outsourced IT management – Page 2 – Cooper Mann Consulting

March 10, 2016March 10, 2016

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information #cybersecurity

Information privacy used to be a fairly simple thing. Systems – what systems there were – weren’t so interconnected and information wasn’t so easy to share with thousands (millions) of people all over the world. Security used to come down to gaining physical access to the information, which was usually on paper. If you couldn’t get to the paper, you couldn’t get to the information. Yet those very analog days are long gone, and most of us have come to recognize that our personal information assets are no longer so tangible that we can touch them and feel them and keep them secured safely in the lockbox in the closet. What’s disturbing about the landscape of security in the cyber-world is that it is risky to trust not just the systems but the users – including the folks you want and need to trust – with your personal information. It isn’t that you can’t trust anyone these days. You just can’t trust that everyone is taking the precautions necessary to protect YOUR information. You need to be sure.

Trust has always been an essential element in business and finances, and in every business relationship there is some element of it present. The prudent customer performs necessary due diligence before entering into any business arrangement, but there are often factors taken for granted in the review; factors which are overlooked or remain unconsidered, often due to an essential level of trust which is placed with the other party. This is among the issues identified by the SEC as it relates to broker/dealers and their recognition of the importance of securing their clients personal information. Yet recognition of the risk and responsibility isn’t always enough, especially with the number and makeup of bad actors out there. As the threat landscape changes, so must the approaches and technologies used to protect information from those threats.

Consumers place a high level of trust with their financial advisors and generally provide them with a great deal of personal information, and the broker-dealers and advisors generally recognize the importance of protecting the personal information they are entrusted with. The problem is that these entities too often approach the problem of information security and protection as something with static and unchanging requirements. Compliance in establishing a baseline of protection is met. A lack of ongoing diligence required to adjust to new threats and changing conditions… not so much. According to a summary report on the subject issued by the SEC in February 2015, the “vast majority” of examined broker-dealers and advisors have adopted written information security policies, yet the report goes on to discuss additional measures and constant reviews which should be applied to better guard the personal information of consumers.

Most of the examined firms reported that they have been the subject of a cyber-related incident. A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails.

National Exam Program Risk Alert issued By the Office of Compliance Inspections and Examinations (“OCIE”); Volume IV, Issue 4 February 3, 2015

Among the agencies placing focus on the issues of cybersecurity and personal information protection is the SEC. Within the SEC (Securities and Exchange Commission) is an office called the Office of Compliance Inspections and Examinations (OCIE). The OCIE exists to “protect investors through administering the SEC’s nationwide examination and inspection program”. Registered entities examined by this office (in Washington, DC and the Commission’s 11 regional offices) include broker-dealers, transfer agents, investment advisers, investment companies, municipal advisors, the various national securities exchanges, clearing agencies, and certain self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) and the Public Company Accounting Oversight Board (PCAOB).

In February 2015, OCIE published a summary of observations of the findings from a SEC-sponsored Cybersecurity Roundtable which included SEC Commissioners and staff as well as industry representatives. The roundtable discussion, held in March 2014, focused on the important part cybersecurity plays in preserving the integrity of the market system and protecting customer data. On the heels of the roundtable came a Risk Alert published by OCIE, in which it announced a series of examinations and tests aimed at the identification of cybersecurity risks and assessing the preparedness of the securities industry to meet the challenge. After all, federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.

The watchful eyes of the SEC are looking directly at broker-dealers and advisers, bringing additional attention to messaging about the requirement for these entities to protect consumer personal information. The message is more likely to be heard when it includes the threat of censure and big fine. In September 2015 the SEC charged an “investment adviser with failing to adopt proper cybersecurity policies and procedures prior to a breach”. According to the SEC release, the firm “failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.” Also in September, the OCIE communicated another Risk Alert notifying of their intent to focus on cybersecurity compliance and controls, including information about the next round of examinations which will include more testing to evaluate firms’ implementations of procedures and controls around information protection and cybersecurity.

