When Selecting a Qualified MSP, Assume Nothing
Hiring a managed services provider shouldn't be a leap-of-faith decision-making process. Perhaps you have staff that could fulfill their responsibilities, but instead you entrust a key component of your IT infrastructure to another company.
You believe they can do the job better and more efficiently. However, is that belief proven to be justified?
This begs another question: who licenses or certifies a managed service provider?
The topic came onto our radar thanks to a handful of companies claiming SAS 70 certification. The SAS 70 standard was developed by the American Institute of Certified Public Accountants (AICPA) to govern service organizations. (SAS stands for statement of auditing standards; see the AICPA page relating to auditing standards for more information.)
Certification's Real Meaning
You may assume that a managed service provider claiming SAS 70 certification has submitted itself to rigorous tests relating to its internal processes. However, according to Judith Sherinsky, technical manager of audit and attest standards at the AICPA: "There is no such thing as SAS 70 certification."
Sherinsky says that undergoing a SAS 70 audit only results in what she calls a "restricted use report," one intended to help auditors at the customer determine the reliability of transaction processing at the managed service provider.
For such a report to be useful to a customer, it must have meaningful context. "If the service provider organization provides several services, the report is useless if it doesn't cover the services the customer is interested in," she says.
Let's be clear: any MSP willing to undergo an audit is good for the industry, and helpful for the buyer. I'm merely highlighting the need for due diligence.
We'll return to this topic, both to keep you updated on what we learn about other standards and certifications (for instance, the ISO/IEC 20000 standard for service providers, and the MSPAlliance Accreditation program).
Attestation vs. Certification
In fact, Sherinsky suggests that customers of managed service providers check out the AICPA's attestation standards. These encompass a review of engagements that are the responsibility of "another party," that is, a service provider. An attestation report covers the processes between two parties, while an SAS 70 report covers processes internal to a service provider.
When your service provider claims certification under certain standards, don't take them at face value. Ask them exactly what it means, and how it's relevant to your relationship.
Any "seal of approval" is only of value in the procurement process when you have a sense of how stringent the benchmark requirements are, and whether they apply to your specific needs.