Category: risk management

Posted on

Criteria for Evaluating QuickBooks Hosting Providers: Going Beyond Pricing

Criteria for Evaluating QuickBooks Hosting Providers: Going Beyond Pricing

When a small business elects to run their QuickBooks desktop edition software in the “cloud”, it makes sense to work with an experienced provider – a company with the people and the experience to keep the QuickBooks desktop software working properly and securely.  The keys to selecting the best provider for the business are often hidden in the experiences of others; experiences which reveal issues that may significantly impact vendor selection and which have nothing to do with the price of the service. Criteria such as system performance, responsiveness to technical issues, resources for self-help, and knowledge of support personnel – these are the things that more frequently and directly impact the customer experience and, ultimately, the customer’s loyalty.

While Intuit supports QuickBooks Enterprise in terminal server and Remote Desktop environments, they only support the license when it is deployed for the single business organization the license was issued to. If a business has lots of different users on the platform and those users don’t belong to the one company who “owns” the infrastructure and the license, then the implementation is non-compliant and won’t be supported. Intuit also doesn’t offer direct support for QuickBooks Pro and QuickBooks Premier editions in remote desktop implementations, yet the software will work perfectly well in that environment. There are a few quirks and tricks to using the software in this manner, however, so provider technical experience specifically with QuickBooks is essential.

When working with a company providing managed application hosting services and not just managed server platforms, it generally means that the provider is taking responsibility not only for the server/network/infrastructure, but also for the setup, configuration and maintenance of system users and security, and the installation/management/maintenance of the applications running on the server.  When a business elects to outsource this level of service to any 3rd party, there are a variety of areas in addition to pricing which should be thoroughly explored prior to signing the service agreement.

When evaluating potential service providers, research the provider’s offerings and performance directly as well as evaluating the public’s perception of them, considering these 4 areas:

  1. Technology
  2. Innovation
  3. Business Practices
  4. Customer Satisfaction

The technology evaluation relates not only to the systems and tools applied to the service delivery, but also to the systems or tools applied to assist the customer with dealing with the service.  Too often, providers pay more attention to their ordering systems than their service delivery, believing that a quality customer experience rests more with simple purchasing processes than with a functional and well-performing application service.  Others may focus on delivering the best and highest quality application service, yet relegate their clients to sending emails or making phone calls to place service orders or request service information.  The providers who score the highest points in this category are those who recognize that both elements – service delivery and service administration – are critically important to providing a quality overall customer experience.

The innovation evaluation looks at the actual service infrastructure and delivery. This includes features as well as limitations.  One of the pitfalls of being an application service provider is the inertia created with existing systems and customers.  Once the platform is in place and there are a bunch of users on the systems, upgrading and updating the underlying technologies can be a tremendous challenge.  I have often related this as being like trying to change tires on a moving truck.  Unfortunately, systems age and lose functionality, compatibility, support, etc.

Keeping the platform updated isn’t the only element involved with scoring provider innovation.  Even more important than simple change management supporting status quo, true innovation speaks to efforts directed towards crafting a better, more functional and more useful solution delivery.  Many skilled technicians can set up a terminal server for remote access to QuickBooks using the “standard” tools available, but it takes more skill and understanding to create a service which offers more and better capability than everyone else.  The point isn’t that the provider is changing QuickBooks software in any way – that’s not really an option.  Rather, it is in how the provider elects to architect their systems and solution, and whether they are attempting to improve the experience and deliver with a unique approach rather than a generic one.

With increased competition and as some provider platforms experience challenges either due to age or capacity, certain “interesting” practices have emerged.  I now look at these business practices as part of the process of evaluating providers.  In the early days of hosting and application delivery, the business practices of various providers had some similarities, but not any more.  The practices which frustrate me most and which always cause me to score the provider with low marks in this category relate almost exclusively to transparency – or lack thereof.  Here are two scenarios which I’ve seen come up with some frequency, and which (in my opinion) are indications that the provider may not necessarily be one you want to work with.

