7 IT mistakes Manchester accountancy practices keep making
I've spent the last year onboarding accountancy practices across Greater Manchester. The same seven mistakes show up almost every time — and most of them are quick to fix once someone actually points at them.

Quick disclaimer: I'm the most junior tech on our team. I've spent most of the last twelve months on the front line of accountancy onboardings, getting our smaller-practice clients set up and running. Brett asked me to write down the patterns I keep seeing, because apparently fresh eyes see things the more experienced team has stopped noticing.
Here are the seven mistakes I see at almost every accountancy practice I onboard. None of them are dramatic. All of them are real.
1. Client data still moves by email attachment
The single most common pattern. A client emails over their year-end papers as a PDF attachment. The accountant replies with the draft accounts as another attachment. Sometimes there's a password on the PDF — the password is sent in a follow-up email two minutes later.
Why it matters: Email is the most-attacked channel in a typical accountancy practice. Account takeover means an attacker reads months of client correspondence with full visibility of who's about to send what to whom.
The fix: Make a secure-share platform the only approved channel for client documents. Microsoft 365 secure links work for most small practices. Bigger ones go for a proper portal (Iris OpenSpace, Inflo, Bright Manager). Train the team to never send a sensitive attachment, and configure DLP rules to flag it when they do.
2. Shared logins for the practice software
I cannot count how many times I've found a single Iris/Sage/CCH login being used by three or four people simultaneously, with the password written on a Post-it. Sometimes the partner's login is being used by their PA for everything because "it's quicker than getting our own."
Why it matters: No audit trail. No accountability. If a client file is altered after the fact, no one can prove who did it. And if the shared credentials leak, one password now opens everything those three or four people can do, and there is no single account you can disable without locking all of them out.
The fix: Every user gets their own named login. The cost difference for individual seats is usually trivial compared to the audit risk. Most modern practice software supports SSO via Microsoft 365 — turn it on.
3. Backups that have never been test-restored
"We've got backups" is what every practice says. "We've test-restored a backup in the last 90 days" is what almost none of them say.
Why it matters: A backup you've never tested is just hopeful storage. We've found practices where the backup hadn't actually run successfully for eleven months — nobody noticed because the dashboard had stopped emailing alerts.
The fix: Quarterly test restores, with the result documented. If your MSP doesn't routinely send you test-restore evidence, ask for it. If they can't produce it, that's the answer to your next question.
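As an added illustration of what "test-restored, with the result documented" looks like in practice (this is not the post's tooling), here is a small POSIX shell script: it refuses to trust a backup older than a set number of days, which is exactly how the "hadn't run for eleven months" case gets caught, then restores the newest archive into a scratch directory, checks every file against a sha256 manifest stored inside the archive, and appends a dated PASS/FAIL line to an evidence log. The archive layout and the manifest are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not the post's own tooling. Checks (a) that the newest backup
# is recent, catching the "silently stopped running" case, and (b) that it
# actually restores and every file matches the sha256 manifest inside it.
# Assumed layout (placeholder, not from the post): .tar.gz archives that each
# contain a MANIFEST.sha256 produced with `sha256sum`.

newest_backup() {     # $1 = directory of archives; prints the most recent .tar.gz
    ls -t "$1"/*.tar.gz 2>/dev/null | head -n 1
}

backup_age_days() {   # $1 = file; prints age in whole days (GNU stat, BSD fallback)
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( (now - mtime) / 86400 ))
}

test_restore() {      # $1 = archive, $2 = scratch dir; 0 only if restore and all hashes pass
    rm -rf "$2" && mkdir -p "$2" && tar -xzf "$1" -C "$2" || return 1
    ( cd "$2" && sha256sum -c --quiet MANIFEST.sha256 )
}

verify_backups() {    # $1 = backup dir, $2 = max age (days), $3 = scratch dir, $4 = evidence log
    stamp=$(date -u +%FT%TZ)
    archive=$(newest_backup "$1")
    if [ -z "$archive" ]; then
        echo "$stamp FAIL no backup archive found in $1" >> "$4"; return 2
    fi
    age=$(backup_age_days "$archive")
    if [ "$age" -gt "$2" ]; then
        echo "$stamp FAIL $archive is $age days old (limit $2)" >> "$4"; return 3
    fi
    if test_restore "$archive" "$3"; then
        echo "$stamp PASS test-restored $archive (age ${age}d, hashes match)" >> "$4"
    else
        echo "$stamp FAIL restore or hash check failed for $archive" >> "$4"; return 4
    fi
}

make_sample_backup() { # constructed sample data so the script runs offline: $1 = dir, $2 = name
    out="$(cd "$1" && pwd)/$2"
    work=$(mktemp -d)
    printf 'client,balance\nA Ltd,1200\n' > "$work/ledger.csv"
    printf 'draft accounts FY2024\n'     > "$work/accounts.txt"
    ( cd "$work" && sha256sum ledger.csv accounts.txt > MANIFEST.sha256 && tar -czf "$out" . )
    rm -rf "$work"
}
```

Run `verify_backups /path/to/backups 90 /tmp/restore-test /var/log/backup-evidence.log` from cron each quarter; the evidence log is the document you hand to whoever asks "when did you last test a restore?".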
4. No MFA on the partner email accounts
This is the one that genuinely scares me. Junior staff usually have MFA enforced because that's how IT rolls it out. Then someone says "the senior partner finds it a faff" and an exception gets granted. The senior partner has the highest-value email account in the building, and it's the one without MFA.
Why it matters: Account takeover of a partner email is the precursor to invoice fraud, payroll fraud, and client redirection scams. The attacker reads enough emails to impersonate the partner convincingly, then sends a "change of bank details" email to a client at the right moment.
The fix: No exceptions. Passwordless authentication via the Microsoft Authenticator app is genuinely faster than typing a password — it's not a productivity tax once you've used it for a week. We covered the wider problem of MFA fatigue attacks recently — worth a read for partners specifically.
5. Personal devices used unmanaged for client work
Hybrid working has normalised this. The bookkeeper does some weekend prep on her personal laptop. A partner answers client emails on her personal iPad on the train. None of these devices are managed, none have the practice's security tools on them, and at least one of them probably has the kids' games installed.
Why it matters: Client data leaving the controlled environment is a regulatory issue under UK GDPR, and the practice has no way to wipe the device if it's lost or sold.
The fix: Either issue managed devices for any client work (the usual answer), or implement a proper BYOD policy with mobile application management — so practice apps run in a managed container that can be wiped without touching the user's personal data.
6. The "office computer" that runs unsupported Windows
Almost every practice has one. The desktop in the corner of the back office that runs the old version of Sage, or controls the dictation system, or scans the post into the document management system. Nobody updates it because "it just works." Nobody's noticed it's running Windows 10 with a 2024 patch level.
Why it matters: Unsupported operating systems stop receiving security patches, so every newly published vulnerability stays open on that machine indefinitely. The office computer with the old practice software is usually plugged into the network with the same access as everything else, so once it's compromised the attacker is already inside the perimeter.
The fix: Either upgrade it to a supported OS, or isolate it on a separate VLAN with no internet access and no general network access. Document why the exception exists and review it every six months.
7. No plan for what happens if the office goes
"What's your plan if the office floods this weekend?" usually gets a laugh and a "well, that won't happen." Then I ask: "What about a Storey Brothers level fire two doors down? Power outage that lasts three days? Internet down for a week?"
Why it matters: Tax season has zero tolerance for downtime. A practice that loses access to client systems for five working days during late January faces real client-relationship damage and missed filing deadlines.
The fix: A simple, written, one-page continuity plan. Where would people work from? How do they get access? Who calls clients? The plan doesn't need to be sophisticated — it needs to exist and be tested. We help clients run a tabletop exercise once a year, and it always surfaces something useful.
The pattern behind all seven
None of these are exotic. None require a big budget. They're all the result of "we've always done it this way" running into "the world's actually changed."
If you recognise more than two of these in your own practice — and most do, when they're honest — it's not a crisis, it's just a starting point. Most of them are sub-£1,000 fixes once you have a competent MSP supporting the practice properly.
If you'd like a quiet conversation about where your practice currently sits — no judgement, no scare-selling — drop us a note. We work with about a dozen Manchester accountancy practices and we'd much rather have an honest 20-minute call than try to sell you a checklist.