These two entrepreneurs say "don’t outsource accounting,” RDP risks, and remote accountant policies

Outsource Everything But Accounting.png

Stories in this episode

53% of accountants’ clients ready for Making Tax Digital launch — Accountancy Daily — Significant numbers of accountants’ clients are still struggling to prepare for the advent of Making Tax Digital for VAT, which is now only six months away, according to the Association of Accounting Technicians (AAT)

Outsource Everything but Accounting, Quality Control and Sales — Entrepreneur — Michael Houlihan & Bonnie Harvey argue that "It’s almost impossible to get... critical numbers in a timely manner from an outsourced accountant.” Sounds like an opportunity! `

Warns of Hackers Using Remote Desktop Protocol, Is Your Business at Risk? — SmallBiz Trends — According to the FBI, use of Remote Desktop Protocol as an attack vector has increased, and intrusions are difficult to detect. 

6 Things Your Remote Accountant Policy Should Include (But Probably Doesn’t) — AccountingFly  — Here are six excellent items to include in your policy about working with remote staff. — Also check out this related story on the legal liability of freelance remote accountants.

Outsourced CFO Engagements: A Risk/Reward Perspective for CPA Firms — CPA Practice Advisor — Outsourced CFO work is a lucrative practice area, but firms must be sure to assess the risk of these client engagements.

Transcript

Cloud Accounting Podcast E40: These two entrepreneurs say "don’t outsource accounting,” RDP risks, and remote accountant policies

This episode of The Cloud Accounting Podcast is sponsored by Elefant. As a listener of this show, I'm pretty sure you've already embraced technology, and practice efficiencies, but sometimes, it's hard to find training in those areas. Some of you look to your state societies to get CP credit, but those tend to be tax-, or audit-focused, and, quite frankly, from what I've heard, pretty boring.

Thankfully, our friends at Elefant have created education for tech-savvy accountants, and bookkeepers, like yourself. They offer training on platforms like Xero, QuickBooks, and Zapier, webinars on topics, like cryptocurrency, and firm marketing; have all-star instructors, who not only understand technology, but are using it to run their own practices.

Just for you, Elefant has a special offer for Cloud Accounting Podcast listeners. Visit ElefantTraining.com/CAP - that's E-L-E-F-A-N-T training dot com slash CAP - to receive 50 percent off your first webinar. That's ElefantTraining.com/CAP for 50 percent off your first webinar. Elefant, building better practices, one bite at a time.

Welcome to the Cloud Accounting Podcast, a show for accountants, and bookkeepers using cloud technology to make their jobs more strategic, and impactful. I'm Blake Oliver-.

And I'm David Leary. Blake, how's it been? I feel like I'm on a vacation for a couple days, but it feels like it's been forever.

It has magically become fall here in Los Angeles. It is cooling down. I can ride my bike. I'm not sweating. This is why we live in LA. It's amazing.

Livin' the dream. Awesome. Should we jump in?

Let's do it. What do ya got?

This is a little bit UK-focused. I don't know how many of you have been following, but the UK has a mandate that, as of April 1, 2019, all the VAT taxes need to be making tax digital. What they've done, they have a bigger initiative in the UK that's gonna make all taxes, and interactions with the government, when it comes to financial information, digital.

I remember, at QuickBooks Connect, at the UK, a little while ago, the person that's driving that effort gave a keynote. It was very like a Silicon Valley ... Super-dreamy ... You wanted to move to the UK, just so you could be part of this making tax digital effort. That's how dreamy it was.

Wait, wait, hold up, hold up. Making tax digital, what does that actually mean? That means filing taxes. No, you can't use paper anymore; you've gotta file electronically?

The short answer, yes. They're getting rid of all paper.

There was something else in there, about ... We were talking to somebody about this in Australia, where they're doing something similar? They've gotta do it with software, right? You can't just go online, and fill out a form. Is that right?

Exactly. I think, in Australia, when we were talking about this, it was they have one-touch payroll, which would be like filing your 941, every single time you cut a paycheck, and paying your payroll liabilities.

Wow.

That's something that nobody's gonna do that by hand, so, it's gonna have to be done with software. [inaudible] in the article, which is interesting about this article, the title: "53 Percent of Accountants Say Their Clients are Ready for the ..." this launch of making tax digital, which is actually higher than I would've expected, just based on the pace of change to new software.

