Case Study: Unix brings sanity to an accounting services firm

The purpose of this article is to examine the long-term effects of the Unix vs. Windows decision with respect to the business needs of a hypothetical medium-size auditing and related services firm.

Like virtually all of its competitors, the firm has a very complex IT architecture, built around the people and management methods that go with:

Microsoft PC servers Microsoft PC desktops Microsoft PC laptops Microsoft PC palmtops Cisco networking gear and Nokia (or similar) cell phones and other instant-messaging gear, such as RIM's Blackberry.

Development of this overall structure has generally been a reactive, ad-hoc kind of process. Certainly no one at the firm sat down a few years ago and consciously planned an explosion in server populations, telecom services bills, laptop thefts, IT staffing, drive-by hackings, Microsoft Enterprise Licensing 6.0 or the effects that wireless-access demand would have on switching-based PC networks.

And in this corner, Unix

The Unix decision will mean replacing almost all of this -- including many of the people now working in systems support -- with open-source ideas and the people and gear that go along with them.

Specifically, a Unix decision made now would mean aiming at a spring 2005 architecture in which:

* Processing takes place on centralized Unix servers

* All desktops have smart displays

* Most of the firm's home-users have adopted Linux

* All the handheld gear has been replaced with playphones

* All the network switches are gone

* The firm has evolved, tested and implemented an audit appliance

Some of these terms will be new to most people. First, what's a playphone? Well, it's my name for the kind of converged GameBoy/cell-phone/PDA we're just starting to see now.

For example, the playphone pictured above is made by Motorola, runs Linux and is described as:

The A760 handset, Motorola's initial Linux/Java handset offering, combines the functions of a mobile phone, PDA, digital camera, video player, MP3 player, speakerphone, messaging, Internet access, and Bluetooth wireless technology. Motorola says they will initially launch the A760 in Asia in 2003. MontaVista Software supplied its embedded Linux OS.

This thing runs Linux, and that opens up a range of possibilities for things you can do with it, from using it as part of an identification system to having it run your personal Web server.

For senior-level employees, that means a single device that extends the office network to wherever they are and provides all the messaging and information-management capabilities needed to be effective outside the office.

Secondly, what's a smart display? The little black box beside the monitor here is the guts of thing. It's roughly the size of a paperback book; plug in a monitor, keyboard, and mouse, and away you go. The 15-inch SunRay LCD packs two to a briefcase, keyboards, and mice included.

Smart displays provide powerful graphics-environments fronting server-based processes. Consequently, they're so quiet and reliable that they blend into the background as things to be used instead of imposing themselves on the user as things to be managed, placated, or learned.

Third, what's an audit appliance? It's a combination of several things that cover the connectivity, authorization, data-retrieval, and security needs of an audit or related services team working out of a client's offices.

Audit appliances 101

Audit appliances don't exist... yet. To explain how one would work, let's start with current conventions and reshape them accordingly. Right now, you start a SunRay session with a Java card that uniquely identifies itself to the system. Now:

Imagine that this function is replaced with a proximity sensor that works with the playphone. If you give that phone an encrypted, higher speed IPsec TCP/IP channel back to the server and a processor that can handle the load (the Motorola A760 points the way to those), it's really a Linux-based Java-execution machine now.

Add a local network connector that can auto-negotiate an interface to the customer's network without inadvertently creating another route from that network to the Internet via the workgroup link to the firm's offices. In the longer run, Sun's Jini technology looks pretty good for this, although some fairly low-end gear from Avaya can already do almost everything needed.

Add server-based software incorporating the know-how to interrogate the databases used in client applications. Back it with serious analytical software, and the combination gives you an audit appliance: a secured workgroup in a box that auto-deploys when unpacked on site. From a hardware perspective, think of it as extending the playphone to groupware using the big screen and keyboard of the smart display. From the software perspective, think of it as a connector between the client's applications and the firm's accumulated knowledge of the processes and data structures embedded in those applications.

