The Client Data Access Gap: Why Accountancy Firms Need Visibility Before They Can Secure Access

Accountancy firms have not just changed where they work. They have changed how work gets done.

Client communication, bookkeeping, payroll, tax preparation, audit workflows, approvals, document sharing, internal collaboration, and reporting now happen across a growing mix of cloud platforms and browser-based tools.

That shift has helped firms become faster, more flexible, and more responsive to clients. But it has also created a quieter problem.

Many firms no longer have a complete view of every application employees are using to access, process, or share client data.

That is the Client Data Access Gap.

It is the difference between the systems a firm officially manages and the tools employees actually use to get work done.

For accountancy firms, that gap matters. Not because technology is the problem, but because visibility is now a basic requirement for protecting client data.

What is the Client Data Access Gap?

The Client Data Access Gap appears when a firm’s real working environment becomes wider than its approved technology list.

On paper, the firm may have a controlled set of systems: Microsoft 365, Xero, QuickBooks, Sage, payroll platforms, client portals, e-signature tools, CRM, practice management software and file-sharing systems.

In reality, employees may also be using browser-based tools, free trials, AI assistants, note-taking apps, personal productivity tools, or department-specific software that has never gone through a formal review.

Most of the time, this does not happen because people are trying to bypass security. It happens because they are trying to serve clients, meet deadlines, simplify admin, and remove friction from their day.

But every additional application creates new questions:

  • Who is using it?
  • What client data is being accessed, uploaded, or shared?
  • Has the application been approved?
  • Is multi-factor authentication enabled?
  • Are credentials being stored and shared securely?
  • Does the user still need access?
  • Is the firm already paying for a similar tool elsewhere?

If those questions cannot be answered, access decisions are being made with incomplete information.

That is where risk starts to build.

Why this matters for accountancy firms

Accountancy firms hold some of the most sensitive information a business can share with an external partner: financial records, tax data, payroll information, bank details, business plans, confidential correspondence and client documentation.

That makes access control more than an IT housekeeping task. It is tied directly to client trust, professional reputation, operational resilience and commercial risk.

A single weak access point can create consequences far beyond one application.

A shared password can make activity difficult to trace. A former employee can retain access to a cloud platform after leaving. A team can start using an AI tool without checking whether client information is permitted. A department can subscribe to another SaaS product that duplicates an existing tool, creating extra cost and another unmanaged login.

None of these scenarios are unusual. They are the kinds of practical problems that appear when firms grow, teams move quickly, and technology adoption happens faster than governance can keep up.

The challenge is not to stop people using useful tools. The challenge is to make sure the firm can see and control the access points those tools create.

Password management is still essential, but it is no longer the full picture

Strong password management remains a foundation of good security.

Employees need a safe way to create, store and share credentials. Firms need policies, reporting, administrative controls and a better way to reduce weak, reused or unmanaged passwords.

But modern secure access now has to go further than the password vault.

As SaaS and AI adoption grows, firms need a clearer view of the wider access environment. They need to understand which applications are being used, which tools are approved, who has access, and where unnecessary risk may be hiding.

This is where Secon’s partnership with LastPass becomes particularly relevant.

LastPass Secure Access Essentials is designed to help lean IT and security teams strengthen access and credential security without adding unnecessary complexity. It focuses on three core outcomes:

  • Discover the apps and AI tools employees are using
  • Control access so the right people have the right level of access
  • Simplify secure access across the applications and systems employees need


For firms that need deeper visibility, LastPass Business Max includes SaaS Monitoring and SaaS Protect, supporting organisations that need greater control over SaaS usage, Shadow IT, Shadow AI and access management.

For accountancy firms, this moves the conversation beyond “Do we have a password manager?” and towards a more useful question:

Can we see and control access across the tools our people actually use?

Shadow IT is also a cost issue

Unapproved or unmanaged SaaS is often discussed as a security risk, but it is also a budget problem.

Many firms are paying for tools that are underused, duplicated, over-provisioned or no longer needed. Different teams may subscribe to similar platforms. Former employees may remain assigned to paid licences. Free trials may quietly become recurring costs. Apps may be renewed because nobody has clear usage data to challenge whether they are still needed.

This is where visibility can help both IT and Operations.

For IT Owners, better visibility shows where controls need to be tightened.

For Operational Leaders, it connects cyber security to business efficiency, supplier management and cost control.

The same visibility gap that creates access risk can also create unnecessary spend.

What accountancy firms should review

A useful starting point is to ask ten simple questions:

  1. Do we know every SaaS application currently used across the firm?
  2. Do we know which AI tools employees are using?
  3. Do we know which systems contain, process or share client data?
  4. Do we have a clear process for approving new applications?
  5. Are passwords and shared credentials managed securely?
  6. Is multi-factor authentication applied consistently?
  7. Are user permissions reviewed regularly?
  8. Are leavers removed from every relevant system?
  9. Are there duplicate or underused tools we could remove?
  10. Can we evidence sensible access controls if asked by a client, auditor, insurer or regulator?

If the answer to several of these questions is unclear, the firm may not have a password problem alone. It may have an access visibility problem.

How Secon and LastPass can help

Secon has partnered with LastPass to help organisations strengthen secure access in a practical and manageable way.

For accountancy firms, the value is not simply in storing passwords more securely. It is in building a clearer picture of the applications, users and access points that sit around client data. 

That includes helping firms understand where SaaS and AI usage may be creating unmanaged risk, where access policies need to be improved, and where simpler secure access could support both productivity and protection.

The goal is not to add complexity. It is to help firms regain visibility and control as the way they work continues to evolve. 

You can use our Accountancy Firm SaaS Visibility Checklist to assess whether you have clear visibility across SaaS apps, AI tools, users, credentials and access risk.

Next Steps

If your accountancy firm is using more SaaS and AI tools than ever, now is the right time to ask whether your access security has kept pace.

Book a conversation with the Secon team to discuss where visibility, credential security and access control could be strengthened across your firm.
