Log Out

Transcript: Sherrill Hebert

June 5, 2019

MAUREEN DINGUS: Welcome to Leading Forward, the Virginia Society of CPAs' podcast where we focus on innovation, leadership and the CPA profession. I'm your host, Maureen Dingus, and I invite thought leaders for short casual conversations on topics and trends important to the success of the CPA profession. On this episode, we're talking with Sherrill Hebert, National Sales Director at Cetrom, a cloud solution and managed services provider that works with a lot of CPA firms. We're going to talk about a post busy season cloud computing checklist. Sounds like a mouthful, but Sherrill is going to guide us through that. So before we get too far into it, Sherrill, could you just tell us a little bit more about what Cetrom is and what your role is there?

SHERRILL HEBERT: Sure, thank you very much for having me. Number one, really appreciate the opportunity. Very, very shortly, very briefly, Cetrom provides custom cloud solutions focused on CPA firms. What does that mean? It means we basically build an environment specific to the firm's needs. We have nothing cookie-cutter, we build everything up from the ground up to host their numerous applications. We've been doing this for 18-plus years. We are actually located in the D.C. metro area. And today, we're actually hosting a number of firms in Virginia, as well as around the country. 

We have a lot of experience with the more — I can't say we have experience with every single accounting application out there. But definitely the major ones, we have several clients that are using the CCH application, Thomson applications, you know, Intuit applications like Lacerte, QuickBooks, CaseWare, Sage, so we think we have experience across the board. And one of the things that really separates us from the other folks out there is that we really focused on custom solutions. And we pair that with senior level engineers, supporting our clients. 

MAUREEN: Right. So it sounds like with the vast amount of firms that you've worked with, you've probably seen the best and the worst and what can happen at a CPA firm.

SHERRILL: We've had some interesting stories about, you know — one story I like to tell people is that people always quiz us on security. And then I asked them about their in-house security, and then they point to the server that's in an open closet. So there's a lot of interesting situations like that. We we don't, we don't want to be, you know, any type of God complex or anything like that. We don't know everything, what we always try to keep in mind is that we're trying to provide, you know, guidance for our clients. At the end of the day, our clients are the boss. And we're going to take constructive feedback from them, but we're trying to guide them. And you know, we've all heard this term on best practices. Some of our best practices come down to common sense. And we're really trying to just rein people in and just say, hey, what you're doing may not be the best way to do it from a security aspect, etc.

MAUREEN: Right. So I guess most of us when we've done a big project, or we emerged from like most of our members through a busy season type phase, we sit down and really think about, you know, what worked, what didn't work? What can we do next year to make this even better? And what you be proposes there are there are some questions that they need to be asking specifically about technology. So what what are those types of questions?

SHERRILL: Yeah, like I said, What we try to do is, as you mentioned, you know, when you come out of the when people come out of the haze of busy season, after they take their couple weeks have taken a breath, you know, we want them to really sit down and say, you know, what went good, what went bad, and hopefully not many things went ugly. But really, you know, how things were in regards to technology.

And we've started coming down, drilled it down to a couple of questions. Number one, and you should be asking yourself, number one, did you experience any downtime related to your it? Were you without service? That's first and foremost. Number two, did you experience any, you know, specific outages? If so, what was the cause of the source of the outage? Number three, and this is sort of a look-in-the-mirror type scenario, what could you have done better in terms of IT? You know, what can you be? What can be improved going forward? And number four, you know, do you have the correct IT resources, manpower, outsourcing, whatever that, whatever that definition is, definition is in place to ensure a smooth tax season? Those are the main questions we'd like to ask.

MAUREEN: Yeah, so I guess, you know, a lot of those lead to a cloud as maybe one of the answers that could help answer some of those questions. And, you know, there's certainly a lot of benefits to cloud computing, there are a lot of questions that are asked related around those. If our members were to work through a checklist on what might be the the elements of cloud that could help answer those questions, what would some of those be?

SHERRILL: We sort of drill it down to you know, what, and the essence of time here, we sort of drill it down to five items, that we think cloud computing, you know, sort of cloud computing, post-tax season checklist that might prepare you for future tech seasons — excuse me, busy seasons. First and foremost is security. You know, this is a this is a question you should be asked, Did your firm lose any data or suffer a malware attack during the tax season? And sadly, these scenarios are more common than people think, you know. First and foremost, you know, it's important to review your security measures regularly, whether it's busy season or not, you know, come down to, are you safe? And more importantly, are your users on the same page as you are? Are they? Are they following the suggestive trainings and guidelines? Because the weakest link is usually the individual user that's really introducing stuff into the environment. That's first and foremost.

