Accountants losing track of their own data is irresponsible. Accountants losing track of their clients' data is a blunder that can threaten the entire firm if not addressed quickly. This was the lesson learned by "Mark," a senior associate at a respected CPA firm, as he worked on an audit for "XYZ Corp."
During initial discussions with the audit clients, Mark became uneasy about data requirements — though he considered asking for less information, he feared that might give the impression his analysis wouldn't be thorough. So, he instead reluctantly accepted the more extensive data dump provided by XYZ Corporation in the form of a USB drive.
Despite his reservations about the overwhelming amount of information, Mark justified his acceptance of the drive by convincing himself that having access to all the HR data would enable him to provide a more comprehensive analysis — even if it went beyond the audit's scope.
Unfortunately, Mark later misplaced the USB drive after leaving the client's office, a realization made worse by the fact that not only did it contain data pertaining to terminated employees and access revocation, but it also held a wealth of personal information, including Social Security numbers, addresses and other highly sensitive details belonging to current employees. The consequences of losing such valuable data, he knew, were tremendous.
Mark desperately retraced his steps, searching every nook and cranny, but to no avail, all while his mind raced with thoughts of compromised security, identity theft and the potential legal ramifications to which he had inadvertently exposed himself and XYZ Corporation.
Filled with a mixture of guilt, regret and fear, Mark pivoted and made a firm decision to confront the situation head-on. He immediately reported the data breach to his supervisor, laying bare the full extent of the incident and accepting full responsibility for his oversight. His boss was disappointed but recognized the gravity of the situation and assured Mark it would be addressed with the utmost seriousness and transparency, starting with activating an incident response team to mitigate the impact of the breach.
Mark's firm promptly notified the affected individuals, extending guidance and support to protect their personal information. The firm also engaged the services of a reputable cybersecurity company to conduct a thorough investigation, identify vulnerabilities and establish safeguards to prevent similar incidents in the future. Meanwhile, XYZ Corporation instituted strict protocols to ensure secure data sharing and handling during audits, and diligently educated their employees on data privacy and cybersecurity best practices.
This real-life account came from Schellman, a Top 100 CPA firm specializing in IT audit and cybersecurity. Schellman CEO Avani Desai noted that the incident underscores the importance of implementing robust security measures such as encryption, access controls and secure storage at every stage of the audit process. It is important to not compromise when it comes to the security and privacy of client data, even if it means asking for less than initially offered.