F
or accounting professionals, SAS stands for Statement on Auditing Standards, and for other business professionals, SAS stands for Statistical Analysis Systems, a software suite that many organi-zations use to analyze business data. SaaS, however, is not a typo but an acronym for the Software as a Service deployment model that has received much attention recently. Google’s popular Gmail e-mail service is an example of a free SaaS. Users simply need a browser and Internet access to use Gmail to send and receive messages. Gmail main-tains all the mail on its servers, which facil-itates anytime, anywhere access. Similarly, businesses can adopt SaaS solutions (i.e., renting the service instead of buying the soft-ware) and use applications via a browser. SaaS is one of the delivery models for cloud computing, which allows subscribers to use a third party’s systems to perform comput-ing needs via the Internet. SaaS subscribers and users of cloud computing can be com-pared to utility customers who purchase the electricity they need rather than installing on-premise generators. The “power grid” for cloud computing is the Internet.SaaS solutions have become increasingly popular because service providers charge a low monthly fee for various business soft-ware, including accounting, customer rela-tionship management (CRM), payroll/human resources (HR), e-mail, and business ana-lytics. Facing limited resources to leverage information technology (IT) in today’s econ-omy, small businesses can use ePeachtree or QuickBooks Online to process transactions and view financial data anywhere for as low as $9.95 per month. Mid-size firms can sub-scribe to enterprise resource planning (ERP) services from NetSuite without the huge price tag of an in-house system.
Although personal Gmail is free, busi-nesses can pay $50 per user per year for using Google Apps, including Gmail for
Business, Google Calendar (for agenda management and scheduling), Google Docs (documents, spreadsheets, and presenta-tions), and Google Sites (web pages). In October 2009, the city of Los Angeles signed a five-year, $2 million contract to use Google Apps instead of maintaining its own systems in-house. According to Randi Levin, the city’s chief information officer, “The ability to get whatever infor-mation the city needs, whenever they need it, on whatever device they need it will fun-damentally change the way the city works and enhance productivity greatly. … In a fiscal crisis it is difficult to find tech-nology solutions that will save money with-out requiring a significant capital with-outlay to achieve those objectives” (Elinor Mills, “Los Angeles Gets Its Google Apps Groove,” CNET, August 20, 2009, news.cnet.com/8301-27080_3-10313846-245.html). As a result of the contract with Google, 17,000 of the 30,000 L.A. city employees will migrate to Google Apps. The $2 million price tag for 17,000 users is equivalent to $23.53 per user per year.
Using the SaaS solution, the city esti-mates that it will save $13.8 million.
SaaS solutions can create a win-win situation for both service subscribers and providers. SaaS subscribers simply need a browser to use the application software hosted on the provider’s servers and access all of their own data. In contrast to expen-sive in-house systems, subscribers are free from the burdens of upfront purchas-es, data storage issupurchas-es, never-ending soft-ware updates and upgrades, backup rou-tines, and system troubleshooting. For the providers, the on-demand computing and time-sharing of system resources allow them to serve numerous subscribers, making the low monthly fee a sustainable business model. Furthermore, many SaaS providers offer the flexibility of cus-tomization so that subscribers can simply select the features they need. For example, QuickBooks Online and ePeachtree both offer numerous predefined charts of accounts for various industries for sub-scribers to choose from. If subsub-scribers can-not find their industry on the list, they can
SaaS: What Accountants Need to Know
T
E C H N O L O G Yt h e c p a & t h e c o m p u t e r
use one that most closely resembles their business and make modifications to meet their needs.
The Internet not only hosts a large ware-house of data and information, but also offers numerous applications from SaaS providers today. The SaaS deployment model has been applied in many business applications and the pay-as-you-go charge will continue to attract customers due to its affordability. Nevertheless, when com-panies adopt a SaaS solution, they also outsource some of their system security controls, including the protection of impor-tant business data. This article aims to help accounting professionals understand SaaS and discusses the issues that organizations need to evaluate before adopting this soft-ware deployment model.
Benefits of SaaS
SaaS solutions offer the benefits of fast deployment, no software maintenance, sys-tem scalability, and no upfront infrastruc-ture investment. This affordability makes SaaS solutions more popular among small and mid-size businesses. The Burton Group conducted a survey of 318 organi-zations in North America regarding the use of SaaS solutions (Craig Roth, “SaaS Implementation Survey: Where, When, and How to Use SaaS,” The Burton Group, 2008). Exhibit 1 reveals that its negation of the need for in-house software mainte-nance is the top reason (57%) why firms adopted SaaS solutions, followed by faster system rollout and access from anywhere. More than 20% of the survey participants have adopted SaaS solutions for account-ing/billing applications. Exhibit 2 shows the vendors that offer SaaS solutions for accounting/finance applications.
