Archives For Research

Calling All GL Coders

Jason Mills —  January 12, 2012 — 3 Comments

Yes, accounting and finance departments, we’re talking to you!

With 2012 in full swing, everyone at Expensify is excited by the opportunity to make this year even better. Don’t get us wrong, 2011 was awesome! But we’re a startup, and re-thinking the old to build something new is an oft-repeated mantra. As larger and larger companies increasingly drink the Expensify kool-aid – or our own Expensify beer thanks to a resident brewmaster – our sights are squarely aimed at the scary-sounding world of “enterprise accounting.”

As you may recall, in late-2011 Expensify unveiled functionality that allows anyone to create and edit a very flexible CSV export file. This functionality enables our system’s Categories and Tags to speak the parlance of enterprise accounting and CRM packages. It’s called GL Mapping, and we’re super excited about the potential of this functionality, especially in the context of our self-service, bottom-up adoption model. With that said, we are still in the exploration stage when it comes to enterprise accounting and ERP systems, and for some reason, it conjures images of scary pumpkins. So we thought we should take up some white space to learn what’s out there. Thus far, we’ve talked to customers that use Sage, SAP, Oracle, Netsuite, Intacct, and many others.

But more than names, we’re interested to learn about the types of accounting configurations that we need to support. Past conversations have worked out how to export Expensify’s data into a MySQL database before eventually feeding this information into an accounting package. This was luckily solved by a bit of accounting triage; in other words, correctly mapping the columns in the company’s database. We’ve also seen customers that must track a variety of inter-related GL Codes, both at the expense-level and at the report-level, and this has required a good deal of problem solving for all involved.

This brings us to the interactive part! We’d love to hear from you about your GL setup.  Specifically:

  • Do you have any pain points with Expensify’s existing GL functionality? What are they?
  • Do you feel like Expensify doesn’t support your accounting package or setup? Why?
  • Is accounting integration the most important factor in your purchase decision, or does other functionality like automation matter more?

Please join this conversation in the comments or feel free to email  Thanks!

Remember when Danger lost all their backups?  At that time I wrote about Expensify’s massively redundant, multi-tiered backup system (to two remote locations in realtime, and to two more remote locations nightly) in a passionate appeal to sanity.  Soon after that I turned off my Sidekick for the last time, and turned on my shiny new Palm Pre.  (And I ain’t going back!)

But now I read that RockYou has compromised the usernames and logins to 32 million social networking accounts because they didn’t encrypt a damn thing?  Come on people!  Encryption is so… I don’t know, 1942?

At Expensify, we take security incredibly seriously.  We spent pretty much the entire first year building a geo-redundant, PCI compliant datacenter that achieves… actually, now that I think about it pretty amazingly high uptime, while simultaneously remaining super secure.  It wasn’t easy.  But that’s our job.  It’s not an optional thing.  Either you do it secure, or you don’t do it at all.

In our case, we use a type of encryption called “split knowledge, dual control”.  It’s more complex than this, but we basically split our master encryption key in half, and store each half in a different safe deposit box (Witold controls one, I control the other) such that nobody ever knows the whole thing.  This means nobody can decrypt our data alone, not even me.

Additionally, this key is assembled in memory on our servers using a type of “turn two keys simultaneously” system (akin to a nuclear launch panel) and never written to disk.  So even if you physically stole the servers out of our hardened datacenters (something you’d be a fool to try), they’d be little more than really expensive paperweights.
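An added sketch of the split-knowledge, dual-control idea described above; it is not Expensify's code, and the post itself says the real scheme is more complex. It assumes XOR shares rather than literal halves (so neither share narrows down the key), a 30-second window for "simultaneous" submission, and hypothetical custodian names.

```python
import hashlib
import hmac
import secrets
import time


def split_key(master: bytes) -> tuple:
    """XOR-split: each share alone is uniformly random and reveals nothing."""
    share_a = secrets.token_bytes(len(master))
    share_b = bytes(m ^ a for m, a in zip(master, share_a))
    return share_a, share_b


def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint kept on the server to catch a wrong share."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


class KeyCeremony:
    """Holds shares in RAM only; yields the key when both arrive together."""

    def __init__(self, expected_kcv: str, window_s: float = 30.0):
        self.expected_kcv = expected_kcv
        self.window_s = window_s          # assumed "simultaneous" window
        self.pending = {}                 # custodian -> (share, arrival time)

    def submit(self, custodian: str, share: bytes, now=None):
        if custodian not in ("custodian_a", "custodian_b"):  # hypothetical names
            raise PermissionError(f"unknown custodian: {custodian}")
        stamp = time.monotonic() if now is None else now
        self.pending[custodian] = (share, stamp)

    def assemble(self) -> bytes:
        if len(self.pending) != 2:
            raise RuntimeError("dual control: both custodians must submit")
        (a, t_a), (b, t_b) = self.pending.values()
        self.pending.clear()              # shares are single-use either way
        if abs(t_a - t_b) > self.window_s:
            raise TimeoutError("shares did not arrive within the window")
        if len(a) != len(b):
            raise ValueError("share length mismatch")
        key = bytes(x ^ y for x, y in zip(a, b))
        if not hmac.compare_digest(key_check_value(key), self.expected_kcv):
            raise ValueError("assembled key fails check value")
        return key                        # caller keeps it in memory, never on disk
```

The check value lets the server reject a mistyped or substituted share without ever storing the key itself.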

Anyway, I understand social networking data isn’t as sensitive as financial data.  And I understand most web developers don’t know how to deploy and maintain realtime distributed transaction layers.

But I don’t find those very satisfying excuses, and I doubt you do either.

I was talking with a user today and the subject of expense report fraud came up — specifically, how can Expensify be used to fight it?  Great question, and the short answer is: avoid cash and use Expensify Guaranteed eReceipts.

But stepping back a bit, let’s review the problem.  As incredible as it sounds, the ACFE estimates that over $100B is lost annually to expense reimbursement fraud.  Yes, Billion.  T&E Magazine also reports that 20% of companies say outright false expenses are commonplace.  So fraud is an enormous problem, and if you don’t think it’s affecting you right now, there’s a good chance you’re wrong.  Indeed, it’s quite possible you have no way of ever knowing.

What can be done about it?  There are as many schemes as there are expense reports, and there is no silver bullet to stop it all in its tracks.  But the most common schemes can be prevented by mandating common-sense expense policy in a way that is respectful of the employee’s privacy and not a waste of their time.  Namely:

  1. Import expenses straight from employees’ credit cards.
  2. One-purchase/one-expense.
  3. Discourage cash and capture receipts.

Taking each of these in turn:

1) Import expenses straight from employees’ credit cards.
The key to fighting fraud is tamperproof documentation: if the employee is ever in a position to manually enter expense amounts, the risk of mistake or “mistake” is just too high.  Accordingly, mandate purchases be done electronically, and then import those electronic purchases directly from the bank into your expense report system.  Expensify can import 94% of US credit cards, and offers IRS-ready, Expensify Guaranteed eReceipts in purely electronic form — without the hassle of easily-forged paper receipts.  Not only is it faster and more convenient for your employees to make purchases with a credit card, you get tamperproof documentation straight from the source.

2) One-purchase/one-expense.
Mandate that employees make a separate purchase for each item they intend to expense.  Combined with (1), it ensures each purchase has a separate, tamperproof eReceipt.  In particular: don’t bill meals to hotel rooms, don’t combine personal and business expenses into a single purchase, and basically don’t do anything that will need to be undone later.

(Though it seems convenient at the time to do this, it just passes the buck off until later: when filing the expense, they’ll need to manually separate them back out anyway, so that “convenience” actually just creates more work for everyone in the end.)

A one-purchase/one-expense policy saves the employee from needing to manually split expenses at the end of the trip, and helps ensure each purchase is separately documented in a tamperproof way.

3) Discourage cash and capture receipts.
Virtually everyone takes credit cards anymore, especially in the US.  Even taxis in most major cities take credit cards.  There’s almost no need to pay for anything on a typical business trip with cash, so cash purchases should be strongly discouraged and flagged for special attention in the approval process.

That said, in some rare occasions, cash can’t be avoided.  In these cases, require the employee to capture an image of the paper receipt at the time of purchase, so there is no opportunity for a key receipt to be “lost” prior to reimbursement.  It’s almost impossible to get a phone without a camera anymore; just have them take a picture of the receipt before putting it in their pocket.  The iPhone 3GS and Palm Pre have excellent cameras with auto-focus, and other phones often have “macro lens” attachments that enable good closeups (eg, the “Griffin Clarifi” case for the iPhone 3G).  Expensify also has an iPhone application (BlackBerry on the way!) to simplify this further.

These three rules are handy because they not only reduce opportunity for fraud, they’re actually the most convenient way for an employee to create expense reports.  It’s a true win/win situation: employers get better records, and employees create those records faster than they could have by hand.

To drive some of this home, let’s take a look at some of the most common forms of expense report fraud and show how these rules implicitly prevent it, without any extra work (and indeed less work) to any party:

  • Tip inflation. Write a small tip into the merchant copy of the receipt, and a large tip into the customer copy turned in for reimbursement.  Expensify Guaranteed eReceipts prevent this because they show the actual amount paid by the employee, not just what’s written on the receipt.
  • Taxis. Most taxis just give you a blank receipt at the end of the trip and it’s up to the employee to write in however much they spent. Paying by credit card produces a verified eReceipt.
  • Collusion. Where multiple employees share an expense (taxi, hotel room, internet, etc) but report it separately.  Again, paying by credit card and producing an eReceipt prevents this.
  • Duplication. It’s easy to copy a paper receipt and submit it in two separate expense reports.  Expensify only allows each expense (and corresponding eReceipt) to be added to a single report, implicitly preventing accidental or intentional expense duplication.
  • Forgery. I won’t go so far as to link to any, but a quick search turns up countless services for creating authentic-looking receipts for just about anything.  And what the services can’t do, Photoshop can.  Expensify Guaranteed eReceipts are verifiable — if there’s ever any doubt that the purchase is for real, we can trace it on command all the way back to the original electronic purchase recorded by the bank.

And so on.  Expensify helps you keep expenses in electronic form all the way from purchase to reimbursement.  Not only does this deter fraud and reduce error (which is equally important), it simplifies the lives of everyone involved.

Does this make sense, and do you agree?

- David Barrett (

You should follow us on Twitter at @expensify

I’ve never been hip to the latest social networks. Lurking within this astonishingly charming and modest exterior is a true introvert, so I’m as far outside the social networking target demographic as you can be. But one thing I do like is Expensify, and I want everybody to know it.

So when my buddy and trusted advisor Travis Kalanick suggested I start tweeting away my Expensiphilia (behold the birth of a new Googlenique word!) I was initially pretty skeptical: nobody follows me, because I never post there. And I’ve no interest in posting there because I don’t follow anybody else. The network effect cuts both ways, and it’s kept me out of one social network after the next.

But Travis is not to be underestimated, as he had a brilliant idea: find people complaining about expense reports on, and then tell them about Expensify with an @reply. It’s so obvious, that couldn’t actually work… or could it?

It does. In fact, it works incredibly well. My data is early, but I find over 90% of users given a link in an @reply will click on it. After that it’s up to the website to convert those links to users, but the @reply technique works incredibly well.

Which makes me wonder: *why* does it work that well? I mean, I know Expensify is awesome. And I know *I’m* awesome. But if I could convince everybody of that in 140 characters or less with >90% success rate… well let’s say I’d have done a lot more dating.

On top of this, it makes me think “OMG, this is going to be so horribly abused.” I’ll admit, I’m new to the Twitter scene. But if this keeps being as effective as it seems to be, this is going to catch on like wildfire — opening a floodgate of spam.

So with this in mind, let me toss out some ground rules on not only how to be effective with this technique, but how to be a good citizen:

  1. Keep it personal. Only send messages from real people, to real people. Leave the faceless boxes on Google and maintain the social foundation of Twitter.
  2. Keep it timely. A huge benefit of Twitter is you can go straight to the people who are experiencing the problem at that exact moment. Leave the huge backlog of past posters alone and stay focused on the present.
  3. Keep it relevant. The temptation is overwhelming to just blast this out to everybody. But resist that temptation and focus on the people who are actually calling out for your thing.

Basically, if you wouldn’t say it when standing next to them in line, don’t say it online.

So those are my thoughts on the matter. Granted, I’m a total newb here, so I could be way off. But I’m also trying to learn the ropes, so help me out. What do you think?

Update: I *knew* it was too good to be true. Turns out there’s a very good reason 100% of links posted to Twitter get clicked immediately: there are a host of bots that pounce on the link immediately! Ok, going to filter those guys out and see if that brings the data back into the sphere of reality.