For hardening extremely sensitive systems, I replace them with thin clients and place them on their own vlan if they need Internet access, or cut them off from the Internet if they don't need access. The thin client will lose any malware, viruses, etc once rebooted, so they are always clean.
Another option if you're just using a cloud-based accounting system is Lightweight Portable Security produced by the US government. It's designed for extreme security.