Gathering information on information security and privacy practices is not always easily accomplished for the SEC OCIE. FinCin (US Dept of the Treasury Financial Crimes Enforcement Network), on the other hand, seems to get more reports of breaches from broker-dealers than does OCIE. Maybe it is due to the advisor wanting to take more the role of the victim rather than admittance of culpability in any way, but the OCIE reports that roughly 65% of broker-dealers that acknowledged receiving fraudulent emails, for example, reported them to FinCen, yet perhaps 7% or fewer actually reported the information to law enforcement or other regulatory agencies. It is the public report of the breach which gets the attention, and which continues to spur the efforts within the OCIE.

Public reports of cybersecurity breaches occur with too much frequency. Sadly many of these events are due to failures or weaknesses in basic controls – failures which might have been identified if testing and review of basic processes, systems and controls was part of regular procedure. With some of the largest data breaches possibly resulting from hacking of 3^rd party vendor systems and platforms, review and assessment of vendors and suppliers must also be folded into the realm of consideration. Failure to protect personal information of consumers and clients is risk to not just the firm or the client, but also to the entire market. Risk reduction and management is among the focus areas for OCIE, a charter which supports the recent creation of the Office of Risk and Strategy, and which recognizes the challenge in gaining the information necessary to effectively inform the SEC and the market on cybersecurity issues.

jmbunnyfeet Make Sense?

June 30, 2015May 19, 2017

Two Ways to Get QuickBooks in the Cloud

Get QuickBooks in the Cloud: Hosted QuickBooks Desktop or QuickBooks Online

cloud-computing Running applications online, or “in the cloud” using today’s parlance, is top priority for a lot of businesses. It’s not that these organizations have a burning desire to post their financials to the web, which is what a lot of folks thought was going to happen when we first suggested they use their financial applications online. Rather, business owners and managers have begun to recognize and experience the benefits of connecting their various locations, remote and mobile workers with real time access to business applications and data. Further, centralization of IT coupled with outsourced IT management and subscription service pricing has introduced financial and operational benefits which make businesses more cost-efficient as well as more agile. From being the basis for foundational process and workflow improvements to allowing the repositioning of IT costs from capex to opex, online application services are proving their value in various ways every day.

The evident popularity of cloud solutions is clearly visible in one small corner of the global software marketplace: the small business accounting solution market. Intuit’s QuickBooks product, almost a default go-to with entrepreneurs and small business owners, is still the most prevalent accounting solution in use by US small businesses. While there may be growing usage of other applications on the web, such as Xero or FreshBooks (both are awesome SaaS apps that do what they do quite well), there is equally strong growth in Intuit’s own SaaS version of QuickBooks. The SaaS applications are easier to localize for different places in the world – different languages and currencies – so international use of these products is likely to continue to grow. Even more to the point, these solutions address functionality and pricing levels which are acceptable to entirely different classes of users that previously wouldn’t even consider buying accounting software to do the books (like freelancers and solo/soho operators), so the overall size of the market of “businesses who use accounting or bookkeeping software” is actually growing.

Intuit’s QuickBooks Online edition is a true SaaS solution that is quite different from the desktop-based QuickBooks. While QBO has gained tremendous popularity, it has yet to reach the user numbers the desktop products have. The desktop solutions boast not just a particular range of functionality, but integrated applications and add-ons, and – perhaps most importantly – being a foundation for a wide variety of financial and business record keeping, bookkeeping, accounting, operationally oriented and reporting processes. To sum it up: it’s embedded. People know the software, the data is in a known format, and the product is simply part of how the business operates.

Once a solution is as entrenched as QuickBooks is – kind of like the entrenchment Microsoft Word and Excel have in the productivity area – it doesn’t go away very quickly and only when the value proposition is much greater… and maybe not even then. Rather, folks find ways to make the solution they want work for them. This is where hosting comes in and meets with the market’s demand for running applications (yes! even desktop applications!) online, as managed subscription service.

Running your QuickBooks desktop online via a hosting provider is how businesses take advantage of the best benefits of SaaS without actually converting to a SaaS application. They retain investments in training, process and integration yet introduce mobility, remote access and office connectivity, centralized information and predictable costs. QuickBooks-using businesses need to know about hosting their QuickBooks and the providers who can offer anything from standardized to extremely customized service.

