CPAs and ASPs

The certification of business processes in industry is nothing new. Even in the nascent ASP industry, most companies are already familiar with partner certifications from the likes of Sun, Microsoft and Cisco, but a relatively new standard, SysTrust, is now making its way onto ASPs’ radar as a way to verify they have the systems and processes in place to back up their service-level agreements (SLAs).


Microsoft/Great Plains is one of a group of independent software vendors (ISVs) that have given SysTrust a boost in recent months by requiring all of its resellers that wish to engage in co-marketing and receive extended technical support to become either SysTrust or Microsoft Gold certified, Jim Traynor, MS/GP’s director of ASP Business Development, told ASPnews. “It will evolve to be the bar that companies will have to reach to call themselves an ASP,” he said.

Introduced by the American Institute of Certified Public Accountants in early 2000, SysTrust is a certification process that examines and tests an ASP’s ability to deliver in four key areas: security, integrity, maintainability and availability. “If all those [four] components are working together properly, the information that comes out of (the system) is reliable,” Christopher Leach, national director of Technology Risk Management for the CPA firm of Grant Thornton and a SysTrust certification auditor, told ASPnews.

The audits are conducted by third-party CPAs and cost anywhere from $15,000 to upwards of $250,000 depending on the complexity and size of the audit.

Roll Your Own Audit

If you wish to perform your own internal best-practices audit, CPAs can also purchase the SysTrust guidelines for a mere $13. But, in practice, there may not be a great deal of value in an internal audit. ASPs that conduct their own audits cannot claim they are SysTrust-certified and therefore will not have the marketing advantages of a third-party audit, Anthony Pugliese, AICPA’s vice president of Member Innovation, told ASPnews.

Other certifications exist for ASPs, including WebTrust, which was also developed by the AICPA to audit the delivery of e-commerce applications. In fact, the two standards are currently in the process of being “harmonized,” according to Pugliese, because they cover so many of the same standards. The main difference between the two is that SysTrust is so broad and encompassing it can be performed on any ASP operation, such as in a manufacturing environment, but WebTrust is focused squarely on the delivery of e-commerce applications.

Improving Process and Procedure

Beyond simply verifying an ASP can deliver on its promises, the certification process also helps ASPs — long consumed with developing their core technology and infrastructure — ensure they have the processes in place that allow them to function smoothly, said Traynor. “SysTrust and WebTrust force you into process and procedure,” he said.

One ASP, Lexington MA-based Surebridge, which became SysTrust certified in April, found this to be the case, John Georgevits, Surebridge’s director of Quality Assurance, told ASPnews. Because of the audit, Surebridge instituted a “radical change” to its change management procedures.

“It really forced the company to focus on getting a complete framework in place instead of doing things piecemeal,” he said.

From the customer perspective, SysTrust-certified ASPs have a marketing advantage since they can point to their certification and say their systems and processes have received third-party approval, Traynor said.

“(Customers) have been asking for some level of assurance … that UL on the plug,” he said.

ASP eVision Systems, a Houston, Texas-based MS/GP reseller that passed its SysTrust audit in May, has already begun acquiring new leads because of its certification status, Mindy Dunne, eVision’s controller, told ASPnews.

“I think the public is really asking for this now to get a comfort level,” she said.

Investors as well are looking for some type of assurance they are investing in a company that can deliver the goods, Grant Thornton’s Leach said. “They want to make sure they are investing in a reliable business model,” he said.

The reason SysTrust works is because its designers have broken down the basic building blocks of any IT system, regardless of where or how it is being used, into quantifiable components. Once a system’s boundaries are identified, these components can be tested and approved by the same processes time after time, said Pugliese.

SysTrust, like other broad certification processes, “looks at things that are similar to all IT systems,” he said. “You can argue that a system is reliable if it is all of four things: Reliable being secure — there’s a strong security element to this; it has integrity, which means it processes data in the way it was intended; that it’s maintainable, which means that the system can be brought up and down as needed; and that it is also available when the user needs it to be.”

Even though it has not endorsed SysTrust outright, the ASP Industry Consortium is behind third-party certification because its research indicates customers are still fearful of entrusting their applications to an outside vendor, Sheila Lugenbuehl, Hewlett Packard’s Business Development manager and vice president of the ASPIC, told ASPnews.

“The ASP model needs to develop that level of trust,” she said. “(Certification) is proof of ability to meet the end user’s needs.”