  • A business has signed a one-year service agreement with a hosting provider, and has been required to prepay that annual contract.  The business was not provided with a demonstration or evaluation system prior to executing the service agreement; they simply trusted the information provided by sales.  After a few months on the service, the performance and support are so poor that the business wants out of the annual agreement, even though high service levels and support responses were part of the contract.  In order to be allowed to end the service agreement and stop paying for the service, the business was told they would have to not only buy out a portion of the remaining contract, but also sign an agreement not to communicate the service problems they experienced or the exit agreement terms with anyone. (*please note that I am essentially in agreement about having to buy out a committed term agreement, at least in part, but applying a gag order? Not so much).
  • A business is using the services of a hosting provider, and has a need to know details of their delivery (like server operating system version) in order to verify compatibility with a new software product they wish to purchase.  Before the business customer is allowed to obtain the information, the provider requires that they sign an agreement promising not to disclose the information they may receive to any other party.  (*note: While I recognize that this type of agreement is desirable to protect proprietary information, it is more often used to prevent the prospective customer from disclosing something potentially negative, and it certainly doesn’t do much in terms of building trust.)

The final evaluation is on customer satisfaction, where anecdotes and information is collected from both current and past customers of the provider.  Admittedly, much of this information I scour from various forums and discussion groups and interviews but it is truly amazing what you can learn about a business simply by listening to customer stories in various social venues.  The picture these stories paint is often (frequently!) very different from the “happy sunshine and rainbows” testimonials you find on websites and in marketing brochures.  Of course, who would buy from a provider who says their “support is great until you’ve been with us for a month, and then we pretty much don’t care about you any more”.  Also, people tend to be more vocal when they’re mad about something, so there is often more negative than positive out there in the social realm, so weight that carefully.  But the fact that certain provider names come up more often than others is the clue; when you don’t see the provider name come up in these discussions, it usually means they’re simply not making people mad.

There is a lot to consider in selecting the right service provider for the business, and the items listed above are just part of it.  While there are some (few) standards among application service providers, it is still what some might refer to as an “emerging” model and will continue to evolve with the market demand and technology.

For now, businesses just need to know that their solution provider is trustworthy and willing to communicate honestly and completely. Selecting the right provider – a provider who supports their business and model with full transparency to the client –  will help the business move forward just as the wrong provider is more likely to hold it back.  While pricing is an important and unavoidable aspect of the discussion, businesses should also put some focus on these other elements which help to reveal how the provider works with their customers, and to determine whether or not they can (or will even try to) meet your requirements now and in the future. 

Make Sense?

Joanie Mann Bunny FeetJ

Posted on

Technology and Tools for Accounting Professionals

Joanie Mann Bunny FeetTechnology and Tools for Accounting Professionals

old_school_ledgerThere was a time not so long ago when accounting professionals focused more on tabulation and summarizing of information than on analysis.  Accounting for businesses, in particular, required collecting myriad papers and receipts and other transaction documents, summarizing the information, translating it into journal entries, and finally posting those numbers to the big bound book which represented the business general ledger.  With the work required to gather and enter all of the information, professionals necessarily focused their efforts on making the process as efficient as possible by attempting to structure the workflow and manage the paper.

When those efforts are compared to today’s approach which involves digital documents, intelligent data collection tools, automated workflow solutions, online accounting and data analysis, it is clear that the processes for accounting for business activities have not really become simpler.  In fact, much of the enabling technology has served to complicate certain processes, which drives users to find even more “solutions” to address these new problems.  It (IT) is a bit like the Wonka Everlasting Gobstopper, which never gets finished and never gets smaller.  IT simply changes things – regularly and often.

