Steven R. Berger, a shareholder at law firm Vedder Price, warned of the threats posed by technology in his presentation on legal and ethical issues at the Foundation for Accounting Education’s Auditing Standards Conference Webcast on Nov. 1.

“COVID-19 has reshaped the practice,” he said, with the result that “life has changed for all of us.”

One of the many challenges occasioned by this reshaping is the dependence on technology. Combined with the move to remote and hybrid work in many cases, Berger stressed that, despite the potential threats to accountants' compliance with auditing standards and ethical obligations, “our ethical obligations do not change.”

“Our lives have changed ...,” he said. “We are never going back to the way it was. Is it better or worse?”

The challenges of remote work are complex, he said, as there is no universal approach. He cited four ethical risks involved in remote work—independence, confidentiality, competence and communication—that need to be addressed as the profession performs “traditional audit work with untraditional processes and procedures.”

“Remote work increases risk,” he said. “You are not sitting with your colleagues,” which is why communication matters when it comes to working on a remote accounting team. He also said that competence in new technologies is key to understanding client and accounting firm systems, and that confidentiality risks are greater with new technologies.

“The accountant must be competent in technology in order to supervise other accountants in compliance with ethical obligations [and be] extra attentive to any risks of confidentiality posed by remote locations,” he said. “Employees shouldn’t be working in Starbucks, airports or airplanes” where hotspots are not secure or "people could be looking over your shoulder,” he said. “Remote work does not change obligations of supervision.”

With regard to the risk to independence, Berger detailed how remote work can threaten it.

Citing an AICPA rule providing that a member must document the safeguards employed to eliminate or reduce threats to an acceptable level, he focused on two particular threats to the performance of non-attest services for an attest client: management participation and self-review.

“Accountants who play a role in setting internal controls or implementing processes for audit clients may create independence problems,” he said. “You cannot review your own work. You cannot take a fee or a commission.”  

He specifically mentioned bookkeeping, payroll and other disbursement services performed for attest clients that can create self-review and management participation threats to independence. He also singled out hosting services, a non-attest service which can lead to the CPA’s maintaining internal control over the client’s data or records.

“Hosting services are a bigger threat in the remote world,” he said. “The client may say, ‘Can you take this over?’ If you are the only place where that data may be found, you are a non-attest service, [which can] impair your independence by participating in management.”

“You have to be honest with yourselves over what you can and cannot do,” he said.

Turning to the issue of cybersecurity, he asserted that rapid digitization has opened the door to a wave of cybercrime, such as data breaches at clients and accounting firms.

“Make sure you don’t cause [a breach] by accessing [clients’] data,” he said, warning practitioners of the dangers of unsecured devices such as laptops and mobile phones, which can be stolen or hacked. “You need to take a look at how your employees are working remotely,” he said, urging organizations to issue company devices only and to conduct periodic phishing tests.

Berger recommended avoiding the use of public file-sharing services such as Dropbox, using a virtual private network, establishing safeguards, and training employees in these processes and procedures. In addition, he said, “You need to look at what resources you have and constantly upgrade them.”

Every firm should also have a cybersecurity risk manager to oversee implementation of safeguards and enforcement of the cybersecurity program, he said, and firms must have a rapid response system in place to be triggered immediately upon discovery of a breach. He strongly encouraged the acquisition of cybersecurity insurance, “an essential element and cost of the practice.”

Berger then elaborated on many of the issues in the context of e-discovery in the remote work environment. One element that had not mentioned previously was the use of texting in the business environment.

“Texting is very dangerous,” he said. “You should not be giving business advice in a text,” as it  can be considered evidence and can be subpoenaed. Professionals should also be wary of the ethical risks posed by videoconferencing in e-discovery by being sure that they know who is on the call, being aware of what is on the screen during the call, and ensuring that the call is secure and being conducted with a company device.

He termed many of the elements of what he discussed “the risks of technology incompetence.”