The Outsourcing Continuum, Part VIII: Certificates

Now that you’ve decided that outsourcing is an option that you want to pursue, you’ll need to find a service provider that will meet your companies needs. There a number of factors that need to be considered when choosing a service provider.

First and foremost, the question needs to be asked: Do you want a partner or a vendor? This question is tough to answer, because in the strictest sense, it is always a vendor relationship. Sometimes it takes time to grow a vendor relationship into a partnership. You can get a sense of how a service vendor interacts with their clients by talking to some of their reference clients. Questions that you should ask are:

• Does this vendor work with you to develop a strategy for the success of your organization?
• Does the vendor have established processes for reviewing and upgrading the services provided?
• Is the service process flexible enough to provide for special needs that your organization may have or does it just offer a menu of services with no provision for unique requirements?
• Does the vendor provide a service level that matches your organization’s internal service level commitments?
• Is there a written service level agreement (SLA)? The SLA should address regular communications on a proactive basis. Simply reacting is not good enough anymore.
• Is the vendor committed to maintaining certifications that ensure that you and your organization comply with the various regulatory bodies’ requirements and that your data is held securely? For example, do they support your Sarbanes-Oxley requirements?

Since I have addressed many on the other questions in previous articles, today I am going to focus on which certifications you should keep in mind when hiring a partner and why.

Certifications

When you review the qualifications of a service provider you need to consider what, if any, certifications are needed for your industry as well as general certifications that cross industry lines. For most companies two important certifications are required. Particularly important for public companies is the SAS-70 audit because it is one of the foundations for Sarbanes-Oxley regulations. In addition, many service vendors are coming to realize that the information technology infrastructure library (ITIL) is a way to provide consistently superior service to their clients. Although there is currently no ITIL compliant certification for organizations, those that have implemented ITIL processes may be able to achieve compliance with and seek certification under ISO/IEC 20000, the international standard for IT service management.

If you happen to be in a business that accepts or handles credit card information, you will want to know that your service provider complies with the payment card industry data security standard (PCI DSS). This standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

SAS-70

SAS-70 sets out the detailed guidelines and the standards of reporting on the effectiveness and adequacy of internal control procedures and activities by the service organization. SAS-70 requires an independent auditor or auditing firm to examine the implemented controls in a service organization and report on the effectiveness and adequacy of the control activities, procedures and objectives in place in the service organization. The SAS-70 audit report includes the auditor’s opinion on the effectiveness of the controls in use as practiced in the organization under audit.

There are two different types of SAS-70 reports. The first type, commonly referred to as Type I, includes an opinion written by the service auditor. Type I reports describe the degree to which the service organization fairly represents its services in regard to controls that have been implemented.