As technology continues to evolve at ever-increasing rates, businesses will continue to be faced with new paradigms for doing business. Some will adopt early and some will adopt later, and some simply won’t adopt. Certainly the market as a whole doesn’t adopt as quickly as software companies would like, but then that’s always the way it is. Customers will do what works for customers, and right now hosting is working for QuickBooks customers.

Joanie Mann Bunny Feet Make Sense

March 10, 2015

EMV and Retail – Your Trusted Advisor Should Be Advising You about This

EMVChipCard There is ‘big change a comin’ for retailers, merchants and any business that accepts credit cards for payments, and there are a great many businesses that are completely unprepared for it. The change, what is being referred to as the “Payment Networks’ Liability Shift”, goes in to effect in October 2015 and places the burden of liability for fraud squarely on the shoulders of the merchants and card issuers who are not compliant with certain payment system security standards. Accounting professionals and Trusted Advisors – here’s one of those things you should be helping your clients with. Help them get informed, trained, and prepared. Help them to understand the risk and decide on a course of action. This is part of what makes a trusted advisor: they got your back.

The way things generally work in the US today, a fraudulent charge on a credit card is likely to end up being covered by the credit card company (the issuer). Starting in October, retailers are supposed to be able to accept payment cards with EMV chips (named for the founders of the standard: Europay, MasterCard and Visa), and must process those cards using the compliant technology that takes advantage of what the chip processing and security offers. If these conditions aren’t met – like having a POS or payment terminal not capable of reading the EMV chip – the merchant is on the hook for the fraudulent transaction. Given the volume of credit card and payments fraud in the country you’d think that most merchants would already be ready for this, but replacing all the POS and terminal equipment could be pretty costly. It may take a bit of analysis to understand the real risk and compare that to the cost of compliance. Certainly it makes sense to always be in compliance, but there are always factors which influence how quickly (or how completely) compliance may be met.

The liability shift is part of the influence being leveraged to get businesses to adopt newer and more secure models of electronic payment acceptance and processing. It is simply the case that the magnetic strip on a credit card isn’t good enough any longer. The new EMV Chip reading payment terminals require that the card be inserted and processed by the terminal rather than simply swiping the magstrip across a reader. Over 40 years of using the magstrip approach has helped to earn the United States a top spot on the leaderboard for credit card and financial fraud, and we seem to be lagging behind in adoption and implementation of the EMV technology even though it has been shown to seriously curtail fraud even as payment card usage increases. The EMV chip process, which encrypts information about the card so that even the local POS system doesn’t get access to it, is far more secure and is being widely adopted and used in Europe, Canada, Latin America and the Asia/Pacific regions. Now the clock is ticking for US businesses to get ready to either update their systems or accept the liability for not doing so.

The shift in how payment cards are made and processed is simply one of many changes which will continue to occur as technology and human ingenuity continue to be applied in both good and not-so-good ways. Recognizing that the pace of change is increasing, businesses must find ways to remain informed and prepare for those changes which will impact the business operation and sustainability. This is among the essential roles the trusted advisor plays, and the current imperative simply underscores the growing need for such advisors by business large and small.

jmbunnyfeet Make Sense?

August 28, 2014

Following the Rules: Users and Licensing for Hosted QuickBooks

I have said many times before that the licensing for QuickBooks desktop editions appears to be a bit complicated, and a lot of that may have to do with the fact that so many people use QuickBooks in so many different ways. With a solution like QuickBooks (or Microsoft Office or other really popular and widely used software products) there is a tendency for folks to want the flexibility of accessing their software regardless of what computer they are using. Also, especially in businesses, there is the habit of installing software on a computer and then allowing anyone sitting at the computer to use the software. In some cases these approaches are okay with the software vendors, but in most cases they’re not. Yet too often, the small business owner doesn’t find out what the actual rules of using the product are until they try to deploy the software with a hosting service provider (because nobody ever actually reads the EULA, do they?). If the provider has any credibility at all, they will enforce the licensing rules of the software, but that doesn’t always sit well with the customer.

picture-hostedQB This situation rears its ugly head quite frequently in the QuickBooks hosting world. Perhaps it is because there are a lot of possible working models involving QuickBooks users, or maybe it’s simply a matter of people not seeing the value of paying for what they want to accomplish. Either way, service providers find themselves being challenged every day in trying to explain to a customer why they need to have more than one license for QuickBooks and more than one service account if they want more than one person to access the hosted solution.

