Are Accounting ASPs your Friend or Foe?
Written by John J. Xenakis for CFO.com, Nov 15, 2000.
Here's what we found when we looked at three accounting applications
service providers.
If you need new accounting or financial software, an ASP (application
service provider) can be an easy and inexpensive option. Instead of
purchasing accounting software and computer equipment and bringing
them in house, you outsource the entire project to an ASP via the
Internet.
For this report, I checked out Intacct from Intacct Corp.
(http://www.intacct.com), NetLedger from NetLedger Inc.
(http://www.netledger.com), and Great Plains Accounting from the ASP
ManagedOps.com. Intacct and NetLedger are Internet-only accounting
systems, while Great Plains is also available for traditional on-site
licensing from Great Plains Software Inc. (http://www.greatplains.com).
Other Internet-only accounting systems that you can check out for
yourself are ePeachtree (http://www.epeachtree.com) and eLedger
(http://www.eledger.com).
Internet-only systems like Intacct and NetLedger are easy to sign up
for. You just go to a Web site, and sign up. For either service, you
can play around with a demo account for a few weeks, in order to
familiarize yourself with how the system works and decide whether it
will work for you.
There are some concerns with ASPs. For example, if your accounting
data is on someone else's computer, can you easily get to it? Can your
competitors hack into the ASP's computer and see your data?
Even worse, what happens if your ASP goes under, as so many dot-com
companies have been doing recently? If the ASP goes out of business,
will you lose your accounting system? Will you lose the rest of your
business, too? At the very least, you should have a plan in place to
recover your data quickly from the ASP, if it goes under.
The risk of an ASP going belly up is certainly a concern to Richard
Brenner, a business consultant in Cupertino, Calif., who evaluated
the Internet-only accounting system from Intacct. He wanted to use it
for his own business, replacing Intuit Inc.'s QuickBooks (http://www.quickbooks.com), which had served as his accounting software
for ten years, and also to recommend it to some of his business
clients who need a new accounting system.
But Brenner is also concerned about security.
"One of the biggest fears that we have and our customers have is that
the system is not secure," says Brenner, CEO of the Brenner Group
(http://www.brennergroup.com).
Brenner checked out Intacct's computer systems and found that although
all customer data is stored in the same large Oracle database, the
company is using Oracle's standard security features, with the result
that Brenner believes that each customer's data is fully secure. He
also checked out the firewalls and other features of Intacct's
configuration. "I talked to all my customers about it, and they came
away reassured," he says.
Indeed, Richard Stiennon, research analyst at Stamford, Conn.-based
Gartner Group, agrees that Intacct checks out for now, but indicates
that every ASP must be given a thorough technical security check, and
these checks must be repeated frequently during the life of the
contract.
"Watch how the ASP saves on costs," says Stiennon. "The ASP will be
trying to spread their cost by hosting their services on the same
computer as other customers. If my financials are on the same
database, on the same disk drive, as a competitor, then does someone
from my competitor have access to my data?"
Stiennon and the Gartner Group provide a detailed "Security Test" that
you should apply to any ASP. See the Security Test at the end of this
column.
What about classical accounting systems? While Intacct and NetLedger
are brand new, Internet-only, ASP-only accounting systems, Great
Plains Accounting is a classic midrange accounting system that's been
around, in one form or another, since the early 1980s. These days,
Great Plains and other classic systems are also being offered by
ASPs. The ASP installs the accounting system on its own equipment and
offers Internet access to its clients.
Folio Corp., a manufacturer of trade show exhibits, decided to go with
Great Plains ASP service in early 1999, when the company needed a new
accounting system after having acquired two other companies.
"We didn't seek new financial systems with the ASP model in mind
initially," says Dan Lubin, VP of IS for the Worcester, Mass.,
company. "But we had to put together integrated financial systems to
support our recent acquisitions."
Folio hired outside consultants to select new financial systems, and
narrowed the choices down to J. D. Edwards, Solomon Software, and
Great Plains Software. Then Folio started talking to ManagedOps.com
(at that time known as the Taylor Group), a Bedford, N.H.-based Great
Plains reseller that wanted to start an ASP service. Folio ended up
being the first customer.
Although cost was a consideration in selecting an ASP, it wasn't the
major consideration.
Lubin had originally planned to hire a staff and build a data center
to house the computer equipment.
But by going to an ASP, "we had to add zero head count," says Lubin.
The firm does have a small technical project team to manage the
relationship, but "I didn't need to build a help desk, I didn't need
to build a data center, and I didn't need to hire programming experts
in Great Plains and SQL."
Pricing
Like Lubin, most people who go to the ASP model for accounting
software are not doing so solely to save money. More important are
factors like fast implementation, avoiding capital investment, and not
having to hire an expensive, highly specialized technical staff that
can install and maintain the software.
That's not to say that pricing is not a factor. It is. Keep in mind
that these systems are all priced by the number of users who can
access the system. So customers will need to keep track of every user
account linked to their system.
Intacct costs $49.95 per user per month, while NetLedger is priced at
$4.95 per user per month, with an additional $9.95 per month to use
the payroll module.
ManagedOps.com provides Great Plains for $450 per month per user, for
users that enter data into the system. There's a second level, users
who only need to display or print reports, and for them, the charge is
$50 per month.
The difference in price reflects the complexity and functionality of
the products.