MAUREEN: I'm just curious about what what you're seeing in in firms as it relates to security as far as oversight. Who is driving that ship?

SHERRILL: That is a great question. Regards to internally, you know, it really depends on the size of the firm. You know, some firms are large enough that they have a what we call a chief technical officer. Either it's a CTO or an operations person or something, that's some of the sort of in charge of the IT strategy. So that's used on a larger firm, I would say, just to give you an idea, firms that are over 50 people, staff-wise, usually have someone in that role. But a lot of firms that we're dealing with do not have that role. So they're really they're really relying on someone like ourselves, or a third party, we've all heard the, you know, the K2 folks, Randy Johnston, so some people rely on these outside resources.

MAUREEN: Right, right. So it's a variety of a variety of resources. But it does sound like that, internally, there has to be a consensus around policy and performance and adherence to those policies.

SHERRILL: Exactly. That that's key. And like said, whether the firm is where the firm is 1010 people and maybe one or the maybe the office manager-slash-HR person, maybe that's his or her role. And maybe it's the role of one of the partners, or maybe it's the role of one of the the junior folks, but there needs to be someone that's sort of, you know, in charge that just sort of, you know, if nothing else, reminding people of what they should and should not be doing.

MAUREEN: Right. Right. Right. Okay. So check checklist, number one security, what's next? 

SHERRILL: You know, really downtime and support, you know, this really comes down to wanting decide a couple things. You know, AccountingWeb notes that approximately 10 percent of firms experience a network failure, resulting in what they what they deem as major downtime. I'm not sure what that definition means. But so, you know, one in 10, firms are experiencing this downtime. And I think, you know, honestly, I think that's a little low. But, you know, I'll go with their facts. And CPA Practice Advisor estimates that the hourly cost of this downtime is in excess of $500 per hour for every 10 employees. And that also sounds a little bit low to me. So, you know, you can quickly do the math, if your folks let alone, you know, you're talking about missed billing opportunities, but if you have folks that are sitting around idle, that's a whole nother cost associated with that.

MAUREEN: Right? So what are some of the, like, the top causes for down time?

SHERRILL: Really, what it comes down to from our standpoint is not having someone watching the ship. We sort of look at things in two different scenarios. We have what we call an on-premise IT environment — that means you have your servers in-house. Then you have an off-premise, like a hosted environment or managed service provider where your servers, etc., are not in house. So on that in-house variety, we're seeing a lot of things that are causing down time, like power outages — their power could go out in the building and their servers could go offline. That's first and foremost. Or maybe their server literally goes out. We see server failures all the time. One of the benefits of a reputable company like Cetrom is that we probably have servers go out once a week. But we have so much scale and we have so much redundancy built in that most of our users ever know that. It's seamless that we're rolling over. But if you have that on-premise server or servers and one of those servers go out, believe me, you feel that impact immediately.

MAUREEN: Yeah, absolutely. Absolutely. Okay, so what's next?

SHERRILL: Let's say that, you know, support is another aspect that's really key there, you know, not only going back to that firm, whether it's a firm of 100 people that maybe they have two IT people or a firm of 10 persons that has that, quasi-IT person, who is providing support to your users? If someone is having an issue, and of course, you know, you're going to be, you know, I can't open a file or my computer won't boot up or anything in between, you need someone that you can go to. And that's obviously a big piece. So obviously, a reputable firm like ourselves, we have 24-7 support. So as you know, just like I do, these folks are working very long hours during the season. Maybe they don't have the support in-house or out-house — out of the house, excuse me. They can call they can call and you know, have someone help them. So that's really, you know, I mean, come on, let's pair this. These folks are already working a 12-hour day, then they're having an issue. And then they don't have anybody to call that can fix their issue. That's just frustration in a nutshell, right there.

MAUREEN: It takes the stress through the roof.

SHERRILL: That's right.

MAUREEN: So what do you have next?

