SaaS changed where applications live. It didn’t change where work happens.
Over the last decade, CPA firms have embraced cloud-based applications at a rapid pace. Tax platforms, document management systems, practice management tools, client portals and collaboration software are increasingly delivered through a browser rather than installed on a local server.
As a result, many firm leaders are asking a reasonable question: If so many applications are now SaaS-based, do hosted desktops still serve a purpose?
It’s a fair question. Years ago, hosted desktops primarily solved an application access problem. Firms needed a way to provide secure, reliable access to tax and accounting software without maintaining infrastructure in every office. Most firms can now access many of their critical applications from virtually anywhere.
Client data is still accessed by employees, contractors, seasonal staff and remote team members, while security policies, regulatory requirements and AI governance responsibilities remain firmly in place.
The role of the hosted desktop hasn’t disappeared. Its purpose has evolved.
For many CPA firms, the value of a hosted desktop is no longer centered on application delivery. Instead, it’s about creating a secure, controlled workspace where work can happen consistently, regardless of where employees are located or what devices they use.
SaaS Solved Application Access. It Didn’t Solve Governance.
The shift to SaaS has unquestionably made technology easier to consume. Firms can deploy new applications faster, reduce infrastructure maintenance and provide users with access from virtually anywhere.
At the same time, regulators continue to focus on how firms protect sensitive information rather than where applications are hosted.
IRS Publication 4557 reminds tax professionals that protecting taxpayer information is both a legal obligation and a business necessity. The guidance emphasizes access controls, multifactor authentication, audit trails, encryption and limiting access to sensitive information based on business need.
Similarly, IRS Publication 5708 outlines requirements under the FTC Safeguards Rule, including written information security programs, risk assessments, multifactor authentication, service provider oversight and ongoing monitoring of security controls.
The FTC’s Safeguards Rule reinforces many of the same themes by requiring financial institutions, including tax and accounting firms, to implement administrative, technical and physical safeguards designed to protect customer information.
Notice what these frameworks have in common. They focus on controlling access to information, monitoring activity and reducing risk. They do not simply assume that because an application is cloud-based, the security challenge has been solved.
That distinction matters because SaaS changes where software runs. It does not automatically govern how client data is accessed, handled or shared once users log in.
The Modern CPA Workforce Doesn’t Work in One Office
Technology isn’t the only thing that has changed. The way CPA firms build and support their workforce has evolved as well.
Many firms now rely on a mix of:
- In-office employees
- Remote employees
- Seasonal tax professionals
- Contractors and consultants
- Specialized third-party providers
Firms also continue to navigate ongoing talent shortages. AICPA data shows the number of accounting graduates in the United States fell to 55,152 in the 2023-24 academic year, continuing a trend that has pushed firms to explore new staffing models.
Large firms are responding to these challenges in different ways. PwC has publicly stated that it expects to reduce U.S. entry-level hiring while expanding the use of offshore delivery centers and AI-enabled efficiencies.
None of these workforce strategies is inherently risky. The challenge is ensuring that workforce flexibility does not create unnecessary complexity when it comes to security, compliance and access management.
As workforce models become more flexible, creating consistency around how client data is accessed and protected becomes increasingly important. A hosted desktop helps firms establish that consistency by providing a standardized workspace regardless of a user’s location, device or employment status.
Browser-Based Applications Don’t Eliminate Endpoint Risk
One of the most common misconceptions about SaaS is that moving applications to the cloud automatically reduces endpoint risk. In reality, sensitive information can still move far beyond the application itself.
Users may:
- Download files locally
- Store documents on unmanaged devices
- Transfer information through personal storage services
- Copy data into AI tools
- Access systems from devices outside the firm’s control
The application may reside securely in the cloud, but the work itself often extends beyond the browser window.
NIST continues to identify risks associated with remote access and BYOD environments, noting that personally owned and third-party-controlled devices frequently introduce additional security challenges because organizations have less control over how those devices are configured, secured and monitored. The guidance also highlights virtual desktop infrastructure as an effective way to support remote access while reducing the likelihood that sensitive information is stored on endpoint devices.
For CPA firms, that distinction is important. A SaaS application determines where the software runs. A hosted desktop helps determine where the work takes place.
AI Is Making the Workspace Relevant Again
Artificial intelligence is creating another reason for firms to rethink how work is performed and governed. Two-thirds of professionals across tax, accounting, legal and anti-fraud disciplines believe AI could save hundreds of hours annually, while 77% believe AI will significantly transform their profession within the next five years.
The productivity opportunities are significant, but so are the governance challenges. Many firms are now evaluating questions such as:
- Which AI tools are approved?
- What client information can be used?
- How should usage be monitored?
- What safeguards should be in place?
Those concerns are not just about AI. They are fundamentally about data governance.
IBM’s Cost of a Data Breach research found that 20% of organizations surveyed experienced a breach tied to shadow AI, adding an average of $670,000 to breach-related costs.
As firms adopt AI, maintaining visibility into how sensitive information is accessed and used becomes increasingly important. A controlled workspace can help firms apply policies, monitoring and access controls more consistently across users, devices and locations.
What Hosted Desktops Deliver Today
Hosted desktops are increasingly being used to support business objectives such as:
- Centralizing client data
- Reducing endpoint risk
- Supporting offshore and seasonal staff
- Simplifying onboarding and offboarding
- Maintaining consistent security controls
- Improving visibility into user activity
- Supporting compliance initiatives
While hosted desktops still play an important role in application delivery, many firms now view them as a way to create a more secure, consistent and manageable workspace.
Azure Virtual Desktop is one example of how hosted desktop platforms have evolved to support these priorities. Microsoft’s platform emphasizes centralized management, security controls, conditional access, multifactor authentication and support for a wide range of endpoint devices.
Microsoft’s security guidance for Azure Virtual Desktop also highlights recommendations around access control, logging, encryption and separation of security boundaries for different user populations.
Whether a firm uses Azure Virtual Desktop or another hosted desktop solution, the broader principle remains the same: supporting flexibility without sacrificing control.
The Desktop’s Role Has Changed
The debate is no longer about whether applications belong in the cloud. Most already do.
Instead, CPA firms must determine how they will support a workforce that increasingly includes remote employees, contractors, seasonal staff and AI-enabled workflows while maintaining control over client information.
The challenge isn’t application access. It’s creating a secure, manageable environment where work can happen consistently, regardless of where employees are located or which tools they use. That is why hosted desktops continue to play an important role for many CPA firms.
SaaS changed where applications live. It didn’t change where work happens.
Does a Hosted Desktop Make Sense for Your Firm?
Every CPA firm approaches technology differently. Some are focused on supporting a growing remote workforce. Others are evaluating staffing strategies, AI initiatives or changes to their application stack.
If you’re evaluating whether a hosted desktop still makes sense for your firm, the answer often depends less on the applications you use and more on how work gets done.
The right approach starts with understanding your firm’s goals, workflows and risk profile.
Our team works with CPA firms every day to navigate decisions around hosted desktops, cloud applications, security and workforce flexibility. If you’re exploring your options, we’re always happy to share what we’re seeing across the industry and help you think through the approach that best fits your firm.