In addition, Great Plains and other classical accounting systems can
be customized for your business, provided that you're willing to pay
some stiff consulting rates to the ASP.
However, Internet-only accounting systems use an entirely different
mass audience business model where no code customizations are
permitted.
Of course, both kinds of systems allow you to customize forms,
displays and reports.
Misgivings
As I was preparing this column, several misgivings arose. You can
decide for yourself whether my misgivings are important to you, or
whether you feel I'm being overly anxious.
First, NetLedger was the only software company willing to even
estimate how many paying customers it has -- 2,000 paying customers,
and 35,000 that have tried the free online demo. I commend Stephen
Wolfe, VP of product management at NetLedger, for his openness about
this figure, which is very important for getting a sense of a vendor's
credibility.
Intacct and ManagedOps.com were unwilling to give me any clue as to
how many paying users they have, but since they're priced quite a bit
higher than NetLedger, my (unproven) assumption is that they have far
fewer users.
However, I did speak to a ManagedOps competitor, Genesis Innovations
(http://www.genesisinnovations.com) of St. Paul, Minn., who tells
me that they have nine paying customers using their Great Plains ASP
service, and over 1,300 trying out their full-featured demo.
Now all of these vendors have 100-200 employees, and so have $5
million to $15 million going out each year just for payroll and
related expenses. How many paying customers do the ASPs need to
continue to meet their payroll after the investors start demanding to
see some profits? Do the math yourself, and you'll see why I'm
concerned.
There are millions of small businesses in the U.S., so there's no
doubt that any of these vendors could survive, if only it can get even
a tiny market share. But that hasn't happened yet, and no one appears
to be even close.
What about free demos? Intacct and NetLedger let you try out their
online accounting systems for free for a few weeks, with a demo
account, as does Genesis Innovations. ManagedOps.com appeared to be
shocked! shocked! that I even suggested such a thing as a free online
demo of their systems, and refused to even consider it. So it appears
that some ASPs are willing to permit demos, and some aren't.
I believe that online demo versions are going to be increasingly
important marketing tools for all ASP vendors.
In fact, online demos can alleviate the risk of switching to a new
accounting package sight unseen. One of a financial officer's worst
nightmares is that a new system simply won't work.
According to Charles Chewning of Solutions Inc., a Richmond, Va.-based
consultant who evaluates accounting software products, failure
of an accounting system happens pretty often. "I just talked to
someone who got [a major vendor's product], spent $80,000, and got rid
of the system because they didn't like it," says Chewning. "The cost
of a failure is quite substantial -- much more than the cost of just
the software."
What this means to me is that vendors have an obligation to users to
become increasingly generous in providing as much information online
about their products, including extensive online demo capabilities, in
order to give users the opportunity to "live with" the system before
making a full commitment to it.
Gartner Group's Security Test
The Gartner Group has provided a test that your technical staff should
apply to any ASP that you're thinking of using. A "no" answer to any of
these questions represents a serious vulnerability that will put
applications and data at risk.
* With regard to the ASP's network layer, does the ASP require the use
of two-factor authentication for administrative control of all routers
and firewalls?
* Support 128-bit encryption and two-factor authentication for the
connection from the customer's local area network to the ASP
production backbone?
* Provide redundancy and load-balancing services for firewalls and
other security-critical elements?
* Perform (or have an experienced consulting company perform)
external penetration tests on at least a quarterly basis and internal
network security audits at least annually?
* Show documented requirements for customer network security (with
audit functions) to ensure that other ASP customers will not
compromise the ASP backbone?
* With regard to the ASP's operating system (OS) platform (usually
Windows NT or Unix), can the ASP provide a documented policy for
hardening the OS on its Web and other servers? (Hardening an OS
entails: eliminating any unnecessary OS services (e.g., Telnet or
FTP), disabling all communications paths that are not needed (e.g.,
TCP/IP ports), installing all required security patches and
minimizing system administration accounts and access to system
logging/auditing.)
* If the ASP co-locates customer applications on physical servers,
does it have a documented set of controls that it uses to ensure
separation of data and security information between customer
applications?
* With regard to the actual accounting application software, does the
ASP review the security of scripts and integration code that are added
to the commercial applications it provides? How is it done?
* Provide application or transaction-based intrusion-detection
services?
* Document the security standards and processes used for creating
interfaces to other systems on the ASP's systems?
* With regard to operations, does the ASP perform background checks
on personnel who will have administrative access to servers and
applications?
* Show a documented process for evaluating OS and application vendor
security alerts and installing security patches and service packs?
* Use write-once technology for storing audit trails and security
logs?
* Show documented procedures for intrusion detection, incident
response and incident escalation/investigation?
* Have membership in the Forum for Incident Response and Security
Teams (FIRST) (http://www.first.org/about/first-description.html),
or use a security service provider that is?
* Use "hot site" failover services that have the same security
operations and procedures?
* Provide authentication services for system users?
* Have documented processes for adding, removing and validating
security keys for all users?
* When using outsourced authentication services, does the outsource
agent have a documented process for managing and validating member
security keys?
* With regard to end user services, does the ASP security staff
average more than three years of experience in information/network
security?
* Do more than 75 percent of the ASP's security staff have CISSP (see
http://www.isc2.org/isc2faq.html) or other security industry
certification?
* Can the ASP show documented help desk procedures for authenticating
callers and resetting access controls?
(This is a modified version of an article that originally appeared on
Nov 15, 2000 on CFO.com.)