There’s no arguing that “cloud computing” is gaining a great deal of momentum. Worldwide, cloud services revenue is forecast to reach $68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6 billion, according to analyst firm Gartner Inc. So what does this mean to the accounting profession? What are the benefits and risks? Who are the vendors in the proverbial sky, and how do you know you can trust them with your data—or your clients’ data, for that matter?
This article answers some of those questions and explains the history and future of the cloud.
The easiest way to think about cloud computing is as doing business on the Web, therefore eliminating the need for in-house technology infrastructure—servers and software to purchase, run and maintain. Unlike traditional software, which is distributed and deployed on-premise, cloud applications are designed for Web deployment. They are multitenant (delivered by one vendor to many customers), and users share processing power and space that is managed by the vendor.
Terms including “Software-as-a-Service,” or SaaS, and application service provider (ASP) often are connected to cloud computing in presentations and articles, but there are subtle differences between them. (For an explanation, see the “Definitions” box accompanying this article.) The types of applications available run the gamut—from tax software to payroll to full enterprise resource planning (ERP) systems—and most often are leased on a subscription model instead of purchasing licenses.
DOING BUSINESS IN THE CLOUD
Is it worth making the switch? Vendors and analysts point to several benefits to switching to a cloud environment.
Quick implementation process. Most vendors claim their applications can be up and running in a few minutes because there is no software to install. The implementation process also is easier for companies with multiple locations or remote workers to all have access to the same version of the application simultaneously.
Anytime access from anywhere with an Internet connection, which again includes the ability for employees to work remotely.
Lower upfront costs. Instead of paying a license fee and for annual maintenance, most models allow users to pay as they go (usually monthly, though some require annual contracts). They can pay per user and easily add more users. Vendors can offer their products at a lower cost in this situation because their systems are built to allow several customers to share infrastructure (both servers and storage areas) in a way that is transparent to users and does not allow those customers access to each other’s data. It may be difficult to conduct a cost comparison of doing business on-premise versus in the cloud unless a company has moved all its business off-premise. Some companies may outsource services such as their e-mail and/or infrastructure support, but still manage their core applications. That being said, realize that the upfront costs include the cost of hardware and IT employees that no longer need to be in-house.
Little or no hardware or maintenance costs . The vendor takes responsibility for maintaining the software and servers. This is where things can get tricky. If people who are evaluating the return on investment of switching from on-premise to cloud products by comparing what they are spending now to what they will be spending if they switch, it’s not really comparing apples to apples, said Gregory LaFollette, CPA/CITP, a senior manager with Eide Bailly LLP and consultant to accounting firms and vendors. In an on-premise environment, the customer pays for the hardware, storage space and IT personnel to maintain the system in addition to the software. In a cloud environment, the vendor fronts those costs, so a larger percentage of the total cost of ownership by the customer shifts away from hardware and people and toward software. Some industry analysts estimate the break-even point of leasing versus buying the software at about three years.
In general, doing business in the cloud should cost less than doing business on-premise, says Donny C. Shimamoto, CPA/CITP, founder and managing director of consulting company Intraprise TechKnowlogies. He suggests analyzing whether to make the switch as a three-year amortization of upfront costs for an on-premise application including servers, software licenses and installation plus estimated maintenance for three years and comparing that to the cost of subscribing to the cloud version of the product for three years. This can be applied to partial versus full cloud conversions and should be done on an application-by-application basis to determine whether there is cost savings by moving each application to the cloud. He said factors to consider include:
- Reduced support costs. Rather than having to employ in-house experts for product support, the vendor typically provides support directly for the customer.
- Reallocation of resources. IT staff can be reallocated for more strategic projects, rather than spending time on system upgrades and maintenance.
- Easier and more regular upgrades. Vendors can regularly tweak their products. In many cases, those enhancements are made automatically in the background without disrupting the customer’s work. Most vendors provide advance notice to alert customers about the changes and give them the option of when to turn new features on or off, if they don’t like them or aren’t ready to upgrade.
- Disaster recovery and backup capabilities. One of the costs incurred by customers who keep their data on-premise is backing up their data, typically via tape or by contracting a third-party backup provider. This is another area covered by the vendor in a cloud environment. Often vendors have redundant backup systems so that customer data is replicated in a separate data center in case of fire, flood or other disaster. The infrastructure is “self-healing” so that when a failure occurs and the backup becomes the primary source of information, the system launches a new backup instance of the data, LaFollette explains.
SECURITY AND RELIABILITY CONSIDERATIONS
With all this sharing of storage space in the “sky,” one of the biggest concerns expressed by those considering switching over to cloud applications is the safety of their data and their clients’ data. It’s a concern cloud vendors have been fighting to overcome for years. How can you know the data is safe?
