In the not-so-distant past, most organizations operated out of physical offices and few, if any, employees worked remotely. Permanent, in-house, staff was mostly the norm, with outside consultants delivering specific support in project-based areas. Since COVID-19, that model has changed. The growth of managed service providers (MSPs) in the pandemic’s wake is only just beginning.
MSPs, which are entirely separate organizations, deliver ongoing support in areas like IT infrastructure, cybersecurity, and client accounting services (CAS). These are not one-off projects, but rather active engagements with regular involvement to help businesses run smoother, better, and more securely. As an example, COVID-19 triggered immediate adoption of automation and virtual workflows – areas where MSPs tend to add the greatest value. As a result, over the next seven years, the MSP market is expected to grow exponentially.
When it comes to choosing the right MSP partner, there are 10 key considerations the leadership team should thoughtfully consider to make sure the decision to work with and select a third-party MSP vendor will best support the organization’s current needs, future goals, and overall security and compliance requirements.
Why Work with a Managed Service Provider?
During the next 18 months, it’s expected that more than 45 percent of global organizations will utilize MSPs. Now that most organizations are operating in a hybrid work structure, they are more reliant on Internet infrastructure and data security than ever before. There are areas that an internal IT team simply cannot keep pace with – machine learning, automation, artificial intelligence, and enhanced cyber controls, to name a few. MSPs can step in, implement best-in-class cyber solutions, improve efficiencies, and better protect an organization’s data while the internal IT team remains focused on overseeing daily maintenance and user support activities.
On the accounting side, a remote workforce and expanded geographical service footprint mean more complicated tax and bookkeeping requirements. What many organizations may not realize is that they could be responsible for withholding and remitting payroll tax based on where the employee is working – not where the office is. This in turn creates more compliance in different jurisdictions, and usually is an issue that most organizations haven’t dealt with much before.
Selling goods and services across state lines now often results in economic nexus, a byproduct of the 2018 Wayfair ruling. Even within the same state, different counties and municipalities tend to have different tax rates. For these reasons, working with an MSP that can stay on top of different tax and bookkeeping compliance rules can drastically reduce errors, save time, and improve existing workflows.
Top 10 Considerations for Choosing a Managed Service Provider
Think of hiring an MSP like a job interview, except the role being offered is to an entire organization, not an individual. Some MSPs can take on more than one area – for example, cybersecurity and outsourced accounting – while others excel in one field. To that end, it’s helpful to evaluate MSPs against the following ten areas.
1. Industry Expertise and Experience
A construction organization wants an MSP familiar with the construction industry. A nonprofit organization wants an MSP knowledgeable about nonprofits. Look for examples of past engagements, current or former clients, success stories, and familiarity with the industry. Contacting current client references on similar engagements to the services you are seeking is another good gauge of client service and specific industry experience. Organizations should also ask about certifications and additional training, both at the organization-level and within the engagement team.
COVID-19 imparted many hard-learned lessons, and contract flexibility was one of them. If circumstances change, make sure the contract can adjust, too. Understand how the service fee may change if the organization experiences significant growth in a certain area, or sales contract, what happens with the ongoing engagement. Agreeing to a strict, rigid contract is probably not beneficial for either party.
3. Scale for Growth
If a businesses’ needs change and significant growth happens, can the MSP scale its services as well? A change in approach and service delivery will be needed as any organization grows; the MSP should be willing and able to grow, too.
4. Engagement Team Structure and Experience
Getting to know the individual team members who will be the main point(s) of contact is critical. In addition to getting along personally, these individuals must be able to give the organization the attention it needs. They should also be well-versed in the industry and experienced enough to handle the engagement.
5. Additional Services
Although MSPs should provide an overview of their entire suite of services, they may not readily offer up other ways they can help; and often, organizations may not even think to ask. It’s important to understand what else they offer in case it would be helpful down the road to add cybersecurity to IT infrastructure, or outsourced CFO to back-office accounting, as examples.
6. Crisis Action Plan
What if the worst happens – there’s a data breach, an IRS audit, identity theft, fraud, or any other unfortunate circumstance? Organizations shouldn’t hear ‘that will never happen’ from their MSP; instead, they should hear the crisis management plan and how the MSP will step up to deal with it for your specific organization. In fact, wording should be included in contract language specifying who is at fault in the event of a breach to ensure the blame game does not occur. Additionally, organizations should confirm that the MSP has their own cybersecurity insurance policy to mitigate risk, and if they don’t that the organization has considered this risk and determined whether your policy provides sufficient coverage.
7. SOC 2 Compliance
MSPs are sought out to help organizations create and maintain a strong security posture – they should not bring more risk to the environment. When engaging with an MSP, your leaders want to know how secure the MSPs organization really is. The MSP should be able to share an updated SOC 2 Type II report and bridge letter or undergo a SOC 2 audit before engaging with their services.
A SOC 2 audit is an important tool to validate the internal controls established by the MSP. It is a framework built on a set of five pillars, which are collectively referred to as Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The first three criteria attest to the MSP’s security and reliability. The other two speak to the integrity of the MSP’s security processes when managing customer data and cloud security.
Since cybersecurity should be on everyone’s radar, this is an important must-have not only during on-boarding but to review on an annual basis with the MSP.
8. Service-level Agreements and Benchmarks
Ask about metrics, benchmarks, and scope. Understand the details of the engagement, like who’s responsible for what, key definitions, expected response time, and how potential issues will be resolved. Specific service-level agreement (SLA) thresholds should be clearly defined within the contract and should be reviewed by your leadership team to ensure the response thresholds meet your requirements, within a focus on minimal impact to your organization and customer experience. A review should be implemented, at least annually, to confirm the MSA is meeting all defined SLA agreements as defined within the contract language agreed upon.
9. Strategic Planning Considerations
This consideration deals with onboarding and forward thinking. Ensure the MSP has thought through the engagement with respect to changing industry standards and long-term planning. Know how the communication process will work, whether there will be quarterly reports or other timely updates, and that the MSP will proactively look for additional solutions and insights. Having a defined status report deliverable on a quarterly or annual basis is key to ensure the organization has the most up-to-date information to make key strategic planning decisions that align with the organization’s business plan.
10. Metrics of Success
Finally, understand and agree on what success looks like. Whatever the ROI is and however long it takes to get there, it’s important to be on the same page with the MSP.
As more businesses are utilizing outsourced cybersecurity and client accounting services, understanding how a managed service provider fits into the big picture is important. Ultimately, choosing the right MSP comes down to cultural and personal fit as well as technical skills, aptitude, and emphasis on security. Look a little deeper with these questions as a guide, and it will be easier to identify a long-term MSP partner to change and grow with your organization.
Contact your PBMares advisor in Cybersecurity & Control Risk or Client Accounting Services for more information.