MSPs: Don’t be over audited
Written by: Charles Weaver, co-founder of MSPAlliance
There are more standards, laws, regulations, and frameworks impacting MSPs today than at any previous time in our history. Around the globe, governments, regulators, and industry groups are paying more attention to data privacy, and security, including the role outsourced IT providers (MSPs) have.
More MSPs are beginning to chase the compliance tail, and it needs to stop. Here are some effective techniques to deal with compliance headaches facing MSPs today, and how to avoid getting over audited.
Know Your Controls
Anyone who has been through an MSP Verify, SOC 2, or similar audit project, understands what controls are. Controls govern how an MSP organization operates. The first step in not being over-audited is having a good handle on your MSP organization’s controls. That means knowing what they are, having them documented, and, most importantly, reviewing them regularly to ensure they are current and effective towards your company’s goals.
Understand your Client Control Frameworks
Any worthy MSP understands how their clients operate their businesses, especially when it comes to regulatory requirements. For example, MSPs working within the healthcare sector in the United States know what HIPAA is and how important it is to clients.
Similarly, MSPs need to understand how those frameworks impact the controls affected by the MSP. If a client, regulated by HIPAA, has to demonstrate compliance related to patient and other medical information, the MSP is also implicated in those controls and must demonstrate compliance with those controls.
Avoid “Check the box” Relationships
This is, perhaps, the most crucial guidance we can offer when it comes to avoiding over-auditing. Clients will often attempt a “check the box” compliance model. Compliance “check the box” is when clients try to perform cursory reviews of an MSP to “check the box” related to a certain compliance or control framework important to them.
Often, clients not familiar or experts in control frameworks will ask vague questions such as “are you HIPAA compliant.” This is a tricky question as HIPAA is a US Federal regulation and not a control framework. Moreover, there is no HIPAA certification; you are compliant with that law, or you are not.
MSPs need to determine what the client is looking for and respond quickly. Sometimes, the response will be, “no, I’m not certified here, but we do meet those controls that you said matter most to you.” Certification in a particular area does not always guarantee compliance.
PCI is another area where MSPs are dragged into debates about whether they need to have a full-blown PCI audit when the MSP does not handle any credit card information. In many cases, merely completing the self-assessment PCI form is sufficient to demonstrate compliance with a particular family of controls.
As these control frameworks continue to expand, MSPs need to be responsive to their client compliance requests, but not to indulge wild and ultimately costly audit projects which subject the MSPs to needless examination.