Dude, where (and how safe and pristine) is my hosted compensation data?

Sure, anyone observing the enterprise applications market and still naysaying the bright future of the software as a service (SaaS) on-demand deployment model and the closely related Web 2.0 technologies is in serious denial or similarly delusional. He or she would sound much like those lost souls who deny even the remote possibility of global warming and climate change, but, oops, this is not a political blog...

Anyway, recent predictions for 2008 by two ZDNet bloggers, Phil Wainewright and Dion Hinchcliffe, summarize well the reasons why these phenomena are not only here to stay, but will take even more slices out of the entire applications market pie. At this stage, I am still reluctant to believe that these advancements will render the traditional on-premise integrated (packaged) applications deployment model completely obsolete any time soon.

In fact, just as I pointed out some ongoing drawbacks of SaaS applications in my recent series of articles, many comments on these two blog posts raise similar lingering SaaS concerns. Most notably, there is still discomfort among some users about the security and integrity of their hosted data, and about what these SaaS vendors (and their hosting providers) can do to be more secure and compliant.

Further, in some malfeasance-prone areas like managing sales and partner/channel compensation data, there is a pressing need to ensure higher levels of security and process controls for the purpose of Sarbanes-Oxley Act (SOX) compliance. For that reason, most publicly traded companies and other large-scale enterprises initially rejected the idea of SaaS, because they thought they needed to take greater responsibility for their own SOX compliance.

This brings us to the realm of on-demand sales performance management (SPM) and enterprise incentive management (EIM), which has been one of the areas with significant uptake of SaaS deployments. Indeed, companies of all sizes increasingly use on-demand packages for sales compensation and other incentive management, to accurately and strategically model and forecast commission/incentive costs and benefits, calculate commission and bonus earnings, and gain real-time visibility into employees' performance metrics.

These trends have prompted TEC to recently publish the pertinent up-and-coming Incentive and Compensation Management Evaluation Center.

On the other hand, the security and integrity of such remotely held sensitive data and processes has been in the back of every executive's mind and a cause of serious anxiety. Compliance analysts keep telling Chief Compliance Officers, Chief Financial Officers (CFOs) and Vice Presidents (VPs) of Finance that SaaS solutions are affordable, safe and effective alternatives to traditional on-premise software, but only to the extent that their service providers (vendors) have the necessary controls and audits in place. It is relatively easy to say "Sure, we can do this and that to protect your data", but it is another thing entirely to have those process controls documented, practiced consistently and audited.

Enter Centive, the Burlington, Massachusetts, United States (US)-based provider of on-demand SPM solutions. More than 100 user companies with nearly 16,000 total individual subscribers currently use Centive Compel [evaluate this product], a salesforce.com AppExchange certified solution and a winner of multiple software press/media awards.

Good news is likely to keep coming from Centive in light of its ongoing quarterly product releases, such as Winter 2008. The gist of the latest enhancements is interactive dashboard analytics, which graphically present multi-dimensional, interactive earnings and performance data to help sales representatives and their managers better monitor and measure individual and team performance.

The Winter 2008 release of Compel also features enhanced reporting (dynamic reporting to analyze revenue and commission spend across any transaction or dimension attribute, such as customer, product, territory and region), enhanced document distribution and acceptance workflow, personal multi-currency management (enables local currency views for all sales reps and managers while providing corporate reporting in any relevant currency), and deeper application programming interface (API)-level integration with Salesforce.com [evaluate this product]. Last but not least, a sales commission cost analysis tool can detail the credit distribution and exact commission cost of every sales event, including commissions paid across all plans at all levels of the organization.

Prior to that, the Summer 2007 release of Compel featured enhanced custom reporting capability by adding calculated fields to reports on the fly, with full charting and graphing capabilities. The release also added support for Adobe Flex 2.0 forms and introduced a fully auditable and integrated crediting suite to provide crediting on combinations of dimensions, such as territory and product (with support for direct credit, split credit, team credit, rollup credit, etc.).

