www.aspnews.com/analysis/analyst_cols/article.php/386631


Security Loopholes on the Open Net
By Todd Boyle
May 15, 2000

One of the economic engines powering the growth of BSPs (business service providers) into SME markets is cost savings. Printing, postage, trips to the bank, and, most of all, bookkeeping and accounting busywork are being automated out of the system.

ASPs and BSPs are developing new interfaces to extend automation. As well as B2B interfaces, which exchange purchase and sales transactions with third parties, there are new XML interfaces for A2A (application-to-application) integration between and among themselves.

These interfaces are designed to execute every type of transaction as expeditiously as possible. Each step in these business processes is coming under widespread scrutiny by web developers in each of the respective horizontal platforms. BSPs are exerting considerable will and resources to systematically mine and extract the labor and financial savings by efficient, tight integrations.

However, most BSPs do not realize the gravity or scope of the internal control risks that will emerge from this whole transaction fabric. For example, consider the case of three BSPs:

  • a purchasing website where subscribers incur Accounts Payable, for example, within some type of supply chain or vertical portal
  • a general ledger (webledger) provider who maintains accounts payable and other basic infrastructure for subscribers, and
  • a financial institution who provides payment execution among other things.

You can see that if any support technician at any of the providers could get hold of a password, they would have more power than a bank clerk would have from knowing your ATM PIN. Any auditor can, within an afternoon's work, identify dozens, and perhaps hundreds, of separate points in this architecture where a bewildering variety of players could potentially steal money.

Link the separate applications together and the scale of the control problem is multiplied. When a webledger provider also provides banking services, in effect there will be no difference between the books and the bank. When a webledger provider provides integration between subscribers' Accounts Payable (AP) and their trading partners' Accounts Receivable (AR), there will never be any differences between those systems.

This is categorically different from the internal control systems of the past. Accountants have no experience other than segregation of duties within the company. Even the decades of systems experience held by banking regulators leave them unprepared for a situation where customers would be literally helpless to detect balance fraud, because the subscribers' general ledger is automatically kept equal to the bank.

There is an intrinsic, inverse relationship between greater integration and internal control. Every point of excess labor, duplication or separation that is removed from a business process usually removes certain components of internal control, but it less often removes the associated risk.

Any webledger that doesn't have payments-grade security should not be in business. Full, payments-grade security is a baseline requirement for a general ledger, because any thief who can get into your general ledger, AR, AP or inventory accounts can convert some of it to cash.

There is far too little discussion and academic consideration of this problem among BSPs. You want efficiency, and you can save 10 million man-years every year by eliminating redundancy and duplication. To reach these savings, however, you need to develop a whole new set of internal control practices and methods. Those internal controls can be very largely automated and in any case will cost no more than 10 cents on the dollar, compared with the present brute-force, manual reconciliation and standalone ledgers. But these new controls will definitely cost money.

The Internet is so different that it requires a whole new intellectual effort. These internal control mechanisms will probably have to be achieved by yet another set of BSPs on the Internet because they span enterprises. There are a number of ways the BSPs themselves could contract for internal control services, thus segregating them completely out of their organizations. Remember this is not just a matter of TCP/IP and routers. Telcos and software companies are not going to be able to go into the XML traffic itself and apply a professional level of internal control logic. What's required is an intricate system for modelling the permissions of various parties, the presentments that have been verified via the subscribers' and reviewers' interface, etc. You need continual reviews, both detailed and aggregate totals.
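As an added illustration of the kind of control logic the preceding paragraph calls for (this is not code from the article or from any provider it mentions), the following Python script runs an independent review across the three BSP feeds described earlier: approvals from the purchasing site, and debits from the payment provider. All record sets, names and reference numbers are constructed sample values. The review checks permissions (who entered, approved and released each payment), traces each debit to a verified approval, and then compares aggregate totals so that a discrepancy surfaces even when every detail line looks plausible.

```python
"""Independent reconciliation control across a purchasing site and a bank feed.

Constructed sample data, not from the article. The record sets imitate two of the
three BSPs the article describes: an AP approval feed and a bank debit feed. A third
party (the reviewer) runs this over both feeds, which is the segregation the article
argues the BSPs themselves cannot provide.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Approval:          # from the purchasing site: who entered and who approved
    ref: str
    payee: str
    amount: Decimal
    entered_by: str
    approved_by: str


@dataclass(frozen=True)
class Debit:             # from the bank feed: what actually left the account
    ref: str
    payee: str
    amount: Decimal
    released_by: str     # user at the payment provider who released the payment


# --- constructed sample feeds (hypothetical values) ---
APPROVALS = [
    Approval("PO-1001", "Acme Paper", Decimal("1200.00"), "alice", "bob"),
    Approval("PO-1002", "Metro Freight", Decimal("450.00"), "alice", "alice"),  # self-approved
    Approval("PO-1003", "Kline Tools", Decimal("980.00"), "carol", "bob"),
]

BANK_DEBITS = [
    Debit("PO-1001", "Acme Paper", Decimal("1200.00"), "dave"),
    Debit("PO-1002", "Metro Freight", Decimal("450.00"), "dave"),
    Debit("PO-1003", "Kline Tools", Decimal("1080.00"), "bob"),   # amount altered; released by approver
    Debit("PO-9999", "Cash Out Ltd", Decimal("300.00"), "dave"),  # no approval at all
]


def review(approvals, debits):
    """Return (findings, aggregate): detail-level exceptions plus period totals."""
    findings = []
    by_ref = {a.ref: a for a in approvals}

    # Permission model: the person who enters a payable must not be its approver.
    for a in approvals:
        if a.entered_by == a.approved_by:
            findings.append((a.ref, "self-approved"))

    # Detail review: every debit must trace to an approval with the same payee and
    # amount, and the approver must not also be the one releasing the payment.
    for d in debits:
        a = by_ref.get(d.ref)
        if a is None:
            findings.append((d.ref, "debit without approval"))
            continue
        if (a.payee, a.amount) != (d.payee, d.amount):
            findings.append((d.ref, "debit differs from approval"))
        if d.released_by == a.approved_by:
            findings.append((d.ref, "approver also released payment"))

    # Aggregate review: totals must agree even if every detail line looked fine.
    approved_total = sum((a.amount for a in approvals), Decimal("0"))
    debited_total = sum((d.amount for d in debits), Decimal("0"))
    aggregate = {
        "approved_total": approved_total,
        "debited_total": debited_total,
        "difference": debited_total - approved_total,
    }
    return findings, aggregate


if __name__ == "__main__":
    found, totals = review(APPROVALS, BANK_DEBITS)
    for ref, issue in found:
        print(f"{ref}: {issue}")
    print(totals)
```

The point of keeping the reviewer's copy of the approval feed separate from the ledger is that a ledger automatically kept equal to the bank cannot detect its own tampering; the check has to be made against a record the payment path does not write to.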

Establishing a comprehensive conceptual framework for this security challenge will apparently take many years, if the present behavior of ASPs, BSPs and dot-coms is any indication.

Those of their employees who understand this problem cannot speak. They are all locked up by non-disclosures and forced by their CEOs to work on their own, or in tight partnerships. That's why the ASP Consortium and the Internet Business Services Initiative (IBSI) have been silent on these matters, since birth.

Most e-commerce sites won't contribute to a conceptual framework, much less populate it with solutions, because of a) the cost of articulating the framework; b) once built, the framework would be a roadmap for newcomers into the market; c) CEOs know their security isn't ideal and don't want to provide a roadmap for crackers; d) developers know their security skills are not up to par and don't want to discuss it, at least until their options vest; and e) the large established providers have economic incentives not to assist internal control initiatives which empower the smaller BSP and dot-com providers. They know that security failures at the dot-coms drive consumers back to closed, turnkey systems on private networks, systems which simply ignore open commerce.