I think, cuz it's a survey of the clients ... Actually, the reason I feel ... I'm really suspect of it, is if you get down deeper in the article, it talks about the ... I'll read this quote, exactly. "Clearly, there are more than 50 software providers that already have recognized compliance software. This is some way short of the 150 providers, who have said they will provide software that's compliant."

There's a disconnect, right? How can so many people be ready, or say their clients are ready, if a lot of the software providers still are not ready? Either they're switching everybody to the software providers that are, or accountants are just not estimating the real effort, here, and maybe aren't as ready as they think they are.

This'll be an interesting one to watch, as the turn of the year comes, and as April 1st comes. Has making tax digital become a big April Fool's joke, you know? This could be a ... It's just one watch. I think it's reasons to watch, because I know a lot of states are starting to go down this path, here in the US. I think it's one to watch on these requirements, and how they roll out, and how people actually implement, and comply, ultimately.

Yep. At most, about half are there. They've got six months to go. We'll see what happens in six months.

Some are confident, some of their clients ... One in seven said none of their clients would be ready. You have some clients say that they're fully ready, and then, some are saying, "No, we'll never make it in time."

Well, I've got an article that appeared in Entrepreneur, called, "Outsource Everything but Accounting, Quality Control, and Sales." This is by a couple that does entrepreneurial writing, speaking for folks who are entrepreneurs, advising them.

Of course, this article caught my attention, because they say you shouldn't outsource accounting. I worked in outsourced accounting, and I had a firm that did outsourced accounting, so I'm wondering, well, what's their argument here? I think you can outsource accounting.

Basically, their argument is that things are happening much too fast, in a fast-growing business, in a startup, to be dependent on reports that are a month, or even two weeks old. You need to know what's happening daily. They give an example of a critical report that they had in their startup days, called the "Cliff Report," and it was basically a cash flow projection that told them how far they were from the financial cliff that represented bankruptcy, or how much runway they had, before they would go off that cliff.

They say that if you're starting a business, don't outsource; hire a really good in-house cost accountant, and that person will give you the reports that you need, timely, in order to run your business effectively.

That could be expensive, if I'm newer startup, or know I'm a new small business. I think this really should be rephrased- reframed of "Outsource to the correct person."

Yeah. That's what struck me about this is the writers are basically saying that - and maybe this is from experience, and maybe this is where the profession has failed - that, "It's impossible to get critical numbers in a timely manner from an outsourced accountant." That's a quote.

I think that's not the case anymore. If you're using the right technology, if you're in the cloud, then you can absolutely get those numbers to your client by the 10th of the month. The problem is that we've got just so many folks doing bookkeeping, and accounting on old systems. Yeah, then you're lucky to get it 30 days after the end of the month.

That's actually a great quote. We should print that out, put it on T-shirts, frame it. It should be the driving mantra.

What's the quote?

It's almost impossible to get these critical numbers in a timely manner from an outsourced accountant.".

Yeah.

Basically, if you're not working at your firm to make your firm debunk that statement, what are you doing?

Yeah.

That's a horrible impression of our space.

I would love to hear from our listeners, if you are running an outsourced department, outsourced accounting team, what is your target for getting the numbers out to all of your clients? Is it the 15th of the month? Is it the 10th? Is it the 5th? Is it different, depending on how much they are paying you? What plan they're on? It certainly was, for me. I really would love to know, so, please, get on Twitter, and tweet at us.

Yeah, I think this is a really strong statement. What about the rest of it? They're talking about quality control, and sales?

Yeah. The other two areas that you shouldn't outsource is ... One is quality control. If you're a product-based business, it's totally fine to outsource manufacturing, and fulfillment, and all that, but you should have the product sent to you, so that you can inspect it, and make sure that it's good, before you deliver it to customers. I can't see a fault with that.

Then, of course, sales. You're never going to be able to hire somebody on a contract basis to do sales for you, nearly as well as you will be, because you're passionate about the product, hopefully, if you started the business. This is a problem that a lot of accountants face, as they go out into business for themselves. They say, "Oh, I don't wanna do sales," and then, they try to hire somebody else to do it, or they try to contract it out. It just never works. You've gotta really believe in it enough to go out, and make your own sales-

Learn that skill, right? That part. that skillset, is part of your inventory.

Yeah, that was the number-one thing that I learned, when I had my own firm, was how to sell, how to talk to business owners. Totally worth it, but also horribly painful, for many years, until I figured out what I was doing.

No, that's a good article. I think you're right, people are gonna read this article, and have takeaways for their own firm, with the exception of the outsourcing your own accounting. I guess, if you have your own firm, maybe you should still do that for your own firm.

