How to Vet Your Outsourced IT Services

In the new age of software as a service and cloud computing, companies often rely on vendors, third-party support, contractors, consultants, and other outsourced solutions. Whether it’s e-mail service, a customer relationship management service, or document and data storage, your business is dependent on these outside vendors to do their job so you can do yours. You don’t just have a vendor relationship with these kinds of service providers, you’re partners with them and their failure can lead to your failure.

Before introducing a new technology resource, product, or service, the internal controls, maintenance of, and/or financial condition of the third-party vendor need to be carefully evaluated. You also need to carefully review each vendor’s competence when it comes to outsourced work. In other words, to protect your business you have to do your due diligence on these service providers. It really comes down to risk management.

Here’s what you need to consider when vetting these third parties.

• Technical and industry expertise: Does the provider have supporting technology for the current and anticipated needs of your company? It’s important to identify areas where your company would have to supplement the service provider’s expertise to fully manage risk. One of the areas often overlooked is how your service provider may use additional third parties to support your company’s outsourced operations. Also find out what the vendor’s ability to respond to problems is and what plan is in place to take care of service disruptions. Be sure to contact references and user groups to learn about the reputation and performance of the vendor.
• Operation and controls: Does your vendor properly care for your data? You’ll need to determine adequacy of standards, policies, and procedures relating to internal controls, facilities management, security, privacy protections, maintenance of records, business resumption contingency planning, and systems development and maintenance. Also ask if a vendor does employee background checks. On the computer security side, determine if sufficient security precautions are in place where appropriate (i.e. firewalls, encryption, and customer identity authentication systems).
• Financial condition: Analyze a service provider’s most recent audited financial statements and annual report in addition to other indicators, if available. It’s generally a good idea to check out its Data Universal Numbering System (DUNS) ratings and reports too. Consider factors such as how long a vendor has been in business and its market share for a given service and how it’s fluctuated. Generally speaking, it’s not good to select a startup or unprofitable company to provide an essential service. The company could disappear. Keep an eye out for news on the Internet that may have to do with your vendor. A great way of doing this is to create a Google account and set up Google Alerts on the company name. Google will periodically send you reports with new information about your vendor that appears on the Internet.
• SAS 70: The single most useful document that you can get from a vendor is a Statement on Auditing Standards Number 70 report. The SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants. A report done by an independent auditor following this standard is widely recognized because it represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over IT processes. Getting this document from a vendor will dramatically simplify your due diligence process.

Having a robust vetting procedure in place for your outside IT vendors can lower the risk that your company takes by outsourcing these functions and services.

John C. Shovic is a partner at MiloCreek Consulting in Coeur d’Alene, Idaho.