CPAs' Primer on Enterprise Business Intelligence

In this podcast, Donny Shimamoto, CPA.CITP, and Rob Fisher, CPA.CITP, discuss why CPAs are well placed to get involved in BI initiatives and touch on the terminology and methodology of a BI initiative.  The implementation of an Enterprise Business Intelligence (BI) framework provides value, insight, and reliable numbers to an entire organization.  BI improves internal decision-making through the use of BI analytics and can maximize your information assets to increase profitability.

Teaser - CPAs' Primer on Enterprise Business Intelligence Overview

In this feature clip, Donny Shimamoto, CPA.CITP, and Rob Fisher, CPA.CITP, provide an overview of why CPAs are well placed to get involved in BI initiatives and touch on the terminology and methodology of a BI initiative.  The implementation of an Enterprise Business Intelligence (BI) framework provides value, insight, and reliable numbers to an entire organization.  Internal decision-making through the use of BI analytics and maximization of your information assets can increase profitability.

Components

A description of the components provided by each of the two vendors, AastraLink RP™ (http://www.aastralinkrp.com/) and D-Link VoiceCenter™, is given below.

Base Unit
  AastraLink RP 500 Base Unit, List Price: $1,649
  D-Link DVX-2000MS, List Price: $1,599.99

Gateway
  AastraLink RP 540 Gateway, List Price: $319
  D-Link DVG-3104MS, List Price: $339.99

Basic IP Phone
  Aastra 6751i RP, List Price: $139
  - 3 Line LCD display
  - Programmable speed dial keys
  - Full duplex speakerphone
  D-Link DPH-125MS, List Price: $139.99
  - 2 Line LCD display
  - Full duplex speakerphone

Enhanced IP Phone
  Aastra 6753i RP, List Price: $189
  - 3 Line LCD display
  - 6 Programmable keys
  - Up to 6 user lines
  - Full duplex speakerphone
  - Dedicated headset jack
  - Backlit display
  - Supports optional expansion modules
  D-Link: Not Available

Operator IP Phone
  Aastra 6757 CT RP, List Price: $399
  - Full 144x128 pixel display
  - 12 Programmable keys
  - Up to 9 user lines
  - Full duplex speakerphone
  - Dedicated headset jack
  - Backlit display
  - Cordless mobility with included handset unit
  - Supports optional expansion modules
  D-Link: Not Available

Phone Kits (Base Unit + Gateway + Phone(s))
  Aastra Starter System, 3-Phone (one each) Kit, List Price: $2,400 (save $295)
  D-Link DVX-2000MS-5, 5-Phone VoiceCenter Kit, List Price: $2,499.99 (save over $139)
  D-Link DVX-2000MS-10, 10-Phone VoiceCenter Kit, List Price: $3,199.99 (save over $139)

Additional Information
  AastraLink RP Fact Sheet
  Comparative Aastra RP Phone Matrix

FDICAlert_20090830

Ask a CPA.CITP

Kala – October 2009

Many of you have probably heard me or fellow CITP Ron Gouveia speak about data breaches and privacy over the course of this year.  Unfortunately, this threat appears to be growing and evolving.

You and Ron give presentations that scare us, but is the threat real?

YES! There is a very real threat.  In fact, the FDIC just issued a security alert on 8/26/09 to all financial institutions warning them of the “increase in the number of reports and the amount of losses” resulting from cyber-criminal activity.  The Washington Post (8/25) and the LA Times (8/27) both published related stories with examples: a Texas company that lost $1.2M to EFT fraud, a Pittsburgh school district that lost $700,000, and an electronics firm in Louisiana that lost $100,000.

If the FDIC is warning the banks, why do I need to worry?

Notice above that it was not the banks that had the losses, but their customers.  The cyber-criminals typically send an e-mail with an attachment or link to someone with access to online banking (commercial or private).  The e-mail either installs spyware or takes the person to a phishing site that captures the person’s username and password.  That event may or may not be detectable, so you may not even know that you’ve been breached until the money starts disappearing from your bank account.

I’m a small company; do I really have to worry?

As you can tell from the attack method above, if you receive e-mail, you are potentially open to attack.  Individuals and small companies are probably at higher risk of an attack going undetected, because their bank accounts may not get as much attention from their bank as larger companies’ accounts.  Financial losses may also hit a smaller company much harder than a larger one, so the damage caused by a loss could be devastating to a small business.

OK, you’ve got me scared again; how can I protect myself?

Small companies and CPA firms can use some of the best practices and security solutions that Ron and I have mentioned in our presentations (download my Aug ’09 presentation from [URL]).  Larger companies should join us at this month’s HSCPA Technology Advocacy Seminar to learn more about Hawaii’s ID Theft Laws and enterprise approaches and solutions for mitigating this risk.