SHERRILL: Next thing, which we've sort of, for a topic, would be sort of the data capacity. Two pieces of data capacity. Number one is those servers that we talked about, do you have enough resources to run all of your applications, and this world of everything else on the iPhone, and every everything, we want everything so fast. Now, let's — not to pick on CCH, but we have a lot of folks that use CCH applications. And these are big, powerful applications that need a lot of the technical term "horsepower" in the background. So if you have those physical servers and such on-site, and they don't have enough physical capacity to run those, excuse me, run those programs fast. They can be a big slowdown, or what we call lag or latency.

And another thing that sort of goes into that data capacity scenario is, you know, internet capacity, you know, so much as going back and forth. You know, whether you have a true on-prem or a true off-prem, there's so much going through the cloud today, whether you're coming with a true cloud company like ourselves, or using CCH Access, or QuickBooks Online, or whatever the program is out there. If you don't have enough internet capacity between you and — let's pick on FIOS with Verizon locally here in Virginia — you could have an issue. So we really want you know, we want these companies to sort of look at all these different aspects this time of year and say, Hey, you know, do we have enough physical capacity on the servers? Do we have enough bandwidth with our Internet providers?

MAUREEN: So you have a great program, but you just need to be able to use it. Get to it. Yeah. Yeah. So what about mobility? I see that's another thing on the checklist. What are you seeing with mobility?

SHERRILL: You know, mobility, and this is another this is a another quote from AccountingWeb — and this is what's shocking, you know, according to AccountingWeb, over half, 51 percent of accountants, do not have the ability to view, edit or update client informations remotely. In this day and age, that's a shocking figure to myself. So, you know, to say the least, if they don't have that ability to get this information remotely, this limits the flexibility of working, you know, at home or after hours, requiring the staff to spend longer days at the office. You know, I just think of this scenario, you know, if someone figures out there's something wrong with a, a tax return or a file, they have to wait till the next day. In a in a hosted environment, they have all that accessibility, whether they're at the office, whether at home, whether at Panera, whatever the scenario, so they can quickly log in, and update that information. So that having that ability to have everything at your fingertips obviously provides, you know, that that work-life balance we're all looking for and that ultimate flexibility.

MAUREEN: Right, right. So, regarding mobility, we hear that over and over from many of our members that they want to be able to work from anywhere, anytime. But they, then you have a lot of other members who have a lot of concerns about the security, and just many issues that go in into that. How do you help? Or what would be your response to some of those concerns related to mobility?

SHERRILL: Very great question in regards to mobility, and, and the security there. You know, that goes back to hopefully, they're talking to a cloud provider, you know, hopefully they're talking with a reputable cloud provider, hopefully, they're talking with a cloud provider that has a SOC 2 audit that they go through annually. And a lot of these things, AICPA and the SOC Society, you know, make sure that all these everything is being checked, they, you know, we go through this process — Cetrom does and number of our competitors do, which is great. And this is a six- to eight-month process every year. And they're looking at our data center. And they're looking at the security measures that we have the data center, they're looking at our staff, and the background checks that we do on our staff. So if especially folks in Virginia and around the world, you know, data centers are very prevalent, and if you had the ability to go tour one, you'll see all the security aspects that are in place. So that's one thing I tell people, you know, we're not only secure in the, you know, the firm of let's say, 40 people in this example, we're securing you know, 10,000 users in the Cetrom environment, under our roof. So we take, we take security very close to our hearts.

MAUREEN: Right, absolutely, absolutely. Okay, so we're down to number five on the checklist, and I have as maintenance.

SHERRILL: Yeah, like I said, maintenance of your, your, your, your IT environment, you know, this is really goes down to the resources — you know, people, outsourced resources, how much time and dedicated personnel did you have to spend on maintaining the performance of your system? Whether your on-premise hardware, your mobile devices, or your software during busy season? Keep in mind, the numerous applications updates, you know, we're seeing, you know, we have a dedicated third shift in regards to Cetrom that, you know, we're pushing updates for CCH, Thomson, Intuit products literally every day, during the business week, during tax season. So if you're not having someone like ourselves, do that, I mean, that's a lot of time and energy that someone on-site has to do. So that's, that's, that's, that's a big, it's, I call it, you know, technical term here, time suck. 

