I’m joined by David Barrett of Expensify.com to talk about how the team built a SaaS and mobile-enabled service to make “expenses reports that don’t suck.” We talk security, data integrations (like with Intuit), and approaches to marketing SaaSes.
Download the episode directly right here, subscribe to the feed in iTunes or other podcatcher to have episodes downloaded automatically, or just click play below to listen to it right here:
Show Notes
- Why do expense reports?
- Overview of offering – scenarios of use – fun integrations, what are the challenges of UX?
- On small business as a market: “Small businesses are not small, big businesses.” – “How the real world is kind of weird.”
- What’s the architecture, stack, and technologies used?
- How do they plugin to the Intuit Partner Platform with all this? They do a federated application and use IPP as a good channel for selling to accountants.
- What authentication and authorization protocols are used? SAML, OpenID, etc. but mostly stuff like PCI.
- We get into some of the PCI-driven and other security stuff, and doing “real financial transactions.”
Transcript
Michael Coté: Well, hello everybody! This is another edition of the make all podcast, the podcast about fun and interesting stuff going on in the software development – or just software – world, stuff with those “damn computers.”
And as always, this is one of your co-hosts – or one of your hosts, Michael Coté, available at PeopleOverProcess.com.
In this episode, we have got a fun topic sponsored by Intuit, and we are going to be talking about one of the applications, if you will, if things can still be called that, that’s using the Intuit Partner Platform. With that, would you like to introduce yourself, guest?
David Barrett: Hi there! My name is David Barrett, and I am with Expensify. We do expense reports that don’t suck, and we do that by importing your expenses and your receipts right from your credit cards and mobile phones, so we have been doing expense reports through email and then reimbursing everything online, in the glory of QuickBooks and Direct Deposit.
Michael Coté: I was noticing your excellent motto when I was looking at your stuff a little bit ahead of time, and as someone who works at a small consultancy kind of company and travels a lot, you can imagine I have a lot of expenses. So I was getting a little excited about what was going on there because —
David Barrett: That’s right, because we don’t actually tend to make them fun, we just try to make them not suck.
Michael Coté: I think that’s a good qualification there. But yeah, I mean filing expenses is always terrible, especially with older systems. But one thing I was for — as sort of boring of a nook of the world as expense reports are, I was curious why you decided to start an expensing startup. Like how did you convince yourself like, “I want to be in expense filing”?
David Barrett: Yeah, exactly. When I was a kid, I just wanted to be an expense report magnate, I figured that would be — all the chicks would really go for that.
Michael Coté: You had big like Cognos posters on the walls?
David Barrett: Exactly, exactly. No, I think it really happened — probably the decisive moment when I knew is I was filing an expense report, and so our company, every year we take the company overseas. So we take the whole company overseas for about a month, and this one time we went to India, and this miniature sort of economy built up around the receipts, where a $10 receipt, you could buy from someone else for $8, because the pain of actually trying to get that receipt reimbursed was so painful, they would just like basically take a 20% discount just to get the cash upfront.
So I was the sucker who was buying up all these receipts, and I had this gigantic stack of receipts, which I was going to make bank on, and then I would go to actually get it reimbursed. And it took me two weeks to fill up one expense report, and it just took so long, and the entire time I was just pulling my hair out and thinking, there is no way it needs to be this bad.
It occurred to me that, every company I had been at, be it small companies, big companies, expense reporting was always the biggest pain in the ass, so I just decided, we can do this better, this just needs to be done a better way. So I figured, well, there is a good opportunity there.
Michael Coté: And so I mean, not to get too advertising-y, but I am really — since I have to deal with it, I really am interested like, what are those things you do to make it better, like what — as an analogy, I use sites like TripIt and Dopplr for my sort of travel organizing. It seems like a lot of what they do is what I would call, like they do things — they basically don’t do stupid things.
And they do things that are kind of obvious. You can just email your itinerary to it and you can get like an iCal feed and things like that. But I am curious, in the expensing area, like what are those sort of like helpful — they always seem like the kind of obvious, but people just don’t — companies just don’t spend the time to like automate it.
David Barrett: Well, that’s exactly right. I think it’s — I will be honest, it’s a pretty low bar to jump. The typical expense report would be, you have an Excel spreadsheet, you make a bunch of purchases with the cash, and your personal credit cards. You would pick up all the receipts, you got this big stack, and somehow maybe you tape it down on paper, and then photocopy it, and mail it, and all this junk. It’s such a horrible antiquated process, it doesn’t take a lot of creativity to do right.
So the way that we do it is, so first we really — everyone pretty much makes purchases in their personal credit cards anyway, and so we will just, like mint.com, we will just import your expenses straight off from your credit card. And because we are doing that, we are connecting directly to your banking website, which gives us very clear, very clean, tamperproof datasheets, which allow us to satisfy the IRS requirements directly off your credit card.
So for any purchase under $75, we can give you an IRS ready, paper receipt equivalents in purely electronic form, right from your credit card. So for about four out of five paper receipts you would pick up in a business trip, you can literally just throw away entirely. You just don’t have to keep it at all, because we can take care of all of your records straight off of your credit card.
For most of the purchases above that, we find they are done online, like airfare, car rentals, things like this, take the email receipt that you were sent from the booking website, forward it to [email protected], and we will take care of it.
It’s kind of like TripIt, how they read the information off the receipts. They are a bit more advanced than we are there. But we basically will take the receipt image and basically keep track of it, such that when it comes time to create the expense report, all of those receipts are already in place. And then for those few straggler paper receipts that remain, we have native apps for iPhone, Android, BlackBerry, and Palm Pre, just take a picture of the receipt, it will upload straight to our servers.
So basically, when you are on the road, when you are just making your purchases, we make it such that you can throw away all your receipts the second you get them, and as a result, when it comes time to make the expense report, well, most of it’s already done for you, and the rest of it is just a couple of clicks away.
Michael Coté: And an implicit thing in there is that, you guys are a SaaS basically, or to use the gold plated buzziness of the contemporary times, you are a cloud based application.
David Barrett: Yes, that’s right. We are in the cloud.
Michael Coté: I mean, it sounds like there is basically this model of like a user, and the user is collecting all these various receipts from, whether it’s kind of like images of the receipts that they have or the integration that you are sucking in from their credit cards, and then there is also like a workflow for approval and things like that, right? I mean, that’s part of —
David Barrett: Oh, yeah, of course, of course. So Expensify is a little unusual in that, the first person we go to in a company is typically not the manager, we go straight to the employee. We just go to the employee and say, if you hate your expense reports, don’t wait to be asked, don’t ask permission, just sign up for Expensify, create an expense report, submit it to your boss, and see what happens. And more often than not the boss is like, great, this looks really awesome!
So typically, the employee will create an expense report, submit it to the boss. Boss would be like, this looks good, they will submit it to their accountants. The accountant will be like, wow, this looks pretty good, but the categories are just all totally wrong. They will link up their Expensify account to QuickBooks, will synchronize with the QuickBooks Chart of Accounts and basically take care of all the accounting backend. And then we will turnaround and share and create what’s called an Expense Policy, which will be shared out with the rest of the company.
So basically, we try to use the employees as lead generators, in that every time you submit an expense report, in essence you are introducing us to someone more important than you; your boss, your finance department, things like this. So we try to use the employees as lead generation into the company, and then we turn around and we convert the entire company at a time using an Expense Policy that has, for example, that workflow defined, it specifies who submits to who, who is able to approve reports, reimburse reports, and things like that.
And then of course I should also mention that Expensify has its own integrated payment network, so we can withdraw funds directly from the employer’s account and deposit them directly into the employee’s account through direct deposit. So we try to make the entire expense process, from purchase to reimbursement, electronic.
Because I mean typically — it seems really antiquated that you make a purchase with the credit card, which is electronic, and then you get a paper receipt. And then you take that paper receipt and you type it into Excel, which is electronic, but then you print it out. And then you take that printout and you give it to the accountants, who types it back into QuickBooks again, and then they give you a paper check, and then the paper check is actually deposited again.
There is this huge paper based process that’s typically there, we are just trying to get rid of the paper, such that it’s electronic from purchase, all the way to the reimbursement, takes away opportunities for fraud and error, and just makes it clean for everyone.
Michael Coté: I think that workflow you described is why I haven’t filed expenses since, like, November, just because — I mean, filing expenses is one of those things that the longer you wait, the worse it gets, so the less you want to do it I guess. And it’s also bad from the angle that, like, you are basically screwing yourself out of some money.
David Barrett: Yeah. You are basically extending a zero interest loan to your employer, and then you have to act as your own repo-man to get paid back.
Michael Coté: Exactly. One other thing, as I dork out on expense filing, is there a way you kind of can establish like reoccurring expenses, like if I get reimbursed for like broadband to my house or broadband, I am using like 90s lingo —
David Barrett: My “dial-up connection.”
Michael Coté: That’s right. Do you guys handle those kinds of things?
David Barrett: Yeah. Not as well as we can. Expense reporting is, as humble a field as it is, it’s actually sort of complicated, and there is just so many different things to do, especially in the small business space.
Because I would say the big lesson that we have learned is that, small businesses are not small big businesses, they are just an entirely different breed, and they have very — a lot of sort of ambiguous and complicated relationships, and so it’s taking us time to really just work out a product that works in the real world.
Like to give a couple of examples of how — the real world is kind of weird – early on we found that barely half of our expense reports were submitted to someone in the same domain name. Initially we thought, it’s like, oh, people are going to neatly group up by domain name, that just wasn’t the case. And then we started talking to these people, we asked them, it’s like, “what’s your relationship with this other user?” And they are like, “well, he is just this guy, he just works for me some times, sometimes I pay him.”
It’s like, “oh, okay, great!” Well then, you have got these really weird relationships down there, and trying to build or accommodate these unusual relationships is just taking time.
So yeah, there is a ton of stuff that we want to do, like the recurring expense is a great one. OCR and the receipt images is another great one. There is all sorts of really cool stuff to do. We are going to do it all, but it’s just another time.
Michael Coté: Right, that makes sense. So getting into the technology side, I mean, can you describe the basic stack that you guys have? I mean, you have already told us, we have already gone over that it’s a SaaS application, so it’s hosted somewhere, and you have got like various mobile apps that are kind of inputting sources. But I am curious like what you guys built it on from a high level architectural overview?
David Barrett: Sure! So one thing, it’s also a little unusual is, because we don’t just deal with bits, we deal with real money, like actual dollars flow through our system, and as a result security is just paramount.
So from the very get-go, we had to build a very secure infrastructure, not just because it’s a good idea, but because we have actual banking partners that won’t allow us to operate if we can’t.
So we have sort of three geo-redundant, real-time synchronized data centers. We have basically a C++ and PHP layer for the business logic. We have all the classic web stack for the front-end. Basically it’s a pretty standard web-based application, except with a lot of emphasis on maintaining very, very tight security, much more so than just your typical website.
Michael Coté: It sounds like a lot of the work — how do you handle all the sort of like — for lack of a better phrase, kind of, like, what’s the bus for all the data integration that you are doing, like how are you guys doing that?
David Barrett: Well, yeah. It can get messy. Because we are taking in data from so many different places and spitting it back out even more.
So for example, what we have is this giant import pipeline, such that we can import the information straight from the banking websites, and that can get pretty gnarly.
Furthermore, we have all of our mobile apps, that we can take in — like receipts in through email, receipts in through all these different mobile applications. And then of course we have a variety of partners that we work with. Probably the most notable of our partners is Intuit, and we work with something called the Intuit Partner Program.
So there is this — I think it’s really interesting in that — it’s kind of like — I call it the iPhone App Store, but for accountants. It’s built into QuickBooks. There is this big button on the top of QuickBooks you click to get to the workplace, and then it lists a whole bunch of applications that are integrated with QuickBooks, and then Expensify is one of those applications.
The Intuit Partner Program has been really great to us. I would say that it brings a steady stream of very highly qualified leads, because though we typically will go to the employee first in order to get into the company, a much more powerful, sort of high leverage point is if you can go straight to the accountants.
But from the marketing perspective, a classic advertising and the ad spend that gets straight to accountants is so expensive, to actually like acquire an accountant onto your system would cost a ton of money. But the Intuit Workplace gives us a direct pathway straight to these accountants. So it’s a very low-cost of sale channel to sign up accountants onto the system, and then from there, we don’t just get a single company, but we can sign up multiple companies, because accountants, especially in the small business space, rarely work for a single company, but manage the books of many companies.
Michael Coté: So I guess, especially in that scenario, of an outsourced accountant, if you will, that’s managing very — whether it being — as opposed to being an in-house one, that’s managing various other companies like — so that’s another sort of small business weird thing that — I mean, it sounds like every relationship you have is usually many to many. Like there is not people on the same domain name and the accountants aren’t working for one company and people are probably expensing the multiple companies, so things get in that very unpure state of end to end.
David Barrett: Yeah. Initially, we were just terrified of this. We were like, oh my God, this is such a mess, but then we realized, this creates a great opportunity. Because of this many-to-many relationship, it makes an inherently viral product, in a few different ways.
Like the first, as I mentioned was, employees introduce us to their employers. So that’s great. Then employers introduce us to their accountants, who introduce us to other employers. So that’s great too.
But then a third one is, as you alluded to, when a company has consultants, and the company tells the consultant to use Expensify, the consultant turns around and use Expensify for the next company as well. So in all these different ways, we get incredibly organic and just this natural viral growth through the mere act of using the product itself.
Of course we can do a bunch of things to really, in sense, the natural viral activity, except it’s great that all of our traffic comes organic. We don’t buy any of our users, they all come to us through these different natural channels.
Again, because the small business is a huge opportunity, but it’s a hugely fragmented opportunity. So you have to have an incredibly low cost of sale, and these different channels, be it like Intuit Workplace, be it like the mobile applications, all provide great low-cost ways to sign up paying users.
Michael Coté: And so like looking at IPP, in particular, like how do you guys integrate into that workflow? I mean, I assume you are not just sort of doing ads through it or whatever, but it actually sort of fits into QuickBooks. I think the concept of like, someone inputs all these expenses and at some point an accountant or someone has to sort of approve it, and then you reimburse them. But what does that kind of integration look like – what does IPP do for you that lets you plug into it?
David Barrett: So there is a couple of different ways. So IPP has its own cloud hosted Flash-based development environment, which is actually really cool, but we don’t use that part. The part that we use is something called a Federated Application. Meaning, we are a website that we host ourselves, but they have tools that allow us to integrate with the Intuit Workplace to do things like centralized billing and single sign-on and essential employee management.
So to give some examples of how that works from, like, an end-user perspective. Let’s say you are an accountant, you are inside QuickBooks, you click the Workplace button. You see a bunch of applications like Expensify. You say, hey, I want to give Expensify a shot. You click the Expensify button. Because it’s built into QuickBooks, it means that we are already connected to that particular QuickBooks file in this very secure fashion.
So when you sort of install Expensify into that QuickBooks file, basically it means that you are already configuring Expensify to use that particular QuickBooks company file, and so as a result, from the very start, we already know, oh, okay, this guy is an accountant, we know what company he is at, we know all the employees, we know the ledger system, the categories, we know everything.
So we just jump straight to this very streamlined setup process, where we can say, okay, well, here’s what we think all the categories are, here’s who we think all your employees and contractors are, click this one button and we are just going to set everything up and you are going to be good to go.
Michael Coté: So basically you can sort of pre-populate all the data and the people and like you are saying the categories that you need for expense filing?
David Barrett: Exactly! So additionally, the Workplace has a variety of applications. I mean, probably one of the more notable ones I would say is the — Intuit uses the Intuit Workplace for their applications as well, and like for example, the payroll, Intuit Payroll has this application called ViewMyPaycheck. So if your employees are already signing into Intuit Workplace to do payroll related things, it’s a super natural point to have them also do expense related things, and they can use the same exact account.
So they don’t have to have a new password, they don’t have to go to the Expensify website or learn anything about us, they just keep going to the Intuit Workplace, as they are already accustomed to, and then they can just click onto Expensify and go straight to us.
Michael Coté: So like you guys are doing — this integration happens basically over the Internet, right? I mean, is it done over SOAP or something else or like how is that stuff playing out?
David Barrett: So I believe it uses SAML as the single sign-on technology, uses — yeah, different SOAP based — actually it came out with SOAP or XML-RPC, one of the two. It’s a super straightforward process.
I mean, one thing I have been actually really pleased working with Intuit on this, is they put a lot — I mean, this is a very strategic focus of Intuit; making this work is very, very critical to the company. They are putting a lot of resources to make this seamless for the partners and they have given us a tremendous amount of support throughout building the application, and then even, perhaps more importantly, after the application has been built, they have really helped us promote it.
They do a lot to optimize their stores to really push certain applications, to really optimize the conversion. And they have made a number of really significant changes and many in direct response to our feedback. So I feel like we have had a really productive relationship, and it has definitely worked out very well for us.
Michael Coté: And like you said, the point of — all the stuff is nice and secure enough for you guys to use, right?
David Barrett: Oh, yeah. Well, I mean, this is operating out of the same datacenter that Intuit uses to process, I think it was something like a trillion transactions through the — I mean, they do the TurboTaxes out of the same place. I mean, they process the Intuit Payment Networks out of there, and so it’s the real deal.
I mean, they have incredible security. I mean, certainly they have been doing financial security as long as anybody, and so as a result there is — which is actually sort of a nice thing, because we deal with a lot of partners, and most people don’t really understand financial security, and so it’s actually quite a pleasure to work with Intuit in that respect, because they understand the importance of this and it’s not just lip service.
Michael Coté: And so along those lines, I am curious, in the same way that sort of Intuit is kind of opening up their platform to other people, like do you guys have sort of opening up and integrating with other people, like are there ways people kind of use Expensify as a platform, or are you guys more of an input situation?
David Barrett: So we actually do have an API, and we have — so, for example, we have a couple of customers that have done their own custom integrations with Expensify. So we have, for example, our own single sign-on technology. So you can build Expensify into your existing intranet, for example.
We have some other partners that have done applications using our credit card import, for example. We have some partners working on some things in the mobile side. So yeah, I think no one doubts the value of having these APIs to enable great integrations with big partners like Intuit, or smaller partners like Outright, and basically partners up and down the board.
Michael Coté: I am also curious, like when it comes to, on the whole point of being secure, like are there — what are sort of the protocols, and like you were mentioning, Intuit uses SAML and things like that, but are there other sort of authentication and authorization protocols that you are seeing are popular, like are there newer ones like OAuth and OpenID, do those even kind of pass muster, or do you have to use sort of the enterprise-grade ones?
David Barrett: No, OAuth, OpenID, these are all — I mean, they are all well-thought out. I mean, nobody is going to come up with a secure authentication protocol that’s not genuine and secure. I mean, no one is going to tolerate that. So OpenID, OAuth, SAML, these all do the trick. They have different pros and cons, and I think all of them are far more complicated than they need to be.
Michael Coté: Right.
David Barrett: But really, very rarely is technology sort of the problem. I would say the important things when it comes to real — when we start talking about real financial security, it’s not so much about protocols, it’s more about standards.
So one of the core — sort of the gold standard in financial security is called the PCI DSS, the Payment Card Industry Data Security Standard. It’s the security standard written by Visa and MasterCard. It’s a global standard. It’s the actual standard used by real banks and real financial institutions. So Expensify complies with the PCI DSS standard. So I think that if you are looking for real security, you should be looking for the PCI compliance.
Michael Coté: That’s basically a list of things: PCI is basically a list of things you should be doing with your service or your technology that makes it so that you are secure enough or whatever, right?
David Barrett: Exactly! It’s like — I think it’s a 280-point security standard, regulating everything from like, how often you change your passwords, all the way up to, the sort of super secure encryption that you use.
Like there is this one piece I think is really cool, I would say it’s the heart of PCI, is something called the Split Knowledge, Dual Control Key, and that is, it’s a type of encryption key that nobody in the world has the ability to decrypt by themselves.
So for example, I have access to half of the key, and then my co-founder has access to the other half of the key, and neither of us can actually decrypt any of our data ourselves.
So even if you were to steal all of our servers and take me hostage, you still couldn’t get any of our data, because that’s not enough. So I think this type of building security by design, where it’s actually sort of mathematically impossible for any individual to get access to the data, is the heart of the PCI DSS, and I think it’s the heart of real financial security.
Michael Coté: Yeah, it’s kind of like those old movies, where there is the nuclear launch guys that have two separate keys, right?
David Barrett: That’s exactly the same thing. In fact, it’s a big nuisance, because it means every time that we start our servers, we essentially have to do this simultaneous key turn. So of course — what’s interesting about that, from an engineering perspective is there are a lot of people who start and go, oh, I am going to make a website, it’s going to swap MySQL up there. I am going to build all this junk, and then at the end, right before I launch, I am going to make it secure.
But the problem with that is, by that time you are screwed, because to do it secure, means that it actually really reflects a lot of your technology choices.
So for example, this is sort of geeking out on the backend side a little bit. But let’s say that, if you are dealing with real money, you want to make sure that your data is — it’s like, if you are moving like a $10,000 expense report, and your server crashes halfway through, like you want to know, like did that money move or not?
So as a result, every time you write any data to disk, you want to make sure that you replicate it to at least one other offsite location.
So at the very start, before you do anything, you really have to have at least two data centers and they have to be replicated in real-time using distributed transactions. That’s just like a bare minimum if you are going to do real financial sort of applications.
Then the third part is, if — in a real world, data centers go down all the time, it’s not unusual for the best data centers in the world, Rackspace and things like this, to go down for hours, days, and so as a result if you need two data centers online at any point in time and either of them go, it means you have to have at least three in order to tolerate the real world. So you have to have at least three real-time synchronized data centers, to do real financial activity, in a way that’s actually sort of reliable and secure. So before you have even started, you have to have sort of these three different data centers.
And then when it comes to like these other requirements, like, okay, this sort of split key requirement, so now it means, you can’t make your servers automatically start themselves, because they require two different people. You can’t just of course upload your key and store it on disk, that doesn’t make any sense. So you have to build for incredibly high uptime, because you don’t want to be in the middle of the night, your servers are going down and you have to keep uploading your keys. That’s such a big thing.
So I think this is why — basically the first year, we spent just building up the secure infrastructure to have this sort of real-time geo-redundant data centers synchronized in a very secure, PCI compliant fashion. It’s a lot of work.
Michael Coté: No – it sounds like it [is a lot of work]. With all the cloud hoopla nowadays, there has been — there is finally like a fair amount of pushback on things, and one of them is just like, “oh, the lawyers won’t let us do it.” But like you are going over like what I think is one of the more technologically sound reasons.
Just like you were saying, if you had one cloud provider, even if they are supposed to be up all the time, eventually they will go down. So you already need two and then you are really going to need three, right? So it’s sort of like, you are going to need to — you need some way of satisfying those physical requirements, and then at some point the cloud becomes a lot less magic cloud stuff and it’s just a good old fashion, like running a —
David Barrett: Yeah. Well, it’s sort of interesting, because yeah, there is a series of things that individually all sound obvious. It’s like, “oh, that’s such a good idea, we should totally do that.” And then when you put like 30 of those back to back, it’s like, “oh my God, to actually do all 30 of these really obvious things is actually quite difficult.”
Michael Coté: Right, definitely. Well, great! That was — like I said, I do a lot of expenses, so talking anything about improving my expense process is great. So that was good stuff.
Long ago in the 1990s, I worked at an online banking startup, where we had many of the same kind of issues, so it’s always nice to dork out about that kind of stuff.
So the last thing I am interested in, I am going to have to go try Expensify to see if I can finally do my six months of expenses. What do you guys have in the future, what are you planning on?
David Barrett: Great! Well, I would say, frankly, more of the same. I know it’s a little bit unorthodox to say that we are just going to really do things — do what we do, just do it better. But we are not trying to do everything in the world here. We try to pick one problem and do it incredibly well.
So let’s see, I started the company in April of 2008. We launched an open beta in sort of April 2009. So we have only been really open for business for like a little bit over a year, a year and a half, and I feel like we have done a lot of learning throughout that year. And though I feel very good about — we have got lots of users using it and the growth is really good, whenever I look at it, I just see, it’s like, wow, we can do this so much better.
So before we really start expanding in scope too much, I think we are just going to do what we currently do a whole lot better.
Michael Coté: Yeah. Sure. That makes sense. Well, great! Well, thanks for taking all this time to talk with us. It’s good to hear about Expensify and how you guys are integrating with all sorts of services, like the Intuit Partner Platform.
David Barrett: Great! Hey, well, thanks for having me.
Disclosure: Intuit is a client and sponsored this podcast.
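The split-knowledge, dual-control key that David describes in the interview, shown as an added Python example (not Expensify's code). It assumes a 256-bit data-encryption key split 2-of-2 by XOR, so one share alone is indistinguishable from random, and a key check value (an HMAC over a fixed label) stored on disk so that the reconstructed key can be verified without the full key ever being persisted; all function names are hypothetical.

```python
"""Split knowledge / dual control for a data-encryption key (DEK).

Added example, not Expensify's implementation. Two custodians each hold
one share of the key; neither share reveals anything about the key on
its own, and the service refuses to start unless both are presented.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32                    # 256-bit DEK (assumed size)
KCV_LABEL = b"expense-dek-kcv"  # constant input for the key check value


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split `key` into two XOR shares; both are required to rebuild it."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    share_a = os.urandom(KEY_LEN)  # uniformly random one-time pad
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the key from both custodians' shares (XOR)."""
    if len(share_a) != KEY_LEN or len(share_b) != KEY_LEN:
        raise ValueError("each share must be %d bytes" % KEY_LEN)
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> bytes:
    """Short HMAC fingerprint of the key; safe to store on disk beside the data."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:6]


def start_server(expected_kcv: bytes,
                 share_a: Optional[bytes],
                 share_b: Optional[bytes]) -> bytes:
    """Dual-control startup: the 'simultaneous key turn'.

    Returns the DEK only when both shares are present and the rebuilt key
    matches the stored KCV. A single custodian, or someone holding a
    stolen disk image (which carries only the KCV), cannot bring it up.
    """
    if share_a is None or share_b is None:
        raise PermissionError("dual control: both custodians must be present")
    key = combine_shares(share_a, share_b)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: a share is wrong or tampered")
    return key


def demo() -> dict:
    """Constructed walk-through: key ceremony, normal start, lone-custodian attempt."""
    dek = os.urandom(KEY_LEN)            # generated once, at the key ceremony
    share_a, share_b = split_key(dek)    # handed to two different people
    kcv = key_check_value(dek)           # the only key-related thing written to disk
    del dek                              # the full key never persists

    recovered = start_server(kcv, share_a, share_b)
    result = {"both_present_ok": key_check_value(recovered) == kcv}

    # One custodian alone: their share is just random bytes, and filling in
    # the missing half with zeros (i.e. using the share as the key) fails the KCV.
    try:
        start_server(kcv, share_a, bytes(KEY_LEN))
        result["lone_custodian_ok"] = True
    except ValueError:
        result["lone_custodian_ok"] = False
    return result


if __name__ == "__main__":
    print(demo())
```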