Wednesday, February 11, 2015

Cloud Accounting Due diligence..

Proper due diligence focuses on identifying the players within the Cloud relationship.
That is, who is actually involved in providing the services and are they the same entity (or entities) that are processing or storing data?
In the case of aggregators, for example, a Cloud user could be dealing with a single entity which itself is provided services by various third parties.


The Add-On Dilemma?
Recently, many Cloud accounting providers chose to offer only core features. As a result, many of the required business functions are now provided by a range of Add-On providers. You now need to ensure that you perform due diligence on all providers required to support your operational requirements.

From a contractual and liability perspective, it’s important for the cloud accounting practice and their clients to know whether it has a directly enforceable contract with the key players or whether it is relying on those with whom it does have a contract to enforce relevant provisions.
For example, a review of terms should seek to assess issues such as:
  • The parties in the Cloud stack, not just the contracting parties, and their roles, rights and obligations, especially regarding data, its processing, storage location, and ownership;
  • Whether each party has the rights required from other parties in the Cloud stack;
  • The capabilities and liability of other parties in the Cloud stack;
  • Backup/restoring data and disaster recovery plans;
  • Service levels and what happens if the internet is unavailable;
  • Continuous availability of services for business continuity;
  • Treatment of data on termination/insolvency;
  • What happens in the event of a security breach, and client reporting obligations; and
  • Issues such as change of control, service levels, service credits, audit rights, compliance with security standards, procedures in the event of a breach, force majeure.
Of course, in terms of risk management, users of Cloud services are to an extent letting go of control over their infrastructure and software. This element of risk is brought into sharp focus when you consider that providers of IT services often tend to offer their services without assuming any risk and with an exclusion for all liability where permitted by law. This is reinforced by a reading of some standard disclaimers on Cloud computing sites. It is important that one understands the risks associated with any decision; Cloud accounting is no different.
If you cannot get answers to all these questions, then you should consider the Google example below as a typical response for most Cloud providers, and make the appropriate assessment.

Google Apps noted that “... Google and its licensors make no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and/or non-infringement. Google assumes no responsibility for the use of the service(s). Google and its licensors make no representations about any content or information made accessible by or through the service. Google makes no representation that Google (or any third party) will issue updates or enhancements to the service. Google does not warrant that the functions contained in the service will be uninterrupted or error-free.”
Google also has a complex set of corporate relationships. The Australian licensed Google entity may in fact not be involved in any Google related activity; typically one finds that one is actually dealing with a foreign Google entity located in Ireland or Bermuda, rather than the Australian entity, even if the transaction is totally inside Australian jurisdiction.

Specific Security questions for your cloud providers:

  1. Where is the data hosted, and if outside of Australia is there documented support to meet APP8?
  2. Is all data encrypted in transit, i.e. is it possible to access the site via http:?
  3. Is all data encrypted at rest, on-line and archive (should be a minimum of AES256)?
  4. If encryption is used, are the keys unique and under the exclusive control of the Practice?
  5. Is there support for industry standard Multi Factor Authentication (MFA)?
  6. Can MFA support be mandated on all outside of Australia logins to support APP8?
  7. Does the system support industry standard mandatory password changes, on at least a 60 day basis?
  8. Is the system PCI or ISAE3402 certified?
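Question 2 above can be checked rather than just asked. The script below is an added example, not code from the original post or from any provider: it classifies what a site returns for a plain-HTTP request and for the matching HTTPS request, failing any site that serves content over plaintext and rating a redirect without a long-lived HSTS header as weak. The sample responses and the host name provider.example are constructed; probe() performs the same check live using only the standard library.

```python
"""Transport-encryption check for the "can the site be reached via http:" question.

Added example, not from the original post. Sample responses are constructed;
no real provider was contacted.
"""
import http.client
from urllib.parse import urlparse

HSTS_MIN_AGE = 31536000  # one year, the max-age the HSTS preload list requires


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_transit(host, http_status, http_headers, https_status, https_headers):
    """Return (verdict, reason) for the responses of http://host/ and https://host/.

    FAIL: content served over plaintext, or the redirect does not lead to https.
    WEAK: http redirects to https, but HSTS is missing or shorter than a year.
    PASS: redirect to https plus HSTS of at least HSTS_MIN_AGE seconds.
    """
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}

    if 200 <= http_status < 300:
        return "FAIL", "content served over plaintext HTTP (status %d)" % http_status
    if http_status not in (301, 302, 307, 308):
        return "UNKNOWN", "unexpected HTTP status %d" % http_status
    location = h.get("location", "")
    if urlparse(location).scheme != "https":
        return "FAIL", "redirect target is not https: %r" % location
    if not 200 <= https_status < 400:
        return "UNKNOWN", "https endpoint returned status %d" % https_status
    if "strict-transport-security" not in s:
        return "WEAK", "redirects to https but sends no HSTS header"
    hsts = parse_hsts(s["strict-transport-security"])
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_MIN_AGE:
        return "WEAK", "HSTS max-age %d is below %d" % (max_age, HSTS_MIN_AGE)
    note = " (also covers subdomains)" if "includesubdomains" in hsts else ""
    return "PASS", "redirects to https and enforces HSTS for %d seconds%s" % (max_age, note)


def fetch(host, path="/", secure=False, timeout=10):
    """Fetch status and headers for http(s)://host/path without following redirects."""
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "transit-check"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def probe(host):
    """Live check of one provider host (not run by the sample below)."""
    http_status, http_headers = fetch(host, secure=False)
    https_status, https_headers = fetch(host, secure=True)
    return assess_transit(host, http_status, http_headers, https_status, https_headers)


# Constructed sample responses: (http status, http headers, https status, https headers).
SAMPLES = {
    "plaintext": (200, {"Content-Type": "text/html"}, 200, {}),
    "redirect_no_hsts": (301, {"Location": "https://provider.example/"}, 200, {}),
    "hardened": (301, {"Location": "https://provider.example/login"}, 200,
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}


def run_samples():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: assess_transit("provider.example", *args)[0] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        verdict, reason = assess_transit("provider.example", *args)
        print("%-17s %-5s %s" % (name, verdict, reason))
```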

Perform the due diligence, ask the questions, and then assess the Risk vs Benefit..

There is nothing new about Cloud outsourcing; you just need to understand the risks for your practice and your PE liability for your clients' data, especially the cyber crime related liabilities. The above general questions are designed to assist with this risk assessment.


Disclaimer The contents of this site should not be understood to be accounting, legal or security advice but rather as general educational information that may or may not meet your specific requirements. You are advised to always seek professional advice to meet your specific requirements.

The Cloud ate my data..

Cloud computing can work a bit like Hotel California; you can check your data in OK, but will you ever get it out?

One of the least thought about issues is exactly how one gets data out of the Cloud.
A Practice needs to consider the notion of being locked in to certain applications or systems, and all Practices and their clients need to consider the requirement to access data some years into the future for a range of regulatory reasons.

Backup of data may well require the applications which created the data to be available in order to sensibly access it. When was the last time you opened a MYOB-4 archive?
This may be achievable if complete system backups exist and there are perpetual licences to applications which allow a user to rebuild a system so as to restore data. But does this exist in the current Cloud Accounting world?

In a Cloud setting, rebuilding an application years later so as to make data intelligible in most cases is impossible — and yet that is precisely what organisations might have to be able to do in order to remain compliant with data retention laws and regulation. All records, whether electronic or not, should be retained for at least the minimum period stated in any applicable statute or regulation.

In Australia there are more than 80 acts of legislation, regulations and rules specifying document retention requirements applicable to companies under Australian law. Depending on the situation data needs to be accessible for five, seven or 10 years after creation.

If a court orders a company involved in litigation to make available records from six years ago, or during an ATO audit, excuses such as “the Cloud ate my data” simply won’t wash.
 
Such scenarios should be considered at the outset of any relationship, and give rise to questions such as:
  • If service providers change, can the records be usefully accessed?
  • Can I access archived data, years into the future, without the service provider?
  • Are there any lock-ins, such as licensing (i.e. will the application even open the file if there is no current licence), which prevent access to accounting or SMSF data?
  • Does the supplier limit the data that can be exported from their application, and will such limits still allow one to meet any data retention obligations?
  • Can data be extracted on-demand from the Cloud?
  • When will archive data be transferred and what form will it take?
  • What are the obligations on each party regarding an exit plan?

SAF-T The International Audit and Archive Format
In order to address a number of the issues above, we recommend that when considering any Cloud Accounting service, as a minimum it supports the internationally standardised OECD SAF-T data archive format.
It is preferable that the SAF-T export is available to a client on-demand, but at a minimum the Practice should perform a yearly SAF-T archive.
Due to the scope of data within the SAF-T archive, this file "must" always be encrypted at rest once exported. All major Accounting Software, Oracle, SAP, Cognition etc., support SAF-T exports.

SAF-T can be opened, viewed, and utilised via any industry standard spreadsheet program; our accountants typically make use of Excel.




Disclaimer The contents of this site should not be understood to be accounting, taxation or investment advice but rather as general product related educational information that may or may not meet your specific requirements.

Tuesday, February 10, 2015

BYOD, Those pesky Mobile devices and your Practice...


What BYOD is and isn’t
BYOD – or Bring Your Own Device – is what happens when your employees, clients or guests use their own personal smartphones and tablets to access your Cloud Practice and Accounting Software. They bring their own mobile apps… security risks… privacy demands… with the intent to connect to your cloud enterprise. And they expect you to make it work, which includes managing any increased Cloud and BYOD risks for them.

Because it’s their own device, uniformity goes out the window. You’re not handing them preconfigured devices to connect to secure enterprise networks, with work applications preloaded and all administrative privileges pre-vetted by your IT staff. And you can expect that these devices take the path of least resistance to connect, whether that’s your secure network using existing credentials or the guest network. BYOD means that hundreds or thousands – or tens of thousands – of essentially rogue devices are interacting with your and your client organisation’s confidential data… and it means that you need to come up with a plan that protects this privacy and your confidential data and is transparent.

Who’s getting the most of it?
There isn’t an industry – or a corner of the globe – that isn’t putting the mobile revolution to work for them.
Here are a few examples of what they’re doing to accommodate BYOD.

Enterprise
Everyone wants to stay connected to the office now. So enterprises are leveraging authentication methods and policies they currently use for IT-managed laptops, and extending them to personal devices.
Education
Higher education practically invented BYOD. Colleges and universities have had to support student-owned devices for many years and have done an excellent job leveraging BYOD to transform the teaching and learning environment. Now, these same institutions are extending BYOD to faculty and staff.
Retail
Retail spaces are completely transforming as a result of mobile devices. While most of these devices used by staff are issued by IT - such as iPads for mobile point-of-sale (POS) - there is a growing trend to also allow BYOD in stores for certain employees. But the big story for BYOD in retail is for shoppers. Armed with smartphones, shoppers are price checking and reading product reviews while in the store – a Google/Think Mobile survey found that 77% of all smartphone users browse while shopping. Wi-Fi networks can gather information about shoppers, improving the customer experience with real-time product information and special promotions to establish long-term social media connections.
Accounting
The modern Accounting Practice is moving from using commodity third party accounting software (MYOB, Xero) to their very "own" mobile Apps.
These Apps are targeted to their specific clients, and exploit the over 3 million Android Apps available today.
The practice is part of the ecosystem with their clients, delivering professional services around the clock. The modern Cloud Practice now has a "differentiator" in the market, which now includes sticky clients.
The next "big thing" in this space is the upcoming suite of personalised SMSF Apps; keep a look out in 2015 within this space..

What about the numbers?
"Worldwide combined shipments of devices (PCs, tablets, ultra mobiles and mobile phones) are projected to reach 2.5 billion units in 2014, a 7.6 percent increase from 2013"
"Mobile phones are expected to dominate overall device shipments, with 1.9 billion mobile phones shipped in 2014, a five percent increase from 2013",
according to Gartner, Inc.
What exactly DO you lose if you don’t move to BYOD?
To put it bluntly... your ability to manage risk.
As users increasingly combine work and personal applications on their devices, your management challenges grow more complex – and the chance that confidential data are leaked rises exponentially.
Devices are replaced, and lost or stolen, without IT being informed. Documents are not encrypted, but then stored in personal cloud applications. Jailbroken devices are infected and then connect to the network, which can have a detrimental effect on other users’ data.
Given that application and data security is the top IT concern regarding BYOD, an emerging approach is to combine device and application management within the network access-management solution.
In other words, an integrated approach.

What are the main security issues with most Cloud Solutions today, and BYOD?
With the move from Corporate to Cloud computing, most of the security infrastructure has been thrown away..
Policies which were developed over many years of operational experience have been lost as new entrants driven solely by cost enter the Cloud market.. Many of these companies did not exist 5 years ago..
Simple test: ask yourself the last time your Cloud anything asked you to change your password!
That's right, even basic password policies are missing from these services; what else?
Some simple Questions to ask your "Cloud Software Supplier":
  1. Is my data stored within Australia (APP8)?
  2. Is there a mandatory password change policy in force?
  3. Can I optionally use a Multi-Factor-Authentication to protect my access?
  4. Is my data encrypted at rest?
  5. Are any encryption keys securely stored inside a Hardware Security Module (HSM)?
  6. Is there a disaster recovery plan in place for my practice data?
  7. Can any BYOD APP store user passwords?
  8. Can I enforce a One Time Password (OTP) to protect all BYOD access?
  9. Can "I" revoke an individual device access to any of my services, from within my Practice Console 24*7?
If a Practice is using in/out sourcing, we recommend that Multi-factor-authentication is part of the mandatory remote access policy for all services. Simple password remote access control is a significant risk for any practice and client data. As all major mature Cloud service providers such as Google, Amazon, VillageMall etc. today offer MFA support, this should not be an issue, and hence is not in the list above, but you need to check just in case..

If you don't receive a satisfactory answer to all of these questions, then you need to consider the associated risks before using the service..
BYOD offers a bright future for Cloud Accounting Practices, as part of the next wave delivering unique Professional Accounting services "directly" to their Clients 24*7*365.

But all opportunities have associated Risks; ensure your Practice understands the risks for your Practice and your clients' data..

Ask the Questions, until you are satisfied you understand the Risks for your Practice..



Sunday, August 31, 2014

Cognition, Cloud Accounting engine, for Mobile platform developers.

We are witnessing an explosion of new generation Mobile Platform "Apps" targeted towards business; in particular the sole trader (tradies, consultants etc.) and small business owner or operator, and their staff.


Most of these Apps have very simple, and also very good, user interfaces, in many cases better than those of traditional software developers like ourselves. Additionally they move with the times; it does not take 4 years to get a basic function like an estimate, and in many cases new stuff happens weekly or monthly at the longest. The typical Mobile developer looks at business functions with new insight; they are not "cut down" versions of existing desktop accounting software.


Today you can get a Mobile App to do almost anything.

But any analysis of this market shows that in almost every case (Freshbooks is an example) these Apps lack even the most basic accounting functionality, and none of the ones we reviewed had even basic double entry accounting or complied with any of the accounting standards or registrations. We typically got responses like, "we don't need any accounting standards, as we target non-accountants", but this is no excuse not to comply with reporting and compliance standards. Removing complexity for a target market is a grand goal, but one still needs the basics. In fact Freshbooks was the catalyst for Cognition, as we needed an engine to allow accountants to perform back office work, Activity Statements, basic accounting functions, bank loan reporting, bank feeds, tax returns etc. In many ways Freshbooks was our first Cognition "App", but the integration was done at the back end database, not by the front end App developer. This approach has many drawbacks, synchronization being the least of these. We concluded that to be successful, the integration must be done at the developer App level.


Even non-Mobile accounting solutions, like the market leader Xero, maintain a set of +/- transactions rather than traditional double entry, which one can see within their journal API.

When it comes to functions like BAS, online ATO returns, bank feeds, AAS25 reporting and compliance with accounting standards, the typical "App" is found to be sadly deficient..

Compliance and reporting is the "Hard" bit and takes a lot of time and money to get right..



The new breed of App Developer
The rapid growth within the Apps market has been driven by "Free" or very low cost applications which are very easy to use; most cost less than $20.. This means that any paid App needs significant volume to make money..

If an App developer makes use of a traditional accounting solution, say Xero, as their engine, they hit the "Fee" brick wall, where the excessive fees limit the "volume" and in most cases will stall the App take up; free trials do not help. Also these traditional solutions compete directly with the Apps market developer, which leaves very little market for the agile Mobile developer and their customers.

We see that there is a fee threshold of about $100 per year for this market.

Additionally the interfaces for the likes of Xero are way too complex, and not suited to the typical "light weight" application developer.

Volume underpins the success of any mobile platform "App"..

The Future Accountant
Many say the future for accountants is bleak, the increasing pressure from Adviser channels and the cost of new AFSL compliance, makes it all toooo hard. Many who are reaching retirement, see it as time to move on..

We actually see a rosy future for the new generation accountant, especially for those servicing sole trader, trade person, consultant, or road warrior small businesses, offering a local personalized service to their clients.

Most of this market's clients do not really care about BAS/IAS or tax returns; they "need" to focus on their day to day business, and the last thing on their "to do list" is producing compliant reporting for Banks or Investors or the ATO.

While the new generation of Apps, can keep track of payments and cash flows, most of the Apps market users are time poor, and more than happy to "in-source" professional advice and specialist services.


The "in-sourced", virtual CFO, the future of accounting..

Also, working with accountants over the years, many are latent "developers".. in that they realise the only way to differentiate themselves in the market is to offer unique and personalized services to their clients. If all practices use Xero, where is the differentiation from a client's perspective?

As there are currently over a Million Android Apps in the market today, there is no shortage of App developers in the market.
The new generation of Accountants get this differentiation, and have the "savvy" to understand the market changes.

With the release of Cognition, a practice can now offer a totally unique and personalized service to clients via any Mobile Platform..

Accountants simply re-selling Web Site services like Xero, Reckon, MYOB are the "old world"...
The future is unique practice services, delivered directly to your clients, you own and control your destiny.
Bottom line you can provide superior and in almost all cases, a more cost effective solution to your clients.

In marketing world this is called the "sticky client"...



Cognition "The Cloud Accounting Engine"


Enter the Australian-first, and only, dedicated cloud accounting engine for Independent Software Developers.
Unlike all other cloud accounting services (Reckon, MYOB, Xero, Sage, Quicken etc.),
Cognition has no user interface; it is exclusively an "engine" for App developers, to provide the Enterprise Accounting back end to their own "Apps".

Developer
Features:

  • Free to all Sole Traders
  • Fixed fee of $50 per year, or $5 per month which includes payroll..
  • Only developers can use the engine, as there is no end client interface, so the fee cannot be undercut.
  • Zero account setup fee, above fixed fee can be bundled "in App" all services are white labeled.
  • All access via, secure, light weight REST API, using JSON message sets.
  • API is free, to all registered Australian App developers.
  • No Cognition "App" or web service to compete with.
  • Secure, Enterprise double entry accounting engine, been in use since 2000, long before the likes of Xero even existed.
  • ATO registered, for BAS/IAS with integrated SBR gateway
  • Secure cloud based Auskeys
  • Unlimited transactions per entity
  • Unlimited customers, suppliers per entity
  • Limited to 20 staff (SME market), and fair usage.
  • The API usage is also unlimited, Xero has 1000 transactions, and rate limited.
  • The API has paging, which limits the max set to 100 entries per page.
  • Optional support for SMSF Apps, via our SMSF365 service engine.
Functions
  • Invoicing, Estimates
  • Expenses, Receipts
  • Projects, Tasks
  • Time Entry
  • Payments
  • Items
  • Staff
  • Contractors, Suppliers, Prospects
  • Payroll
  • Tax

Accountant Only
Features:
  • SBR for activity statements, via AWO
  • Tax returns, via AWO
  • Optional Payroll Processing via AWO
  • Traditional accounting system, journals etc., with AAS25 reporting for SMEs
  • Registered with the ATO.
  • Payroll Bureau with AWO
  • Same accounting engine in use since 2000, used in Web Ledger, Web Office and SMSF365 services.
  • Deliver in-sourced, professional accounting services



Cognition: Cloud accounting engine, partners with Australian App developers and Accountant services to deliver the future today.



Availability

  • Trials Q3 2014, available to all Australian App developers, and Accountants
  • Commercial availability Q4 2014.






Saturday, July 19, 2014

Bitcoin "Private Money"


With a rush of people fleeing the various effects of Fiat currencies, especially from China, Greece and Cyprus, digital currencies such as Bitcoin have become part of the financial landscape, with ~ USD$8,000,000,000 in capitalisation today.

The above statement may sound like I am a supporter of BitCoin; far from it. I see a number of issues with BitCoin: a hard supply cap, the significant first mover advantage, and liquidity at the Fiat currency interfaces are but a few. But the discussion around BitCoin and its treatment as a currency or property needs to be both rational and have some basis in reality.

Bitcoin, with a hard supply cap, has built-in deflation, while most western countries including Australia require an underlying inflation rate. The purpose of inflation is to drive people to invest their money into something productive; it also pays off national debt. A deflationary currency undermines productivity, and essentially provides a disincentive to be productive, as all new value created drives down the value of existing property. But I digress..

So back to Oz, the ATO has been grappling with the question of whether to classify Bitcoin as money or property for years, just like the rest of the world.

Bitcoin is effectively pseudonymous and potentially anonymous.  But, it’s important to understand the difference between “anonymous” and “tax fraud.”  Knowingly or intentionally refusing to report or pay taxes on income earned is by definition – tax fraud.  Whether you’re likely to be caught is an entirely other argument.  Mixing the two is a mistake that we shouldn’t make.

The furphy about tax evasion and Bitcoin is just that, tax evasion occurs today inside all of the Fiat currencies worldwide without exception.

Many people believe that if the ATO “doesn’t know who owns the BitCoin” and if their wealth is “entirely in BitCoin,” then the ATO can’t touch them, on the assumption that the ATO does not know who owns a BitCoin. The problem with this argument is that it is short-sighted and factually incorrect. But it is a fact that inside the BitCoin domain there is little or no transactional knowledge, beyond a peer-to-peer exchange.
As an example, John Doe owns a million BitCoins, and spends AUD buying houses, cars etc.. The ATO has all of John's AUD transactions from John's Fiat bank account, and calls and asks where this money came from. John can’t explain where the money is coming from and is slapped with a tax bill. The ATO does not need to identify the transactions inside of BitCoin, and does not need to know a single BitCoin holder address, to effect its tax collection obligations.

Hence in practice, the only way "States" like Australia have control over Bitcoin flows, and any associated Tax treatment, is to treat BitCoin as a Unit of Account, similar to how the ATO treats foreign exchange currencies, and use the banking system (AUD Fiat Currency) to track it once it "leaves" the Bitcoin world.

One can simply forget about the techo waffle of treating BitCoin as property and tracking Bitcoin addresses (a joke); this is a reaction to Bitcoin being a non Fiat currency and the need for "States" to have treaties around the control of "Currencies", nothing to do with the reality of BitCoin transactions.

Probably the most thought through classification of Bitcoin comes from Germany, which treats it as a unit of account or "Private Money".

"On 19 August 2013, the German Finance Ministry announced that Bitcoin is now essentially a "Unit of account" and can be used for the purpose of tax and trading in the country. It is not classified as a foreign currency or e–money but stands as "private money" which can be used in "multilateral clearing circles". Then they lost it, with capital gains and sales tax.

The Solution, must be simple..
FX Transactions
Bitcoin trading has FX gains etc.

Non FX Financial Transactions
Financial transactions have Capital Gains using Bitcoin FX rates, the same as any currency. As Bitcoin is a non Fiat currency, there is no currency tax, just the normal taxes within the actual financial transaction which uses Bitcoin as the foreign currency.
Bitcoin is always a foreign currency for all parties.

Where to Tax
For this to work, taxes are applied to all transactions which pass outside of the Bitcoin world (currency), i.e. at the point of entry into any entity's domiciled Fiat currency. All "States" have the ability to track all such transactions today, so again nothing new is required.

This matches the existing cash economy today.

There are no taxes inside Bitcoin (the same as there is no GST on bank transactions etc.); this is consistent with there being no taxes on "Cash" transactions today.

Bitcoin is just a non fiat currency, all the same currency rules should apply, simple.

The classification of Bitcoin as "Private Money" gets around a lot of the treaty issues and matches more closely with the real world..

Australia either plays in the big pond, or becomes irrelevant as a significant number of Chinese, Russians (Cyprus) and Greeks have already voted with their feet and left the Fiat currencies.



Approach
Keep it simple, require minimal changes, i.e. reuse as much as possible of existing legislation and infrastructure, and address issues as they evolve..



1. Bitcoin's deflation problem
2. A unit of account is a standard monetary unit of measurement of value/cost of goods, services, or assets. It is one of three well-known functions of money.[1] It lends meaning to profits, losses, liability, or assets.



Wednesday, May 7, 2014

Cloud Accounting, it's not all roses..

There has been a recent rush to Cloud based Accounting, and also Cloud based Practice Management solutions, but what are the downside issues to consider..

As one of the pioneers in Cloud based solutions from back in 1999, there are a few things a Practice partner should consider..

The advantages are spruiked in numerous places, hence in this posting, we will look at some of the potential disadvantages and how these may be addressed.


The Accounting Practice
A Practice needs to be able to provide evidence to authorities to justify its accounts and tax claims - possibly years after the fact - satisfy legal requirements to keep records, answer owners' questions, and satisfy ethical requirements of documentation.


1. Back Up and Restore
The accountant maintains accounts that (legally) belong to someone else, and now all the data is outside of the control of both the accountant and the client.
a) In the old days, one simply saved a copy of the client accounts in MYOB or whatever, as at the date the end of year or BAS was prepared. One could simply load back the saved file into the accounting program and all was available.
b) In most cloud based systems, there is very little archive or even back up capabilities, and even less ability to restore any of these files to a specific client account.
c) When the client stops paying for the service, what use is a proprietary exported file, that cannot be accessed, anyway?

2. Service Disruptions
All computer systems have an uptime which is not 100%.
a) What is the maximum loss of data (time period) in the case of a service disruption?
b) What is the maintenance schedule?
The ATO recently closed down its entire SBR for over 4 days to do an "update"?
While no-one has any control over the ATO, one should ensure that one's accounting system, and data, is able to be used when one "needs" to..

3. Disaster recovery
When clouds have issues, they tend to affect all of their users.
One could consider the Megaupload case as an extreme example, but can one be sure..
"MYOB General Manager Julian Smith says the data sovereignty issues in this case fall into a “grey area” of US law."  The issue is foreign and even our governments will give priority to their own considerations, the users as in this case are "collateral damage"..
a) "Hurricane Katrina created a number of challenges for Gulf Coast businesses, chief among them being data protection. While many companies utilized remote data backup services - or had the foresight to ensure that their backups were completely safe – others were left with submerged computers and no backups".
b) In the last Brisbane floods, several organisations who had stored paper records and computer backup tapes in their basements found them destroyed.

4. Service Level Agreements
These Cloud services support your business, so you need to know exactly what you are paying for and whether it is appropriate for your operational requirements.
a) Check whether there is an SLA at all.
b) If there is an SLA, look at whether the provider actually pays penalties when it breaches the SLA; this is always a good litmus test.

5. Security.
I saw a recent posting from one of the major accounting providers, basically stating that they use SSL, so clients don't need to care about their data or any security! This particular posting also opened with "Our Security Experts" and then left them anonymous.
a) Any security professional knows that security is never equal to "encryption", or indeed to any single security mechanism; the basic premise is "defence in depth": several independent controls, so that the failure of one does not expose the data.
b) The recent Heartbleed bug in OpenSSL is but one example of how unwise, and potentially liability-creating, such statements are: a flaw in the SSL/TLS library itself let a remote party read chunks of server memory, private keys and session data included, from systems that "used SSL" exactly as advertised.


The Solution
OK, so we get the picture; what can we do about it?
1. Backup and Restore
As one cannot own the accounting software, one needs a non-proprietary export format that can be stored under the practice's or the client's control. Preferably this file can be given to the ATO, if required, without change; second best is the ability to open it in industry-standard products such as Excel or any other spreadsheet to provide the required evidence.

Within all VillageMall solutions, including Practice Manager, we make use of the international OECD SAF-T (Standard Audit File for Tax) archive format.

2. The minimum acceptable level should be the ability to recover, in a stable state, to at least the previous night; some providers offer this on an hourly basis. The "stable state" is particularly important because most cloud-based systems use multi-tenanted databases, i.e. a single database serves all clients, so a copy taken mid-transaction can contain half of one client's journal.
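As an added illustration (not part of the original post and not VillageMall code), here is a Go program that performs the checks a practice can run on a restored export before relying on it: the archive's SHA-256 matches the fingerprint the practice recorded when it took its own copy, the provider's snapshot is no older than the agreed recovery point at the time of the outage (the "maximum loss of data" question from the due-diligence list), no posting is dated after the snapshot the provider claims, and every journal balances, which a torn, half-written transaction from a multi-tenanted database would not. The CSV journal, the timestamps and the 24-hour recovery point are constructed for the example; a real SAF-T export is XML and carries far more fields.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleJournal is a constructed, non-proprietary CSV export of two balanced
// journals; the checks below need only journal id, posting time and amounts.
const sampleJournal = `journal_id,posted_at,account,debit,credit
J1,2015-02-10T09:00:00Z,1100 Bank,1000.00,0.00
J1,2015-02-10T09:00:00Z,4000 Sales,0.00,1000.00
J2,2015-02-10T15:30:00Z,6000 Rent,500.00,0.00
J2,2015-02-10T15:30:00Z,1100 Bank,0.00,500.00
`

// Fingerprint is the hex SHA-256 of an archive. The practice records it when the
// export is taken and keeps it apart from the file, so any copy handed back later
// can be checked for silent alteration.
func Fingerprint(archive []byte) string {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:])
}

// parseCents converts a non-negative "1234.56" amount to integer cents so sums are exact.
func parseCents(s string) (int64, error) {
	parts := strings.SplitN(strings.TrimSpace(s), ".", 2)
	if len(parts) != 2 || len(parts[1]) != 2 {
		return 0, fmt.Errorf("bad amount %q (want NNN.NN)", s)
	}
	whole, err1 := strconv.ParseInt(parts[0], 10, 64)
	frac, err2 := strconv.ParseInt(parts[1], 10, 64)
	if err1 != nil || err2 != nil || whole < 0 {
		return 0, fmt.Errorf("bad amount %q", s)
	}
	return whole*100 + frac, nil
}

// CheckRestore accepts a restored export only if its digest matches the recorded
// one, the snapshot is no older than rpo at the time of failure, no posting is
// dated after that snapshot, and every journal balances. A half-written
// transaction from a multi-tenanted database fails the last test: not a stable state.
func CheckRestore(archive []byte, digest string, snapshotAt, failedAt time.Time, rpo time.Duration) error {
	if Fingerprint(archive) != digest {
		return errors.New("digest mismatch: restored copy differs from the archived one")
	}
	if failedAt.Sub(snapshotAt) > rpo {
		return fmt.Errorf("snapshot %s is older than the %s recovery point", snapshotAt.Format(time.RFC3339), rpo)
	}
	rows, err := csv.NewReader(bytes.NewReader(archive)).ReadAll()
	if err != nil || len(rows) < 2 {
		return fmt.Errorf("unreadable or empty archive: %v", err)
	}
	balance := map[string]int64{} // journal id -> debits minus credits, in cents
	for _, r := range rows[1:] {
		posted, err := time.Parse(time.RFC3339, r[1])
		if err != nil {
			return err
		}
		if posted.After(snapshotAt) {
			return fmt.Errorf("journal %s is posted after the claimed snapshot time", r[0])
		}
		debit, err := parseCents(r[3])
		if err != nil {
			return err
		}
		credit, err := parseCents(r[4])
		if err != nil {
			return err
		}
		balance[r[0]] += debit - credit
	}
	for id, diff := range balance {
		if diff != 0 {
			return fmt.Errorf("journal %s is unbalanced by %d cents: not a stable state", id, diff)
		}
	}
	return nil
}

func main() {
	archive := []byte(sampleJournal)
	digest := Fingerprint(archive)                           // recorded at export time
	snapshot := time.Date(2015, 2, 11, 2, 0, 0, 0, time.UTC) // provider's nightly copy
	failure := time.Date(2015, 2, 11, 14, 0, 0, 0, time.UTC) // outage begins
	fmt.Println("clean restore:", CheckRestore(archive, digest, snapshot, failure, 24*time.Hour))

	// A torn write: one side of journal J3 reached the copy, the other did not.
	torn := []byte(sampleJournal + "J3,2015-02-10T23:59:00Z,1100 Bank,250.00,0.00\n")
	fmt.Println("torn restore: ", CheckRestore(torn, Fingerprint(torn), snapshot, failure, 24*time.Hour))
}
```

The fingerprint only helps if it is stored somewhere the provider cannot rewrite; a digest kept next to the archive on the same service proves nothing.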

3. Disaster Recovery
With the availability of several enterprise-grade Australian data centres, and the new APP 8 (cross-border disclosure) requirements under the Privacy Act, there is simply no reason to take on the risks of storing client and practice data outside Australian jurisdiction. Where data must be stored outside Australia to achieve geographic independence, it should be 100% encrypted, both in transit and at rest, under keys that stay with the practice.
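The "we use SSL" claim criticised above and the requirement that offshore copies be encrypted at rest are two halves of the same point: TLS protects the connection, not the data once it is stored. As an added example (not from the original post and not VillageMall's code), the Go program below encrypts an export on the practice's side with AES-256-GCM under a key the provider never sees, so what the offshore data centre holds is ciphertext, and any bit flipped in storage, or a blob moved between clients' folders, fails to decrypt instead of restoring silently corrupted accounts. The key store, the client identifier and the export fragment are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleExport is a constructed fragment of a non-proprietary ledger export,
// the kind of file a practice keeps its own copy of.
const sampleExport = "journal_id,posted_at,account,debit,credit\nJ1,2015-02-10T09:00:00Z,1100 Bank,1000.00,0.00\n"

// NewArchiveKey returns a fresh 256-bit key. In a practice this would live in a
// key store the hosting provider cannot read (an assumption for this example),
// be backed up separately, and never be uploaded alongside the archive.
func NewArchiveKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("archive key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealArchive encrypts plaintext with AES-256-GCM before it leaves the practice.
// A random 96-bit nonce is prepended to the output. clientID is bound as
// additional authenticated data, so a blob filed under one client cannot be
// quietly moved to another client's folder and still decrypt.
func SealArchive(key []byte, clientID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(clientID)), nil
}

// OpenArchive reverses SealArchive. GCM's authentication tag means any change to
// the stored blob, or a wrong clientID, is rejected rather than yielding damaged
// accounts that look plausible.
func OpenArchive(key []byte, clientID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(clientID))
}

func main() {
	key, err := NewArchiveKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealArchive(key, "client-0042", []byte(sampleExport))
	if err != nil {
		panic(err)
	}
	// What the offshore store holds: no account names or amounts are visible.
	fmt.Println("plaintext visible in stored blob:", bytes.Contains(blob, []byte("1100 Bank")))

	restored, err := OpenArchive(key, "client-0042", blob)
	fmt.Println("restore ok:", err == nil && bytes.Equal(restored, []byte(sampleExport)))

	blob[len(blob)-1] ^= 0x01 // a single flipped bit in storage
	_, err = OpenArchive(key, "client-0042", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Note what this does not buy: if the key is lost, the archive is gone with it, so the key needs its own backup and restore test, exactly as the data does; and encryption at rest says nothing about availability, which is the SLA's job.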


Cloud services have lots of upside, so keep smelling the roses as you find them...

Disclaimer The contents of this site should not be understood to be accounting, taxation or investment advice but rather as general product related educational information that may or may not meet your specific requirements.

Tuesday, April 15, 2014

The $1.7 Billion "Flush", of Tax and Superannuation members dollars..


As one of the silent "majority" of taxpayers, it is with some despair that one watches tax money being flushed down the drain.

A few facts to start with, which politicians seem to miss:
  • politics is not the best way to pick market or technology winners and losers
  • political interference, however well intentioned, almost always distorts markets and can actually destroy existing market participants (pink batts, solar energy)
  • government departments with unlimited taxpayer funding should not compete with commercial entities on a non-commercial basis. A level playing field must actually be level.
  • if a specific technology needs to be "mandated" before anyone will use it, alarm bells should sound.
The programs in question are Standard Business Reporting (SBR) and, more recently, SuperStream.

These government program names are always interesting: SBR is anything but "standards"-based, and SuperStream is only "super" in its ability to spend taxpayers' and superannuation members' money.

The first look

This particular SBR program is quite strange; some obvious aspects:
  • run by Treasury, actually a front for the ATO; obviously some internal political issue?
  • no review of, or accountability for, any aspect of the project to date
  • after many years and millions of dollars already spent, almost zero adoption by commercial organisations
  • unknown millions wasted by commercial organisations when the promised returns were never realised
  • after many years, it still cannot process a basic Individual Tax Return
  • recently shut down for four days for "updates"; this is simply not commercially viable
  • use of ATO-proprietary technologies that have never been deployed anywhere in the world for this type of application; the sole country with limited usage is Denmark, and it could not get any commercial take-up
  • technologies that any competent technologist would advise against using, as they are simply not fit for purpose.
Yet it continues... and in fact this year, to overcome the almost zero adoption of the program, the current government has decided to mandate usage rather than conduct a traditional review of the business case (BC), after expenditure in excess of $400 million to date.

If it looks like a dodo and acts like a dodo, it is likely to be extinct.
A bit like John Cleese's "parrot": it is only on the perch because it is nailed there; it is actually deceased.

SuperStream is a good example of something gone amiss.
"The main purpose of SuperStream is to ensure employer contributions are paid in a consistent, timely and efficient manner to a member’s account."

Today, and for the last 15 years to my knowledge, employers of all sizes have been paying and reporting member payments to superannuation funds via their payroll system and BECS for almost zero additional cost. All banks are capable of passing member data through to funds via their existing bank data feeds.
The problem to be solved, as identified above, simply does not exist...

Anyone involved in rollovers of members' superannuation knows that it is the superannuation funds' "hoops" that are always the issue, not the transfer technologies.

Technology is never good at solving "people" or "business process" issues.
Hence the suggestion that something which is not broken requires $1.2 billion to be spent could only exist inside a taxpayer-funded government department, perhaps looking at building a "Yes Minister" empire?


So what went wrong?
  • why is Treasury doing commercial software development?
  • why is there zero accountability for any deliverables under the program?
  • why are basic Individual Tax Returns not supported after many years?
  • why is a working ELS system being trashed, rather than replacing the antiquated ATO-proprietary bits with commercial technologies?
  • why are there zero client deliverables? all are internal
  • why does the system need to be shut down completely, for up to four days at a time, just to "update"?
  • why is there no review of the past $400+ million expenditure?
  • when was the original BC reviewed?
  • why is no common sense or normal business accountability being applied to this program?
  • why would anyone invest an additional $1.2 billion to achieve a saving of less than a cup of coffee?
  • why is there a mandatory levy to pay for a program which no one wants (other than those with a financial gain from it), when the same thing can be done today using existing commercial infrastructure for almost zero additional cost?
This program is technically flawed and would not make it past the "initial" gating process in any commercial organisation, yet it has spent in excess of ~$400M (no one has an actual figure, not even Treasury) to date, with zero return or quantified savings over existing systems. It has also had a "negative effect" on Australian developers (the ATO paying millions to overseas companies does not create jobs for Australians, just as we funded 100+ factories in China to make pink batts and sent local Australian companies broke), and it is planning to spend $1.2 billion to solve a problem that does not exist..

The technical issues are very straightforward; the politics seems confused at best..

Bottom line: after almost 10 years (since 2005), not a single cent has been quantified as actual savings directly resulting from SBR, and yet, without any review, another $1.2 billion is planned to be wasted..

If the current Government were actually interested in reducing waste, it would start by looking inside the Treasurer's own department..

Litmus Test
1. Google "Standard Business Reporting" or SBR and look for any independent support, i.e. not from a government department.
2. Look for any expenditure reporting and quantified savings for this program.
3. Look for any factual basis for the "potential" savings of $800 million, anywhere.
4. Look for a comparison of SBR with the existing ELS and other existing electronic lodgement programs.
5. Look for any accountable "person", political or otherwise.

This is a "Yes Minister" program, worthy of its own episode.


-- Links and additional information.
1. Extract of email to Joe Hockey, April 2015.
To: Joe Hockey
Treasurer
CC: Chris.Bowen, Wayne Swan, Emily Devine (SBR)

Dear Joe Hockey,

Within your department there is a planned expenditure which is seriously flawed in both design and implementation. This program is a legacy from the previous Government, but has the potential to exceed the likes of the "Pink Batts" and "School Sheds" programs.

 ...
I don't get involved in politics; I am part of the silent majority..
       But wasting $1.7 billion to get a return of less than a cup of coffee is just too much to sit by and let happen.

...
Australian software developers are one of the few areas where Australia does better than anyone else in the world today, and most likely into the future; it has the potential to replace the old-world jobs rapidly disappearing in Australia..
But all of this is in jeopardy, in the same manner as poor government decisions destroyed the "home insulation" industry (zero jobs today), and it looks like the same with the solar industry.."
-- end snip


2. The objective of the SBR Program in Australia is to reduce the cost of reporting for business by A$800 million over six years at a cost of A$320 million over the same period.[5]

In October 2005 the Australian government commissioned the "Task force on Reducing Regulatory Burdens on Business," known as the Banks Review. Recommendation 6.3 called for the development and adoption of a business reporting standard, which became "Standard Business Reporting."

The SBR strategic plan was approved with a Commonwealth commitment of $243 million over four years.
On 3 July 2008 COAG endorsed Standard Business Reporting as one of nine additions to the regulation reform agenda (COAG Communique, 2008).

The business case developed by the Australian Treasury estimates that the average costs of implementing SBR by businesses will be $403 per business.

3. The costs associated with the implementation of the SuperStream measures will be collected as part of the superannuation industry levies.
The levies will recover the full cost of the implementation of SuperStream reforms and will be imposed as a temporary levy on APRA-regulated superannuation funds from 2012-13 to 2017-18 inclusive.
The amount of levy payable is subject to the Minister’s determination.
The costs associated with the implementation of the SuperStream reforms are $121.5 million in 2012-13, $111.1 million in 2013-14, $83.1 million in 2014-15, $69.3 million in 2015-16, $41.2 million in 2016-17 and $40.9 million in 2017-18.

4. No SuperStream silver bullet: Bravura

5. Funds deeply unprepared for SuperStream

6. Using Tax File Numbers as the primary superannuation identifier

7. SuperStream working group: Tax File Numbers and account consolidation

8. The Tax File Number Scheme:  A Case Study of Political Assurances and Function Creep
