From the August 2013 digital issue.
Cloud server based hosting of applications which have historically run on desktop or laptop Windows computers is a hot trend with accounting professionals. CPA Practice Advisor recently completed the 2013 Reader Survey, which will be featured in a future issue, and reveals that just under 10% of survey participants have their network hosted completely in the cloud (either hosted by a primary vendor or a specialized hosting company).
Although accountants have been experimenting with the cloud for some time, the pace of change has accelerated in recent years. The primary responsibility for maintaining a secure operating environment lies with the service provider, but tax and accounting professionals are still ultimately responsible for all data given to them by clients.
Accountants are not very tolerant of problems in the cloud, whether they are unwittingly self-created due to a lack of IT knowledge, or due to service provider failures. We believe that stability and support are at least as important to prospects as the breadth of products which the company is willing to host for customers.
2013 Reviews of Hosting Providers
CPA Practice Advisor looked at 7 Applicaiton Hosting
Some of the major attributes we looked for included:
- Quality, Reliability, and Redundancy of Hosting Facilities - We looked for features such as colocation in a Tier 2 or higher public data center, backup data centers (and an assertion about whether the backup location is a cold site, a warm site, or a hot site).
- Types of Hosting Offered, as well as membership in software publisher certifications/programs for those commercially hosting their applications. The three types of hosting typically offered include:
- Hosting of a single application
- Hosting of dedicated virtual server
- Other types of hosting
- Software Applications Supported
- Client Accounting Products such as QuickBooks Pro, Premier, and Enterprise, Sage 50 US, Sage 50 Canada, and Sage 100 ERP.
- Support for Add-on Applications - Users should also confirm that any third party applications they use are also supported in the hosting environment. Examples of such applications include ODBC drivers, importing tools, as well as any other applications which automatically access and write data to the accounting software database.
- Professional Tax and Accounting Tools like the Thomson Reuters CS/ES Suites, the ProSystem fx and Axcess suites from Wolters Kluwer/CCH, as well as products from other professional tax and accounting publishers such as Drake and Intuit.
- Security and Regulatory Compliance requirements were also considered. Key features to look for from a hosting provider include:
- US-Based Servers (commonly required of tax preparers by regulations under IRC §7216) - (Although The CPA Practice Advisor is not widely distributed in Canada, it is important to note that Canadian accounting professionals (including Chartered Accountants, Certified Management Accountants, Certified General Accountants, and Certified Professional Accountants) have regulatory requirements which make it preferable to host data for Canadian citizens and companies in Canada. Two providers, Cloud 9 Real Time and InsynQ, offer services with separate, Canadian-based data centers for use by accounting professionals in Canada.)
- HIPAA and PCI compliance, which are required of those handing healthcare patient data and those accepting credit cards. While not all organizations need HIPAA/PCI compliant systems, the requirements of these certifications place a greater emphasis on securing data, which is desirable by all users. (It is important to note that some accounting applications include a provision in their end user license agreements which put users on notice that they are neither “HIPAA-ready” nor “HIPAA-compliant”. Such applications commonly require users to agree that the end user is solely responsible for compliance with all applicable state and federal privacy laws related to medical or health information.)
- Third Party Security Reviews in the recent past, including SOC 1 Type II and SOC 2 Type II evaluations (commonly referred to as SSAE 16 engagements). (While we would prefer a SOC 2, Type II examination (which uses Trust Services Criteria), some providers provided a SOC 1, Type II examinations (which focus primarily on Internal Control over Financial Reporting [ICFR]). A short article on SOC reports which provides some explanation of the two reports is at http://bit.ly/soc-1-2-3.)
- Support and Self-Service Assistance
- Service Hours and availability of off-hours emergency support
- Service Delivery Options, including web, chat, and telephone support.
- Location of Call Centers providing technical support (e.g. onshore or offshore).
- Automation of End User Administration and setup and provisioning of new customers without the manual intervention of technical support personnel.
A common misconception is that users should not worry about backing up their data because the hosting provider creates a backup of their data for them. While many hosting providers profess excellent backup procedures, we have no way of testing the accuracy of their statements or the ability of the provider to retrieve data from backups. We believe that users should, wherever possible, make their own local (on end user’s premises) backups of any data stored in the cloud, including data stored by hosting providers. Local backups under the control of the end user protect against unexpected catastrophic loss of data due to unforeseen circumstances such as hosting provider bankruptcy.
It is important to remember that third party hosting providers are not the only solution for hosting a suite of business applications. Some software publishers such as Thomson Reuters and Drake offer cloud-hosted versions of their traditional application suites, and others, including Intuit and Thomson Reuters, offer versions of traditional accounting firm applications which run in a web browser. These suites are run from in-house data centers operated by each company, and represent a software as a service alternative to the traditional, on-premises applications. Larger firms with an in-house IT department may find it more economical to run their own hosting platform to deliver applications to employees across the country.