Back then – before the Internet and digital imaging, or even Personal Computers – high technology wasn’t the focus because it didn’t exist in the realm of business in general.  I suppose you could call business solutions at that time “low” technology, where mainly mechanical solutions were introduced to address various business problems.

old_school_filecabinet

As an example, prior to the advent of digital imaging and electronic documents, one of the primary requirements of the business was to organize and store paper documents.  Over time, a wide variety of filing, foldering and labeling solutions have been developed, all oriented towards making the storage and later retrieval of paper documents easier.  For some businesses, letting go of the paper is a hard thing to do.  Years and years of training in keeping paper files has left many business owners and managers wary of working without physical paper documents.  Investments in office space, filing cabinets, storage folders and personnel to organize, file and retrieve all of the documents is only a partial measurement of the cost of managing paper, and large numbers of businesses continue to operate in this manner.

old_school_desk

The technology applied to processing the work has also changed, in many ways even more dramatically than the technology applied to collecting and storing the information.  Take the simple processes of tabulation (to arrange in tabular form; condense and list) and summing (adding up) information, for example.  Previous generations didn’t have computers and spreadsheet software to perform the work.  Rather, individuals would painstakingly handwrite each transaction entry into a ledger or on a columnar worksheet, and would then have to manually add each column and then cross check footer totals to ensure accuracy.  Back then, the machines used to perform the addition/subtraction were mechanical devices and could not perform multiplication or division.   These adding machines were first hand-cranked devices, later replaced with shiny new electrical ones (weighing approximately 20 lbs each).

old_school_telephone

Even voice communications have changed dramatically over the years.  Many people don’t remember a time when having multiple phone lines in the business meant having multiple telephones, and the concept of a PBX (Private Branch eXchange) didn’t exist.  Every phone would be hard-wired to an incoming line; if you wanted to answer a call, you had to use the right phone.  This became difficult in an office with many people, so solutions such as the “fabulous extendo-phone” was invented to allow anyone in the office to access the phone from their desk.

The technology available to businesses today is astounding, and offers amazing potential and benefit.  On the other hand, technology rarely (truly) makes things simple or easy – it more frequently serves to shelter certain users from the complexity while delivering new workloads and concerns to others.  It’s rather like energy – it isn’t created or destroyed, it just changes form [law of conservation of energy].  Business is like that, particularly where information technology is involved.  The underlying requirement doesn’t go away, just like a business’s requirement to account for financial transactions and activities,  and the need for the business to capture and retain documents isn’t changed.  How the process is managed, and which tools or mechanisms are applied to the task is what changes.

Make Sense?

J

onewrite-accountant_apparatusOne-Write System Revolutionizes Accounting.  These guys had the right idea, they just didn’t have the cloud.

Posted on

Cloud IT: Hiding Complexity and Risk

jmbunnyfeet

Cloud IT: Hiding Complexity and Risk

Cloud computing and Internet technologies have delivered previously unimagined capability for even the smallest of businesses – capability to compete, build brand recognition, and reach markets in remote geographies.  The mantra for businesses used to be “location, location, location”, but it’s become connectivity – perhaps even more than location – which now delivers business opportunity.  As technology has evolved, allowing businesses and consumers to connect regardless of time or place, the complexity of the systems and networks have also increased dramatically.  Where a business could once easily identify their various vendors or business service providers, the identification of those involved in the service ‘delivery chain’ are no longer so easily recognized.   Among the benefits of cloud computing technologies is the ability to reach beyond traditional boundaries.  The risk for many businesses is in not fully understanding how, and with whom, those boundaries are being crossed.

For many an enterprise, the convenience and efficiency introduced with cloud computing models overshadows the increased risk potential.  Service level agreements and vendor contracts are assumed to be sufficient to protect the business and its information assets, yet recent events (such as the recent reveals of PRISM and the actions of the National Security Agency) should cause businesses to look a little deeper at their entire provider network.  It’s not that the average business should be concerned about government snooping of their emails, but they should be aware of who has access to their systems and data, and which entities are responsible for which parts of the system.  It’s only prudent to know the details, and it is the best first step to mitigate business risk.

Enterprise Clouds are complex, sophisticated entities which invariably rely on a daisy-chain of third parties and contractors to help build, run and maintain their Cloud provider’s systems. The organizational and technical complexities are additive, resulting in increased systemic risk. Systemic risk is the least visible and hardest to eliminate, and those risks become real when the providers’ systemic risks become [yours].

