John J. Xenakis Xenakis on Technology

Are Accounting ASPs your Friend or Foe?

Written by John J. Xenakis for CFO.com, Nov 15, 2000.

Here's what we found when we looked at three accounting applications service providers.

If you need new accounting or financial software, an ASP (application service provider) can be an easy and inexpensive option. Instead of purchasing accounting software and computer equipment and bringing them in house, you outsource the entire project to an ASP via the Internet.

For this report, I checked out Intacct from Intacct Corp. (http://www.intacct.com), NetLedger from NetLedger Inc. (http://www.netledger.com), and Great Plains Accounting from the ASP ManagedOps.com. Intacct and NetLedger are Internet-only accounting systems, while Great Plains is also available for traditional on-site licensing from Great Plains Software Inc. (http://www.greatplains.com). Other Internet-only accounting systems that you can check out for yourself are ePeachtree (http://www.epeachtree.com) and eLedger (http://www.eledger.com).

Internet-only systems like Intacct and NetLedger are easy to sign up for. You just go to a Web site, and sign up. For either service, you can play around with a demo account for a few weeks, in order to familiarize yourself with how the system works and decide whether it will work for you.

There are some concerns with ASPs. For example, if your accounting data is on someone else's computer, can you easily get to it? Can your competitors hack into the ASP's computer and see your data?

Even worse, what happens if your ASP goes under, as so many dot-com companies have been doing recently? If the ASP goes out of business, will you lose your accounting system? Will you lose the rest of your business, too? At the very least, you should have a plan in place to recover your data quickly from the ASP, if it goes under.

The risk of an ASP going belly up is certainly a concern to Richard Brenner, a business consultant in Cupertino, Calif., who evaluated the Internet-only accounting system from Intacct. He wanted to use it for his own business, replacing Intuit Inc.'s QuickBooks (http://www.quickbooks.com), which had served as his accounting software for ten years, and also to recommend it to some of his business clients who need a new accounting system.

But Brenner is also concerned about security.

"One of the biggest fears that we have and our customers have is that the system is not secure," says Brenner, CEO of the Brenner Group (http://www.brennergroup.com).

Brenner checked out Intacct's computer systems and found that although all customer data is stored in the same large Oracle database, the company is using Oracle's standard security features, with the result that Brenner believes that each customer's data is fully secure. He also checked out the firewalls and other features of Intacct's configuration. "I talked to all my customers about it, and they came away reassured," he says.

Indeed, Richard Stiennon, research analyst at Stamford, Conn.-based Gartner Group, agrees that Intacct checks out for now, but indicates that every ASP must be given a thorough technical security check, and these checks must be repeated frequently during the life of the contract.

"Watch how the ASP saves on costs," says Stiennon. "The ASP will be trying to spread their cost by hosting their services on the same computer as other customers. If my financials are on the same database, on the same disk drive, as a competitor, then does someone from my competitor have access to my data?"

Stiennon and the Gartner Group provide a detailed "Security Test" that you should apply to any ASP. See the Security Test at the end of this column.

What about classical accounting systems? While Intacct and NetLedger are brand new, Internet-only, ASP-only accounting systems, Great Plains Accounting is a classic midrange accounting system that's been around, in one form or another, since the early 1980s. These days, Great Plains and other classic systems are also being offered by ASPs. The ASP installs the accounting system on its own equipment and offers Internet access to its clients.

Folio Corp., a manufacturer of trade show exhibits, decided to go with Great Plains ASP service in early 1999, when the company needed a new accounting system after having acquired two other companies.

"We didn't seek new financial systems with the ASP model in mind initially," says Dan Lubin, VP of IS, for the Worcester, Mass., company, "But we had to put together integrated financial systems to support our recent acquisitions."

Folio hired outside consultants to select new financial systems, and narrowed the choices down to J. D. Edwards, Solomon Software, and Great Plains Software. Then Folio started talking to ManagedOps.com (at that time known as the Taylor Group), a Bedford, N.H.-based Great Plains reseller which wanted to start an ASP service. Folio ended up being the first customer.

Although cost was a consideration in selecting an ASP, it wasn't the major consideration.

Lubin had originally planned to hire a staff and build a data center to house the computer equipment.

But by going to an ASP, "we had to add zero head count," says Lubin. The firm does have a small technical project team to manage the relationship, but "I didn't need to build a help desk, I didn't need to build a data center, and I didn't need to hire programming experts in Great Plains and SQL."

Pricing

Like Lubin, most people who go to the ASP model for accounting software are not doing so solely to save money. More important are factors like fast implementation, avoiding capital investment, and not having to hire an expensive, highly specialized technical staff that can install and maintain the software.

That's not to say that pricing is not a factor. It is. Keep in mind that these systems are all priced by the number of users who can access the system. So end users will need to be alert to every user linked to their system.

Intacct costs $49.95 per user per month, while NetLedger is priced at $4.95 per user per month, with an additional $9.95 per month to use the payroll module.

ManagedOps.com provides Great Plains for $450 per month per user, for users that enter data into the system. There's a second level, users who only need to display or print reports, and for them, the charge is $50 per month.

The difference in price reflects the complexity and functionality of the products.