In December 2008, Gartner Inc. con-ducted a survey of users and prospective users of SaaS solutions from 333 enterpris-es in the United Statenterpris-es and the United Kingdom. Gartner found that 58% of orga-nizations planned to maintain current levels of SaaS applications and 32% planned on increasing their use in the next two years. A 90% retention rate indicated that the majority of SaaS subscribers were pleased with SaaS solutions. Gartner also conduct-ed a global SaaS survey from 258 partici-pants across eight countries worldwide in summer 2008. The global survey indicated that more than 40% of participants have
already adopted SaaS solutions for over three years and nearly 90% of survey respondents were satisfied enough to maintain or expand their use of SaaS solutions. The survey par-ticipants in North America showed a greater confidence in SaaS solutions than their coun-terparts in Europe and Asia. Specifically, 15% of North American participants indi-cated that they would significantly increase new SaaS investment and 62% expected a slight increase.
Potential Issues with SaaS
The adoption of SaaS solutions does not eliminate system security threats for sub-scribers. In fact, the Burton Group’s sur-vey revealed that “greater security risks” was the top reason (48%) why businesses did not use SaaS solutions. In addition, some companies had a false sense of secu-rity when they adopted SaaS solutions. For example, the Burton Group estimated that more than 95% of large organizations had disaster recovery processes (DRP) for their on-premise systems, but only 55% of large organizations had DRP for SaaS solutions. In addition, 23% of organizations admit-ted that they had no SaaS controls at all. In November 2007, Salesforce.com, a web-based CRM service provider, warned its customers that they might be the targets of some phishing scams after one of its employees was tricked into
divulging a corporate password. With the obtained password, the perpetrators were able to access names, e-mail addresses, and telephone numbers of Salesforce’s cus-tomers, and they sent out fake invoices. The security threats relevant to in-house systems can also affect SaaS solutions.
Exhibit 3 shows the five-year trend of
major system security breaches and inci-dents identified in the 2008 CSI Computer Crime and Security Survey (www.gocsi. com/forms/csi_survey.jhtml). Almost all of the major system breaches and incidents in Exhibit 3 are also security threats to SaaS solutions. Furthermore, the phishing scam at Salesforce reveals that SaaS solutions are susceptible to social engineering: Perpetrators can deceive the staff of SaaS solution providers into divulging confi-dential information.
Another important issue is the difficulty of integrating SaaS solutions with existing applications. Many companies become frus-trated soon after they adopt a SaaS solution because their critical business information is not accessible from the new application (Simon Peel, “Simplify Software as a Service [SaaS] Integration,” December 2008, itresources.whatis.com/document;95283/ tech-research.htm). In order to reap the full benefits of any IT tools, including SaaS solutions, businesses need to consider the data interface between SaaS solutions and existing
Source: Burton Group Survey
EXHIBIT 1
Reasons Why Firms Adopt SaaS Solutions
No in-house maintenance Shorter rollout time
Usable anywhere via Internet Faster improvement cycles Short-term financial benefits Lower long-term cost
Company Software/Services Applications
Adaptive Planning Adaptive Planning On-demand budgeting, forecasting, and reporting solutions Allbase Allbase Suite ERP software for small to mid-size companies
Aria Systems Aria Billing Platform Subscription and recurring billing platform with CRM capabilities Avalara AvaTax OnDemand Sales tax management services
AvidXchange AvidInvoice and AvidBill On-demand billing (A/P) management system for firms of all sizes CCH ProSystem fx Suite Tax software for professional firms
Chrome River Chrome River Expense Expense management for professional service firms
Concur Concur Audit Custom-tailored auditing service for managing and validating receipts Concur Concur Expense Employee expenses management services
Concur Concur Invoice On-demand A/P management Convey Taxport Managed Services 1099 tax reporting services
Corefino Corefino Complete accounting system with audit readiness and tax filing assistance for small to large companies
DataSIGN DataSIGN Accounting On-demand enterprise solutions for the sign manufacturing industry Epicor Epicor Retail Software as All-inclusive program for retail companies
a Service
Everest Software Everest On-Demand ERP system for small to medium-sized companies FreshBooks FreshBooks Invoicing and time-tracking services
Icon Systems IconCMO Web-based church management software, including accounting, contributions, and membership
Intacct Various solutions Financial management and accounting applications for businesses of all sizes Intuit PayCycle Online payroll services for small businesses
Intuit QuickBooks Online Accounting systems for small businesses
Intuit Quicken Online Financial management software for individuals and small businesses Intuit TurboTax Online Tax return preparation and filing software for individuals and small businesses Kyriba Corp. Treasury and Cash Treasury management system with an emphasis on cash and liquidity
Management Solutions management Microsoft Dynamics CRM Online CRM software NetSuite Netsuite SuiteCloud ERP systems Oracle Oracle CRM On Demand CRM
Paylocity WebPay Online payroll services
Plexus Plex Online ERP ERP software for manufacturers; 350 modules are included in the package QAD QAD On Demand ERP software for manufacturers
Sage ePeachtree Accounting systems for small businesses Salesforce.com Salesforce.com CRM
Thompson Reuters SaaS for CS Professional Accounting, tax, and engagement management Suite
Zoho Zoho Office Suite SaaS invoicing and CRM among numerous other applications
EXHIBIT 2
back-end systems, such as account-ing/financial applications or ERP systems. Liz Herbert, a senior analyst at Forrester Research Inc., pointed out that the integration tools for SaaS solutions evolved later, but integrating popular SaaS applications such as Microsoft Dynamics, NetSuite, and Salesforce with existing applications is becoming more fea-sible. In particular, major SaaS vendors have worked to standardize their web-based appli-cation programming interfaces, permitting easy integrations with other applications (Megan Santosus, “Your SaaS Integration Toolbox,”www.channelprosmb.com/ article/482/Your-SaaS-Integration-Toolbox).
