checked their data policies and privacy policies, against GDPR. Most software companies have GDPR policies in place, or are going through that process. We’re changing some software over because it wasn’t GDPR compliant. For example, we’ve gone with data portal technology that’s UK-based and compliant – it’s all encrypted. We would have done it later down the line and had been looking at it, but GDPR pushed forward the need to do it.

One of the big things has been going through systems, processes and looking at how we hold data and how we contact clients. There are ways of improving what we do using GDPR as the leverage. For example, we don’t want clients to ring us with wage receipts information – it’s difficult to take a record of the call, and it could be anyone ringing up. We’re very aware that it’s easy to hand out and discuss client information over the phone but not very safe to do that. So all [client/employee dialogue] will come through the portal, which will be up and running by the end of April.

What stage are you at?

We have a very detailed three-page data storage policy, which has all our software listed on there; what data we hold on them, the reasons behind the software; their compliance literature (with weblinks to their policy), and then how long we hold the data for. That was the first stage. I’ve also run a half-day training session for all staff.

Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?

We’ll definitely, 100%, be a better-organised practice because of it. I don’t see it as us being bogged down – there are so many products out there to make yourself efficient. The extra bit of thought and admin [from GDPR] will be offset by providing a better service, and we can help our clients better because we have their information in one place, and know when work’s being done. Our staff can see where we are on a job or client because it’s more structured. The bits ‘in between’ such as handwritten notes and calls that haven’t been tracked – that will now be in our systems and portal. It will be a pain at the start – more work – but once we get past that there’s savings and efficiencies to be made, and a better practice for employees and clients.

The vast majority of accounting professionals see their roles developing as a result of technology in the next few years, according to new research by recruitment consultancy Renaix.

But that is not a bad thing, they believe. In fact, nine out of ten (92%) of the 200 respondents are optimistic about the impact of increased automation on the profession.

Four in five are already seeing an influence from emerging IT on their day-to-day tasks. Advanced data analytics (63%), cloud computing (42%), robotics (17%) and artificial intelligence (15%) were cited by the accountants. Only one in ten (12%) think their role will be completely automated in the near future, with 69% believing automation will make them more efficient and 59% believing it will open up opportunities to provide greater value to clients. Four in ten say it will reduce the transactional work they undertake.

More than half of respondents said they’ll have to up their game on tracking new tech developments, while also developing softer, communication-based skills.

“Finance and accounting organisations have a fantastic opportunity to drive forward digital transformation, empowering all employees to play their part in developing and implementing new ways of working,” said Renaix managing director Paul Jarrett.

“However, to do so effectively, employers need to ensure they are equipping the workforce with the right skills, as well as investing in bringing in the right talent.”