The Unix architecture has a very different direct-cost structure, offering both operational and capital cost-savings relative to the existing Microsoft architecture. Make the usual assumptions about transitions and the cost of retaining Microsoft concurrency, and you get a gross-cost comparison between the two environments.

Cheaper vs. smarter

It's nice to save money, but bear in mind that cheaper isn't better unless it's also smarter for your business. After all, as HP seems intent on demonstrating, you can cost-cut your way into bankruptcy while reporting increasing quarterly profits.

Operationally, the Unix architecture is more inclusive, more reliable, and more secure. For example:

* The unified communications environment increases reliability while decreasing barriers to effective use

* All of the pieces are relatively immune to the nearly daily security alerts characterizing the Microsoft environment

* The smart displays completely eliminate the desktop failures and product-churn that drag down user productivity in the Microsoft-PC environment.

These things have significant and immediate implications for the daily cost of systems-use, but the biggest benefits will come from the system's role in reshaping the way employees perceive and perform work. Although that's unpredictable at the detail level, we can probably draw some sensible generalizations from an analysis of how PC-use affected the industry in the past.

A parallel change took place in the firm's fundamental product.

Previously, the firm offered expertise and used time spent as part of a proxy for its value. After the change, audit firms including this one generally sold time.

This, too, reflected the dominance of process over outcome and contributed to the same changes in the organization. It caused the firms involved to increase the proportion of junior staff and changed the partner's role from professional decision-maker to that of a sales-manager.

If the industry pendulum swings back to focus on the numbers and thus becomes driven by outcomes, expect this to change. Competitive advantage will again flow from expertise, not billable time.

In the world of auditing, the biggest external change that's taken place in the past 30 years has been the shift in focus from "the numbers" to the processes behind those numbers. That started as a sensible response to both litigation and the complexity involved in any attempt to verify data for companies using Material Requirements Planning (MRP) and Enterprise Resource Planning (ERP) packages. As the idea took hold that junior personnel following carefully scripted procedures could construct engagements, the idea became something else entirely.

The firms involved saw the partner-to-employee ratio shift in favor of far more juniors, which indirectly changed the partner's role from judgment-based decision-maker to management- and criterion-based attester.

For example, Systrust and Webtrust are licensed AICPA/CICA attestation products that qualified personnel can deliver via Systrust or Webtrust engagements. These follow a very tight script that sets out the conditions for attestation, and they are process-driven, in terms of both how they're done and what is attested to. As such, they illustrate the basic premise behind the valuation of process over outcome in all kinds of audit-engagements. Specifically:

A Systrust engagement is based on the premise that system controls that are operating effectively enable a system to perform reliably.

This seems logical, but there are hidden assumptions that mean it usually it doesn't go far enough. In the particular case of the Systrust/Webtrust pair, the fundamental problem is that the controls assume that all major-market commercial computer-systems have roughly comparable operating characteristics -- something we know isn't true.

Consequently, Microsoft became one of the first companies to support SysTrust; you can now get both Webtrust and Systrust attestations for systems running Windows 2000 Server with SQL-Server in an e-commerce environment. The parallel I see to Enron's CFO accepting CFO Magazine's 1999 National Award for Excellence and Innovation in Financial Management may be unfortunate, but it's closely associated with what I think will happen to these two types of engagement: they'll change to focus on outcomes or fade into history.

I think that the lesson learned from Enron, Tyco, Worldcom, and too many others is that this has to happen to other forms of attestation-engagement, too. Either the audit firms go back to focusing on the numbers, or investors and bankers will devalue their sign-offs to the point of irrelevance.

If I'm right, it means that firms that go "back to the future" and provide judgment-based attestations rather than criterion-based attestations will gain significant competitive advantage over those that don't.

For the last 12-to-15 years, the Microsoft PC has defined the tools and thinking used to drive a focus on process-based auditing in the industry. In the late 1980s, people tried to build custom competitive-advantage software for this, but all of these projects more or less failed. By the mid-1990s, nearly everyone in the business was extending functionality within Microsoft Office (or Lotus Notes) to create something I think of as jobware -- software to ensure that everyone involved in standard assignments followed identical steps to dot the same i's and cross the same t's.

