By Eric Mersch
In our engagements at FLG Partners, we often encounter situations in which companies default to systems to try to improve their business processes. Unfortunately, this approach can give a management team a false sense of security and almost always results in performance below expectations. At FLG, we typically find that process gaps are underestimated by company teams and that system gaps tend to be overestimated. For example, a “system-first” response can lead to what is referred to as “SaaS Sprawl,” a situation in which your company can spend tens of thousands of dollars monthly for under-utilized apps and software solutions.
This problem initially arose with the introduction of point SaaS solutions, which are applications that address a single process or step, paid for by small monthly fees with easy onboarding. Often, employees can purchase subscriptions to these point solutions on a corporate or personal credit card with little oversight. The monthly expenses generated are typically too small to trigger purchase order controls. In Accounting, these charges are easily overlooked because the SaaS vendor is often misclassified as a non-technology expense. The result is “SaaS Sprawl.”
At FLG, we refer to this situation more formally as Distributed Systems Risk (DSR). Companies exposed to such risk incur higher financial costs, both hard and soft, and increased regulatory and compliance liabilities. In this article, we break down the costs and risks of SaaS Sprawl and provide guidance for managing your systems department as a CFO.
ASSESSING THE RISKS OF SAAS SPRAWL
System Administrator Risks
One issue contributing to distributed systems risk is the lack of a defined System Administrator.
Today, according to Blissfully’s “SaaS Explosion creates SaaS Chaos” SMB SaaS Trends Report, an average of 14% of employees serve as a SaaS Subscription System Administrator for their organization. This situation presents several challenges. Often, these employees are a single point of failure for these apps, creating disruption risk. Your IT department may not even be aware of these point SaaS systems and so neglects to invest in proper maintenance and upgrades. And, if the System Administrator resigns, a SaaS solution may lose relevance even if they are replaced with another staff member. Inadequate acquisition processes, poor systems management and employee turnover create potentially significant risks.
In a very prominent example, Marketo forgot to renew its domain registration. On July 26, 2017, Marketo’s domain registration expired, shutting down the company’s app. An alert domain name specialist, Travis Prebble, noticed the issue and purchased the domain name, informing the company with a tweet that read, “I renewed your domain @Marketo. Hopefully things will be back up soon.” Hours later, Marketo purchased their domain name from Travis, resolved the DNS issues and restored service. CEO Steve Lucas later tweeted “We identified process errors with auto renewals as well as human errors.” Marketo clearly did not have a domain name audit process and suffered reputational damage as a result.
Integration & Compatibility Risks
Many SaaS systems are also under-utilized due to lack of integration and enablement with other legacy systems. Even under the best of situations, system integration is challenging. Technical connectivity issues and lack of user adoption top the issues that frustrate CFOs in systems implementations. So, when employees purchase point solutions without oversight, integration problems compound to create headaches for the company. Every SaaS application contains unique programming and employs different API protocols. So, the purchased software may not be designed to integrate as the purchaser expects. Integration issues may require a more advanced skillset than a purchaser’s IT team has. As a result, they may not realize the software’s full potential. And employees may quickly abandon the app even as the company continues to pay for it.
A perfect example comes from a big data company that implemented a contract management system with premium features that allowed integration with its CRM. The system allowed contract details to sync between the two systems, providing instant access to contracts and preventing two people from entering the same information. Unfortunately, the paralegal who purchased the system on her personal card could not configure the system properly. As a result, sales continued to enter data into the CRM while the paralegal performed the exact same work in the contracts database. Compounding matters, sales had to email Legal to get copies of contracts in PDF form, creating even more manual workload.
Historically, a company’s accounting system served as the sole source of truth. Despite the massive data generated by operations, the financials provided the final word on business performance. SaaS sprawl, however, combined with the staggering amount of data generated by today’s businesses, can distort this sole “source of truth.” Business performance data resides in a wide variety of systems and, when viewed in different contexts, is often open to subjective interpretation. This situation creates misalignment among executives who rely upon disparate data sets. Interestingly, this issue often arises because SaaS apps usually provide unique insights into the company’s performance in near-real time, whereas financials are typically published on the 3rd business day of the following month (or much later in some cases). It’s the age-old tradeoff between accuracy and timeliness. One certainly cannot blame executives and managers for wanting more real-time data.
One example of this information asymmetry comes from a pure services company. The COO’s dashboard showed an average services sell-through (revenue) rate of $175 per hour and a breakeven direct cost of $120 per hour. This implied a 34% gross profit margin, which is very respectable for a services operation. However, the accounting system showed that the actual profit margin on professional services was far lower. What accounted for the difference? Budget overruns due to prolonged implementation periods for clients and an increased need for follow-up visits. Further, the breakeven cost did not account for the team’s capacity underutilization. We provided the management team with an improved process to reconcile their reporting discrepancies, implemented the new process, and gained better management alignment via the new reporting mechanisms.
Data Privacy Leaks
Distributed systems may hold information that is sensitive to a company or, worse, related to Personally Identifiable Information (PII), which refers to any data that could potentially identify a specific individual. Employees with access to such systems may not understand the importance of the data they transfer to and from the systems. The SaaS vendor may not know to isolate the data to a specific virtual instance or to restrict the information geographically. Many SaaS vendors run their apps on multiple cloud providers – thus many companies may not be fully apprised of who stores their data. In this confusing situation, the security of a company’s data can be at high risk.
There is no shortage of regulations that govern the storage and use of PII. On May 25th of this year, the European Union’s General Data Protection Regulation (GDPR) requires companies to restrict EU customer information to the EU’s borders. In November 2018, Oregon Senator Ron Wyden introduced the so-called Consumer Data Protection Act that would require large companies to report on their PII protection methods and require jail time and fees for non-compliance. The risk and consequences of data privacy leaks have never been higher.
Data Security Breaches
Distributed system acquisition prevents a company from exercising control over connectivity. Without proper control and management, the SaaS vendor may not know a company’s specific need for regulated access. Additionally, without visibility, the client team may not have the opportunity to evaluate the vendor’s third-party providers. The app may meet security standards, but the hosted solution the vendor uses may not.
A recent example of this relates to the increasing demand for Encryption at Rest, or “EAR,” which refers to the encryption of data inside the virtual environment. The typical standard among SaaS providers is the encryption of information flowing into and out of the cloud. However, most vendors have not deployed EAR even though cloud providers offer enabling tools. Companies should ensure that their SaaS app vendors all offer this protective feature.
Impact on Manual Workloads
It is an unwritten rule that data contained in separate systems will never reconcile. Commercial contract systems will show different terms than the same customer opportunity in a CRM, which in turn will show recurring revenue that differs from what appears in revenue recognition and invoicing tools. Project management apps track project completion, but manual interpretation and adjustments mean that accounting data will not reconcile. Various marketing applications inhibit proper attribution, making ROI analysis nearly impossible. Such disparate data increases the need for employees to manually compile data for accounting and business intelligence. CFOs should check to see how much manual compilation is required for the month-end close (or alternatively, if you are a SaaS vendor, check to see how long it takes your FP&A/Business Intelligence team to compile cohort reports).
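The three-way mismatch described above (contract system vs. CRM vs. invoicing) can be turned into an exception list rather than a manual line-by-line comparison. The following is an added example written for this article, not FLG’s or any vendor’s code; the three exports, the customer ids and the MRR figures are constructed sample data, and the function names are this example’s own.

```python
"""Reconcile recurring revenue per customer across three systems.

Added example, not FLG's or any vendor's code. The contract system, the
CRM and the invoicing tool each hold a monthly recurring revenue (MRR)
figure per customer; this script joins them by customer id and reports
every customer whose figures disagree, or who exists in one system but
not another, so the month-end close starts from an exception list.
"""

# Constructed sample exports: customer_id -> monthly recurring revenue
CONTRACTS = {"C001": 1000.00, "C002": 2500.00, "C003": 800.00, "C004": 1200.00}
CRM       = {"C001": 1000.00, "C002": 2500.00, "C003": 950.00, "C005": 600.00}
INVOICING = {"C001": 1000.00, "C002": 2400.00, "C003": 800.00, "C004": 1200.00}

SOURCES = {"contracts": CONTRACTS, "crm": CRM, "invoicing": INVOICING}


def reconcile(sources, tolerance=0.01):
    """Return a list of exceptions, one per customer with a discrepancy.

    Each exception records the customer id, the value seen in every source
    (None when the customer is absent there) and a short reason. Customers
    whose figures agree within `tolerance` are not reported.
    """
    customers = set()
    for data in sources.values():
        customers |= data.keys()
    exceptions = []
    for cid in sorted(customers):
        values = {name: data.get(cid) for name, data in sources.items()}
        missing = [name for name, v in values.items() if v is None]
        present = [v for v in values.values() if v is not None]
        if missing:
            reason = "missing in " + ", ".join(missing)
        elif max(present) - min(present) > tolerance:
            reason = "amount mismatch"
        else:
            continue  # all three systems agree; nothing to review
        exceptions.append({"customer": cid, "values": values, "reason": reason})
    return exceptions


def summarize(exceptions, sources):
    """Count exceptions and the MRR at stake (largest figure per flagged customer)."""
    checked = set().union(*[data.keys() for data in sources.values()])
    at_stake = sum(max(v for v in e["values"].values() if v is not None)
                   for e in exceptions)
    return {"customers_checked": len(checked),
            "exceptions": len(exceptions),
            "mrr_at_stake": round(at_stake, 2)}


if __name__ == "__main__":
    found = reconcile(SOURCES)
    for e in found:
        print(f"{e['customer']}: {e['reason']}  {e['values']}")
    print(summarize(found, SOURCES))
```

The exception list is the control: a customer that is missing from invoicing is potentially unbilled revenue, one missing from the contract system is revenue with no legal basis, and an amount mismatch points at a pricing change that reached one system but not the others.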
One relevant example comes from an enterprise software company with a large professional services component. In accordance with GAAP, the company recognized subscription revenue upon completion of projects. Completion was triggered when the head of professional services marked a project as closed. However, this process was not followed consistently; several projects remained active in case follow up visits were necessary. As a result, hundreds of projects were shown to be in process. Instead of attempting to resolve the process issues, the Controller painstakingly evaluated each one of hundreds of projects to determine completion. This process took over 40 hours and delayed the accounting close. After identifying the relevant process issue, our team implemented training for the professional services and accounting teams at the client to ensure they followed outlined procedures and led a project to automate reporting from their project management system.
Accounting Restatement Risk
This risk is a function of information asymmetry and manual workload. As a rule, the greater the dispersion of data and manual workload required, the higher the risk of restatement. If you need data from outside your accounting system to compile your financial reports, assess your risk of reporting inaccurate information and worse, missing revenue or expense data. Further, manual work always provides opportunity for mistakes. If you have team members manually compiling data and making subjective decisions before making journal entries, then investigate your process closely.
An interesting example comes from a former colleague and friend who served as CFO of a publicly-listed subscription company. Following the acquisition of a smaller company, the CFO took ownership of the accounting systems integration. Unfortunately, the target company used a workaround that allowed customers to cancel service without routing the information through their payments processing system. During the acquisition transition, the email address used for cancelling accounts was switched to an email address monitored by the acquiring company’s IT organization, which did not know what to do with the emails. After 18 months of booking revenue from accounts that had been cancelled, the CFO had no choice except to restate revenue and their mistake, unfortunately, cost them their jobs.
MITIGATING THE RISKS OF “SAAS SPRAWL”
In order to reduce and mitigate the risks of SaaS sprawl, our recommendation at FLG is to focus first on fine-tuning your business processes and secondly on your systems. Identify and refine your internal processes and train your people on them. Then, choose the right systems to help automate your processes.
Improve Your Accounting Controls
The Purchase Order Process (POP) is the most cost-effective way in which to combat unauthorized SaaS sprawl. So, if you don’t have one, implement one ASAP. Even if you have a POP already in place, make sure that you schedule routine team training to ensure compliance. Then, once you’ve solidified your purchase order process, move forward with your selection of a purchase order system.
Close attention to the employee expense process will prevent small SaaS purchases. Most likely, you are using an expense reimbursement system. However, all employees can incur company expenses and, therefore, all have access to the system. Screening occurs after the fact, so the purchase will have already been made by the time your Accounting team sees it. Even then, your team may not recognize the expense as a SaaS subscription. Again, employee training is your best defense here.
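Because screening happens after the fact and the Accounting team may not recognize a charge as a subscription, it helps to scan the card and expense feed for the pattern a point SaaS solution leaves behind: the same merchant, a similar amount, month after month, each charge below the purchase order threshold. The following is an added example written for this article, not FLG’s code; the transactions, cardholders, merchants and GL accounts are constructed, and the $1,000 PO threshold is an assumption to be replaced with your own policy.

```python
"""Flag likely SaaS subscriptions hiding in employee expense / card data.

Added example, not FLG's code. Heuristic: the same merchant charging a
similar amount at roughly monthly intervals three or more times, each
charge below the purchase-order threshold, is a subscription that slipped
past the PO process and deserves a second look.
"""
from collections import defaultdict
from statistics import median
from datetime import date

PO_THRESHOLD = 1000.00  # assumed PO trigger amount; substitute your own policy

# Constructed sample transactions: (date, cardholder, merchant, amount, GL account)
TRANSACTIONS = [
    (date(2018, 8, 3),   "j.doe",   "NOTELY SOFTWARE",  29.00, "Office Supplies"),
    (date(2018, 9, 3),   "j.doe",   "NOTELY SOFTWARE",  29.00, "Office Supplies"),
    (date(2018, 10, 4),  "j.doe",   "NOTELY SOFTWARE",  29.00, "Office Supplies"),
    (date(2018, 11, 3),  "j.doe",   "NOTELY SOFTWARE",  31.00, "Office Supplies"),
    (date(2018, 9, 12),  "a.smith", "CLOUDSIGN INC",   240.00, "Legal"),
    (date(2018, 10, 12), "a.smith", "CLOUDSIGN INC",   240.00, "Legal"),
    (date(2018, 11, 12), "a.smith", "CLOUDSIGN INC",   240.00, "Legal"),
    (date(2018, 9, 20),  "a.smith", "AIRLINE CO",      512.40, "Travel"),
    (date(2018, 10, 1),  "b.lee",   "HOTEL XYZ",       340.00, "Travel"),
    (date(2018, 11, 5),  "b.lee",   "HOTEL XYZ",       340.00, "Travel"),
]


def monthly_gaps(dates):
    """True if every pair of consecutive charges is 25 to 35 days apart."""
    ds = sorted(dates)
    return all(25 <= (b - a).days <= 35 for a, b in zip(ds, ds[1:]))


def find_recurring_charges(transactions, min_occurrences=3, tolerance=0.15,
                           po_threshold=PO_THRESHOLD):
    """Group charges by cardholder and merchant and return likely subscriptions.

    Each finding carries the merchant, cardholder, number of charges, median
    amount, the GL accounts the charges were coded to, and an annualized
    cost estimate. A group qualifies when it has at least `min_occurrences`
    charges, every amount lies within `tolerance` of the median, the median
    is below the PO threshold, and the charges recur at monthly intervals.
    """
    groups = defaultdict(list)
    for d, holder, merchant, amount, gl in transactions:
        groups[(holder, merchant)].append((d, amount, gl))

    findings = []
    for (holder, merchant), rows in groups.items():
        if len(rows) < min_occurrences:
            continue
        amounts = [a for _, a, _ in rows]
        med = median(amounts)
        if med >= po_threshold:
            continue  # large enough that the PO process should already catch it
        if not all(abs(a - med) <= tolerance * med for a in amounts):
            continue
        if not monthly_gaps([d for d, _, _ in rows]):
            continue
        findings.append({
            "cardholder": holder,
            "merchant": merchant,
            "charges": len(rows),
            "median_amount": med,
            "gl_accounts": sorted({gl for _, _, gl in rows}),
            "annualized": round(med * 12, 2),
        })
    # Largest annual spend first, so the review starts where the money is
    return sorted(findings, key=lambda f: -f["annualized"])


if __name__ == "__main__":
    for f in find_recurring_charges(TRANSACTIONS):
        print(f"{f['merchant']:<18} {f['cardholder']:<8} {f['charges']}x "
              f"~${f['median_amount']:.2f}/mo coded to {', '.join(f['gl_accounts'])} "
              f"(~${f['annualized']:.2f}/yr)")
```

Note what the GL account column does: a subscription coded to “Office Supplies” or “Legal” is exactly the misclassification described earlier, and surfacing it alongside the recurrence pattern gives the Accounting team the evidence they need to reclassify the charge and route the vendor into the purchase order process.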
On the systems side, we find Virtual Credit Cards (VCNs) extremely valuable. An accounting organization can issue VCNs with a customized dollar limit and expiration date. There are a lot of use cases. Employees can use VCNs customized for a specific trip or event to ensure the expenses remain within the budget. Marketing can use a VCN to fund lead generation and ensure that spending remains within a monthly dollar limit. IT can use VCNs to purchase specific software apps, with each app tied to its own VCN. This is a good practice for apps with a fixed or variable pricing structure.
“Verticalize” Your IT Organization
In the past, a company’s IT organization served all departments. So, it made sense to structure it as a horizontal group with highly skilled hardware, software and network technicians. Today’s SaaS sprawl requires deeper IT knowledge of individual business units and of the software they use. Each department should have primary and secondary systems administrators – a dedicated person backed up by a fellow IT team member with some cross-training on those systems.
Each new software application purchase request should be vetted by the primary system administrator for the respective department. Applications that impact multiple departments will require broader review by the IT, legal and finance departments. This process provides operating departments with a streamlined approach to acquiring the software they need to do their jobs while ensuring that the CFO can exercise control over the fiscal, legal and technical complexities of the specific purchase.
Empower your system administrators with the knowledge and skillset to evaluate the privacy and security risks posed by the apps for which they are responsible. Incorporate your director of security into the system evaluation process. When fully trained on managing such risks, empower system administrators to seek out system solutions.
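The primary/secondary administrator model above only works if someone periodically checks the application register against it, along with the renewal dates (the Marketo lesson), the PII and encryption-at-rest questions, and whether security reviewed the app at all. The following audit is an added example written for this article, not FLG’s code. It assumes the company keeps one record per SaaS app with the fields shown and receives a list of departed employees from HR; the apps, people, dates and field names are all constructed for the example.

```python
"""Audit a SaaS application register for distributed-systems risk.

Added example, not FLG's code. Assumes one record per SaaS app (owning
department, primary and secondary administrator, renewal date, whether it
holds PII, whether the vendor encrypts data at rest, whether security
reviewed it) plus an HR feed of departed employees. Returns findings a CFO
or IT lead can act on: single points of failure, administrators who have
left, renewals about to lapse, and PII held without encryption at rest or
without a security review.
"""
from datetime import date, timedelta

# Constructed register; the field names are this example's own convention
REGISTER = [
    {"app": "CloudSign", "department": "Legal", "primary_admin": "p.jones",
     "secondary_admin": None, "renewal_date": date(2018, 12, 10),
     "holds_pii": True, "encrypts_at_rest": False, "security_reviewed": False},
    {"app": "LeadMagnet", "department": "Marketing", "primary_admin": "m.chen",
     "secondary_admin": "r.ortiz", "renewal_date": date(2019, 6, 1),
     "holds_pii": True, "encrypts_at_rest": True, "security_reviewed": True},
    {"app": "ProjTrack", "department": "Services", "primary_admin": "k.patel",
     "secondary_admin": "s.kim", "renewal_date": date(2018, 11, 28),
     "holds_pii": False, "encrypts_at_rest": True, "security_reviewed": True},
]
DEPARTED = {"k.patel"}          # constructed HR feed of former employees
AS_OF = date(2018, 11, 20)      # constructed audit date


def audit_register(register, departed, as_of, renewal_window_days=30):
    """Return (app, severity, finding) tuples, highest severity first."""
    findings = []
    horizon = as_of + timedelta(days=renewal_window_days)
    for rec in register:
        app = rec["app"]
        # Administrator coverage: turnover and single points of failure
        if rec["primary_admin"] in departed:
            findings.append((app, "high",
                             f"primary admin {rec['primary_admin']} has left; reassign"))
        if rec["secondary_admin"] is None:
            findings.append((app, "medium", "no secondary admin: single point of failure"))
        elif rec["secondary_admin"] in departed:
            findings.append((app, "medium",
                             f"secondary admin {rec['secondary_admin']} has left"))
        # Renewal audit: anything due inside the window, overdue rated high
        if rec["renewal_date"] <= horizon:
            days = (rec["renewal_date"] - as_of).days
            findings.append((app, "high" if days < 0 else "medium",
                             f"renewal due in {days} days ({rec['renewal_date']})"))
        # Data protection: PII without encryption at rest or without review
        if rec["holds_pii"]:
            if not rec["encrypts_at_rest"]:
                findings.append((app, "high",
                                 "holds PII but vendor has no encryption at rest"))
            if not rec["security_reviewed"]:
                findings.append((app, "medium",
                                 "holds PII and was never security-reviewed"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


if __name__ == "__main__":
    for app, severity, text in audit_register(REGISTER, DEPARTED, AS_OF):
        print(f"[{severity:<6}] {app:<12} {text}")
```

Run on a schedule (monthly is enough for most companies), with the departed-employee set refreshed from HR each time, this is the audit process whose absence the Marketo incident illustrates; the register itself is also the natural place for the primary administrator to record the vetting outcome for each new purchase request.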
During my time on active duty in the US Navy, we conducted training constantly. “Safety, training, and fun,” in that order, was our mantra. As a civilian, I believe in the importance of implementing training in business organizations. Doing so will allow you to close process gaps before you need to purchase systems. And, when you do purchase apps to close system gaps, training will help you get the most value out of your systems. Combining effective staff training with a strict system of internal controls will ensure that you minimize the many risks associated with today’s SaaS sprawl.
Kieren McCarthy, “Marketing giant Marketo forgets to renew domain name. Hilarity ensues,” The Register, July 26, 2017.
Brian Barrett, “Security Roundup: New Legislation Champions a Radical Future for US Data Privacy,” Wired, November 3, 2018.