And, you know, what are you? What do you spend in time, what fires are you putting out? We all know, in any job, you come in, and you have your tasks for the day, and then you meander based on what fires you had to put out. This is IT in a nutshell. So if you have if you have an IT person or IT staff, they're just jumping from sort of issue to issue. So really look at how can we, you know, make, you know, we — I like to coin the use of the term I saw in an infomercial, you know, set it and forget it. That's our mentality and how we try our best to set up the environment. When someone comes on board with us, we do so much upfront prepping, that once you're on board, it's a set it and forget it. And then if you do have these little issues or blips, you can call us 24-7 for us to fix that. But that's one thing I want firms to look at and say, Hey, you know, how can we make things — you know, how can I work smarter, not harder? That's truly the way to look at it.

MAUREEN: So when we mentioned that there are so many types of firms that that you work with, is there anything on this checklist that might vary depending on the size of firm?

SHERRILL: As a overall topic, I don't think so. I mean, obviously, some firms are obviously much larger, and they have, you know — here's a real example, and talking about the the item we're talking about now is you know, how much dedicated people. This is a real question, a real scenario we go through with prospective clients. One right now, they're 200 people, you know, they have a staff of five people, and they're, this is not our goal, but their intention is, 'Hey, you know, we want to go to someone, like Cetrom and reduce our IT headcount by three people, right?' So they're trying to offset and saying, Hey, you know, we don't want to sound that we don't want to pay someone to reset passwords. I know, they do a lot more than that. But they don't want that, that junior-level person, they want someone like us to handle a lot of that low-level stuff. So every firm is a little bit different. And you know, I think, overall, to answer your question, I think overall, the topics are definitely applicable to everybody. But you know, obviously, the different nuances come to the different size firms.

MAUREEN: So when, if someone is intrigued by many of these things, and maybe has taken advantage of some of the cloud benefits, but wants to really explore this some more, and they're interviewing providers or, you know, checking out different options, what are some of the things that you would recommend they need to, to think about or talk with a with a potential provider? 

SHERRILL: We tell everybody sort of the same thing, you know. First and foremost, talk to references, sooner rather than later. That's one thing we want them find out, find out from their clients, you know, how things are. That's first and foremost, obviously, you know, going back to a talk about make sure  that the company you're talking to is SOC 2 certified. And that's something you know, four or five years ago, I think was five years ago, we were the first one. And now it's becoming more commonplace, thank goodness. And but we're finding out that — and I'm using my quotes in there — that we have these competitors out there that are not. That's one thing I keep asking them — I say, "Hey, who was making sure that everything they're telling you is legit?" And SOC doesn't do all that, but that's, you know, if you go through that six- or eight-month audit program every year, believe me, they're looking, they're looking. 

So look at that. Ask about their up-time history. Ask about their data centers, you know, ask about how many folks they have servicing their clients. How many clients do they have? What are the size of the clients? I mean, these are all, you know, of course, every client out there wants to talk to someone that's as close to them as possible. We're 53 people and we use CCH. We want to talk to a firm that's exactly the same as us. And we try our best and we can't check off every box, but we try to make sure we align the people that are very similar, but these are just some, some common questions. And obviously their experience. I've been with Cetrom six years, and six years ago, we're trying to explain their by what the cloud is. And now it's come full circle. Everybody thinks they know what the cloud is, but still people don't really understand. So trying to educate them, you know, what it is. What are the benefits? And how, you know, importantly, how can it benefit their firm?

MAUREEN: So once someone has selected a provider, and they're reviewing the agreement and ready to sign on, what are some of the key elements of an agreement that our CPAs need to be mindful of?

SHERRILL: Number one, what type of guarantees do they have? We have up-time, you probably heard the term SLA, service level agreement, what does the SLA say? What is the up-time, and it's always going to be 99 point, either 99 or 999 or how many nines they put in there? And what does that mean? What happens if said provider does not provide 99.99? You know, do they get do they get a rebate? Do they get a discount? You know, and what are their terms for terminating the contract? You know, we we typically have three- and five-year contracts, and we have specified terms in our contract. It says, "Hey, if Cetrom does not stand up to our side of the agreement, and it's no sudden certain terms, bam, bam, bam, I think there's 12 different things, they can get out the contract, no ifs, ands, or buts. But we have found that that's not always the case. 

So we really tell people, "Hey, look at that contract. Make sure you understand what you're signing up for." Because, you know, we have we've had several clients that come to us to tell us how bad it is with another cloud provider. And at the end of the day they say, "Well, we can't do anything, because it's going to cost us too much to get out of the contract." Really look at what the fine print says. What are you signing up for? This goes back to the common-sense stuff we talked about.

