Cloud Computing What Accountants Need to Know

This article answers some of those questions and explains the history and futz ere of the cloud. The easiest way to think about cloud computing is as doing business on the W be, therefore eliminating the need for in-house technology infrastructure-?servers and software to purchase, run an d maintain. Unlike traditional software, which is distributed and deployed Nipponese, cloud applications are designed for Web deployment. They are multivalent (delivered by one vendor to many customers), and users share pr secession power and space that is managed by the vendor.

Terms including “Cooperativeness,” or AAAS, and application service provide r (ASP) often are connected to cloud computing in presentations and articles, but there are subtle difference s between them. (For an explanation, see the “Definitions” box accompanying this article. ) The types of applications available run the gamut-?from tax software to payroll to full enterprise resource planning (ERP) systems-?and m cost often are leased on a subscription model instead of purchasing licenses. DOING BUSINESS IN THE CLOUD Is it worth making the switch?

Vendors and analysts point to several benefits t o switching to a cloud environment. Quick implementation process. Most vendors claim their applications can be up and running in a few minutes because there is no software to install. The implementation process also is EAI sire for companies with multiple locations or remote workers to all have access to the same version of the apple action simultaneously. Anytime access from anywhere with an Internet connection, which again include des the ability for employees to work remotely.

Lower upfront costs. Instead of paying a license fee and for annual maintenance CE, most models allow users to pay as they go (usually monthly, though some require annual contracts). They can ay per user and easily add more users. Vendors can offer their products at a lower cost in this situation because e their systems are built to allow several customers to share infrastructure (both servers and storage areas) in a way that is transparent to users and does not allow those customers access to each others data.

It may be difficult to conduct a cost comparison of doing business Nipponese versus in the cloud unless a company has moved a II its business premises. Some companies may outsource services such as their email and/ or infrastructure support, but still manage their core applications. That being said, realize that the upfront costs include the cost of hardware and IT employees that no longer need to be in-house. Http://www. journalofaccountancy. Com/lessees/2010/act/20102519 4/18/2015 Little or no hardware or maintenance costs . The vendor takes responsibility f or maintaining the software and servers.

This is where things can get tricky. If people who are evaluating the re turn on investment of switching from Nipponese to cloud products by comparing what they are spending now to w hat they will be spending if they switch, it’s not really comparing apples to apples, said Gregory Loftiest, CPA CITY, a senior manager with Die Bailey ALP and consultant to accounting firms and vendors. In an on premise e environment, the customer pays for the hardware, storage space and IT personnel to maintain the system in audit ion to the software.

In a cloud environment, the vendor fronts those costs, so a larger percentage of the Otto I cost of ownership by the customer shifts away from hardware and people and toward software. Some industry a analysts estimate the breakable point Of leasing versus buying the software at about three years. In general, doing business in the cloud should cost less than doing business o ninepins, says Downy C. Shampoo, CPA CITY, founder and managing director of consulting company Enterprise Tech analogies.

He suggests analyzing whether to make the switch as a threaten amortization of upfront costs for an Nipponese application including servers, software licenses and installation plus estimate d maintenance for three years and comparing that to the cost of subscribing to the cloud version of the product f or three years. This can be applied to partial versus full cloud conversions and should be done on an application application basis to determine whether there is cost savings by moving each application to the cloud.

He said factors t consider include: Reduced support costs. Rather than having to employ in-house experts for pro duct support, the vendor typically provides support directly for the customer. Reallocation of resources. IT staff can be reallocated for more strategic project TTS, rather than spending time on system upgrades and maintenance. Easier and more regular upgrades. Vendors can regularly tweak their product s. In many cases, those enhancements are made automatically in the background without disrupting the customers work.

Most vendors provide advance notice to alert customers about the changes and give them t he option Of when to turn new eaters on or off, if they don’t like them or aren’t ready to upgrade. Disaster recovery and backup capabilities. One of the costs incurred by custom mere who keep their data on premise is backing up their data, typically via tape or by contracting a third TTY backup provider. This is another area covered by the vendor in a cloud environment. Often vendors have red ant backup systems so that customer data is replicated in a separate data center in case of fire, flood or o there disaster.

The infrastructure is “shelling” so that when a failure occurs and the backup becomes the prima rye source of information, the yester launches a new backup instance of the data, Lafayette explains. SECURITY AND RELIABILITY CONSIDERATIONS With all this sharing of storage space in the “sky,” one of the biggest concerns expressed by those considering switching over to cloud applications is the safety of their data and their clients ‘ data. It’s a concern cloud vendors have been fighting to overcome for years. How can you know the data is safe?