Also of note is the mid-2007 partnership with ADP, whereby Centive became a new original equipment manufacturer (OEM) partner for ADP. What that means is that ADP's National Account Services (NAS) division has been selling Centive Compel as the privately branded ADP Automated Incentive Compensation Management, a natural extension of ADP's business. With $7.8 billion in revenue in 2006 and about 600,000 customers worldwide, ADP is one of the first in the human resource management system (HRMS) and payroll industry to offer this SPM solution as part of a full suite of on-demand HRMS offerings [evaluate the ADP Enterprise HRMS product].

Other related ADP on-demand services, bolstered in part by the 2006 acquisition of Employease, include management of payroll and HR systems; benefits administration; time and labor management; and administration of Consolidated Omnibus Budget Reconciliation Act (COBRA) and Flexible Spending Accounts (FSA). Both ADP and the former Employease have been on-demand pioneers with plenty of savvy, which should bode well for "mashing up" with Centive's SPM solution. Further, ADP's NAS division serves customers with over 1,000 employees, which should mean a much larger inflow of subscribers for Centive down the track (currently, the average number of subscribers per customer for Centive is about 150 or so).

However, the news most related to our topic du jour is the January 7, 2008 announcement by Centive that it has successfully completed an American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70) Type II audit by Ernst & Young. Centive is now the first and only on-demand SPM vendor to be recognized as a SAS 70 Type II service provider.

The SAS 70 Type II report is internationally recognized as the authoritative AICPA benchmark against which service providers report control activities and processes to customers and their auditors. The Type II form of the SAS 70 examination is the most stringent: it includes not only the service organization's description of controls related to information technology and security processes, but also detailed testing of those controls over a minimum six-month period. This is becoming an increasingly important issue as companies strive to conform to compliance initiatives such as SOX.

A SAS 70 Type II report basically serves as a proxy for a customer's internal audit (for more on SAS 70, please see this great source). So, for example, when an XYZ Company undergoes its annual audit, the auditors will see that the company outsources some processes and stores some data off-site. They will ask for a SAS 70 Type II report from each service provider XYZ works with, and those reports will serve as a proxy for the security and integrity of the related systems.

We should, however, note that some companies have issued releases about providing a SAS 70 Type I report. This report serves no purpose for the vendor's customers, because it is not recognized by the AICPA as a proxy for an official audit. A Type I report merely says "A company has the following controls in place", but there is no audit to test those controls. For instance, Centive's fierce competitor, Xactly Corporation, issued exactly (no pun intended) such a press release back in early 2007.

Also, most SaaS vendors do provide SAS 70 Type II reports, but those reports typically come from their hosting partner (like CSC or MCI). Few vendors have put the proper controls in place and allocated the resources to undergo a six-month audit of their own internal controls. Again, that is what Centive has painstakingly done to supplement the Type II report from its hosting partner, CSC. In this market space, no other vendor currently provides a SAS 70 Type II report verifying its own internal controls. For instance, Callidus Software [evaluate this product] and Xactly provide SAS 70 Type II reports from their hosting providers only.

Centive strongly believes this will help it woo future prospects, particularly among publicly traded companies, but also among private companies that value the effort the vendor has put into ensuring it has the controls and processes in place (validated by an independent third party) to protect their sensitive data. Centive is optimistic that the audit will make a difference in about half or more of the deals the company hopes to close in 2008.

On the down side, however, the hefty investments by Centive, mentioned above, in product development and the SAS 70 Type II audit will only postpone the break-even point at which the company should finally reach profitability. Also, I am not sure whether these moves can address Centive's need for more international expansion. For more on Centive's challenges, see TEC's earlier series of articles on the vendor.

Hence, dear readers, do you feel comfortable enough to turn to on-demand solutions, and, in your vendor selections, do you believe the SAS 70 Type II compliance audit and safeguards should impact the success or failure of your SOX compliance efforts?

Do you feel now that SaaS companies like Centive are able to offer the security and process controls needed to fully support SOX compliance initiatives for their customers? Do you also think Centive's sizable investment to leapfrog (or separate itself from) competitors was worthwhile?