BDO AG: Secure Access to the Internet-Treuhänder Using SuisseID

22. November 2010



Mutual trust is an important foundation for cooperation between a company and a fiduciary. This trust must be demonstrable, for example through the trustworthiness of the information systems used. To this end, BDO AG favours authentication with SuisseID for its Internet-Treuhänder (internet fiduciary). Reliable access mechanisms make clients willing to transfer their trust from a regular fiduciary to the Internet-Treuhänder. The Internet-Treuhänder is a so-called “Software as a Service” solution in which client and fiduciary work with the same system and identical data. Complex exchanges of receipts and data are no longer necessary. The joint IT platform also increases client flexibility: if an accounting employee is absent, their activities can easily be delegated to BDO.


Fiduciary Services with IT Services

BDO Ltd is one of Switzerland’s leading providers of auditing, fiduciary and consulting services. With 31 offices nationwide, the branch network is the most extensive in the sector. Thanks to this network, BDO operates near its clients and is familiar with the local conditions.
Many BDO clients are SMEs, often with fewer than 30 employees. They are usually owner-managed companies. The clients include public and non-public medium-sized companies, sole proprietorships, freelancers, private individuals, banks and financial service providers, public administrations and non-profit organisations.
The BDO vision consists in advising, accompanying and supporting its clients so that they can focus on their core competences. BDO provides high-quality auditing and consulting services for this purpose. One of the BDO services allows clients to outsource accounting fully or partially in the spirit of Business Process Outsourcing (BPO). Each client has a dedicated contact person at BDO who consults specialists if necessary, so that the client obtains all fiduciary services from a single source.
Since 1989, BDO has been a software partner of ABACUS Research AG and has specialised consulting experience in supporting companies in introducing and maintaining ABACUS ERP systems. For many years, BDO has been at the highest level of the ABACUS partnership programme. Minimum requirements for this quality level are detailed know-how regarding the entire ABACUS product family, a permanent hotline and specialists in operating systems and networks. In the context of the partnership, BDO was one of the first fiduciary companies to include the solution “AbaWebTreuhand” in its product range in 2007.
The BDO strategy calls for a constant search for ways to rationalise certain activities using IT and thus maximise client benefits. Internet technology enables innovative solutions that, in addition to rationalisation, also improve client relations.
The Internet-Treuhänder is such a service. It is based on AbaWebTreuhand and Microsoft SharePoint. AbaWebTreuhand is a product of the “ABACUS vi” series; vi stands for “Version Internet”. ABACUS vi is an ERP system developed using internet-suitable technologies such as Java. It does not require pre-installed client software. ABACUS vi stands out thanks to its scalability, its user concept and its support for “Software as a Service” (SaaS). The advantage of this SaaS capability is that no accounting system needs to be installed at the AbaWebTreuhand client. Clients therefore do not have to worry about maintenance or data protection. The client works on the BDO-operated systems via the Internet.

Presentation of business partners

Business software providers
Since 1985, ABACUS Research AG has been a provider of standard business software for SMEs. In addition to developing business software, ABACUS offers service and maintenance packages as well as training and a hotline to its clients. ABACUS business software consists of a comprehensive range of modules for various specialised areas and fields.

Realisation partner for data filing functions
MondayCoffee AG, headquartered in Adliswil in the canton of Zurich, offers the planning and realisation of comprehensive IT application systems. As consultant and general contractor, the company creates and implements customised solutions. As a Microsoft Gold Certified Partner, MondayCoffee specialises in SharePoint, Office Communications Server and Exchange.


Decision in Favour of SuisseID

In order to ensure the confidentiality of sensitive client data and to prevent unauthorised access via the Internet from the very start, BDO opted for a secure certificate for accessing AbaWebTreuhand. It chose the “Postzertifikat” by SwissSign. Since May 2010, a SuisseID can also be used.
Postzertifikat and SuisseID are both based on the X.509 standard [ITU-T Recommendation, 2005]. Both can be used for authentication and electronic signatures. SuisseID, however, can be used more universally, since many applications already exist for it and additional ones are constantly being developed. Instead of the Postzertifikat, SwissSign now exclusively offers SuisseID. New BDO clients will therefore gain access via a SuisseID. Existing clients with a Postzertifikat will have to switch to SuisseID when their Postzertifikat expires.


The Internet-Treuhänder

Business View and Process
Before the Internet-Treuhänder service existed, two types of cooperation between client and fiduciary were possible.

  • The fiduciary was in charge of financial accounting: the client entrusted the fiduciary with all documents necessary for the client's accounting, e.g. receipts and invoices.
  • The client was in charge of financial accounting: accounting data from the client's ERP system were exchanged with the fiduciary via export and import, after which the fiduciary supported the client selectively with his expert knowledge.

The solution involving the Internet-Treuhänder is now the third alternative. Its main characteristic is that client and fiduciary work on the same system, while the division of tasks between them may vary individually. The complex exchange of receipts and data, interface problems and differing ERP systems are thus completely eliminated.


Figure 1: Business scenario for a possible job sharing with the Internet-Treuhänder [according to Heck 2008]



Working on the same system has the advantage that the fiduciary can support the client better. The fiduciary can immediately see what the client has booked without first having to import data, and vice versa. Working on the same system, however, also requires that client and fiduciary coordinate their division of tasks precisely, even though the division of work can in principle become more flexible.
BDO's objective with its Internet-Treuhänder is to offer the client options that increase its flexibility. This might, for example, be a simple shift of business processes to BDO, such as booking invoices while an employee is on holiday.
The added value of such temporary outsourcing is that the IT solution enables BDO to support its clients as the expert contact point for fiduciary services during their day-to-day operations as well. To cover the various combinations of activities performed in-house and services obtained from BDO, BDO has defined functional bundles for the participants. The bundles correspond to standardised user profiles, so that each AbaWebTreuhand user is assigned the functional bundle that matches their concrete tasks. The profile “Fibu 1 (Vorerfassung)”, for example, is designed for SMEs in which one person prepares the accounts by filing receipts and preparing the initial account assignment. The BDO fiduciary verifies the preliminary entries and carries out all further accounting tasks. With the profile “Fibu 2 (FibuLight)”, clients perform all accounting tasks themselves. The BDO fiduciary supports the client in agreed partial areas wherever necessary, e.g. to ensure the two-person principle for selected tasks such as closing entries, or to cover absences. Clients with the more comprehensive “Finanzpaket 1” profile carry out their financial accounting, accounts payable and receivable as well as electronic banking themselves. The profiles are constantly adjusted to client needs. New functional bundles are compiled when there is market demand for them.
For the electronic exchange of documents, BDO uses web-based data filing based on Microsoft SharePoint in addition to AbaWebTreuhand. Small SMEs in particular use data filing, since they do not have their own server and often want to access it from various locations, e.g. at work or at home. Data filing is a component of all profiles that BDO offers its clients.
AbaWebTreuhand and data filing contain much sensitive and confidential data, such as personnel files and contracts with business partners. Client authentication with SuisseID ensures that only authorised persons can access the respective data and thus guarantees data confidentiality.

Application View
As mentioned in Chapter "Fiduciary Services with IT Services", AbaWebTreuhand is based on ABACUS vi. The ABACUS vi client is a “Rich Internet Application” (RIA) written in Java. This means that it is platform-independent and requires no separate versions for different web browsers or operating systems. The application follows a client-server architecture: the AbaWebTreuhand client is used for data entry and presentation and for user interaction. The entire application logic runs on the AbaWebTreuhand server.

Figure 2: Application view BDO Internet-Treuhänder [according to Heck 2008]



AbaWebTreuhand is a mandate-capable (i.e. multi-tenant) solution, as is the “Microsoft SharePoint” data filing. For BDO, a mandate is a self-contained unit, both organisationally and in terms of data. In mandate-capable solutions, individual clients work simultaneously on the same software and hardware infrastructure, but in fully separated data domains. Only the basic application configuration, such as the combination of modules for the various functional areas (Fibu, accounting, etc.) or the selected languages, is shared between the mandates.
In order to use the Internet-Treuhänder, a client must log in online via the BDO website www.internet-treuhaender.ch. Before logging in, he must have connected his valid, BDO-registered SuisseID to the computer. To register the client's SuisseID, BDO requires some data from it: the SuisseID number, the e-mail address and the surname and first name registered with the SuisseID. These data allow BDO to set up a user account and to authorise it for accessing the client's mandate.
The client can choose whether to log in via AbaWebTreuhand or via data filing. Login via data filing merely requires a web browser installed on the computer. AbaWebTreuhand additionally requires the Java Runtime Environment (JRE). These days, a JRE is usually already pre-installed when a computer system is purchased.
The Internet-Treuhänder platform identifies and authenticates the user via SuisseID. As with other SuisseID applications, the user is logged into the system after entering the personal SuisseID identification code (PIN) and/or password. No further data, such as a username and password, are required.
When logging in with SuisseID, a connection between the AbaWebTreuhand server and the authentication server of the ABACUS Support Center is established in the background. The authentication server verifies the validity of the SuisseID used via the Identity Provider/Claim Assertion Service (IdP/CAS) of the respective SuisseID provider. The AbaWebTreuhand user is identified thereafter [cf. Quade, 2010: p. 20]. At the same time, the authentication server assigns the pre-set profile to the client. The profile determines the scope of functions within the AbaWebTreuhand mandate (cf. Chapter "Business View and Processes").
When logging in via data filing, Microsoft SharePoint queries the BDO-internal user directory (Windows Active Directory). Windows Active Directory likewise verifies the validity of the SuisseID used via the IdP/CAS of the SuisseID provider and authorises the client according to the data filing permissions assigned in Active Directory.
From the moment of login, communication between the Internet-Treuhänder and the client is encrypted via Transport Layer Security (TLS). This allows the client to transmit even confidential data, such as employment contracts and account statements, via the Internet.
Of the SuisseID elements and functions, the Internet-Treuhänder uses only simple authentication. No additional functions or identity provider attributes are required.
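The checks the text attributes to the authentication server (certificate chains to a trusted provider PKI, is within its validity period, maps to a SuisseID registered with BDO, and receives the pre-set profile), worked through as an added example; this is not code from the case study, ABACUS or BDO. It is written against the Go standard library; the registration table, the use of the certificate serial number in place of the SuisseID number, the person names and the throw-away test CA are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registration is what BDO records per client SuisseID (field names are assumptions).
type Registration struct {
	Email, Name, Profile string
}

// Constructed registration table keyed by SuisseID number; the certificate serial
// number stands in for the SuisseID number here (an assumption for the example).
var registrations = map[string]Registration{
	"1001": {Email: "anna.muster@example.ch", Name: "Anna Muster", Profile: "Fibu 1 (Vorerfassung)"},
}

// AuthenticateClient performs the checks described in the text: chain to a trusted
// provider CA, validity period, then lookup of the registered account whose e-mail
// and name must match the certificate. It returns the profile assigned to the client.
func AuthenticateClient(leaf *x509.Certificate, providers *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: providers, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	reg, ok := registrations[leaf.SerialNumber.String()]
	if !ok {
		return "", errors.New("SuisseID not registered with BDO")
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != reg.Email ||
		leaf.Subject.CommonName != reg.Name {
		return "", errors.New("certificate attributes do not match registration")
	}
	return reg.Profile, nil
}

// makeTestPKI builds a throw-away provider CA plus one client certificate (constructed
// test data, not a real SuisseID) and returns the leaf and a pool trusting that CA.
func makeTestPKI(serial int64, cn, email string, notAfter time.Time) (*x509.Certificate, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Test Provider CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return leaf, pool
}

func main() {
	now := time.Now()
	leaf, pool := makeTestPKI(1001, "Anna Muster", "anna.muster@example.ch", now.Add(time.Hour))
	fmt.Println(AuthenticateClient(leaf, pool, now))
}
```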


Project Flow and Operation

The project idea for the Internet-Treuhänder arose in the spring of 2006. A jointly used IT solution was meant to replace the complex and time-consuming process of exchanging receipts and data between client and fiduciary (cf. Chapter "Business View and Processes").
ABACUS Research AG had already decided in 2004 to completely redevelop the ABACUS products using Internet technology and SaaS concepts. ABACUS is thus continuing its strategy of constantly renewing the business software it introduced to the market 25 years ago: after developing platforms based on MS-DOS in the eighties and Windows in the nineties, developments based on Internet technologies are the logical step for the first decade of the new millennium. In 2007, the first version of ABACUS vi was ready.
As an ABACUS Gold Partner, BDO was one of the first fiduciary companies in Switzerland to adopt the new ABACUS generation, and in autumn 2007 it realised a pilot installation of the Internet-Treuhänder. During the pilot phase, BDO clients working with a locally installed ABACUS FibuLight were offered a complimentary switch to the Internet-Treuhänder. Client data security was the centre of attention from the very first test: since no SuisseID existed at the time, the company used the equally effective Postzertifikat by SwissSign.
Thanks to the good experience with the pilot project, BDO decided at the end of 2007 to definitively implement the Internet-Treuhänder. It provided the necessary financial means for developing and building the infrastructure.

Solution Development and Implementation
The Internet-Treuhänder was developed jointly with ABACUS Research and MondayCoffee. The development mainly comprised the configuration of AbaWebTreuhand and the implementation of Microsoft SharePoint according to BDO's requirements. The various functional and service profiles were compiled and the application design was harmonised with the BDO corporate identity.
ABACUS developed the solution for authentication with SuisseID. ABACUS had originally developed the solution for authentication with the Postzertifikat. In the wake of the SuisseID launch, the function was extended to include the four SuisseID providers. The extension comprised the implementation of the trust relationships to the Public Key Infrastructure (PKI) of the SuisseID providers.
The hardware and software infrastructure required for operating the Internet-Treuhänder was established at the BDO computing centre. A solution with an outsourcing partner was not an option, since the majority of BDO clients responded in a survey that they did not want their data stored on systems outside BDO's sphere of responsibility. BDO is in fact expected to run the system at its own computing centre, controlled and maintained by its own employees. The clients' strong demand for security reinforced BDO in its intention to require a secure certificate for accessing the Internet-Treuhänder from the very beginning. While a simple solution with username and password, as offered by other fiduciaries, would have been easier to handle, it would also have been less secure.
The Internet-Treuhänder was introduced in the spring of 2008 and was supported by various promotional offers, e.g. a complimentary entry phase for founders of new companies. For existing ABACUS FibuLight clients, incentives were created to encourage a switch to the Internet-Treuhänder. Cost comparisons illustrated the savings potential of the new solution and were particularly convincing to smaller companies. The savings potential results from lower licensing and maintenance costs and from the fact that companies no longer have to ensure data protection themselves [Heck, 2008].

Continuous Maintenance and Planned Further Development
BDO fully handles the setup of new mandate and user accounts on the Internet-Treuhänder. BDO merely reports a number to ABACUS Research for setting up the subscriber and the profiles. ABACUS does not learn which mandate number BDO assigns to which company. BDO itself links user accounts to a SuisseID number.
With the launch of SuisseID, the processes for setting up a new mandate account for AbaWebTreuhand required adjustments. Previously, the quotes included ordering and setting up the Postzertifikat with BDO support. In addition to adjusting the quotes for those clients, the internal checklist for setting up new Internet-Treuhänder clients had to be adjusted.
New processes also had to be introduced, e.g. for when a client switches from a Postzertifikat to SuisseID. At the time of writing this case study, the transition from Postzertifikat to SuisseID is still ongoing: in the context of the exchange campaign by SwissSign, clients may replace their Postzertifikat with a SuisseID.
BDO has established an internal support structure for the employees acting as fiduciaries. When compiling an offer for introducing the Internet-Treuhänder to a client, they contact the Product Leader. Questions mostly revolve around the right client profile and the scope of Internet-Treuhänder functions. Once a client has ordered the product, questions regarding the acquisition of SuisseID arise: where can clients order a SuisseID, and which SuisseID is the right one? Once product and SuisseID have been ordered, questions regarding the setup of a mandate account and of the client's SuisseID on the AbaWebTreuhand servers arise. To ensure sufficient support, BDO has designated an Internet-Treuhänder superuser for each branch. A superuser generally knows more about operating and configuring the system than a normal user. The superuser role comprises the support of internal employees and of clients. As first-level support, he is the first point of contact for questions regarding handling and configuration and for any problems.
Disruptions of the central systems occur rarely. Client-side disruptions can occur upon first login to the Internet-Treuhänder. Web browsers and the JRE are possible sources of disruption; quite frequently both must be updated before clients can work with the Internet-Treuhänder. Disruptions involving the Postzertifikat and/or SuisseID are rare. If they do occur, it is likewise upon first login, e.g. when the client has not yet activated the SuisseID.
The further development and technical maintenance of the system are the responsibility of ABACUS and MondayCoffee. One further development by ABACUS comprises the use of a qualified electronic signature directly within AbaWebTreuhand. In the future, it should be possible to open and legally sign different document formats (e.g. PDF, Word, Excel) directly in AbaWebTreuhand.


Experiences

In using the Internet-Treuhänder, most clients value the near-real-time processing and the quick compilation of reports without the time-consuming shipment and exchange of data.
Less computer-savvy clients are often overwhelmed by the use of the new technologies. BDO therefore supports them during their initial use of the Internet-Treuhänder and SuisseID. Clients also receive support when ordering and installing SuisseID on their computers. Some clients feel overwhelmed, for example, by the new terms used in the context of SuisseID. Many of them are furthermore unsure which SuisseID product is the right one for them.


Success Factors

In addition to the security aspect, BDO favours SuisseID for a further reason: anyone can purchase a SuisseID. The buyer need be neither a Swiss citizen nor working or living in Switzerland. In one concrete case, two clients in America purchased a SuisseID for accessing AbaWebTreuhand. They did not have to come to Switzerland for that purpose but could identify themselves using a notarised form when acquiring the SuisseID.
Many BDO clients originally acquired the Postzertifikat exclusively for using the Internet-Treuhänder. They could use their Postzertifikat practically only for logging into the Internet-Treuhänder. Those clients therefore welcome the launch of SuisseID. The SuisseID initiative of the State Secretariat for Economic Affairs SECO now creates many possible uses that provide BDO clients with additional benefits.
The main reason for clients to use the Internet-Treuhänder is that its conditions are more economical than a local installation. The Fibu 1 profile in particular allows significant client savings, not only because of the lower investment and recurring costs but also because clients can carry out the time-consuming accounting entries themselves.

Solution Particularities
Thanks to the SaaS concept of the Internet-Treuhänder, the data exchange that is typical in fiduciary work when client and fiduciary operate on different systems becomes obsolete.
Joint data filing furthermore facilitates the exchange of documents. The fiduciary can easily provide the client with analyses and other reports via the joint data filing domain. Physical shipment is no longer necessary.

Lessons Learned
The weak point in security is frequently of a human rather than a technical nature. When handling SuisseID, clients are sometimes careless. It has, for example, happened that a boss gave his SuisseID to an employee, who could then log into the Internet-Treuhänder under his identity. Further instruction on the proper handling of SuisseID is required.


References

Bürge, Urs; Zweiacker, Marc (2010): SuisseID Specification V1.3. Bern: Staatssekretariat für Wirtschaft SECO.

Heck, Uwe (2008): "BDO Visura / UFD AG: Internet-Treuhand-Plattform". In: Schubert, Petra; Wölfle, Ralf (eds.): Wettbewerbsvorteile in der Kundenbeziehung durch Business Software. München, Wien: Hanser Verlag, pp. 225-238.

ITU-T Recommendation (2005): X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks. Geneva: International Telecommunication Union.

Quade, Michael (2010): "Was ist die SuisseID?". In: Quade, Michael; Wölfle, Ralf (eds.): SuisseID in der Praxis - Grundlagen und Fallstudien zum elektronischen Identitätsnachweis der Schweiz. Basel: edition gesowip, pp. 13-34.


Operator of the Solution

BDO AG
Markus Gebhard, Fiduciary and Product Leader AbaWebTreuhand
Markus Horisberger, Fiduciary and Superuser AbaWebTreuhand
Sector: Auditing/Fiduciary/Management consulting, financial auditing, fiduciary services, consulting
Company size: Large enterprise

Solution Partners

Joachim Vetter, Developer & Customer Relationships
ABACUS Research AG
Reto Meneghini
MondayCoffee AG

Authors of the Case Study

Michael H. Quade
Fachhochschule Nordwestschweiz FHNW

22 November 2010
Quade, Michael (2010): Case study BDO AG: Sicherer Zugriff auf den Internet-Treuhänder mit der SuisseID. In: Quade, Michael; Wölfle, Ralf (eds.): SuisseID in der Praxis - Grundlagen und Fallstudien zum elektronischen Identitätsnachweis der Schweiz. Basel: edition gesowip, pp. 77-88.

No appendices are available for this case study.
http://www.experience-online.ch/de/9-case-study/1712-bdo-abacus-en