Cloud Computing

With 2012 just around the corner, the JofA gathered the three technology keynote speakers from the AICPA’s 2011 Practitioners Symposium/TECH+ Conference to talk about tech trends heading into the new year. The nearly 90-minute conversation covered a wide range of technical issues critical to all CPAs.

Participating in the call were:

• David Cieslak, CPA/CITP, aka Inspector Gadget, a principal with Arxis Technology.
• Randy Johnston, executive vice president of both Network Management Group Inc. and K2 Enterprises.
• Rick Richardson, CPA/CITP, founder and CEO of Richardson Media & Technologies.

Moderating the call were:

• J. Carlton Collins, technology and accounting systems consultant and author of the JofA’s monthly Technology Q&A column.
• Jeff Drew, senior editor covering technology for the JofA.

The JofA is presenting the online version of the conversation in 10 installments released over a nearly two-month span. Each part focuses on one major topic and features audio clips from the conversation. Part three takes a detailed look at cloud computing.

The complete schedule is available at the bottom of this article and at journalofaccountancy.com/tech.

Collins: Let’s turn our attention to cloud computing for a minute. Everybody’s talking about it, but the concept’s not really new. It’s been around since the 1970s. We used to refer to it as “time sharing,” when you shared time on a mainframe computer. And since then it’s been called numerous things, like remote job entry, network computing, Web-based solutions, software as a service, and most lately, today, it’s called cloud computing. And it seems like with this title that the concept is really starting to take off. Rick, can you tell us, what’s the difference now that’s making cloud computing so popular?

Audio: Click here to listen as Rick Richardson outlines why cloud computing is now becoming popular.

Richardson: Well, Carlton, I guess there are two or three things I’d like to comment on. The first is just how easy it is to use. Most of the vendors that are now providing cloud-based service provide it for collaboration and for synchronization. And in both of those cases, some of that happens literally automatically—that is, mobile devices will sync to the cloud, whatever service they happen to be going to, without the user even having to do anything.

And from a collaboration perspective, one of the ones I like the best in that environment is the new Google Apps. They have literally redefined what collaboration means when two users can be working on a document and actually see the other user make the change on their screen. So it’s pretty incredible in that regard.

The second is not needing anywhere near the storage space we used to need in mobile and semimobile and desktop devices. If you think about it, there are several services the cloud provides, and one of those is storage—the ability to put, as an example from a personal perspective, all of your music and entertainment, your books, all the rest of that stuff in a cloud service, where it’s maintained there. If you (have) 30 or 40 gigabytes’ worth of music, you don’t have to buy 30 or 40 gigabytes in your player that sits with you remotely. It’s all covered in the cloud, and you can buy a device that’s a lot lighter, a lot less expensive than we had to do before.

Third is the whole issue of the software products that are being offered and operated in the cloud. We call that software as a service, although that definition gets used pretty broadly, depending upon which software company you’re talking about. But products like accounting and tax compliance and planning, they’ve been available in stand-alone modes forever. They’re now available from both known and brand-new vendors we’ve never seen before, with products that offer so much more integration than we ever had before. I think it’s just going to really change the way we work.

Collins: That’s interesting, Rick. Do you think CPAs should be concerned about storing large quantities of tax returns or their accounting system data out in the cloud?

Richardson: Well, I would guess one of the things that we can’t forget is the whole issue of security and backup, and that is—that has to be a certain portion of the discussion. The other part of the discussion—and we’ll probably get into this as we cover other topics downstream, but, you know, if you’re now relying on someone in the cloud to provide you with a service and they go down, you know, you’re—we’re used to having this computer in front of us, and you turn it on and it works. And when it doesn’t work, you go sit at another computer. But here, now, your service is up in the cloud, you don’t know where it is. You go to sign into it, and it’s not there.

So I think both of those issues become important, the security for getting into it, the backing of it up properly. The health care people are worrying about it the same way from the HIPAA [Health Insurance Portability and Accountability Act] requirements with respect to health records.

Collins: OK. Dave, what’s your take on cloud computing?

Audio: Click here to listen as Dave Cieslak discusses the benefits of cloud computing.

Cieslak: Well, actually, I’ll kind of share from maybe a different perspective and just talk about some of the benefits of cloud computing, and I appreciate what Rick was sharing there. It definitely supports mobility, as we’ve kind of been touching on that topic throughout our discussion so far. But really, just the ability to have anywhere, anytime access. And I know that’s maybe terminology that we’ve used for a lot of years. We’ve been saying, “Won’t it be exciting when you can have anywhere, anytime access?” And we’ve used remote control products and so on and so forth.

But really, I would say this is truly taking what we’re doing from an application and a data perspective and truly transitioning it outside our four walls and making it—really giving us the opportunity to have that kind of ubiquitous anywhere, anytime access. So I really think that is still a real standout as we think about how the cloud can change how we work and how we go about doing what we’re doing.