I've actually talked to people in our space, who have their own firm, and they actually don't like doing their own books, and they have somebody else do their books for them[crosstalk].

That's pretty funny.

Yeah, it's the shoemaker's kids, right, and their shoes. That phenomenon.

I'm about six months behind on my own books. I'm doing that, too. Hey, let's not get stuck on this. You've got a great, interesting article on security.

Yes. This just came out this morning. The FBI warns hackers are exploiting remote desktop protocol, so, RDP. I think this could be another article filed under the 'Quit Trying to do Pseudo-Cloud.' If you want remote, you need remote, you need your clients remote, you probably should move to SaaS. You need to move to online accounting systems, your SaaS cloud-based apps, and move on, away from these older protocols.

They said these attacks have been increasing since 2016, and they do have some lists on ... Actually, before we do that, just to work backwards. Remote desktop protocol, do you wanna define that, from your terms?

I haven't used it all that much, myself, but I did, when that was the only way I could access a computer at work. This is the program in Windows, remote desktop protocol, which you load that up on your laptop, and you can remote into that desktop computer at the office. You just put in your username, and password, and you get in.

Yeah, and it's super-convenient. You could set that up on your client; from your home, or your office, you could just get in there, and control ... It's like having a long keyboard, and mouse, and you can control your client's computer.

The problem is, in order to do that, you're kind of leaving a door open. Hopefully, somebody with the right key can open that door, but, if your passwords are weak, people can just get in, and then, they just have full control over that computer.

That's the problem, because it uses your username, and password that you use to log into the computer. A lot of people make that really easy, because they don't wanna have to remember a big, long password. If you're using 'Password1234' as your login, or your company name is your login, or something, it's pretty easy for a hacker to run a brute-force program that cracks that password, right?

Yeah, and then the FBI goes on, in the article, to talk about, apparently, there's different kinds of ransomware, and they talk about that. I think it's just ... For most people, it's ransomware, it's ransomware, right? It does get into some details on that, but it does have some ways to protect yourself. It's a lot of the things we've talked about here, right?

I don't like to say ... To folks that are comfortable using remote desktop, and they're not ready to move to a completely cloud environment, there are some better alternatives that will still give you what you want, with better security, like a hosting solution, where you use a virtual desktop that you remote into.

They can prevent these kinds of attacks because their servers ... A great example is AbacusNext, for instance. Their servers are monitoring for attacks, and if somebody keeps trying to log in, and they're just trying to brute-force, by trying different password combinations, they'll get locked out. That company is monitoring security in a way that your PC at the office is not set up to do.

Yeah, in a way, why doesn't Windows just have this built in? Like after 10 password tries, it's disabled, and somebody has to manually re-enable it on the physical machine. I don't know ...

Because, then, everybody would be calling Microsoft, saying, "Why am I locked out of my computer?"

Yeah, definitely; definitely. Then, a lot of this is use two-factor authentication, strong passwords. It's the typical stuff we talk about, feels like every week, on here. Have a good, reliable backup strategy. There's some logging mechanisms, where you can keep track of who's logged in, and where, and you probably should enable those, so you can review those logs.

Yeah, use a password manager. That's such an easy way to improve the quality of your passwords. If you're using easy passwords because you have a hard time remembering them, sign up for LastPass, and then, auto-generate really complex, long passwords that are 12 characters, or more, that are random. Then, you just have to copy/paste those from LastPass, whenever you log in. That is such a simple way to increase your security just dramatically. Get your whole team doing that.

Oh, totally agree. You got another one?

Yeah. This is from Accountingfly, my favorite site for people looking for remote accounting work on their blog. This article is called, "Six Things Your Remote Accountant Policy Should Include but Probably Doesn't." Let's go through the list, shall we?

Number one, restrict work to VPN/remote-desktop-unapproved hardware. Oh, hey, that's what we were just talking about. The idea is you don't want your remote accountants using their own laptops, which may include software that has been compromised to log in to your apps. You provide them with a computer, and only allow them to log in to those cloud apps on that computer.

Number two, unify remote access via a single client portal. For instance, here at FloQast, we use an app called Okta, which is a single-sign-on application. I have to log into Okta, before I can get into any of our cloud apps. I can't get into Expensify without going through Okta first. I can't get into Google Apps without going through Okta first; everything possible.

The benefit is that Okta is restricted to two-factor authentication, so I have to get a code on my phone to log in to Okta. If I ever left the company, then our administrator can just disable my Okta access, which automatically kicks me out of all the 20 applications I have access to.

