Guide to Evaluating SaaS Technology and Close Software
The process of buying software is similar to intercompany accounting: there are multiple stakeholders, roles, and responsibilities, with everyone trying to do the best for the company. Your focus is bringing the best solution into the organization to solve an immediate need while also considering long-term scalability. Being specialized in our craft of accounting, we are focused on finding a solution that will work, regardless of the technology.
As you start down the path of looking into financial close software to solve a challenge, there are a few key things you can do to get ahead of questions from different internal stakeholders, one of the key ones being IT.
IT generally has fairly broad responsibilities across the organization, from onboarding or offboarding employees, maintaining production or development environments, deploying new changes to production, and maintaining security standards and certifications. When it comes to introducing new software into the mix, IT teams prioritize a few key questions:
- Are they aligned with our technology strategy?
- Will the software provider maintain the same level of security and compliance we commit to our customers?
These are the high-level questions, but if we break down each question there are specific things your IT team is looking for that can impact your business.
Are They Aligned with Our Technology Strategy?
Vendor Hosting Type
Understanding how and where your software and data are hosted and managed leads to the best outcome for your project. It is also important to align the vendor's software with your company's vision and strategy, which may mean that certain vendors are disqualified upfront.
For a long time, larger companies would only run on-premise software. This has changed for the better, but two questions are worth asking when evaluating any type of software: how capable is my current IT team of implementing and supporting new technology or integrations, and how much do I want to rely on a vendor to do?
Typical Hosting Types
Cloud and SaaS
Cloud and Software as a Service (SaaS) are fairly broad terms, but in essence they mean hardware and/or software hosted by a third party in a location other than your own office or data center. Generally, in the mid-market, companies aren't looking to host their software; they prefer a company that does this for a living, is a technology expert, and can offer the best support for you to then support your customers and business.
Most of the time SaaS goes hand in hand with the concept of multi-tenant software, which means that you will be on a platform with other customers with allocated resources and regular upgrade schedules, ensuring you are always on the latest and greatest.
Single-tenant is an offering that can allow you to have a separate instance of the software on shared or dedicated hardware. Everything comes with a tradeoff of course – with single-tenant architectures, you can gain some control over when releases are available in your environments, but you also run the likely risk of not being as up to date as possible with the software. In the mid-market space, we see very few vendors offering this type of solution, nearly all opting for a multi-tenant SaaS approach for consistency and scalability.
On-premise, or on-prem, means you buy a license or a subscription for software that you then run on your own hardware, with your own IT, database, network, and infrastructure teams supporting it. This is very unusual now in the mid-market space, with most customers (and customers' IT teams) preferring the software provider to also host the software and take on those additional responsibilities.
Additional Vendor Hosting Topics
Data Center Location
This dictates where your data is physically going to be saved when you import, process, or save information in an application. You can sit in the US, do business with a Canadian software company, and have your data stored in Germany; it’s important to understand where your data will reside, even if it’s at the country or state level. Depending on your industry and business requirements, this could be a big deal or a non-issue. We often see requirements from government agencies and more regulated companies, with a need to host data in a country or region.
Backups, Disaster Recovery, Redundancy
How frequently is your data backed up to a secondary device or location in case the primary location becomes unavailable? Typical concerns are power outages from natural disasters, where a primary site may be unavailable for some time and a backup site needs to be used. Intraday and nightly backups are fairly common, with backups retained for 30 days before purging.
Will the Software Provider Maintain the Same Level of Security and Compliance We Commit to our Customers?
Your customers require you to meet certain minimum thresholds of support, security, and compliance. When you are evaluating software vendors, it is only natural to ask those providers to adhere to similar standards.
SOC 1 and SOC 2
SOC stands for Service Organization Control; SOC 1 and SOC 2 are the two report types you will encounter most. SOC reports provide assurance that you have a secure chain with solid financial and security controls in place upstream and downstream. You should insist that your current and prospective providers make their SOC 1 and SOC 2 Type 2 reports available to you.
GDPR
The General Data Protection Regulation (GDPR) addresses the movement of personal data outside of the European Union (EU). If you are in the EU, it's important to consider whether your provider is able to adhere to GDPR standards and has an EU data center. If your provider is in the United States without an EU data center, you will want to review the Schrems II decision to see what impact it may have on your software provider.
HIPAA
The US Health Insurance Portability and Accountability Act (HIPAA) sets standards for how sensitive patient health information must be protected. If you are in the healthcare business and your provider is processing this type of data, it can be necessary for them to also be HIPAA compliant.
Security and Authentication
If someone were able to intercept your message or obtained a hard drive with your data, could they read it? If the data is unencrypted, such as free text, others would have no trouble understanding what is there. This is where encryption comes into play: it wraps a message, file, or data set in a layer of protection so that even someone who gains access to the data cannot read it or act on it.
When considering software providers, you’ll want to ensure they can provide confirmation your data would be encrypted in flight (on the way from your source system to their application) and at rest (once it gets to their application and is saved).
Common encryption algorithms are AES 128 and 256; brute-force attacks to crack those keys would take millions, or billions, of years.
Single Sign-On (SSO) enables your company to control application authorization from one central place. This simplifies daily life: you don't need a separate ID and password, because your normal company ID and password give you access to many different services and applications. SSO is also a security measure, since an employee's access can be revoked across multiple devices and applications at once should the need arise.
When you are looking at financial close software, it’s important to know who will be administering your new application’s user provisioning. Who will be setting those users up? What access do you want them to have? Typically, application administration falls on the business to perform.
Software isn’t something you are buying every month or even every year. Security and compliance rules change, and there is a lot to keep up with. Engage your IT team early in the process, get their feedback, and let them help guide you on supporting the best technology choice for your company. Trintech prioritizes compliance as an ongoing responsibility rather than an achievement, enabling your Office of Finance to stay ahead of regulatory requirements. Discover our approach to compliance and how we bridge the gap by providing systems of accounting controls and intelligence to customers.
Written by: Michael Uram