Using an application service provider, also known as software as a service or, the latest buzzword, cloud computing, for critical business functions can reduce cost and the technical expertise needed to support your business. But if your company is going to trust important functions to an outside entity, a significant amount of due diligence should be performed.
An ASP can provide common business applications to your company online and on demand. This type of outsourcing (of e-mail, customer relationship management software, payroll, and the like), usually accessed from a Web browser, will continue to expand as the Internet becomes more reliable and pervasive.
Making Sure It’s Secure
Your business buys electricity and water from an outside provider. By and large, it’s not a concern that the power company won’t be supplying electricity to you tomorrow. However, will that ASP supplying your e-mail be in business tomorrow? Will the ASP continue to support your workflow in the future? Will it expose your customer information and business secrets?
The single most important document to ask for from an ASP vendor is an SAS 70 report. SAS 70 stands for Statement on Auditing Standards No. 70. Specifically, SAS 70 is a report on the processing of transactions by service organizations, in which a service auditor (such as an accounting firm) audits and assesses the internal controls of the service organization. A properly completed SAS 70 will provide answers to most questions. The fact that an ASP vendor has a SAS 70 makes the vendor more credible, but read the report rather than merely confirming it exists: it covers only the controls the service organization chose to include, and any exceptions the auditor notes are where your risk lies.
Your company’s regulatory environment needs to be considered. If you are a financial organization handling personal and financial customer information, the Gramm-Leach-Bliley Act has numerous requirements regarding protection of customer data. If you are involved in the health care industry, the Health Insurance Portability and Accountability Act governs the protection of customer information.
With this in mind, there are three major areas to consider when selecting an ASP vendor. If you are in a heavily regulated industry (such as health care or finance), you are required to evaluate all of the following criteria when selecting an outside vendor.
Technical and Industry Expertise
- Assess experience and ability to provide the necessary services and supporting technology for current and anticipated needs.
- Identify areas where your company would have to supplement the service provider’s expertise to fully manage risk.
- Evaluate the use of third parties or partners in outsourced operations.
- Evaluate the experience in providing services in the anticipated operating environment.
Operations and Controls
- Determine adequacy of standards, policies, and procedures relating to internal controls, facilities management, security, privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance, and employee background checks.
- Determine whether sufficient security precautions are in place where appropriate (e.g., firewalls, encryption, and customer identity authentication systems) to protect your company resources and to detect and respond to intrusions.
- Evaluate whether your company will have complete and timely access to its information.
- Assess the adequacy of insurance coverage including fidelity, fire, liability, data losses from errors and omissions, and protection of information in transit.
- Analyze the most recent audited financial statements and annual report in addition to other indicators, if available.
- Consider factors such as length of time in business and the service provider’s market share for a given service and how it has fluctuated.
Outsourcing a critical business function to an ASP is a big decision. These companies do cancel products, change offerings and pricing, and go out of business. Paying attention to the previous criteria when selecting a vendor can reduce the risk to your business.
John C. Shovic is a partner in Coeur d’Alene, Idaho–based MiloCreek Consulting.