That makes sense. That makes sense.

Number three, limit login locations. You can use IP-address filtering to force your remote accountants to only log in from, say, their city, or state, or the United States, or wherever they live, so that a hacker in Russia can't log in.

That's a good one.

Number four, require training sessions. I think that's something that a lot of people just forget, when you're used to an office environment. You forget that you need to train people extra, when they're remote.

Number five, ensure expectations are communicated upfront, and regularly evaluated. Number six, leave room for flexibility, and updates. A good example of that is if your team, your remote team, is using Slack for team chat, then the question is how often do they need to be on it? How frequently throughout the day? If that's how you're tracking presence - basically, them sitting at their desk - you should define that; say how long they need to be there.

Those are the seven, no, six tips for building out your remote accountant policy. I'll put that link in the show notes. I think it's really well done.

They have the best tip at the end, which is worry about this less, just by recruiting, and hiring the best remote accountants-

People have done it before. Well, that's hard, because not a lot of accountants have actually worked remote, so it's a chicken-and-egg problem. If you wanna recruit accountants that are working in industry now, and are sitting in a cubicle, somewhere, you're gonna have to do a lot of upfront training to get them comfortable with working remote.

Yes, it's definitely a new paradigm.

That's why, probably, the best thing to do to start, if you're building out a remote company, is to just recruit people regionally, so that, if necessary, they can drive an hour, or two, and sit in person with you for at least a couple of weeks; then, go remote. Whereas ,if you hire somebody clear across the country, it's gonna be really hard to train them, unless you've done it before that way.

Got it. I have an article that ... Just a cousin article about this ... We can just put it in the show notes. We don't have to discuss it. It's "Three Legal Liability Tips Freelance Remote Accountants Must Consider."

It's a very cousin-related article to this [crosstalk] shown us.

Actually, there's a lot you need to consider, hiring accountants, out of state, for your firm, because now, with the sales-tax ruling, and more states taxing services, it could create ... Well, it does create nexus for your firm in these other states. You have to file income tax. It gets kinda crazy. You might wanna talk with a firm that has done it before, before you go do it.

Then, do we have anything else? I think you had one more, right?

Yeah, the last article today is called, "Outsourced CFO Engagements: A Risk/Reward Perspective for CPA Firms." This appeared in CPA Practice Advisor. Three authors ... The one I know is - we both know - is Garrett Wagner, a CPA in New York. This is all about the risk of doing advisory services, which I think we were talking about a few weeks ago, right, David?

Yeah, there was a great article you found.

Yeah, so, this is sort of a great follow-up to that. Things that you need to consider, before you offer these outsourced CFO services, or, if you are offering them, make sure that you take a look at this right away. I'll just go through it real quick, and be sure to read the full article to get all the details, because it goes into great detail.

First is you gotta look at your insurance policy. A lot of professional liability policies exclude coverage, when you are acting as an employee, manager, officer, or director of a client, and outsourced CFO services could be construed as doing that. Therefore, if something happens, if one of your VCFOs gets in trouble, you might not be covered. You wanna make sure that you are covered for that kind of stuff.

Then, engagement letters. We talked about engagement letters, last time. You wanna spell out the scope clearly in your engagement letter of what exactly you are doing, and be sure to explicitly disclaim responsibility to detect, and prevent fraud, and make sure that the client knows that you're not gonna do that.

Another great thing to do is make sure that all your clients are insured for internal misappropriations, so, if there is fraud, if their staff are stealing, that you aren't held responsible for it. Then, make sure that you, yourself, are insured for staff misappropriations from your firm. If your person doing bill pay is doing some embezzlement, you need to make sure that you're covered for that.

Then, lastly, definitely make sure that you aren't engaged to do any audit, or review, because VCFO will impact your independence, and you can't do both those things. You may have to make some tough choices.

I think this episode, rather than the making tax digital, has been the outsourced episode. I think everything's about remote access, through outsourcing.

Oh, that's true. We somehow ... We didn't plan this, but it became a theme.

Yes. Cool. Blake, I think that's it. If people want to communicate with you, give us feedback, want to give us an article we should discuss on the show, what's the best way to reach you?

Tweet at me. I'm @BlakeTOliver. How about you, David?

You can tweet at me, @DavidLeary.

David, it was great talking. I'll see you next week?

Yeah, see you next week. Bye everybody.

Automatically convert audio to text with Sonix

Blake Oliver

Los Angeles, California, United States