In addition, Great Plains and other classical accounting systems can be customized for your business, provided that you're willing to pay some stiff consulting rates to the ASP.

However, Internet-only accounting systems use an entirely different mass audience business model where no code customizations are permitted.

Of course, both kinds of systems allow you to customize forms, displays and reports.

Misgivings

As I was preparing this column, several misgivings arose. You can decide for yourself whether my misgivings are important to you, or whether you feel I'm being overly anxious.

First, NetLedger was the only software company willing to even estimate how many paying customers it has -- 2,000 paying customers, and 35,000 that have tried the free online demo. I commend Stephen Wolfe, VP of product management at NetLedger, for his openness about this figure, which is very important for getting a sense of a vendor's credibility.

Intacct and ManagedOps.com were unwilling to give me any clue as to how many paying users they have, but since they're priced quite a bit higher than NetLedger, my (unproven) assumption is that they have far fewer users.

However, I did speak to a ManagedOps competitor, Genesis Innovations (http://www.genesisinnovations.com) of St. Paul, Minn., who tells me that they have nine paying customers using their Great Plains ASP service, and over 1,300 trying out their full-featured demo.

Now all of these vendors have 100-200 employees, and so have $5 million to $15 million going out each year just for payroll and related expenses. How many paying customers do the ASPs need to continue to meet their payroll after the investors start demanding to see some profits? Do the math yourself, and you'll see why I'm concerned.

There are millions of small businesses in the U.S., so there's no doubt that any of these vendors could survive, if only it can get even a tiny market share. But that hasn't happened yet, and no one appears to be even close.

What about free demos? Intacct and NetLedger let you try out their online accounting systems for free for a few weeks, with a demo account, as does Genesis Innovations. ManagedOps.com appeared to be shocked! shocked! that I even suggested such a thing as a free online demo of their systems, and refused to even consider it. So it appears that some ASPs are willing to permit demos, and some aren't.

I believe that online demo versions are going to be increasingly important marketing tools for all ASP vendors.

In fact, online demos can alleviate the risk of switching to a new accounting package sight unseen. One of a financial officer's worst nightmares is that a new system simply won't work.

According to Charles Chewning of Solutions Inc., a Richmond, Va.-based consultant who evaluates accounting software products, failure of an accounting system happens pretty often. "I just talked to someone who got [a major vendor's product], spent $80,000, and got rid of the system because they didn't like it," says Chewning. "The cost of a failure is quite substantial -- much more than the cost of just the software."

What this means to me is that vendors have an obligation to users to become increasingly generous in providing as much information online about their products, including extensive online demo capabilities, in order to give users the opportunity to "live with" the system before making a full commitment to it.

Gartner Group's Security Test

The Gartner Group has provided a test that your technical staff should apply to any ASP that you're thinking of using. A "no" answer to any of these questions represents a serious vulnerability that will put applications and data at risk.

* With regard to the ASP's network layer, does the ASP require the use of two-factor authentication for administrative control of all routers and firewalls?

* Support 128-bit encryption and two-factor authentication for the connection from the customer's local area network to the ASP production backbone?

* Provide redundancy and load-balancing services for firewalls and other security-critical elements?

* Perform (or have an experienced consulting company perform) external penetration tests on at least a quarterly basis and internal network security audits at least annually?

* Show documented requirements for customer network security (with audit functions) to ensure that other ASP customers will not compromise the ASP backbone?

* With regard to the ASP's operating system (OS) platform (usually Windows NT or Unix), can the ASP provide a documented policy for hardening the OS on its Web and other servers? (Hardening an OS entails: eliminating any unnecessary OS services (e.g., Telnet or FTP), disabling all communications paths that are not needed (e.g., TCP/IP ports), installing all required security patches and minimizing system administration accounts and access to system logging/auditing.)

* If the ASP co-locates customer applications on physical servers, does it have a documented set of controls that it uses to ensure separation of data and security information between customer applications?

* With regard to the actual accounting application software, does the ASP review the security of scripts and integration code that are added to the commercial applications it provides? How is it done?

* Provide application or transaction-based intrusion-detection services?

* Document the security standards and processes used for creating interfaces to other systems on the ASP's systems?

* With regard to operations, does the ASP perform background checks on personnel who will have administrative access to servers and applications?

* Show a documented process for evaluating OS and application vendor security alerts and installing security patches and service packs?

* Use write-once technology for storing audit trails and security logs?

* Show documented procedures for intrusion detection, incident response and incident escalation/investigation?

* Have membership in the Forum for Incident Response and Security Teams (FIRST) (http://www.first.org/about/first-description.html), or use a security service provider that is?

* Use "hot site" failover services that have the same security operations and procedures?

* Provide authentication services for system users?

* Have documented processes for adding, removing and validating security keys for all users?

* When using outsourced authentication services, does the outsource agent have a documented process for managing and validating member security keys?

* With regard to end user services, does the ASP security staff average more than three years of experience in information/network security?

* Do more than 75 percent of the ASP's security staff have CISSP (see http://www.isc2.org/isc2faq.html) or other security industry certification?

* Can the ASP show documented help desk procedures for authenticating callers and resetting access controls?

(This is a modified version of an article that originally appeared on Nov 15, 2000 on CFO.com.)


Copyright © 1986-2014 by John J. Xenakis