Estimated reading time: 5 minutes, 12 seconds

Software as a Service (SaaS) offerings for CPA firms have been slowly emerging from the shadows, and are now front and center for many categories. Although the risks of any solution should be understood and evaluated before deploying any solution in a production environment, many CPA firms do not understand how the points of potential failure associated with SaaS applications are fundamentally different than the typical points of failure associated with traditional, on-premises applications.

SaaS Markup
(Click Image to Enlarge)

Figure 1 – By confirming that a website is using HTTPS for secure web browsing and inspecting its third-party SSL encryption certificate, users can gain comfort that a service’s website is legitimate and that data is encrypted while being transmitted from the service provider to the end user. This example shows the digital certificate for the portal for CCH’s Global fx service.

In addition to payroll solutions made available on a subscription basis, there are many other examples offerings for accountants in public practice, including:

  • Global fx, Intelliconnect, and Accounting Research Manager from CCH, a Wolters Kluwer business,

  • Virtual Office CS, the Enterprise Suite, and RIA Checkpoint from Thomson Reuters Tax & Accounting,

  • GruntWorx and GruntWorx Pro from Copanion,

  • QuickBooks Online from Intuit,

  • Intacct’s on demand financial system,

  • Hosted Customer Relationship Management offerings such as Dynamics CRM on Demand from Microsoft and SaaS applications like, and

  • Capital Confirmation’s CONFIRM validated bank confirmation service.

Many on-demand applications offer advantages over traditional, on-premises installations such as:

  • Many applications require only a high speed internet connection and a web browser to operate

  • In most cases, no software must be installed on the client computer.

  • Updates and patches are installed automatically by the service provider

  • Users can access their applications and data from almost anywhere at almost any time.

  • Most service providers have technical staff monitoring system operations and security around the clock, 365 days a year.

  • Some service providers offer unlimited support and training for their on-demand offerings with extended hours of availability.

Despite these attractive features, there are risks associated with SaaS offerings which are different than on-premises offerings, including:

  • Since a company’s applications are made available from centralized servers, data from all users is hosted together on a company’s computers. Users may want to inquire about policies and procedures which prevent unauthorized users from viewing their data.

  • Users may want to view disclosures and independent tests of a company’s security and privacy policies.

  • Disasters and other service provider business interruptions can easily impact customers worldwide.

  • Some applications may not be available as locally-installed applications, which means that users should have a plan for how they will back up, restore, and convert their data in the event of a service disruption.

  • Most SaaS applications provide access to applications and data from anywhere, allowing remote workers to have the same tools as their co-workers in the office while retaining the convenience of a remote/home office.

Organizations such as the SANS Institute ( provide sample policies and illustrative security standards for application service providers. These are free from the SANS website at, and a direct link to the page for the SANS security policy project is CPA’s evaluating online services should consider this guidance, as well as many other questions such as:

  • Is the company stable and well-capitalized?

  • How has the company dealt with past interruptions and contingencies (e.g. hurricanes, earthquakes, power blackouts, etc.)?

  • What is the organization’s service level agreement (SLA), or its stated policies regarding availability and interruptions of the applications? Are there any penalties for failing to meet these standards? Has the company ever had to make payments under these provisions?

  • What is the company’s plans for a catastrophic failure at its primary data center? Does the provider have multiple sites, mirrored servers, and structured plans for a contingency? How far apart are the primary and backup data centers? Is there a concentration of risk here in the event of a catastrophe? For example, if a company’s primary data center was in San Jose, and the backup data center was in Santa Clara (less than ten miles away), this might provide good protection against a small, localized power or internet outage, but might not provide adequate protection against a widespread power outage, a coordinated attack against fiber optic backbone cables, or a significant natural disaster like a major earthquake.

  • Are there any third-party security audits of the company’s policies and procedures (e.g. SAS 70 Type II)? Have you read the audits to confirm that the audit covers the organization’s internal procedures, and not just the general controls over the data center where its servers are located?

SaaS Markup2
(Click Image to Enlarge)

Figure 2 - Copanion’s website features SSL encryption for confidentiality, extended validation by a third party to thwart phishing attacks, and numerous security and privacy certifications.


  • Is all data stored in encrypted databases where the end user has sole control to the mechanisms of decrypting the data, or do the company’s technical personnel have access to confidential information? Is access to data logged and reviewed for propriety?

  • What are the organizations policies for hiring, retaining, and terminating personnel?

  • Is there any kind of extended authentication, certificate validation, or IP address verification available to mitigate the risk of a compromised username and password?

  • What kind of identification and verification is required for a provider’s help desk to reset a user’s password? How do these procedures prevent someone posing as a staff person from obtaining unauthorized access to confidential information?

  • Does the provider make any assertions about their compliance with federal and state privacy regulations which may apply (e.g., HIPPA, Gramm-Leach-Bliley, IRC § 7216, etc.)

Just as many people make different decisions about whether to purchase or lease capital assets such as buildings, equipment, or vehicles, software as a service offers CPA’s a way to outsource the management and delivery of software applications and reduce the complexity of their internal technology infrastructure. While these solutions may not meet the needs of all firms, SaaS should be considered as an alternative to traditional on-premises deployment, and the market share of SaaS offerings should increase significantly over the next five years.


Last modified on Sunday, 02 June 2013
Read 6662 times
Rate this item
(0 votes)

Visit other PMG Sites:

click me
PMG360 is committed to protecting the privacy of the personal data we collect from our subscribers/agents/customers/exhibitors and sponsors. On May 25th, the European's GDPR policy will be enforced. Nothing is changing about your current settings or how your information is processed, however, we have made a few changes. We have updated our Privacy Policy and Cookie Policy to make it easier for you to understand what information we collect, how and why we collect it.
Ok Decline