Different people at different times: The Concurrent User approach

One of the arguments people make for not having licenses for all of their users is that they don’t actually need everyone in the system at the same time. The belief is that there should be licenses enough only for the number of concurrent, or simultaneous, users that will access the system, yet each individual human being/user should have a login to the system with the software available (for convenience, of course). A QuickBooks 3-user license, they believe, should be able to be used by any number of business users as long as no more than 3 of them are in QuickBooks at any given time.

While the customer may be making a reasonable argument, it all falls down when you consider the license agreement for QuickBooks. Each user of the product is supposed to have a specific license. A business with a 3-user license (or 3 single-user licenses) for QuickBooks has the rights to allow 3 people (unique human beings) to use the software, not any combination of people as long as they number no more than 3 at a time. There is to be no sharing of licenses, and there is no “concurrent” licensing model: each person/user/human being is supposed to have their own license for the product no matter how often they access it.

Look but don’t touch: The Read-Only User approach

Another of the arguments people make for not licensing all of their users is that there is somehow a belief that if you don’t actually enter information, then you aren’t really using the software. This often comes up in situations where an accounting professional works with their client, or when business owners want to occasionally see what’s going on in the company. The approach centers on the concept of what a “user” is and suggests that users are the people entering or changing the data, and people only viewing that information aren’t really “users” at all. When the bookkeeper opens QuickBooks and enters an invoice, the bookkeeper is recognized to be a user. But when the business owner opens QuickBooks to view the financial statement or see the bank account balance, isn’t the business owner also a user? Yup, they sure are. Any person that actually opens the program on the computer is a user, regardless of what they do when the program is open. Just looking around at the data still requires that the program be open, and opening the program requires a license.

Two Fer: But the other hosting company lets me…

Just because you can do something doesn’t mean that you should. So, just because a different hosting provider might let you get away with things that aren’t right (but perhaps are convenient or cost saving in the short-term) doesn’t mean you should expect a different host to allow the same thing. If your current host says things like “as long as you don’t tell us…”, you should be concerned. This often comes up in a hosting scenario where there is an outside accounting or outsourced back-office professional working with a hosted client business. The outsourcer will want to access the client books, so they will want to have a login and access to QuickBooks software on the host system.

The trouble starts when the outsource professional doesn’t want to have to pay for their own service or licensing, yet they want to be able to login to the system and run QB just like the client does. Falling sometimes under that attempt to leverage a concurrent user approach (see above), these outsourcers just aren’t realizing that the benefits of accessing their client information and working in real-time with that data is often valuable enough to support the cost of a hosted account and license. Instead, they want their access to be free of charge and not be bound by silly rules of licensing, often because their client won’t want to pay for the accountant service in addition to their own.

This is when the “if you don’t tell us” stuff comes in – where the service provider may suggest to the accountant or outsourcer that they can simply login as the client and nobody would be the wiser. I’ll fess up and say I have even entertained this idea with clients a few times but always shy away from discussing it in-depth. While it is basically true that the service provider doesn’t generally know which exact human being is sitting at the other end of that remote desktop connection, that doesn’t mean that it is okay to leverage it into an abuse of services or licensing.

Two or more people sharing a single login just isn’t good ju ju, and it’s usually against a whole bunch of licensing rules and rights of use. The funny thing is that many customers who initially leverage their service in this manner end up finding it was a really bad idea. I saw a scenario a few years ago where a business allowed their outside auditors to share the logins of regular employees in the finance department. When an employee tried to login to their remote desktop, they opened the session the auditor had open – exposing the employee to a lot of data that was not theirs to see but which the auditor user in QB had access to. The company called it a security breach and it was on their part – and it was allowed to happen because they shared their remote desktops with the auditors rather than giving the auditors their own accounts with their own security profiles. What seemed like a good, cheap approach on one day rapidly turned into a big issue the next, and the service provider had no power to prevent it from happening.