The question is, how well does your Cloud provider manage the ecosystem of contractors and third parties that are farther down the food chain? This is even more relevant in the globalized workforce, where, paradoxically, Cloud and related technologies have greatly facilitated the outsourcing and offshoring of work to low-cost countrieshttp://www3.cfo.com/article/2013/6/data-security_prism-national-security-agency-edward-snowden-cloud-implications-vendor-management

Before executing a service agreement with an outsourced provider, make certain that the details of facility, connectivity, network, equipment, and other elements of the delivery and system are spelled out.  Business subscribers should know where the various points of failure exist, and which company is responsible for dealing with each.  If a carrier fails and connectivity to the data center is lost, the hosting service provider may be powerless to impact the situation, even though access to service is part of the SLA and requirement.  If a hosted software product has a vulnerability or fails to perform, the developer of the product is likely responsible, rather than a hosting service provider.  The point is that there are often multiple players in the delivery chain, and customers should be aware of this reality prior to engaging with the service.

Ultimately, the business with mission critical data in the possession of a 3rd party service provider should have a healthy helping of doubt as to whether the provider has full control over their environment.  Business owners, managers and CFOs should recognize the increased necessity of evaluating risk within their provider systems and in provider/vendor relationships, to keep trade secrets secret and prevent intellectual property from becoming the property of others.

Joanie Mann Bunny Feet

Make Sense?

J

Posted on

Many Companies Are Negligent About SAP Security, Researchers Say – CIO.com

Is your hosting service provider helping to keep your critical business applications secure?  It is not enough to simply harden machine images and develop policy-driven access; application hosting providers need to understand the vulnerabilities introduced by each and every application in the environment.  Otherwise, the system could be exposed to threats directed specifically at the application environment and opportunities it presents.

Many hosting providers will offer customers service for any business application they have, and often provide those services with no significant experience or expertise in dealing with configuration or security issues specific to those applications or environments.  Consider the following report from IDC which indicates that numerous SAP deployments remain vulnerable to attack or intrusion, even though SAP has improved security of the products. The problem rests not exclusively with the SAP applications, but also with the approach to implementation of systems and security around those applications.  Understanding the various vulnerabilities introduced with SAP products is the first step to securing them.  Certainly a skilled IT solution provider is likely to offer a high level of service and capability, but there may be issues presented by various products (like SAP) which introduce additional or unique considerations, and it is important for the service provider to be aware of and address them.

Joanie Mann Bunny FeetMake Sense?

J

IDG News Service — SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.

The biggest issue is that companies expose insecure SAP services to the Internet — not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.

Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn’t be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.

Most of the services have vulnerabilities that can be easily attacked, Polyakov said.

Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.

The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.

via Many Companies Are Negligent About SAP Security, Researchers Say – CIO.com.

Posted on

HIPAA Privacy and Security and the Cloud

jmbunnyfeet

HIPAA Privacy and Security and the Cloud

Is your cloud solution or hosting service HIPAA compliant?  This is among the most frequently asked questions from professionals shopping for cloud hosting service.  Unfortunately, it is also among the questions most frequently answered with ambiguity, or with naiveté.  The problem is that many businesses dealing with HIPAA compliance responsibilities as it relates to protection and security of personal health information may not fully understand their responsibilities as they extend to outsource IT and other service providers.  In the case of HIPAA compliance, many providers suggest their compliance without truly understanding what it means, and are introducing significant risk to their business and subscribing customers because of it.  With recent changes in rules relating to protection and control of personal health information, it is not just the health care provider, the health plan, 3rd party administrator or others that process health insurance claim information which must agree to provide adequate controls – the requirement may fully extend to business associates of these entities… possibly including their cloud service or hosting solution providers.

Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. http://www.hhs.gov/news/press/2013pres/01/20130117b.html

HIPAA guidelines and rules exist to protect and secure personal health information, a requirement growing in importance with advancements in technology, electronic health records, e-billing solutions, and cloud computing adoption.  Where the regulations were once focused on the entity directly involved in generating or processing the information, the view is now extended not only to 3rd party administrators, but also to the technology solutions and providers involved.  When a “covered entity” (an entity with a responsibility to protect and secure personal health information [PHI]) makes a decision to move this information to the cloud, a number of important and complicated issues must be addressed in the agreements with the service or solution provider.  These issues include security and privacy of information (including providing individuals the right to access and request changes to the stored information), tools which may be provided to allow the customer additional security protection, encryption of data at rest and in transmission (and who holds the keys), data location, return of data, disaster recovery, and service levels.

