Skip to main content

When Selecting a Qualified MSP, Assume Nothing


Hiring a managed services provider shouldn't be a leap-of-faith decision-making process. Perhaps you have staff that could fulfill their responsibilities, but instead you entrust a key component of your IT infrastructure to another company.

You believe they can do the job better and more efficiently. However, is that belief proven to be justified?

This begs another question: who licenses or certifies a managed service provider?

The topic came onto our radar thanks to a handful of companies claiming SAS 70 certification. The SAS 70 standard was developed by the American Institute of Certified Public Accountants (AICPA) to govern service organizations. (SAS stands for statement of auditing standards; see the AICPA page relating to auditing standards for more information.)

Certification's Real Meaning
You may assume that a managed service provider claiming SAS 70 certification has submitted itself to rigorous tests relating to its internal processes. However, according to Judith Sherinsky, technical manager of audit and attest standards at the AICPA: "There is no such thing as SAS 70 certification."

Sherinsky says that undergoing a SAS 70 audit only results in what she calls a "restricted use report," one intended to help auditors at the customer determine the reliability of transaction processing at the managed service provider.

For such a report to be useful to a customer, it must have meaningful context. "If the service provider organization provides several services, the report is useless if it doesn't cover the services the customer is interested in," she says.

Let's be clear: any MSP willing to undergo an audit is good for the industry, and helpful for the buyer. I'm merely highlighting the need for due diligence.

We'll return to this topic, both to keep you updated on what we learn about other standards and certifications (for instance, the ISO/IEC 20000 standard for service providers, and the MSPAlliance Accreditation program).

Attestation vs. Certification
In fact, Sherinsky suggests that customers of managed service providers check out the AICPA's attestation standards. These encompass a review of engagements that are the responsibility of "another party," that is, a service provider. An attestation report covers the processes between two parties, while an SAS 70 report covers processes internal to a service provider.

When your service provider claims certification under certain standards, don't take them at face value. Ask them exactly what it means, and how it's relevant to your relationship.

Any "seal of approval" is only of value in the procurement process when you have a sense of how stringent the benchmark requirements are, and whether they apply to your specific needs.

Popular posts from this blog

How AI Consulting Enables Business Transformation

Business technology investment continues to evolve. During the last decade, I've had a front-row seat to the meteoric global rise of Artificial Intelligence (AI) and its transformative impact across industries. The AI Consulting professional services market has emerged as a critical enabler of this transformation revolution, helping organizations navigate the complexities of AI adoption and implementation. The global AI consulting market is experiencing ongoing growth, with forecasts indicating it will reach $72.5 billion by 2025. This remarkable expansion is fueled by a compound annual growth rate (CAGR) of 40.3 percent from 2020 to 2027, highlighting the insatiable appetite for broad AI expertise and proven experience. The AI Consulting Market Analysis One of the most striking statistics is that over 80 percent of AI consulting firms report increased demand for their professional services in the past year. This surge in demand is not limited to a single sector but spans across va