Data Security Accountability in Finance: Legacy Software Risks - Palladium

Who is Accountable?

If you consider which division within a business deals with the most sensitive and confidential information, it’s hands-down the finance division. They have access to customer, vendor and employee data that needs to be kept confidential and secure. The question that needs to be asked is: who is responsible if some of that personal information is lost or corrupted because legacy software is being used by the finance division?

The Protection of Personal Information Act (POPI) is pending, with experts speculating that it’ll be implemented early next year. Stephen Corrigan, CEO of Palladium Business Solutions, says Chief Financial Officers, Chief Information Officers or even the business’s accountants could find themselves in the firing line if the company falls foul of the act. “Businesses that run legacy accounting software will be unable to comply with POPI as they are simply unable to protect their data. They’ll also find themselves unable to adhere to either the King Report on Corporate Governance or the International Financial Reporting Standards – and they may not even be aware of it.”

Corrigan says: “Ignorance is no excuse. All stakeholders need to know whether the accounting software that the business is using was developed using obsolete technology. One of the biggest risks when using outdated software technology is that all too often they have to run in Administrator mode, giving every single user unlimited access to all of the business-critical information, regardless of their seniority (or lack thereof) within the business. This puts their data at risk of being accessed and potentially shared by any employee with basic user rights.”

“I believe that software vendors have a legal and moral obligation to tell clients that they are using software based on redundant technology and to explain the implications thereof. Furthermore, I believe that accountants, CIOs and CFOs need to educate themselves about the software that the business is using to ensure that it’s a supported technology.”

In fact, Corrigan takes it a step further, saying that auditors also have a responsibility to highlight any potential risks to the business when conducting corporate reviews. An auditor doesn’t just report on the numbers; they also report on any potential risk that can affect the future sustainability and continuity of the business. “Running on outdated accounting software is most definitely a risk to any business. And at least half of South Africa’s biggest businesses are running this type of software.”

He explains what he means by software based on outdated technology: “Some accounting software is developed using a programming language that has not been updated since 2007. Ten years down the line, that software is unstable and unsupported. When you consider the cyber security threats that have emerged this year alone, you can see how this software might be highly vulnerable to attack.”

Corrigan says there are two primary reasons for businesses still using these types of software despite the inherent risks: “Firstly they might be unaware that their software’s underlying technology hasn’t been updated or supported in over 10 years. But it’s also possible that they are simply afraid of the investment (and change) involved in upgrading to more modern accounting software.”

He says it’s highly unlikely that a software vendor would reveal to potential clients the risks they face if they continue to use legacy software that’s unstable, volatile and is putting the business at risk of security violations, as well as not being compliant with POPI or other legislation. “It would create absolute mayhem in the business environment.”

Things to consider when choosing accounting software:

– Is your data protected?
– Is the software developed using a current programming language?
– Can you ringfence who has access to which data?
– Check the software’s ability to comply with POPI, GDPR and other legislation.

Corrigan concludes: “At one point in time, it was said that nine out of 10 accountants were recommending products that were developed using legacy software. In my opinion, those accountants can be held liable for any loss to those businesses caused by that use of discontinued software.”

This article was written by Alison Job and originally appeared on