The moral of this story is simply that following the rules is the right thing to do and most reputable hosting service providers will try, even if they don’t end up doing it really well. There are always going to be those who figure that the risks don’t measure up to the potential rewards, so they will do what they choose to do. I’m always left wondering about those guys; if they have no problems breaking these rules, I wonder what other rules (or confidences) they are willing to break. Hmmm.

Make sense?

July 16, 2014April 20, 2017

Accounting for Point of Sale

There are a lot of solutions available to help retail businesses get business done. From touch screen technology to mobile credit card and payment processing, retailers have many choices when it comes to selecting the right technology for the establishment. But even the best point of sale system can lack the critical element that makes it truly valuable for the business. This critical element is integration to a trusted accounting and finance solution. While the POS system may include a level of basic accounting functionality, the reality is that a dedicated financial application will perform better in the long run.

Just as specialized line of business applications are used to handle operational functions, the financial application should be considered to be the “line of business” solution for the accounting and finance department (even if it is a department of one). This system not only services essential processes like receivables management, bill payments and bank account reconciliation, it serves as the basis for payroll, financial, tax, performance and other reporting. Further, the financial systems are often the first and primary source of analytical data, illuminating KPIs and cash flows and ultimately the business value.

The point of sale application generally handles the selling of and payment processing for goods and services sold by the business. Whether it is composed of registers and terminals connected to a host system, PCs running POS software, or mobile phones and tablets running mobile payment processing apps like Square or GoPayment, point of sale addresses the retailers need to capture and record sales and payment information, sometimes customer information, and often inventory information.

The data from the POS solution must make it to accounting in some manner, yet point of sale applications are too-often approached as a standalone business requirement, somehow disconnected from other aspects of the business including the back-office. Sales and items may be recorded in the POS system, yet only summary sales data ends up being re-keyed into the accounting system. Centralized inventory management is all but nonexistent in these cases, and gross sales total are often recorded rather than individual transactions and receipts being transmitted to the accounting system. The process of re-keying information from the POS to accounting systems is not only an efficiency-killer, it is also introduces a great potential for errors. When the business elects to conserve on data entry and post only summary information to the accounting system, valuable detailed sales and transaction data may be lost.

The right approach to bringing point of sale together with accounting is to automate the process of integrating POS data with accounting on a regular basis – with AUTOMATION being the key. Rather than establishing a process that requires manual entry of information from either system, a data integration solution is the best approach, with an import/export solution running second. The point is the elimination of manual re-entry of information.

There are numerous tools available that can take formatted POS data and import it into products like QuickBooks, for example, where it can be properly accounted for. While QuickBooks Point of Sale integrates with QuickBooks desktop products, other POS solutions can also connect with QuickBooks if the right integration tool is selected, and there are quite a few available. Check with the POS vendor and ask about a direct integration with QuickBooks desktop or whatever financial system you use. If there isn’t a packaged integration solution available, then check out products like Transaction Pro Importer, which can automate a variety of data import processes and ease the burdens moving external data into QuickBooks. pointofsale

The other factor in getting point of sale data to accounting is actually getting it there… transporting the data from the POS location to where the accounting system lives. In many situations it is not desirable to keep the accounting system on the same computers as the point of sale systems, and in some cases it isn’t even possible. But there is generally a way to get the information in a form that makes it possible to transmit it in some manner. Among the most popular approaches to solving the “getting the POS data from here to there” problem is to use a data sync solution like Dropbox.

If the point of sale data can be exported or output to a file on a PC hard drive, then it may be able to be stored in a Dropbox folder on that PC. At the home office where the accounting system resides, the operator would access the sync’d files from the local PC Dropbox folder and import the data to QuickBooks. For QuickBooks Point of Sale there is an option to create a “mailbag” of sorts from the POS data of a remote store, which QuickBooks POS at the home office would pick up from the Dropbox folder and push to the QuickBooks financial application.

For businesses using POS systems like Micros or POSitouch and others, there is likely a service or application that will produce the POS data for import to QuickBooks or other financial system, pulling POS data files placed in the Dropbox folders by the POS app or performing the function as a web service or SaaS integration.