Cloud provider contracts and business associate agreements with cloud providers are not one-size-fits-all and should be negotiated carefully to protect PHI in a manner that accurately reflects the capabilities of the parties http://www.americanbar.org/content/newsletter/groups/labor_law/ebc_newsletter/12_winter_ebc_news/ebc12winter_cloud.html

The provider delivering cloud hosting services to the business may now be considered to be a “business associate” under HIPAA, meaning that the responsibilities of the Customer (the “covered entity”) also extend to their service provider. For any business operating under a HIPAA compliance requirement, moving to the cloud must necessarily involve a detailed discussion and set of agreements that spell out the “business associate” relationship as well as the details of the service delivery and accepted performance levels.

Joanie Mann Bunny FeetMake Sense?

J

Posted on

QuickBooks In-House Hosting Services for Accountants

QuickBooks Hosting Services for IT-Capable Accountants

DIY-SelfHostingSmall businesses in large numbers are looking to the cloud as a platform to deliver solutions for the problems of escalating IT costs, mobility, and remote access to business data. The cloud is also becoming the recommended platform for the delivery of services from accounting and bookkeeping professionals, as the benefits of remote data access and real-time collaboration nicely address the requirement for accounting pros to exchange and share information with their business clients. One of the popular “cloud” hosting solutions addressing a collaborative accounting model is a hosted application approach to using Intuit QuickBooks desktop products. While accounting professionals may be aware that QuickBooks can be hosted by 3rd party providers, many firms are not aware of what is referred to as the “self-host” model, which is a QuickBooks hosting model for accounting firms with some in-house technical capability.

For small businesses and many accounting service providers, working with a 3rd party hosting provider makes a lot of sense, as the host has the infrastructure and the support organization necessary to service large-scale hosted customer requirements.

On the other hand, there are a lot of accounting and bookkeeping firms which have skilled in-house IT personnel who are more than capable of creating a hosting environment to serve not only their internal needs, but also to meet basic requirements of the QuickBooks-using clients they work with. It makes sense to explore the possibilities of implementing a “self-hosting” model for client access to QuickBooks, overcoming the cost and other barriers involved with 3rd party hosting services.

When an accounting firm works with a number of clients with QuickBooks desktop edition files, the firm has to install and manage not only their own software products, but also the relevant QuickBooks software products in use by the various clients (must have the right QB program in order to open the QB data file). This often puts an undue burden on the internal IT systems of the practice which has its own internal-use software and systems to support. With an internal hosting approach, the firm can provide standardized/centralized application hosting services to their clients, building their own “economy of scale” on the platform and reducing the IT management while achieving all the real-time and remote access benefits of an outsourced hosted model. The firm does not experience a retail cost for a hosting solution, and the cost to host the client is generally offset through the efficiency gained at the firm level through direct access to client data and applications.

The technical model for delivering hosting services to a relatively small client base is not overly complicated. Commercial service providers have complex architectures because they must serve a large and diverse client base, and they never really know what sort of devices (computers and printers) or connectivity the customer may have. Commercial providers have to be prepared to deal with any and all situations, where a “self-host” firm needs only to concern themselves with supporting their particular client users and use cases. Additionally, when the solution is offered as part of the accounting or bookkeeping service, the support requirements of the customer tend to be focused during mutual working hours, as opposed to the 24×7 support demanded of the commercial host.

As accountants and bookkeepers search for solutions to improve efficiency, increase profitability and differentiate services, it makes sense for those serving QuickBooks desktop clients and having an in-house IT capability to explore becoming a QuickBooks self-host. It is one possible way to eliminate cost as a barrier to working closer with QuickBooks desktop clients while providing the mobility and collaboration businesses need.

 

Make Sense?

Joanie Mann Bunny FeetJ