Another great resource is the AICPA’s Generally Accepted Privacy Principles (GAPP).  Adaptable for use by both large and small companies, this guidance provides a great framework that you can use as a starting point for building your privacy and compliance program.  (There are also materials customized for use by CPA firms either internally or to help their clients!) Find it all at www.aicpa.org/privacy.

If you are feeling overwhelmed or are not sure how to proceed, don’t hesitate to contact me at donny@myitk.com.  I’ll help get you on the right path to privacy and security.

PCIDSS_20091104

Ask a CPA.CITP

Kala – December 2009

Earlier this year, the Payment Card Industry (PCI) Security Standards Council issued Data Security Standard (DSS) version 1.2, affecting all entities involved in accepting and processing credit card transactions.  Additionally, MasterCard increased its compliance requirement for level 2 merchants to require an on-site review by a Qualified Security Auditor (QSA) by 12/31/2010.  These changes emphasize the increasing risk of financial fraud and the increasing need for organizations to protect their (and their customers’) data.

I only use standalone terminals with dedicated phone lines; do I need to be compliant?

Yes.  The requirements are much lighter for you, but there are still requirements covering security policies, the handling of materials that contain credit card information (e.g. printed terminal transaction lists), and other physical safeguards.

What are the compliance requirements?

Compliance requirements vary by merchant level, and merchant levels vary by card type, but the general practice is to require that an entity comply with the strictest level at which it assesses for any of the cards it accepts.  The VISA levels are currently the general standard, and they are:

- Level 1 = Merchants with > 5M transactions
- Level 2 = Merchants with between 1M and 6M transactions
- Level 3 = Merchants with between 20,000 and 1M e-commerce transactions
- Level 4 = Merchants with < 20,000 e-commerce transactions or < 1M non-e-commerce transactions

In general, the requirements represent information security best practices and take into consideration the complexity and risks associated with the processing environment.

What do I need to do for compliance?

All levels of merchants should complete the PCI DSS Self-Assessment Questionnaire.  Lower-level merchants or merchants with simpler processing environments may not have as much to document, but they should still complete the relevant sections of the questionnaire to document the controls that they have in place.  If there are any direct control weaknesses, you can also document compensating controls.  (Sound familiar? Yes, PCI compliance is very CPA-friendly work: primarily controls-focused, not technology-focused.)

Depending on the merchant level, you may be required to have an on-site audit performed by a QSA and to have quarterly network security scans performed.

How do I get started?

Start by getting familiar with the new standards at http://bit.ly/3J9zIN; from the same site, you can download a copy of the self-assessment questionnaire and start seeing whether you can complete it.  If you have difficulty completing the questionnaire, consider hiring a CITP or CISA to review your answers or help you document compliance.  By identifying any control weaknesses before a breach happens or before an auditor comes in, you can reduce your risk of incurring penalties or sanctions from the credit card companies.  Additionally, if you do have a breach, Hawaii’s ID Theft Laws can impose additional fines and damages, so it is better to be safe than sorry.

If you are feeling overwhelmed or are not sure how to proceed, don’t hesitate to contact me at donny@myitk.com or (808) 735-8324.

SaaS_20090630

Ask a CPA.CITP: In-House versus Cloud Solutions

Kala – December 2009

I recently received an e-mail from a fellow CPA asking about “cloud computing” or “Software-as-a-Service” solutions and their implications for business operations.  Her e-mail started off:

…I would be interested in knowing more about the movement toward [cloud computing].  One of my clients uses a database that is [cloud]-based, and my two biggest concerns are that 1) they won’t have access to any of their information should there be a problem with Internet access and 2) they may not be able to adequately retain their records should they ever decide to switch from this vendor.  In addition, it is also very expensive in my opinion.

Her questions were all questions that we as CPAs should be asking our clients as they look to these types of cloud-based applications (especially financial-related applications).

How can we guide clients when they are looking at Cloud solutions (security, data access, etc.)?

It is important to make sure you’re doing your due diligence in understanding who the vendor is and how they are providing the service.  Look at the software itself to determine whether it provides the necessary logical access controls and security (e.g. encryption) to prevent unauthorized access by external parties and by the vendor itself.

Also investigate how the vendor is hosting the software.  Is it with a reputable hosting company, or is the vendor doing it in-house?  Does the hosting company have a SAS 70 report or similar information available that assures you the data center has proper internal controls in place for security and reliability?

Are there certain types of software that should never be considered for use strictly through the Internet?

I’m inclined to say no to this, but this is a very grey area.  It depends on the risk tolerance of the client.  Because you don’t have physical control or access to the data, there is a risk that you may not be able to access the data under certain extreme circumstances.  So it comes back to diligent vendor selection.  Sometimes it may be hard for us to get physical access to a vendor’s data center, and because of this, clients may prefer to have their data “in-house” where they know they have access to it.  However, there is then the higher burden of making sure that the data is secure in our own office/network.  Thus it’s a question of which risks the client thinks they can more easily mitigate: vendor or in-house.

