Randolph Johnston

Smartphones and Tablets

How using mobile technology strategically in your firm can make your team more productive, better managed and improve your ROI.

August 1, 2011
by Randolph Johnston, MCS, MCP


In last month’s column, I revealed how mobile technologies can empower your business. In this article, I show you how to use mobile technology to better manage your staff, help them be more productive and improve your return on investment (ROI).

Choose a strategy, choose a problem and solve it. Dashboards, time and billing and invoicing solutions, expense tracking and mobile payroll are a few examples of how accounting applications have been mobilized through Software as a Service (SaaS), browser applications and native applications. You need to develop a strategy that aligns with your business plan’s strategy and tactics, by choosing a high-value problem and solving it. However, before you have your organization jump into mobile technology too deeply, think about the controls needed on the data, the devices and the access provided to employees.

Control Procedures

Consider and define key procedures for deploying mobile devices initially and to new employees. How are the devices set up, how do we install applications, how do we keep unwanted applications from being installed? How do we protect and control client data, grant access to our network resources and deploy applications? What happens when we lose a device, terminate an employee, or have a device stolen?

SAS 78 (Statement on Auditing Standards No. 78 is known as "Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55) defines control activities as those policies and procedures that help ensure that management directives are carried out. Examples of common control activities found in many small businesses include:

  • Requiring dual-signatures on checks;
  • The three-way match between purchase orders, receiving reports and accounts payable invoices; and
  • Requiring management approval of increases in customers’ credit limits.

SAS 78 continues by defining the following five interrelated components of internal control (see Figure 1):

  1. Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how risks should be managed.
  3. Control activities are those policies and procedures that help ensure that management directives are carried out.
  4. Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  5. Monitoring is a process that assesses the quality of internal control performance over time.

CPA firms can also consider control strategies, such as IT general controls and access controls implemented at the SaaS application level to mitigate mobile device risk.

Five Interrelated Components of Internal Control Framework

Falling under the umbrella of accounting controls are four different types of control activities:

  1. Preventive controls: Preventive control activities are those activities that are designed to avert a control objective from being or not being achieved. An example would be User IDs and passwords over computer systems to prevent unauthorized access to applications and data;
  2. Detective controls: Detective control activities are used to identify instances where undesirable actions have occurred.  An example would be exception reports indicating attempts to gain unauthorized access into computing resources to expose, after-the-fact, unsuccessful attempts by users to gain access to applications and/or data;
  3. Deterrent controls: Deterrent controls are intended to discourage individuals from intentionally violating company policies or procedures.An example would be warning messages displayed by software applications advising of potentially hazardous actions; and
  4. Compensating controls: Compensating controls are used to counteract a known internal-control weakness.An example would be an alert or an exception report indicating expenditures over a certain level.

Consider implementing and maintaining an effective internal control structure for mobile applications using the four distinct phases.

  1. Defining specific organizational objectives;
  2. Assessing the risk to the organization of not meeting the defined objectives;
  3. Responding, as appropriate, to the assessed risk; and
  4. Monitoring to ensure that objectives are met over time.

There are clearly issues using mobile technology, particularly for tablets and smartphones: security of the device and data, screen size, slower data entry on smartphones and tablets, synchronization of files, connectivity, standardized deployment, organization of applications, training, projection limitations, unwanted applications installed by the user, malware and anti-virus protection, application updates, battery life, weight, and theft that triggers security breech reporting are all issues in mobile deployment.

Protection and control of the data, losing a device, terminating an employee or theft can all be risks to firm and client confidential data. Multi-factor authentication, encryption of the device or at a minimum pin codes or swipe patterns should be enabled to protect the data. Security breach laws apply to these mobile devices and you should check your state regulations to help set and comply with your firm’s strategy in this area.

Screen size is the key limiting factor. Smartphones have become small enough that they conveniently fit in a pocket or a handbag. Today’s tablets are often too heavy or too large to be conveniently carried, but are typically smaller and lighter than most portable computers. Vendors introducing five-inch and seven-inch tablet models argue that the screens are large enough and the units are lighter and more portable than the 10-inch versions. Netbooks may get close to tablets in size and weight if external keyboards are added to a tablet. However, no Netbook today can get close to the battery life or instant-on capability of a tablet, while touch screens are still a notable differentiation. Sensitivity to touch, whether too sensitive or not sensitive enough, is an additional consideration. To do serious work in the field, more speed, a 10-key pad and larger or secondary screens become a factor, leading us to 15” and 17” notebooks and greater weight.

Why Smartphones and Tablets Are Not All That Peachy

Smartphones and tablets are best visualized as content consumption devices and are not very good for data input. Entering data is possible, but you will be much more time efficient on a laptop or desktop than on a tablet. That said, laptops may not be portable or accessible enough for all situations. The touch input for typing may be too slow to be effective. The small screen size and “thumbing” of messages on smartphones may be too cumbersome or time consuming. The weight of a tablet may be too heavy for people with hand problems or arthritis. However, on the whole, the portability and accessibility of smartphones and tablets make them useful tools.

What to Consider Before Investing

Mobile technology cost of ownership is clearly higher than the initial investment of $300 to $900 per device. On-going operational costs for connection contribute to the cost of ownership. Training is not automatic, and must be considered. See the Mobile Deployment Checklist as a starting point of items to consider. Don’t fall into the trap of being enamored by the technology. Build a business case for the investment, estimate the costs, identify the risks, and estimate the return.

Acquire a few products, possibly from different vendors and implement your planned applications, test your procedures and internal controls. This developmental sandbox will help you find out what works, what doesn’t, what is helpful and what the issues are. Purchasing a few products for testing is usually more effective than reading reviews and research. After everything is working properly, back up, wipe the devices clean and implement from scratch or deploy applications as planned. Test control procedures as if a device has been stolen. Assume an employee has been terminated or just doesn’t return to work. How is the mobile device handled? Test the procedure. When all seems to be working as planned, deploy the mobile technology to a test group. Get feedback, improve your processes, change items as needed and then deploy to your team. This process doesn’t have to take months or years, but a few weeks or months testing can save thousands of dollars and hours.


While mobile technology can make your team more productive, a well-managed mobile technology can improve your return on investment.  Enjoy the sizzle and convenience of mobile technology, but at the end of the day, use the technology to manage the business better, serve clients better and make team member’s lives better, and only then will you have a winning formula.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Randolph P. Johnston, MCS, MCP is executive vice president at K2 Enterprises. He is a nationally recognized educator, consultant and writer with over 30 years of experience in strategic technology planning, systems and network integration, accounting software selection, business development and management, disaster recovery and contingency planning and process engineering. Please note the product recommendations and advice as expressed in this article are solely the author’s and in no way reflect the views of the AICPA or CPA Insider™.