Healthy scepticism is vital when buying and onboarding large-scale software products. A recent surge of interest in the scandal around Horizon – the IT system that was meant to make accounting at the Post Office more efficient, but instead led to hundreds of branch managers being wrongfully prosecuted – raises questions around IT procurement risks.
Code check
To deal with current economic strains and prepare for the future, accounting firms will be looking to transform their systems with new technology. But they may not have the knowledge to understand what a piece of software might contain.
“Coders often look for shortcuts,” says ICAEW Fellow Nick Wildgoose, Independent Supply Chain Risk Consultant with Supplien Consulting and Director of Procurement Advantage. “As a result, more than 80% of code is reused. So, I encourage firms that are looking for new IT systems to pay careful attention to what’s called the ‘software bill of materials’ (SBOM).”
Provided by best-practice vendors, an SBOM is a detailed breakdown of where the code in a software product has come from. “It’s about having visibility and transparency,” Wildgoose explains. “Plus, assurance that the software has been quality-checked and tested. This is important at a time of high alert over malware and spyware. You don’t want anything in there that could either prevent the system from working properly, or leak client data.”
Scope creep
It is also crucial for buyers to cover any knowledge gaps between themselves and their suppliers. “If you don’t think you have the internal knowledge to discuss technical points as equals with vendors, then you should absolutely seek some form of external support,” says ICAEW Head of Data Analytics and Tech, Ian Pay.
Buyers must understand how to ask the right questions, he notes, rather than taking a vendor’s line without knowing what it means. “Having the insight to challenge and question a supplier’s answers is critical,” Pay says. “It’s healthy to be sceptical. Many vendors will promise the stars and then hand you a ladder. When it comes to go/no-go decision-making, you must have all the facts you need so you’re not afraid to say, ‘We’re not ready to go yet. We’re not ready to sign this off.’”
Another key concern is what Pay calls ‘scope creep.’ He points out that, like many public-sector IT projects, Horizon morphed and grew over time. Such changes can put a strain on vendors who are eager to please. “Be mindful of your requirements,” he says. “Try not to shift them or throw in too many extras. You may end up creeping away from the comfort zone of a supplier who will be less and less likely to say no the further they get into the project.”
Edge cases
Pay warns buyers not to take a rose-tinted view of their new system as they bed it in. “Software is written by humans and humans make mistakes. So, whether the system is bespoke or not, there will always be a level of testing.”
It is impossible to test every scenario, he explains, because that would involve making the system live. But you must test a representative range, including less-likely edge cases.
“Push the system’s limits,” Pay says. “Kick its tyres and see how it behaves under stress. Keep your eyes open to the fact that when it goes live, there will be bugs. It’s much better to take that on board and be transparent about it than to try and act as if bugs don’t exist, which appears to be what happened with Horizon.”
Pay notes that standard IT contracts tend to include a ‘hyper-care’ phase. That’s when the vendor works very closely with the buyer after the live date to monitor how well the system is performing in real time.
Both parties will have a chance to nip emerging problems in the bud, resolve critical issues and tackle any major themes that crop up in support tickets. In time, daily meetings will shift to twice-weekly, weekly, fortnightly and then monthly – moving eventually to business as usual.
Two-way street
For Wildgoose, accounting firms could learn a lot from buyers in physical supply chains about how to manage long-term relationships with software vendors.
“I once dealt with an Australian mining company and the CEO made it his business to know the bosses of his three main equipment suppliers. He’d play golf or dine out with them every quarter. His view was: ‘That’s part of my job because when I have an issue, or my business demands shift, I can make a personal request for the right gear, even though we’re not one of their biggest clients.’”
That relationship can then flourish from service to collaboration. “The more known you are to a supplier, the more likely it is that they will say to you: ‘We’ve made an enhanced version-10 of this software you’re using, with a suite of new features. Would your firm like to pilot it and give us some feedback?’ That’s a fruitful, two-way street.”
In Pay’s view, transparency between buyer and vendor is key. “With file sharing and video calls, there’s no excuse not to be as open as possible. A ‘no secrets’ approach is the only way to go.”
Save the date!
For further thoughts on best-practice management of key business processes, join ICAEW’s Corporate Governance Conference 2024 on 5 March.