Mission-critical SaaS solutions must be available at all times. Consequently, a third potential issue of SaaS solutions is the reli-ability of services. Accessing business data on the servers of SaaS providers can be interrupted when Internet service is cut. A system failure at a SaaS provider will also prevent subscribers from retrieving their own information. An attack on SaaS providers by hackers can make the servers unavailable to legitimate users. For example, on August 6, 2009, Twitter and Facebook were severely disrupted by denial-of-service (DoS) attacks. Hackers who were trying to silence a single blog-ger put the entire Twitter website out of service during their DoS attack. Subscribers must pay attention to the guaranteed uptime in the service-level agreement (SLA) when they select a SaaS provider. Failure to address the uptime issue of SaaS solu-tions in the SLA and a lack of business continuity planning can result in a serious disruption of operations and loss of revenues.
Questions. Potential subscribers are
advised to get satisfactory answers from a provider to the following questions before jumping on the SaaS bandwagon: ■ Does this SaaS solution satisfy the busi-ness’s needs?
■ Can this SaaS solution work with the data from the company’s other existing applications?
■ Does this SaaS solution comply with SAS 70 and Sarbanes-Oxley (SOX) sec-tion 404?
■ What is the guaranteed uptime? ■ Does this application offer the scala-bility for upgrades? (“Scalascala-bility” means the flexibility to upgrade or expand at a lower incremental cost in the future. In
other words, SaaS subscribers do not pay for excess capacity up front.)
■ Does the service provider have dual systems running in case a disaster hits? ■ Are the servers located in areas not prone to a disaster?
■ How frequently does the provider per-form backup routines?
■ How does a user download or export the data and reports from the SaaS solu-tion? What are the file types (e.g., spread-sheet or database) offered for data down-loading?
■ How long does the free customer sup-port last?
■ How can a user contact customer sup-port (e-mail, toll-free, or chat room) and how long will it take to get a reply?
Implications of SaaS for Accountants
The demand for SaaS solutions has increased because the costs of in-house sys-tems can be prohibitively expensive, espe-cially for small and mid-size businesses. Because the SaaS deployment model is sim-ilar to that offered by application service providers (ASP) during the dot-com boom, some are wary about the future of SaaS. A few even predict it will fade away like ASPs did. Nevertheless, there are two reasons that SaaS is here to stay. First, most companies during the dot-com era believed that their IT operations and business applications were strategic assets and were reluctant to out-source their IT functions. Now, the ever-increasing pressure to improve the bottom line makes nearly any form of outsourcing worth considering. Many companies now view various IT functions as commodities rather than core competencies. This new mindset has made SaaS solutions more attractive today than ASPs were in the past (Jeffrey Kaplan, “Software-as-a-Service Myths,” BusinessWeek Online, www.taleo. com/news/media/pdf/194En_BusinessWeek SaaS.pdf). Second, the current recession has forced many firms to cut their IT expendi-tures, making the pay-as-you-go deployment model very appealing. Bruce Richardson of AMR likened on-premise ERP systems to big, expensive, gas-guzzling vehicles at a time when customers want lean, energy-effi-cient, and easy-to-use SaaS solutions (“ERP Leaders and SaaS: Mainframes Versus PCs Redux?” www.amrresearch.com/content/ View.aspx?pmillid=22150). The Burton Group and Gartner Inc. surveys confirmed
that SaaS has become a popular and thriv-ing software deployment model in recent years.
