Category: Internal Control

A Report from the AICPA/CPA.com Blockchain Symposium

I was fortunate to be selected to participate in the AICPA/CPA.com Blockchain Symposium, which was held May 2, 2018 at the AICPA offices in New York.   This meeting, which included leaders from around the profession, including practitioners, educators, consultants, and AICPA leadership, was the kickoff of an effort by the profession to address the accounting, auditing, tax, and regulatory issues associated with distributed ledger technologies and assist members in understanding how they work, where they make sense, and what issues they should evaluate associated with their use.  The 64 participants were divided into three working groups for each of two sessions addressing accounting, auditing, tax, legal/regulatory, education, and privacy.  Prior to the symposium, each participant was asked to submit questions related to unresolved issues surrounding blockchain ledger technology and its use in the profession.  The groups evaluated these questions and created a list of possible strategies for a report which will be issued by the end of May.  AICPA will create working groups and an action plan in June, and the initial deliverables will be released at the end of November.

We discussed a wide range of issues where practitioners, clients, regulators, and taxing authorities need guidance to make it possible for us to do business more easily.  Some of the items which I recorded in my notes include the following:

  • The general understanding of the basic terms and concepts related to blockchain needs improvement in the profession.
  • It is clear from observations and behaviors viewed by the participants that cryptocurrencies and ICOs are a major focus of law enforcement agencies and regulators, while the lack of guidance and case law makes it difficult for practitioners to hang their hats on available precedents to make good decisions.
  • Because it’s such a new area with new risks, there are clear issues related to client acceptance, what constitutes sufficient competent evidential matter, and how transactions should be recorded and disclosed for book and tax.
  • Authoritative guidance from the profession is clearly needed – perhaps an accounting/auditing guide for crypto-based ledgers and ICOs?
  • The profession needs to work with many regulators to address the unresolved regulatory issues with agencies like the SEC, IRS, FASB, PCAOB, and numerous state departments of revenue and securities regulators. There are many unaddressed issues, like:
    • What represents constructive receipt of a token?
    • Is a token a security, an asset, a liability, an expense, revenue or something else?
    • How does one calculate the accounting and tax basis of bitcoins received in exchange for mining currency?
    • How can we get some “safe harbor” guidance for these unresolved issues so that we can deal with this rapidly emerging area?
  • Unfortunately, we see the possibility of state-by-state regulation of this area instead of federal leadership, which could make it very difficult for the US to take a leadership role in this area.
  • Many countries are ahead of the US in the adoption and implementation of regulations in this area, and one participant cited regulatory frameworks from the governments of Singapore and Switzerland as possible templates to be considered in the US.

I also think it’s important to address the fearmongers who say that blockchain, artificial intelligence, and machine learning will be the end of the accounting profession (to that, I say “balderdash”).  When I started in the profession in 1992, I did everything on 5, 7, and 14 column papers with a mechanical pencil and a 10-key adding machine.  Upon graduation, I was told by a friend that computers and the internet were going to end accounting.  In the 2000s, I was told that my job was going offshore, and I would need to do something different to make a living.  Over the last few years, I’ve been told that artificial intelligence, machine learning, and blockchain are going to end jobs for US accountants.  My response is that it’s 2018.  I’m still here, and am not going anywhere, and the world is becoming grayer instead of black and white – so accountants are going to be needed to make good decisions in this area.  While I do see many practitioners who clearly have not adopted technologies and methods to make their work more efficient (including one practitioner I recently saw who was working off a five-column pad), these emerging technologies will require changes to how we work, banishing the last few adding machines to the museums or the scrapheap.

It is clear to me that our profession must rethink how we work, what we do, and effectively “disrupt ourselves” before we fall so far behind that our work is irrelevant.  Many things have changed or will change – basic account classification/coding will be done by AI or user-programmed rules into applications like Xero, QuickBooks Online, or Sage Accounting, data will be entered using OCR tools like Receipt Bank, and the advanced technologies and analytical tools used by Wall Street financial services companies will find their way into our toolboxes.  The purpose of the work we all do ten years hence will be similar, yet the low-level tasks we perform will be different – in ways many of us cannot imagine.

I was absolutely blown away by the top-notch practitioners in the group, who were clearly deep thinkers and technicians who were at the absolute top of their game.  I also enjoyed the banter back and forth in the group, which was very collegial, and while there were politics in the room (as there is with any meeting of this type), it was as apolitical a meeting as I have seen at this level in the profession.  In addition to the partners, I had the pleasure of meeting some exceptionally bright managers and senior managers who were members of the group.  These people remind me that, despite the rumors to the contrary, our profession is continuing to advance in this fast-moving world, and it gives me great hope about the bright future of the accounting profession.

It’s Time for Two Factor Authentication, SaaS Vendors. NOW, not later.

You’ve heard about the security issues at a number of organizations in the last few weeks.  Thankfully, there haven’t been any breaches at software companies who serve professional accountants (except maybe for Evernote – although I don’t know that I would put HIPAA or taxpayer data in that service).  One of the important things that is coming out of this is that major software vendors like Evernote and Google are planning to implement a security approach called “Two Factor Authentication”.  While I won’t go into much detail on how it works (although there’s a good Wikipedia article here), the basics are as follows:

Security tokens, like the RSA SecurID above, have a formula which generates a new six-digit code every minute that is used as a one-time password.

There are three basic ways to validate someone’s identity:

  • Something they know (username, password, PIN, etc.)
  • Something they have (cell phone, RSA token, USB key, etc.)
  • Something they are (biometric identification like fingerprinting, face identification, or iris scans).

Historically, we’ve used only one factor of authentication – a username and password – to access most online systems.  While this is adequate for some information types, the sophistication of phishing attacks and other techniques used by the “bad guys” requires a more sophisticated approach to security.  Two factor authentication normally requires users to validate their credentials to two servers – one which controls the username and password, and a second which validates that they have a particular device or item through a one time password.

I’ve used a number of two factor authentication devices in my career, including:

All of the devices worked well, and I still use some of them to authenticate to many services.

One important point is that the use of factors other than passwords (something you know) is not a panacea.  Use of any of the items listed above in lieu of a password doesn’t accomplish anything.  The real benefit comes from using these tools in ADDITION to a username and a password.  Even if a person with bad intent knew your username and password, they would be screened out by the second factor, whether it is biometrics (fingerprint, iris, or face) or a device you have (token, cell phone, smart card, USB key).  Just like high security installations have more than one layer of security, you want the same layers of security verifying that you are really you online.
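The one-time code checked in addition to the password, as described above, shown as an added example that is not part of the original post. It uses the open TOTP standard (RFC 6238) with a 60-second step rather than RSA SecurID's proprietary formula, checks both factors in one function instead of on two servers, and the account record, function names and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # matches "a new six-digit code every minute"
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 one-time password (HMAC-SHA1) for the given time."""
    counter = max(unix_time, 0) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(account: dict, password: str, code: str, now: int) -> bool:
    """Succeed only when BOTH the password and the token code are valid."""
    knows = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    # Accept the current and the previous time step to tolerate clock drift.
    has = any(
        hmac.compare_digest(
            totp(account["token_secret"], now - drift).encode(), code.encode())
        for drift in (0, STEP_SECONDS))
    return knows and has


# Constructed sample account; the secret is the RFC 4226 test key.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "token_secret": b"12345678901234567890",
}


def demo(now: int = 65) -> dict:
    """Try both factors, the password alone, and the token alone."""
    code = totp(ACCOUNT["token_secret"], now)
    return {
        "both_factors": login(ACCOUNT, "correct horse", code, now),
        "password_only": login(ACCOUNT, "correct horse", "000000", now),
        "token_only": login(ACCOUNT, "wrong guess", code, now),
    }
```

A stolen password without the current code is rejected, and so is a valid code presented with the wrong password.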

The ugly reality of the accounting profession is that a significant breach would undermine the confidence that others have in the profession, and could send us back to the ‘90s with some technologies used in business today.  It’s hard enough to be a small business in our economy without having to deal with concerns about security of data.

It’s time for two factor authentication with online services, people.  Ask your vendors about their support for it, and look for opportunities to protect your data with these types of authentication regimes.  It’s time for this technology – we can’t wait for some practitioner to lose their house over an online information breach to deal with this significant issue.

 

COSO releases Guidance on Internal Control Over Financial Reporting (ICFR) for Smaller Public Companies

COSO released an exposure draft of their new document on ICFR in smaller public companies today.  For more information, please visit their website at http://www.ic.coso.org