One of the biggest misconception or myths MSPs have about certifications and audits is that if the MSP does not host the data, there is no need to examine the MSP.
This is false!
MSPs have remote access to a lot of information belonging to clients. Regardless of where the data and systems are hosted, the MSPs still control those systems. This is why the question comes up.