Vice versa, are there certain types of software or situations that work really well as Cloud solutions?

I’ve found that when you have people who work outside of the office a lot, Cloud solutions work well because of the ubiquity of Internet access.  For clients that don’t want to deal with having their own servers, Cloud solutions also ease their maintenance burden.  Other than that, I think both Cloud and in-house solutions work well in pretty much all situations.  In my firm, for our operations we use approximately 60% in-house and 40% Cloud; however, we are probably going to move more toward Cloud as we move forward.

What steps should be taken when the client is considering a change in vendors from one web-based package to another?

You would follow all the normal steps you would take for an in-house package.  The one difference is that once you terminate the “old” vendor, you potentially no longer have access to that data.  Thus the exit strategy is one of the things that I look for when going through vendor selection.  Just as when setting up a partnership entity, make sure you have the exit strategy figured out BEFORE starting the business relationship.

Lastly, there is her concern about cost.  Generally, the cost of a Cloud solution should be less than in-house to make sense.  I usually like to analyze this as a three-year amortization of in-house up-front costs (server, software license, installation services, etc.), plus estimated maintenance for three years.  I compare this to the three-year cost of the Cloud solution.  The cost difference should be one factor (in addition to the business continuity, security, and data access concerns mentioned above) in deciding whether to go with an in-house or Cloud solution.

I hope that helped provide some guidance to anyone else that may be helping a client through a Cloud decision or considering a Cloud solution for their own company.  If you have any other questions, please e-mail them to me at donny@myitk.com.


Donny C. Shimamoto, CPA.CITP, is the founder and managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based CPA.CITP consulting company dedicated to helping its clients leverage strategic technologies, proactively manage their business and technical risks, and enable balanced organizational growth and development.  Donny is the current Chair of the HSCPA Technology Advocacy Committee and a member of the AICPA IT Executive Committee.  Donny was also the first Certified Information Technology Professional (CITP) in the State of Hawaii, and was named to CPA Technology Advisor’s “40 Under 40” list in 2007.  Donny welcomes comments and feedback via e-mail at donny@myitk.com.


Article For PBN

CPAs Specializing in IT Bridge Business and Technology


There are a lot of information technology (IT) professionals and system vendors out there that have very good technical knowledge, but if they don’t understand the potential business issues and impact of technology on a given business process, they may make recommendations that introduce risk into your organization or negatively impact your financial transaction processing.  CPAs specializing in IT can help to ensure that technology risks such as information security and data integrity are managed.  They can also support the implementation process to ensure that a strong internal control environment is maintained and that the flow of information from a customer’s first inquiry to the point where it hits your financial statements is streamlined.  Kathleen M. Grey, chief financial officer of Missouri Corporate Credit Union, noted that their CPA who specializes in IT was able to provide “a holistic approach to [their] organization’s information security needs, helping [them] to bridge the gap between the ‘tech’ side of IT [and] the practical management of day-to-day activities.”

No matter what phase you are at in your IT project, you should get a CPA involved.  In addition to helping evaluate return on investment (ROI) and other financial analyses of a project, CPAs specializing in IT can help to identify and reduce risks related to: information security, privacy, regulatory compliance, data integrity, data quality, internal controls, decision support, and the management of the flow of transactional data from source systems to financial reporting.  Because of their experience in working with a variety of systems and technical environments, CPAs specializing in IT can also help to sort through the plethora of vendor promises, sales pitches, proposals, and product literature to provide an independent and objective perspective on the true benefits that a technology can reasonably deliver.  In other words, they can bring a balanced perspective to the table that helps to ensure that you make informed technology decisions while addressing business risks and maximizing opportunities.

At Catholic Charities Hawaii, through a capacity building grant, a CPA specializing in IT helped the organization to establish a five-year vision and identify the technologies that would support the optimization of its business processes.  The CPA oversaw the development of a request for proposal (RFP), and assisted in the selection of an accounting system vendor.  He helped to ensure that the selected software was capable of supporting the finance department’s operations and that it also integrated cleanly into the charity’s overall financial management and decision support information architecture.  During the implementation, the CPA also served in a quality assurance role to ensure that the charity’s business and technical risks were adequately managed, and that data was properly integrated and structured to support the organization’s long-term operational, compliance, and financial reporting requirements.

Agility and flexibility are key competitive advantages for small businesses.  CPAs specializing in IT can help small business owners to streamline accounting and operational processes, minimizing the time spent doing paperwork and allowing them to focus on growing their business by responding quickly to market developments and spending more time with their customers.  They can also help small business owners ensure that the accounting software used by the business provides accurate information and useful reports, which enables them to make more intelligent business decisions supported by facts and not “gut feel”.

