July 21, 2020
Michael Shultz
This article originally appeared in FEI Canada. It’s a 5-minute read.
Cybersecurity is top of mind for everyone in the C-Suite, and over the last few years, it’s become a priority for accounting and finance leaders. There’s been a growing drip of news stories about financial or customer data theft, whether it’s from leaked online folders of spreadsheets, exposed databases, unpatched servers, or errant logins.
Fraudsters are using sophisticated email attacks to take advantage of broken accounts payable approval processes. Internal fraud from the exploitation of manual journal entries and other accounting processes remains a significant risk, especially as transactional volumes continue to rise.
A recent survey by Protiviti found that 84% of CFOs and VPs of Finance now see cybersecurity as a priority in their function, as it becomes a core part of operational risk management. IT and CISOs are looking for ways to partner with Finance to reduce cyber risk.
The fact is that Finance and Accounting are frequent targets of cyber-criminals, and a function with so many manual processes and legacy applications can, in some cases, be a ripe target.
One study by The Ponemon Institute now puts the average cost of a breach at around $3.9 million when all is said and done—not to mention the lingering brand and reputational damage that arises from one.
Many finance and accounting functions still run legacy software, which in some cases hasn’t been patched or upgraded in years, creating risk. Spreadsheets with sensitive financial and customer data are still often stored on file servers or in email, which can create vulnerability. No wonder the scope of audit has expanded to mitigate cybersecurity risks and put more controls in place.
Too often, breaches and fraud can take a long time to discover—or remain undiscovered. In cases where there is a security event around accounts payable, it may take months to notice the issue (if it’s discovered at all) if robust automated reconciliations and variance analysis aren’t in place.
One study by the American Accounting Association found an 80% to 90% higher incidence of fraud in companies with material weaknesses.
But as finance leaders take more control of cybersecurity, there are multiple opportunities. First, in terms of proactively tackling fraud, whether stemming from an internal or external cyber event, the latest accounting automation technology that can minimize risk is more accessible than ever.
Technology like robotics, account reconciliations, journal entry automation, and high-volume automatic transaction matching can enable Accounting to significantly reduce exposure. For example, it’s easier than ever to automate risky areas like manual journal entries. Accounting can use automation so they can focus on investigating high-risk accounts by letting automated rules certify low-risk ones.
AI and machine learning can match high-volume transactions across areas like PO to invoice, bank to accounts receivable, and credit card. This allows teams to easily match the whole population no matter the volume, screening for problems, while anomalies can be quickly rooted out, investigated, and acted upon. Dashboards can show trends and variances on accounts, or exceptions on accounts and transactions, so Accounting can immediately focus on hunting down issues before they get out of control.
With centralized automation in place, the accounting team can cut spreadsheets around areas like reconciliations, often by 80% or more—reducing the risk of sensitive data being left out on file shares, inadvertently emailed, or otherwise left unattended.
Finally, moving risks and controls checklists and matrices out of spreadsheets, documents, files, and folders is critical to ensuring that testing and updates are manageable. With an increasing array of risks and controls in scope, most A&F teams are moving to a centralized, easy-to-update store that acts as a repository for all controls across all locations: a “one-stop-shop” for the organization’s overall risk and control universe.
As A&F moves more systems to the cloud and continues to build their new modern digital landscape based around best-of-breed applications, they can and must ensure they select vendors that provide the right and most stringent certifications, like SSAE 18/ISAE 3402 SOC 1/2/3 and ISO 27001:2013.
In the process, it’s essential to ensure those vendors have the right security, controls, and resources in place to appropriately safeguard their data and processes. By asking the right questions and getting the correct answers, Accounting can tap into cloud application providers that have SecOps resources, data centers, controls, and disaster recovery protocols that are often hard to achieve cost-effectively with in-house personnel running on-premises systems.
The sweet spot is selecting an accounting automation solution that meets the most rigorous security standards and can improve cybersecurity and reduce cyber-fraud risk by eliminating spreadsheets and manual accounting processes, all in one fell swoop.
However, understanding the intricacies of the latest standards, certifications, and what to look for in a provider’s cybersecurity footprint can often be complicated for accounting and finance leaders. It’s essential to understand what certifications to look for and what they contain, and establish a cloud provider checklist in partnership with IT.
We created a guide to help accounting and finance leaders ensure their providers meet the most rigorous standards as they move to the cloud.