First and foremost, make sure the vendor uses a data center that has receive d an CPA Service Organization Controls Report (SOC), formerly known as a SASS 70 report. For purposes of HTH s article, a vendor is considered the seer, and the data center is the service organization. The CPA developed the guidance to provide a highly specialized examination of a service organization’s internal control. There are three types of SOC reports: CPA SOC 1: Report on Controls at a Service Organization Relevant to User E entities’ Internal Control over Financial Reporting.

These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SEA) no. 16, Reporting on Controls at a Service Organization, a re specifically intended to meet the needs of user entities’ management and their auditors, as they evaluate t e effect of the controls at the service organization on the user entities’ financial statement assertions. Http:/ /www. journalofaccountancy. Com/lessees/20TH/Cot/20102519 217 CPA SOC 2: Report on Controls at a Service Organization Relevant to Security y, Availability, Processing Integrity, Confidentiality and/ or Privacy.

These reports, prepared using the CPA guide Reports on Control sat Service Organization over Security, Availability, Processing Integrity, Confident laity, or Privacy (currently under development), are intended for users that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of the users’ over sight of the service organization; vendor management; and internal corporate governance and risk manage NT. CPA SOC 3: Trust Services Report (Trust Services Principles, Criteria, and Ill striations) (CPA, Technical Practice Aids, Volvo. , (T PA sec. 100) commonly referred to as Estrus t reports). These reports are designed to meet the needs Of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not need the level of detail provided in SOC 2 Report. These reports are general use reports and can be freely district butted or posted on a website as a seal. A vendor that undergoes such an examination is stringently evaluated on its c intros over the system or service it provides to user entities.

The controls address the components of a system w which include: infrastructure. The physical and hardware components Of a system (facilities, equipment and networks). Software. The programs and operating software of a system (systems, applicant actions and utilities). People. The personnel involved in the operation and use of a system (develop RSI, operators, users and managers). Procedures. The programmed and manual procedures involved in the operate on of a system (automated and manual). Data.

The information used and supported by a system (transaction streams, files, databases and tables). As a result of these engagements, vendors receive a comprehensive audit rep rot that includes a description of the system prepared by the service organization, the suitability Of the design Of the e controls for an CPA SOC 1 or SOC 2 report in a type 1 engagement, and in a type 2 engagement, the operate nag effectiveness of the controls over the system. Lafayette suggests asking vendors for a copy of their SOC 2 report, if unrest acted, and/or their SOC 3 report.

Best practices also include using a thirdly monitor, such as MacAfee Secure or Commode Headquartering, to test the security of the vendor’s Web applications on a daily basis. Look for that 10 go and the attested stamp on the vendor’s site. Another important consideration is unscheduled downtime and how easily cue stokers can access their own data. There’s a concept of “five As” in the cloud world, which relates to “uptime,” or how often the system will be accessible by uptime, which amounts to 5. 6 minutes of total unscheduled downtime per year.

This does not include scheduled downtime, which many vendors say they set during weekends or overnight to limit interruptions to users. This is often guaranteed as part of serviceable agree nets and, depending on the contracts, customers could be credited if the guaranteed performance is not met. The p argental of uptime has continued to climb over the years as providers place continued importance on this factor a s a selling point (or deterrent) based on public perception. Some vendors are starting to say “no nines,” meaning their systems are never down, but

Lafayette points out that most internal office networks don’t even come near “five as” of unscheduled downtime in a year. Http://www. journalofaccountancy. Corn/less_Jess/201 0/act/20102519 Of course, the cause of downtime can lie with the customers if they don’t have e ample bandwidth or any Internet access, since access to data is driven by a company’s ability to access the Web Jim Bourne, CPA/ CITY, partner in charge of technology at Withiest+Brown, compared the amount of bandwidth necessary when moving from on premise to a cloud environment a s upgrading from a garden hose to a fire hose.

You will need a big, wide open pipe to ensure reliable access to your data and applications around the clock. While the specifics will vary depending on the applications you use, the point is that the more of your business you do in the cloud, the more important it becomes to make sure you our Internet connectivity is reliable. Bourne recommends choosing an Internet service provider that provides the I arrest amount of affordable bandwidth in your area.

Prices vary tremendously across the country, but $1 00 to 5200 a month is well worth it for reliable access, he says. On top of that, whichever company you choose, also consider eying for a secondary or backup provider. Many CPA firms choose telephone companies as both their primary and sec Andrea providers, which is K as long as they aren’t the same one, or even related. But choosing a cable company a s a secondary may be a better choice and may even provide faster speeds, Bourne says.

Another obvious issue of concern is around data ownership and migration. W hat happens to your data if you switch vendors or a vendor goes out of business? Think of this the same way you woo old with online photo storage and sharing companies. Can you get those photos back if you want to? Be sure to ask vendors about their exit trainees and how much it may cost you if you choose to take your data else where. Transferring data from one system to another is rarely easy.