By including a CPA specializing in IT on your organization’s board, advisory group, management team, or project team, or even just as a consultant, you can help to ensure that the IT-based projects that you undertake achieve real business results: streamlining operations and maximizing productivity, while managing risk and financial returns.

by Donny C. Shimamoto, CPA.CITP

Donny is the founder and managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based consulting company dedicated to helping small businesses and middle market organizations leverage enterprise technology, risk management, and organizational development strategies.  Donny was the first Certified Information Technology Professional (CITP) in the State of Hawaii, was recognized as one of Hawaii’s Top High Tech Leaders by the Pacific Technology Foundation and the Technology News Network, and was recently named to CPA Technology Advisor’s “40 Under 40” list.  He welcomes comments and feedback at donny@intraprisetechknowlogies.com or reach him by phone at (808) 735-8324.

IsYourDataProtected

Is Your Data Protected? Increasing Data Security and Confidentiality Risks Require a CPA’s Attention


CPA firms and their clients are operating in an environment in which a tremendous volume of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet.  Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate.  At the same time, laws and regulations with significant penalties have been passed, or are being passed, by states, the Federal government, and industry groups, increasing the consequences of data breaches and privacy violations.


This year’s AICPA Top Technology Initiatives (www.aicpa.org/toptech) survey found that CPAs around the nation are focused on this issue.  The top three initiatives for 2009 are:

1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Exchange, and Transmission

All of these initiatives work together to ensure a well managed and secure computing environment.

Information Security Management is “an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external threats.”  Sound like something your IT person should be focused on?  True, but CPAs need to be involved in identification of data/information to be protected and determination of the level of protection needed for different classes of data that may be at greater risk.

Privacy Management “involves the strategies and safeguards used to protect the privacy of an organization’s records that include resources, restricted assets, personnel, client, and customer personally identifiable information.”  This definitely falls under the realm of the CPA, since most of this data is kept in the accounting department or in a CPA firm’s records for its clients.  CPAs are also the ones who normally have to wade through all of the regulations and standards to extract compliance requirements and build internal controls to ensure and monitor compliance.  To aid in this, the AICPA has just released an exposure draft of Generally Accepted Privacy Principles (GAPP) that CPAs can use to structure their firm’s or organization’s privacy compliance program.

Secure Data File Storage, Exchange, and Transmission initiatives seek to mitigate the risk of stored data being altered to commit fraud, of data being intercepted by an unscrupulous person during transmission, and of exposure from the loss of data due to theft or loss of a portable device (e.g. laptop, mobile phone).  Data encryption, secure communication channels, and other security solutions can help to mitigate these risks.  While your IT person may be great at keeping your computers and network running, these types of security solutions generally require a security specialist when being implemented for more than just a few users.  There are also personal data security solutions that do not require the involvement of an IT person, which you as an individual can use to help ensure that the data you work with is secure.

The bottom line is that CPAs need to be actively looking at data security and confidentiality risks for themselves and the organizations they work for.  You don’t need to become a security expert, but you do need to have enough of an understanding of the compliance requirements and potential financial impacts (e.g. fines/penalties) to ensure that you are helping to minimize your clients’ or organization’s risks in this area.

Your IT person definitely needs to be your partner in addressing this risk, but also don’t be afraid to call in a consultant to help you, since these issues can be multi-faceted and it can be easy to overspend on a security solution that doesn’t really address your risks.  If you do use a consultant, make sure that they are someone who has experience in both risk management and security (and preferably not a security solutions vendor); this will help to ensure that you get an objective perspective and that they help you identify the solution that is the best fit for you.

Want more information?  Have some questions?  Join us at the HSCPA’s Xth Annual Conference on June 12, 2009 at [location], where a panel of experts, including Ron Gouveia, CPA.CITP of Carr, Gouveia + Associates, CPAs, Inc., and myself, will be on hand to discuss this timely topic and answer your questions.



Donny C. Shimamoto, CPA.CITP, is the founder and managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based consulting company dedicated to helping small businesses and middle market organizations leverage strategic technologies, proactively manage their business and technical risks, and enable balanced organizational growth and development.  Donny also works with larger organizations as a trusted business advisor, facilitating organizational strategic planning and execution, IT governance and planning, enterprise architecture, information architecture and assurance, business process improvement, and business intelligence initiatives.

Recognized as one of Hawaii’s Top High Tech Leaders by the Pacific Technology Foundation and the Technology News Network, Donny was also the first Certified Information Technology Professional (CITP) in the State of Hawaii, and was named to CPA Technology Advisor’s “40 Under 40” list in 2007. 

Donny welcomes comments and feedback via e-mail at donny@myitk.com or reach him by phone at (808) 735-8324.