First and foremost, make sure the vendor uses a data center that has received an AICPA Service Organization Controls Report (SOC), formerly known as a SAS 70 report. For purposes of this article, a vendor is considered the user, and the data center is the service organization. The AICPA developed the guidance to provide a highly specialized examination of a service organization’s internal control. There are three types of SOC reports:
- AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of user entities’ management and their auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions.
- AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. These reports, prepared using the AICPA guide Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), are intended for users that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of the users’ oversight of the service organization; vendor management; and internal corporate governance and risk management.
- AICPA SOC 3: Trust Services Report (Trust Services Principles, Criteria, and Illustrations) (AICPA, Technical Practice Aids, vol. 1, (TPA sec. 100) commonly referred to as SysTrust reports). These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not need the level of detail provided in a SOC 2 Report. These reports are general use reports and can be freely distributed or posted on a website as a seal.
A vendor that undergoes such an examination is stringently evaluated on its controls over the system or service it provides to user entities. The controls address the components of a system which include:
- Infrastructure. The physical and hardware components of a system (facilities, equipment and networks).
- Software. The programs and operating software of a system (systems, applications and utilities).
- People. The personnel involved in the operation and use of a system (developers, operators, users and managers).
- Procedures. The programmed and manual procedures involved in the operation of a system (automated and manual).
- Data. The information used and supported by a system (transaction streams, files, databases and tables).
As a result of these engagements, vendors receive a comprehensive audit report that includes a description of the system prepared by the service organization, the suitability of the design of the controls for an AICPA SOC 1 or SOC 2 report in a type 1 engagement, and in a type 2 engagement, the operating effectiveness of the controls over the system.
LaFollette suggests asking vendors for a copy of their SOC 2 report, if unrestricted, and/or their SOC 3 report.
Best practices also include using a third-party monitor, such as McAfee Secure or Comodo HackerGuardian, to test the security of the vendor’s Web applications on a daily basis. Look for that logo and the date-tested stamp on the vendor’s site.
Another important consideration is unscheduled downtime and how easily customers can access their own data. There’s a concept of “five 9s” in the cloud world, which relates to “uptime,” or how often the system will be accessible by users—99.999% uptime, which amounts to 5.26 minutes of total unscheduled downtime per year. This does not include scheduled downtime, which many vendors say they set during weekends or overnight to limit interruptions to users. This is often guaranteed as part of service-level agreements and, depending on the contracts, customers could be credited if the guaranteed performance is not met. The percentage of uptime has continued to climb over the years as providers place continued importance on this factor as a selling point (or deterrent) based on public perception. Some vendors are starting to say “no nines,” meaning their systems are never down, but LaFollette points out that most internal office networks don’t even come near “five 9s” of unscheduled downtime in a year.
Of course, the cause of downtime can lie with the customers if they don’t have ample bandwidth or any Internet access, since access to data is driven by a company’s ability to access the Web.
Jim Bourke, CPA/CITP, partner in charge of technology at WithumSmith+Brown, compared the amount of bandwidth necessary when moving from on-premise to a cloud environment as upgrading from a garden hose to a fire hose. You will need a big, wide open pipe to ensure reliable access to your data and applications around the clock. While the specifics will vary depending on the applications you use, the point is that the more of your business you do in the cloud, the more important it becomes to make sure your Internet connectivity is reliable.
Bourke recommends choosing an Internet service provider that provides the largest amount of affordable bandwidth in your area. Prices vary tremendously across the country, but $100 to $200 a month is well worth it for reliable access, he says. On top of that, whichever company you choose, also consider paying for a secondary or backup provider.
Many CPA firms choose telephone companies as both their primary and secondary providers, which is OK as long as they aren’t the same one, or even related. But choosing a cable company as a secondary may be a better choice and may even provide faster speeds, Bourke says.
Another obvious issue of concern is around data ownership and migration. What happens to your data if you switch vendors or a vendor goes out of business? Think of this the same way you would with online photo storage and sharing companies. Can you get those photos back if you want to? Be sure to ask vendors about their exit strategies and how much it may cost you if you choose to take your data elsewhere. Transferring data from one system to another is rarely easy. Also, will the vendor help you migrate your data to them from your current applications?
WHERE WILL IT GO FROM HERE?
Because there are so many Web-based applications, it’s likely that most accountants have at least a small percentage of their data in the cloud even if they don’t realize it. It’s just a matter of when they will switch completely. LaFollette predicts that will happen in five years, adding that in 10 years there will be almost no premise-based software.
A recent survey of more than 1,000 accounting firms by CPA2Biz, the AICPA’s marketing arm, found that 70% of respondents plan to increase their use of Web-based applications in the next six to 18 months. (CPA2Biz has partnered with several cloud vendors as part of its “Trusted Business Advisor Program.” They include Bill.com, Capital Confirmation, Copanion, Intacct, Paychex and XCM Solutions. See the “Vendors” sidebar for a list of other cloud vendors.)
