The CPA Journal

THE CPA AND THE COMPUTER

By Ken Burstiner and Frank DeCandido

An Application Service Provider (ASP) is defined by the ASP Industry Consortium (IDC) as “a business that delivers and manages applications and computer service from remote data centers to multiple users via the Internet or a private network.” The software is licensed, not purchased, and the consumer maintains ownership of the data, which is stored and run on the ASP’s servers and network. ASPs will typically base their fees on usage, such as the number of users accessing the system or the connection time. Using an ASP has many advantages as well as disadvantages (see the Exhibit).

The ASP marketplace continues to expand. A survey conducted by Jupiter Research in 2001 reported that “one in three companies will shift at least 20% of the web development budgets to ASPs in the next two years.” In addition, Sovie and Hanson of Mercer Management Consulting state that certain optimistic analysts predict a global ASP market of $20 billion by 2003.

ASPs are frequently used in three areas of an organization’s information technology infrastructure: enterprise resource management, which incorporates financial reporting, financial management, and general ledger; human resources, which includes benefits, enrollment, and retirement plans; and sales-related applications, which include e-commerce, sales, customer services, and customer relationship management.

Advantages

Based on the results of a survey of CIOs, CFOs, and CEOs conducted by the IDC, the primary reasons for companies to use ASPs are agility and flexibility. Shorter implementation schedules and more flexible human resource allocations are also major advantages. Developing in-house applications requires significant resources, such as manpower and time. ASPs can help increase the productivity of an organization’s IT resources by reducing development costs and shortening the time necessary to implement new software applications. For example, an IT department may spend six to 18 months programming a new application that has already been developed and tested by an ASP. Other advantages include one-stop shopping and support, lower capital investment for software, scalability for business growth, lower cost of entry for high-end applications, and usage-based costing that simplifies budgeting.

An inherent benefit of a shared platform is that the ASP installs software modifications to the applications based upon the needs of its customers. Therefore, companies using ASPs benefit when another company requests an improvement to the software.

Disadvantages

Sending highly confidential and irreplaceable data to an offsite location has inherent risks. Companies are concerned about privacy, communications, ownership, and the financial stability of the ASP. All of these issues have critical legal, monetary, insurability, and ethical ramifications which a company should resolve before hiring an ASP. IT-related concerns, such as the loss of data due to equipment failure at the ASP, can be mitigated since most companies provide suitable methods for backup and recovery.

Another major disadvantage is that an ASP may provide only standardized applications, which are insufficient for some companies’ requirements. Similarly, the ASP may make upgrades or implement changes to the applications that are not specifically requested, which can require additional testing and training.

Analyzing Business Models and IT Structures

An organization needs to determine if using an ASP conforms with its short-, medium-, and long-range goals. Another issue to consider is an organization’s culture and human resources. Senior management should be enthusiastic advocates of the project, and staff members should be included in the decision-making process. In addition, the ASP’s facility security and its privacy policies are critical considerations.

Analyzing Information Technology Infrastructure

Before deciding whether to use an ASP, an organization should always determine if it has the appropriate hardware and software, then calculate the cost of upgrading its systems. Analyzing current applications is accomplished by considering the legacy applications and their effect on the organization’s operations (the ASP may not support nonstandard applications). Updating older applications has a significant cost in time and resources, and the staff may not be able to utilize the new applications without training.

Hiring an ASP does not release an organization from maintaining an IT infrastructure, since the ASP is a remote part of a network. If the two sides’ technologies are incompatible, then upgrading to meet the communication requirements of the ASP can be an expensive proposition.

It is also vital to determine the capabilities of an organization's IT staff or consultants. An ASP may require a level of expertise unavailable in certain organizations.

Analyzing the ASP Itself

The ASP decision is similar to merging or acquiring another company. It is important to perform a complete technical, financial, and legal analysis of the ASP. At a minimum, the following investigatory tactics should be considered:

Reviewing the ASP’s financial statements, looking at its capitalization, and performing ratio analyses

Scrutinizing the ASP’s long-term viability

Performing background checks of the ASP’s management

Analyzing the specific features of the ASP’s disaster recovery plans (it should include multiple sites, power grids, communication grids, different carriers and loops, and staffing)

Determining if the ASP is responsible for providing technical support, maintaining the application, and specifying all aspects of the arrangement

Estimating installation times, and the frequency of patches and upgrades

Analyzing the physical location of the ASP—

ensuring that the area is served by adequate communication and power networks

determining if visits are necessary, required, or discouraged

confirming that physical security measures are in place.

Security Issues and Disaster Recovery

An organization should also determine its own security requirements and analyze the ASP’s ability to meet them. The following issues should be considered:

The physical location and accessibility of the ASP facility

The visitation policy, which includes who is permitted into the ASP facility, and when

The privacy of the data

Establishing security guidelines to prevent unlimited accessibility to sensitive data via the Internet

The ASP may be a target of hackers and other third parties, such as competitors

The legal and ethical obligations, as well as insurance policy provisions

The security procedures and guidelines of the ASP

The ASP facility’s disaster recovery requirements

Disaster plans that have been tested and verified by a third party

Outside consulting firms that provide proper support and guidance and have requisite knowledge demanded by an ASP solution.

Contracts

One of the most important steps when hiring an ASP is writing a comprehensive service level agreement (SLA). An SLA is a contract that provides organizations with a detailed description of the level of service to be provided. A typical SLA, for example, will refund service fees for failing to meet uptime parameters or other contractual obligations.

SLAs should specify their performance measurements and the basis for these measurements. They should describe upgrade and application change policies and address backup and disaster recovery plans. An SLA should also contain an out clause and a nondisclosure clause covering the user’s data. Additionally, written notice of breaches, tracking of measurements, testing plans, and escrow agreements should also be important parts of SLA contracts.

The ASP Relationship

It is important to maintain an open dialogue with the ASP. A trusting relationship is vital for a positive working relationship. Performance reviews should be conducted at least twice a year, to share improvement ideas. If contract breaches or technical problems occur, be prompt with specific details, to ensure that the problem can be resolved quickly.

The ASP decision is best considered in tandem with a company’s overall business and operational objectives rather than solely as part of its IT plans. It is a long-term decision that affects an organization’s core competencies and operational controls, and has significant financial and legal ramifications. The ASP option provides organizations—regardless of size and industry—with the ability to better manage their IT infrastructures. Significant analysis and investigations must be completed before making this critical decision. Careful planning and analysis should occur before, during, and after implementing an ASP solution. Privacy and security issues are paramount, because an outside company will have access to sensitive data.

Before making a final decision, an organization should perform due diligence on the ASP’s facilities, its financial history, and its references. A careful review of the security and disaster recovery capabilities of the ASP is also essential. In addition, all legal and operational issues, such as signing a nondisclosure agreement and an SLA, must be resolved.

Ken Burstiner, CPA, is a tax manager at Quellos Financial Inc., New York City. Frank De Candido, CPA, is a vice president for Prudential Financial, Inc. Both are members of the NYSSCPA Technology Assurance Committee.

Editors:
Paul D. Warner, PhD, CPA
Hofstra University

L. Murphy Smith, DBA, CPA
Texas A&M University

This Month | About Us | Archives | Advertise| NYSSCPA

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.