The medium is the massage

Marshall McLuhan, Scott McNealy's only serious competitor as king of the pithy quotables, said that in The Medium is the Massage. In this case, working within the limitations of the PC gradually changed the way the work being done was perceived and packaged. This, of course, is the tool wagging the business dog, but it's a natural consequence of working with monopoly software where you have no choice but to learn and adopt its way of doing things. Unfortunately, there's a side effect that tends to become the main event: over time, your commitment to the tool starts to dictate not just your actions, but your perceptions of the work to be done. The result is a kind of technology-specific Stockholm syndrome, where the one "right way" becomes so deeply embedded that other toolsets, implying other "right ways," are deliberately shunted aside.

It's one thing to see nails because you have a hammer, but it's something else to find yourself becoming a carpenter when you thought you were going to be a CPA. That, however, is what I believe happened to this industry and this firm. In the 1980s, the firm's employee-to-partner ratio ran about 10:1. Now it's closer to 40:1, and most juniors never become seasoned evaluators and decision-makers. Instead, they become salespeople or move out, leaving the firm and the profession much the poorer.

That's where the great potential lies for open systems in this industry. The most fundamental characteristic of Unix and open source is that there are choices. Because you have choices, you can adapt systems to the business vision rather than blindly following the lead of Microsoft and your competitors.

For example, with Linux you don't need to coerce the Openoffice.org word-processor or spreadsheet into functioning as an application front-end. That's not what they're for, and there are better choices. In all likelihood, the firm would convert all of those things to Web-based services as part of the transition. That not only saves money on maintenance, but it also makes them more secure, more accessible, more consistent and independent of changes to the underlying OS or the OpenOffice.org suite.

Of course, there are costs to this kind of transition too. Untangling those applications and rethinking work processes will cost time and money. As the firm transitions to open source, it will lose people; some people are just so committed to Microsoft they'll quit or force the firm to fire them rather than change. There'll be other problems too, but the overall costs will be minor relative to the benefits.

Those benefits start with cash savings, and some big problems that just go away. Nevertheless, the most important issues are far subtler than that.

On the cash side, the actual savings depend greatly on the skill and behavior of your staff. Put people without Unix skills in charge and you won't save a nickel; put the best available people in place, let them do their jobs without excessive second-guessing by top-level management, and you'll get better systems at about half the cost.

With the right people, much of the security problem simply goes away. Playphones can use encrypted channels; a Unix design network running smart displays doesn't need all those high-risk switches and is inherently state-of-the-art for security. There are no information-integrity issues if someone steals a playphone, a SunRay, or even an audit appliance. The session and the data are on the server, not the display. People can steal the hardware but not the client information.

With this kind of system, you can use that audit appliance to suck down customer data for analysis and be reasonably sure that it would take intentional malfeasance to put those numbers on the front page of the Wall Street Journal. That's a pretty big win for a simple technology change.

Benefits abound

From a total-cost-of-ownership (TCO) perspective, we can probably tie cost numbers to that by looking at time- and insurance-costs for remediation and palliation. The big numbers, however, are in things we can't currently quantify.

If open source enables a "back to the future" move, the result would confer industry-wide competitive advantage. It would let the firm re-invent judgment-based decision-making for attestation, thereby bringing it back for the full range of other business services for which the traditional audit is a loss-leader.

This kind of thing is unquantifiable, but it's the killer issue. The real long-term benefit open source offers the firm's partners and employees has a little bit to do with cash, quite a lot to do with security and, most fundamentally, makes work fun again by revaluing the human part of the organizational equation.

A 20:1 advantage for Unix?

Bill Vass, Sun's CIO, recently did a presentation about running Sun on Sun. He has 25,000 SunRays installed worldwide and averages one administrator for every 1,000 user desktops.

Those desktops run against servers managed by other people, but it's an order of magnitude better than the most optimistic claims offered by the Microsoft Windows community.