Is Your Outsourcing Provider a Partner or a Vendor?

By Mike Scheuerman

(Back to article)

Today many organizations are considering whether to keep IT functions internal or outsource them to a third party. There a number of factors that need to be considered when choosing a service provider. (Or, if you already have one, you can still evaluate their role in your organization using these guidelines.)

First and foremost this question needs to be asked: Do you want a partner or a vendor? This one's tough to answer because, in the strictest sense, it is always a vendor relationship. Sometimes it takes time to grow a vendor relationship into a partnership. You can get a sense of how a service vendor interacts with their clients by talking to some of their reference clients. The questions that you should ask are:

1.    Does this vendor work with you to develop a strategy for the success of your organization?

2.    Does the vendor have established processes for reviewing and upgrading the services provided?

3.    Is the service process flexible enough to provide for special needs that your organization may have or does it just offer a menu of services with no provision for unique requirements?

4.    Does the vendor provide a service level that matches your organization’s internal service level commitments?

5.    Is there a written service level agreement (SLA)? The SLA should address regular communications on a proactive basis. Simply reacting is not good enough anymore.

6.    Is the vendor committed to maintaining certifications that ensure that you and your organization comply with the various regulatory bodies’ requirements? For example do they support your Sarbanes-Oxley requirements?


When you review the qualifications of a vendor you need to consider what, if any, certifications are needed for your industry as well as general certifications that cross industry lines. For most companies there are two important certifications that are required.

Particularly important for public companies is the SAS-70 audit because it is the foundation for Sarbanes-Oxley regulations. In addition many service vendors are coming to realize that the Information Technology Infrastructure Library (ITIL) is a way to provide consistently superior service to their clients. Although there is currently no "ITIL compliant" certification for organizations, those that have implemented ITIL processes may be able to achieve compliance with and seek certification under ISO/IEC 20000, the international standard for IT Service Management.


SAS-70 sets out the detailed guidelines and the standards of reporting on the effectiveness and adequacy of internal control procedures and activities by the service organization. SAS-70 requires an independent auditor or auditing firm to examine the implemented controls in a service organization and report on the effectiveness and adequacy of the control activities, procedures and objectives in place in the service organization. The SAS-70 audit report includes the auditor’s opinion on the effectiveness of the controls in use as practiced in the organization under audit.

There are two different types of SAS-70 reports. The first type, commonly referred to as Type I, includes an opinion written by the service auditor. Type I reports describe the degree to which the service organization fairly represents its services in regard to controls that have been implemented.

Type II reports are similar to Type I, however an additional section is added. Type II reports are more complete, because the auditor gives an opinion on how effective the controls operated during the defined period of the review. Type I only lists the controls, but Type II tests the efficacy of these controls to reasonably assure that they are working correctly.


ITIL is published in a series of books published by the U.K.'s Office of Government Commerce, each of which cover a wide range of IT management topics. ITIL gives a detailed description of the best practices of a number of important IT processes with comprehensive checklists, tasks and procedures that can be tailored to any IT organization.

ITIL is in its third revision now after its initial development in the late 1980’s. ITIL v3, published in May 2007, is comprised of 5 key volumes:

1.    Service Strategy

2.    Service Design

3.    Service Transition

4.    Service Operation

5.    Continual Service Improvement

While ITIL covers a wide range of topics on IT service management, the most widely used portion of the library is the Service Management set. The service management set covers topics such as service desk operation, incident management, software asset management, change management and service level management. All of these are important areas that, if implemented properly, can provide a much more stable and secure technology environment.

In short, any service vendor that is committed to providing ITIL training and process development will most likely be focused on providing a superior level of service to you and your organization.


Finding a service partner that fits your organization’s needs is challenging. Talking to their current clients will give you a sense of how well the vendors works with others and how they might fit your organization. Looking at their certifications and commitments to providing excellent service will tell you whether they have clear understanding of what it takes to be a true partner for you and your organization.

Mike Scheuerman is an independent consultant with more than 25 years experience in strategic business planning and implementation. His experience from the computer room to the boardroom provides a broad spectrum view of how technology can be integrated with and contributes significantly to business strategy. Mike can be reached at mike@scheuerman.org.