The functions of accounting systems have evolved from recordkeeping to sup-porting decision making (i.e., MIS) in the ’70s and ’80s, facilitating e-commerce in the ’90s, and extracting business intelli-gence (BI) in the 21st century. IBM’s offer of $1.2 billion to buy Statistical Package for the Social Sciences (SPSS) in July 2009 revealed its plan to enhance its business systems with more analytical functions. SPSS specializes in business analytics that help organizations mine their existing data to identify plausible future trends or causal patterns to enhance operations and profits. IBM sees potential applications for SPSS tools in helping companies prevent fraud, retain customers, and select the opti-mal location for a new store or factory (Peter Sayer, “IBM to pay $1.2B for ana-lytics developer SPSS,” InfoWorld, July 28, 2009, www.infoworld.com/d/ applications/ibm-pay-12b-analytics-devel-oper-spss-944). Oracle, Microsoft, and SAP also offer integrated BI applications in their expensive business systems. According to Boris Evelson of Forrester Research, the timing is ripe for BI SaaS (“BI SaaS Vendors Are Not Created Equal,” Information Management, September 21, 2009, www.information-management.com/blogs/business_intelligen ce_bi_software_as_a_service_saas-10016138-1.html). By using the SaaS model to implement BI applications, small and mid-size businesses can leverage BI tools as well as Fortune 500 companies can. Small businesses could not compete head to head with large companies on IT tools in the past, but the playing field is more level now than it has ever been.
Implications of SaaS for Auditors
If a SaaS provider processes and hosts data for a user’s organization, the user’s audi-tor may need to gain an understanding of the controls implemented by the SaaS provider in order to properly plan the audit. SAS 70 is the authoritative guidance that allows SaaS providers to disclose their controls to clients and their auditors. In addition, the requirements of SOX section 404 make SAS 70 audit reports even more important with respect to the effectiveness of internal controls over financial reporting.
The most effective way a SaaS provider can communicate information about its controls is through a service auditor’s report. There are two types of service auditor’s reports. In a Type I report, the service auditor expresses an opinion on whether the controls were fair-ly presented, whether the controls were suitably designed to achieve the defined control objectives, and whether the con-trols were in place as of a specific date. In a Type II report, the service auditor expresses an opinion on the same items as a Type I report, as well as whether the controls were operating effectively enough to achieve the defined control objectives during a specified period. A Type I report only provides reasonable assurance that the controls are in place over one single day; a Type II report
pro-vides reasonable assurance that the con-trol objectives were achieved during a specified period.
A service auditor’s clean SAS 70 opin-ion, issued by an independent auditor, can create a win-win situation for both SaaS providers and subscribers. For SaaS providers, a service auditor’s clean opinion helps build trust with their clients. On the other hand, without a service auditor’s clean opinion, a SaaS provider may have to accommodate multiple audit requests from subscribers and their respective auditors. Multiple visits from users’ auditors can create unnecessary strain on the SaaS provider. A service auditor’s report ensures that all SaaS subscribers and their auditors have access to the same information.
For SaaS subscribers, a service audi-tor’s clean Type II report from the SaaS
provider offers a detailed description of the SaaS provider’s controls and an inde-pendent assessment of whether these con-trols were placed in operation, properly designed, and working effectively. SaaS subscribers should provide a service auditor’s report for their own auditor’s use in planning the audit of the sub-scriber’s financial statements. Without a service auditor’s report, SaaS sub-scribers’ auditors would likely have for send their staff to the SaaS provider to perform additional audit procedures, which would result in additional charges for the engagement. ❑
P. Paul Lin, PhD, is an associate profes-sor of accountancy at Wright State University, Dayton, Ohio.
System Security Percentage Reporting Threats to SaaS
Breaches/Incidents Solutions?
Denial of service 39% 32% 25% 25% 21% Yes
Laptop theft 49 48 47 50 42 *
Telecom fraud 10 10 8 5 5 Yes
Unauthorized access 37 32 32 25 29 Yes
Virus 78 74 65 52 50 Yes
Financial fraud 8 7 9 12 12 Yes
Insider abuse 59 48 42 59 44 Yes
System penetration 17 14 15 13 13 Yes
Sabotage 5 2 3 4 2 Yes
Theft/loss of proprietary info 10 9 9 8 9 Yes
Abuse of wireless network 15 16 14 17 14 Yes
Website defacement 7 5 6 10 6 Yes
Misuse of web application 10 5 6 9 11 Yes
Bots 21 20 Yes
DNS attacks 6 8 Yes
Instant messaging abuse 25 2 **
Password sniffing 10 9 Yes
Theft/loss of customer data 17 17 Yes
* If the access information for SaaS solutions is stored on the stolen laptop.
** SaaS solutions are susceptible to instant messaging abuse if the SaaS suite contains a messaging component. Survey Data Source: The 2008 CSI Computer Crime and Security Survey
2004 2005 2006 2007 2008
EXHIBIT 3