The cloud services industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion, with the financial services and manufacturing industries being the largest early adopters of cloud services, Gartner reported.
“There’s a transition period. Right now we’ve got one foot on the boat and one foot on the dock, and it’s difficult to get stretched. At some point you have to let go and go one way or the other,” LaFollette said. “How do you go from Point A to Point B? When do you make that leap? There’s no one right answer. My advice is to look at some of the things out there right now and see what you can start using. If I were going into practice today, everything I did would be cloud-based immediately.”
People often associate cloud computing with Software-as-a-Service (SaaS) or the application service provider (ASP) model. There are subtle differences, however. While some vendors describe the terms differently, the following brief explanations were provided by Gregory LaFollette, CPA/CITP, a consultant to accounting firms and vendors:
What Is SaaS?
Generally speaking, SaaS is developed and hosted by the SaaS vendor, and the end-user accesses it over the Internet. Unlike traditional packaged applications that users install on their computers or servers, the SaaS vendor owns the software and runs it on computers in its data center. The customer does not buy the software but rather rents it, for a periodic fee, typically monthly. SaaS products are multitenant-based (many users access the same software at any given time) and generally unavailable in a traditional “premise-based” form.
How Is SaaS Different From an ASP? SaaS evolved from the application service provider (ASP) model. When ASPs were first offered in the early 1990s, they offered essentially the same thing SaaS vendors offer today: hosted applications delivered over the Internet. The difference is generally agreed as being in the development process (SaaS is built from the ground up to be multitenant).
Vendors in the Cloud
An increasing number of applications that accountants and their clients need to conduct business are available in the cloud. These include, but are not limited to, bill management, enterprise resource planning (ERP) applications, payroll, sales tax, tax preparation and workflow.
CCH, Intuit and Thomson Reuters all released Web-based versions of their tax preparation applications last year. Executives from all three companies stressed their commitment to bringing more of their applications to the cloud moving forward. (See “Vendors Get SaaSy” on the Sept. 21, 2009, AICPA CPA Insider e-newsletter.)
CPAs don’t need to be aware of every cloud application that exists, but they do need to be aware of some of the options, especially for the types of applications specific to the profession. Following is a partial list of vendors and products in the tax and accounting space:
Bill Management and Payment for Businesses
Billing Boss/Payment Boss (SageSpark)
Customer Relationship Management (CRM)
CNG Online (Cabinet NG)
GoFileRoom (Thomson Reuters)
Intuit Online Payroll (formerly Paycycle)
Payroll CS (Thomson Reuters)
Sales and Use Tax
ProSystem fx Suite: Software as a Service (CCH)
SaaS for CS Professional
Suite (Thomson Reuters)
SAP Business ByDesgin
Thomson Reuters Virtual Office
GoSystem Tax RS (Thomson Reuters)
Intuit ProLine Tax Online
ProSystem fx Tax—The Next Generation (SaaS Version) (CCH)
FirmFlow (Thomson Reuters)
ProSystem fx Workstream (CCH)
An increasing number of applications that accountants and their clients need to conduct business are available in the cloud. These include, but are not limited to, bill management, enterprise resource planning applications, payroll, sales tax, tax preparation and workflow.
Worldwide, revenue from “cloud computing” services is forecast to reach $68.3 billion in 2010, according to analyst firm Gartner Inc.
The cloud services industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion, with the financial services and manufacturing industries being the largest early adopters of cloud services.
Benefits of working in the cloud include quick implementation, anytime access, lower upfront and maintenance costs, and easier and more frequent updates.
Security and reliability remain top concerns for CPAs switching to a cloud environment. There are several questions you should ask a potential vendor before making an investment in their products to ensure these concerns are minimized.
Alexandra DeFelice (firstname.lastname@example.org) is a JofA senior editor.
To comment on this article or to suggest an idea for another article, contact Alexandra DeFelice, senior editor, at email@example.com or 212-596-6122.
- "Vetting a Vendor: Questions to Ask Before Making an Investment," Oct. 2010, page 52
- “Replacing SAS 70,” Aug. 2010, page 32
Use journalofaccountancy.com to find past articles. In the search box, click “Open Advanced Search” and then search by title.
“SAS 70 the Next Generation: Planning for the New Service Organization Standards” (#780225)
- AICPA Controllers Workshop East, Nov. 11–12, Orlando, Fla.
- AICPA Practitioners Symposium and TECH+ Conference, June 13–15, Las Vegas
Cloud computing Web Seminar series, cpa2biz.com/cloudwebinars
Transforming Your Client Accounting Services , cpa2biz.com/WhitePaper
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.
More from the JofA:
Find us on Facebook | Follow us on Twitter