So, you know, Rick talked about data and reviving just kind of a foundation for backing up our data. I guess the good news is if we lose a device, we don’t … end up losing our data, because … its main domain is in the cloud. And so we really … look at the device a lot more as a—I don’t want to call it a throwaway—but not near as maybe risky if that device gets misplaced, because maybe less and less of our key confidential, critical data is residing on physical machines that we’re tasked with protecting.

So some of the other benefits, I think (include) reduced internal IT costs. All of this is part of a trend that … I think that all of us are observing, just this ongoing commoditization of IT. As you look at IT in general, I think consumers and businesses alike are saying, “Do we really need to pay specialists … and consultants and so forth?” versus how much of this really has turned into more of a kind of a commoditized retail transaction. And so as we think about the network infrastructure, the computing infrastructure and how much of that can be commoditized, well, part of that is happening through this cloud-computing initiative, or this cloud-computing migration that’s under way.

So, another part of that, the organizations have much more predictable costs. It’s a lot easier to—actually it’s frictionless, we’ll say—even to do upgrades, because it’s being upgraded for you in the background. You’ll always be enjoying the latest and greatest versions because the vendor’s taking care of that. So when I log on, I’ll always be using the latest apps. I’ll have access to my data. I’ll know that the data’s been backed up and secure. I don’t have to worry about it necessarily being misplaced if my device is misplaced. There’s no product installation. I literally just fire up a Web browser, and potentially, I’m straight away working with my key applications and that data.

And I think one of the things, as we’re talking with a number of our clients, and even just kind of thinking through our own internal approach to things, I think the simple reality is, if we were to start an organization today, start a company today, start in business today, I think we’d all probably agree that it would be cloud-based. We’d try to do anything and everything that we could via the cloud. And really, I think the only kind of drag on that whole equation, the only thing maybe holding us back a little bit from that, is the fact that many of us have a lot of pretty entrenched infrastructure. So we’re in this transitional window where we’re going to be moving more and more, piece by piece into the cloud. But clearly, the benefits are there, and clearly there’s a lot of incentive and motivation to get there.

Collins: Well said, well said. The thing I like most about what you said, Dave, is—and I’m looking forward to it—when I don’t have to run to the computer store every year or two and purchase new versions of all the products and take time to install them in my system. That’ll be a good day for all of us, I think. Randy, can you tell us about some cloud solutions that CPAs should be using, and maybe explain why they need to operate in the cloud to be effective?

Audio: Click here to listen to Randy Johnston discuss several cloud solutions for CPAs.

Johnston: Carlton, pleased to do so, and there are hundreds compared to the dozens of just a couple of years ago. And I will name some products specifically just as good examples. But let’s start with a pretty sophisticated solution, called ClusterSeven, that actually does spreadsheet controls. That’s one of the top initiatives of technology that was in the survey by the AICPA this past year or so. ClusterSeven allows cell-level control of formulas and data not only in spreadsheets, but also in (Microsoft) Access databases and so forth. (It’s) a pure cloud app to get that done and (a) very affordable application for that particular situation.

You’ve got business analytics running in the cloud that way, which is really also interesting. I’ll pick on BizTools Pro as an example of that. (It) is a QuickBooks-enabled analytic product. But the analytics products run from the small to the large. And, Carlton, probably you as well as anybody know about so many of the accounting software products now available in the cloud, from the entry-level products like Xero or QuickBooks Online on up through an Intacct or a NetSuite or an SAP Business ByDesign. There’s a dozen-plus of those products today that are quite effective.

For public practice listeners, Capital Confirmation does a wonderful job of being a software-as-a-service product that handles audit confirmations, and not only, say, cash, but also heading into AR [accounts receivable] and AP [accounts payable], and they’re doing a validation and verification of all small business addresses and so forth, and that’s a pretty innovative type of thinking.

But I’d like for our listeners to also spot, every cloud product I’ve talked about is what would be called, traditionally, software as a service. It’s a product that runs in a browser. It’s multiuser, multitenant, and I typically set a lot of the hosted applications aside, even though they might be marketed as software as a service. So further, like with what Rick Richardson said earlier, you can do tax in the cloud with products like GoSystem RS or document management in the cloud like GoFileRoom, just to name two products that work as a pure task offering.

And beyond that, we could go on and on and on. Probably the best way to think about it is there is probably a fast solution for every business need that you’re looking at today. Some of the weaker ones tend to be in areas like point of sale or manufacturing and distribution, and those will be a little harder for some people to get past. Dave is also spot on right. If you can throw everything out from the past and start off into the future, you would probably solve your business issues with cloud solutions today. But right now we’re going to go through a period where we’ll probably run hybrids—some things in-house, some things up in the cloud—and there will be a transition period. And for some, they will build their own private cloud by keeping the infrastructure internal but mobilizing their things through browsers to tablets, to phones and other situations.