MAUREEN: What about the location of data centers? I've heard some members talk about that as a question, whether it's U.S.-based or other types of issues related to location.

SHERRILL: Well, I think in, especially in the CPA profession, I think it's a no-brainer that it should be a U.S.-based data center. That's just one thing you should be keeping in mind. You know, we have two data centers, one in Virginia, one in Colorado, so we sort of do the east-west philosophy, and regards to where they're homed. But you know, going back to your question, I think it's very important to have something in the U.S. base, because it obviously has to, that goes back to the SOC audit. And that's one thing you'll you know, some of the other, you know, Amazon, of course, everybody knows Amazon Web Services are big. And they have, last I heard, they have over 300 data centers around the USA, excuse me, around the world. And just, you know, I know if I was a CPA firm, and I had you know, confidential information, I'd be very skeptical of stuff sitting in a data center in, not to pick on China, but China, for example. So I think that is applicable. 

But I think one thing that really comes up as regards to the speed of, you know, the applications and how everything was your response. So like, in our scenario, you're never far from, you're never that far away from one of our data centers, which makes you know, the keystrokes you know, very fast back and forth. And we look at everything as we call latency, you know, how fast when you push your key, it should not be discernible to your eye. Right? You should be typing along. And there should be no lag or latency. But we do hear issues with clients say, Hey, you know, when I run engagement through my current, when I run engagement through my current provides is very slow. Right, and we don't have that situation based on where our data centers are located.

MAUREEN: All right. Well, we are going to wrap up here, I just have a couple more questions for you. So we're just broadly looking out to the business world and talking to our business leaders, what's one thing that you would want them to be thinking about in the next year, whether it's related to cloud computing or anything? What's on your mind?

SHERRILL: What's on my mind? You know, just keeping it — what's on my mind is I think technology is getting a little too far ahead. That's personally. You know, I might be a little bit older-generation. You know, so I know that with the millennials out there, we keep talking about, you know, I go to a lot of the CPA conferences in regards to, you know, they keep talking about a talent shortage, right. And as, as the father of a 17-year-old daughter, I know that that generation, everybody's buried in their phones. So for me, that sort of worries me as a dad, and as you know, where the workforce is coming up. So if that's, you know, I think people should think about, you know, how technology is really impacting them. Obviously, there's a lot of good things in technology can bring to the table, but I just think I'm just really worried about that from the social media standpoint, and just how attached everybody is to their mobile devices right now. Right. So that's just that's just stuff that's on my mind, personally. Yeah.

MAUREEN: Well, I mean, I think that is a — there's a lot to that. And as a mother of a 17-year-old, I'm with you. Maybe we can commiserate when we see each other at an upcoming conference. Well, kind of going down that, that, maybe the angle of the personal side, what what do you do for fun? What have you been reading or watching? What do you think about when you're not thinking about the cloud?

SHERRILL: Well, I'm also a big college basketball fan, I went to the other big school in Virginia. So I wasn't I was not pulling for the same team Chip [Knighton] was last night. [EDITOR'S NOTE: He's referring to the Virginia Cavaliers, who won the NCAA men's basketball championship the night before this podcast was recorded. You might have heard about it.] But I have been enjoying, I've been enjoying the bracket. 

You know, my wife and I, we're crazy nuts. And we bought an RV about three years ago. So that's, that's sort of our personal hobby. And we've actually taken our daughter on spring break next week, and we're visiting three potential colleges on our trip. So that's one thing that we really, we really like doing. And you know, we're kind of animal fanatics, we have a large bloodhound, which we love. And we have a cat, both of which were rescues. So we're big into the sort of the rescue community. And so that's some of the things that we like to do. We like to be outside as much as we can and not think about the cloud as much as I can.

MAUREEN: Not on your phone.


MAUREEN: All right, well, thank you so much. It was nice to get to know you a little bit and hear about your professional side and on all the things that you can do for for our CPAs out there and help them work better, work smarter and have a better tax season next year, hopefully. So thank you so much for hanging out with us today. I really appreciate it.

SHERRILL: No worries. I do hope people find this information useful.

MAUREEN: All right. Yeah, absolutely. So thank you, everyone, for listening to Leading Forward, please make sure that you subscribe to our podcast, tell a friend, pass the word around, and we will catch up with you soon.

SHERRILL: Thank you very much. Appreciate it.