While I am a big fan of application hosting services and running QuickBooks desktop editions in the cloud, I’m also a realist and recognize that many POS solutions either can’t or shouldn’t be hosted. There are situations where a hosted point-of-sale makes a lot of sense, and then there are cases where no bandwidth or proprietary hardware-based solutions make hosting not even an option. That doesn’t mean that the financial systems shouldn’t be hosted, though, and there are numerous ways to get the sync’d POS exports to the hosted QuickBooks environment, for example.

The key for retailers is to make sure there is a solid process for getting detailed and accurate POS information into the accounting system on a regular basis. Manual entry is never the best answer. With all of the technology and tools available, manually re-entering sales information is a waste of time and is likely to produce errors. The better answer is to use an approach that automates the regular collection of point-of-sale data from all sources, delivering the data in a regular and consistent manner to accounting, and providing the basis for end-to-end automation supporting the integration of the point of sale system data with the rest of the business accounting.

jmbunnyfeet Make Sense?

June 24, 2014November 29, 2017

Justifying the IT Budget: the Cost of Not Spending

“Competitive and ever-increasingly sophisticated in the marketplace”[1] describes a company positioned for long term business survival. Complacency takes the business nowhere but into irrelevance-land, which I think we can all agree is not where most business owners wish to end up… it makes selling the company slightly more challenging. Even in markets which were once firmly held to be localized are now open to new – and new kinds of – competitors, due in most part to advancements the development of information technology (IT) as well as how it is applied. These days, competition is globally facilitated rather than locally, and it’s becoming the standard approach. Welcome to the cloud.

New paradigms in IT capability and use are spawning huge shifts in what were broadly recognized normal or traditional business approaches. This realization has created the need for businesses to radically change their view of IT investment and the value of IT within the organization and operation. Yet IT is rarely an area which gains a strategic focus for investment within most businesses, and is frequently considered to be like a pencil or a particular chair… something the business needs but which has little impact on the company’s ability to compete better. Au Contraire, Mon Frère: Information technology is at the heart of business competitiveness, but justifying the desired investment is the great challenge. Maybe it’s because the focus is always on the great benefits to be achieved with the spend, rather than looking realistically at the impact of not doing it well or at all. Especially with information technology, there is a large potential cost to be paid for not spending adequately.

While business operations are sustained through IT involvement, economic pressures continue to weigh down business interest in funding IT operations. (which is weird, as there is a lot of evidence that the good bet is on those who do just the opposite). This regular spending reduction and cost control plan has good intentions of reducing the overall cost of business operations. The unfortunate reality is that operations are less efficiently sustained and are even more frequently unable to create or manage any level of growth. Reducing all IT spending is only useful when profitability is also improved and quality is maintained, unless it is an effort to simply stay afloat as revenues decline (and it’s recognized that quality will decline as well). But reducing costs does not help the business seeking to remain competitive in a rapidly changing marketplace, and pulling the pins out of the department primarily responsible for at least keeping things currently in operation operating serves only to chip away at the once-solid foundation. It’s a real problem, this difficulty with increasing interest and justifying increased funding for business information technology. And it all stems from the inability of organizations to clearly and with tangible benefit cost justify the investment.

It is this justification – demonstrating IT investment as a strategic asset presenting an advantage over competitors and positioning the business for future success – which requires effort and analysis to fully describe. Information technology is not a set of servers and software, and it is not websites and portals. It’s not click thru rates or SEO scores. Well, it’s all of that, but it is none of that. There is so much to consider and incorporate, and there are many degrees of success which might be experienced along the way. Information technology is a fundamental requirement in each and every business, and dependency upon it is increasing at a startlingly rapid pace, yet we still can’t quite figure out how to put it all on paper with provable numbers.

It might be easier to forecast in little departmental or functional pieces, but that doesn’t provide a total picture of the enterprise. And it’s often really difficult to quantify the impact of not doing something, or doing it only OK rather than really well. When this data does present itself, it often comes too late and in the form of a comparison to the competition, revealing where the business just didn’t meet the mark as compared to others in the same space.

It all boils down to businesses coming to the realization that information technology investment must be made on a continuing basis. The justification for IT funding must be made, and that justification must necessarily be balanced against the potential implications and impacts of not implementing. This is the only formula which can ultimately describe the value of IT investment in the business.

Make Sense?