Collins: Hey, thank you, Randy. How about we throw out a question for all of our panelists, any one of you that wants to jump in on this? Can you give us a small laundry list of those products, services or applications that a CPA in industry or in public practice should look at for transitioning to the cloud, and when should they do that? Do you have like three or four or five key areas that they should focus on now?

Johnston: Well, you know, I’ll pick one, Carlton, and use ShareFile as an example. It’s a product that allows a firm to build a branded portal to transfer large files and so forth easily. A relatively inexpensive product, it solves a security need. (It’s) pretty simple to deploy that and solve a problem very quickly.

Audio: Click here to listen as the panelists discuss security concerns related to cloud computing.

Collins: What are the top security concerns related to cloud computing, and how should they be addressed? Rick?

Richardson: First and foremost, from the security perspective, I think is access protection itself, both login and continuous transmission. Most of us are all familiar with usernames and passwords and protocols for passwords to provide for the longer they are and the harder they are to discover and so forth. But the other issue that’s just as crucial in all this process is you have a continuous transmission of information that needs to be encrypted itself, and finding out how the vendor is providing that and what level of security is pretty crucial.

One of the other concerns that I always have is the company provides me with all this information about how the data and where the data are backed up. Contractually, I want to also make sure in the agreement I have with them that I own that data and that I have the right to be able to remove that data and bring it back in-house whenever I need to. So I think those are three pretty important security issues.

Collins: OK, anybody else?

Cieslak: Carlton, this is David. I’ll jump in a little bit on that one, too. You know, one of the things that we’ve seen in the last few years is many organizations using the AICPA SAS 70 [Statement on Auditing Standards no. 70, Service Organizations] as kind of like their Good Housekeeping Seal of approval and saying, “Our data centers are in good working order. They’re secure.” And really, that honestly, that’s been kind of a reach. I mean, that’s not really what the SAS 70 statement, the auditing standards, was designed for. So I think it’s kind of important to point out that even the AICPA is participating in this process now as well, and they’ve got basically something new called the Service Organization Control Reports [see “Expanding Service Organization Controls Reporting”]. So SOC 1, 2 and 3. And that really is intended to basically kind of step off or springboard off of just some of the good awareness that’s been created around SAS 70, but basically saying, “You know what? We want to create tools and end-user reports that really are more to the point of saying, in fact, this cloud-computing environment is a secure computing environment, and we’re going to give you the standards to measure that against and ultimately report to the end user,” give them confidence that it is, in fact, a secure environment.

So in addition to some of the access controls and the information that Rick was sharing, as you think about the role of the AICPA, and just having some independent verification that you have a solid computing platform, I think these Service Organization Control Reports are definitely going to be a very good resource for us.

Collins: Thank you, Dave.

Johnston: So … Carlton, this is Randy. If I could jump in on this security topic, there’s probably more than just security that’s going to come out of this. ... But one clear risk is large-scale organizations that are providing applications or hosting a lot of different platforms and so forth in the cloud will become security targets. And I think bad guys and hackers will do their best to break into those. And we have seen breaches of that nature so far, and I believe it’ll get worse.

So, you know, again, the large organizations are probably doing a better job than we can in small organizations. They’ve got people and software and specific strategies to watch for all this. But I think that’s a fairly large-scale risk. So we’d like to have the data encrypted at rest in these big data centers. Only some are doing that. Many are not.

Further, we’re also concerned just about the long-term scalability. You know, in theory these cloud data centers can be scaled, but there’s been a number of cloud applications that clearly run out of scale or can’t scale as expected. So that becomes another one of the issues around cloud.

So I wouldn’t want our listeners to think, “Oh, cloud is a panacea. Everything’s got to get there. It’s all going to get there.” And maybe it will, but I don’t see it happening very quickly and smoothly because technical people are learning how to work with these applications. And I believe that one of the issues (is) security holes that they’ve got in their applications or in their authentication procedures, which open some of these resources up to abuse issues. Even simple things like the ability for one company to see another company’s data, which should never happen, unfortunately occasionally can and do happen today.

Also read:

• Part 1: Key Technology Issues for 2012, Oct. 5, 2011
• Part 2: Favorite New Technology, Oct. 12, 2011
• Part 4: Mobile Technologies: Tablets and Smartphones, Oct. 26, 2011
• Part 5: New Revenue Sources for CPA Firms, Nov. 2, 2011
• Part 6: Social Media, Nov. 9, 2011
• Part 7: Software Trends for 2012, Nov. 16, 2011
• Part 8: Security Issues, Nov. 23, 2011
• Part 9: Hardware Trends for 2012, Nov. 30, 2011
• Part 10: Video, Dec. 7, 2011