As clients migrate more and more mission-critical applications to the cloud, there are questions that CPA firms should ask before pulling the trigger with a vendor. Keep in mind that just because the applications, data and hardware are no longer located onsite does not necessarily mean that you are better off. Doing some up-front homework and asking the right questions will help ensure a more successful selection of a vendor in this space.
There is no magic associated with migrating to the cloud. All too often I witness a recurring scenario: a CPA firm or client evaluates a limited number of vendors in the cloud-computing space and then, without doing the proper homework, migrates a substantial amount of mission-critical applications and data to that platform.
Selecting a vendor with a cloud offering is no different from selecting a vendor with an in-house solution. However, given the cloud platform, there are very different questions that should be asked of that vendor before making the final decision.
Ten Questions You Should Ask a Cloud Service Provider
Here are some of the top questions that I would recommend asking before making your final decision (in no specific order, as order of importance will vary depending on the type of data and application deployed):
Where will my data be stored?
I know that this may sound simple, but believe it or not, the answer varies tremendously from one vendor to another. Depending on the vendor’s financial resources and infrastructure design, your data could “virtually” be anyplace. If your vendor is located in New York City, your data could be anywhere from New York City to Beijing, points in between, or even spread over multiple locations and continents. Where the data physically sits determines which jurisdictions’ laws apply to it and who can compel access to it, so get the locations in writing rather than accepting a general assurance.
What type of security and controls are in place to protect confidential and sensitive client data?
Don’t assume that just because the vendor is in the cloud your client data will be more secure offsite than onsite. Do your homework. If practical, insist on paying a visit to the vendor’s data storage facility. Get a first-hand view of the physical conditions and controls in place surrounding servers and networking equipment. Simple things, like who can enter the physical data storage facility, are an indicator of the high-level controls the vendor may or may not have in place. Then ask questions concerning the non-visible controls. Ask about SAS 70 or other reports the vendor may have available for inspection that demonstrate third-party, independent evaluations of the controls and safeguards in place. A report is only as useful as its scope: confirm that it covers the specific facility and service you will be using, and read which controls were actually tested and whether any exceptions were noted, rather than treating the report’s existence as assurance. For more information on SAS 70, view SAS 70 Transformed.
What type of redundancy does the vendor have in place?
Redundancy issues for the cloud platform are just as important as they are under the in-house model. The inability to access your mission-critical data stored on a vendor site can cause a significant disruption to your business. Ask specific questions concerning redundancy and what happens in the event the vendor loses Internet connectivity on its primary pipeline. Ask the vendor about its “up-time” as opposed to its “down-time,” and ask for that figure as a written commitment in the agreement rather than a sales claim. Follow up with references from other users of that specific vendor solution. Also, ask specifically about vendor maintenance windows. Vendors that do maintenance on weekends between February and April could cause a significant problem for almost every firm in our industry.
What is the vendor’s data retention policy?
Although often overlooked, knowing a vendor’s data retention policy is extremely important. Every attempt should be made to align the vendor’s retention policy with the retention policy of the firm. Having years of historical data in existence that exceeds the parameters of the firm’s data retention policy can work against the firm in the event of litigation. Ask, too, how the vendor deletes data once the retention period ends, including copies held in backups.
Who will have ownership of that data?
Don’t assume that just because you had ownership of your data while it was stored internally, you will have ownership once it is stored in the cloud. Don’t settle for anything less than full ownership and rights to that data. In addition, ensure that your agreement with the vendor does not provide for any third-party access to or mining of such data.
In what type of format will my data be stored?
Often overlooked as well, many CPA firms wrongly assume that migration from one cloud vendor to another is an easy and smooth process. Many vendors, without the client’s knowledge, convert once-readable data to proprietary formats to work with their applications. Getting that data back in a usable format can sometimes be a challenge. I would recommend requesting either frequent backups in a common readable format (Excel, Word, text, PDF, etc.) or, at a minimum, access to data archives in such a format. Test the export before you sign, not after you need it.
What happens in the event of data loss or corruption?
Ask about the vendor’s past history with data integrity and corruption issues. It can be a pretty embarrassing situation if you somehow have another firm’s client data commingled with yours. Corruption may happen, but what may be more important is how quickly the vendor detects and reacts to correct such irregularities, and whether the agreement obligates the vendor to notify you when it does.
What happens in the event of loss of data? Who is responsible?
Another often overlooked area is insurance coverage. I would recommend revisiting your current coverage once you move your data to the cloud platform. Most firms have found that existing policies only cover data stored under the direct control of the firm. If your policy is silent on this point, ask your insurance carrier. Your service provider may also offer you coverage under its own policy, which could help minimize your cyber-risk in this space. In addition, insurance companies that cover the CPA industry have been introducing coverage protecting the firm in the event of a data breach, and I have also seen policies with provisions that reimburse the firm for public relations and/or damage-control expenditures following such a breach. This is definitely an area that should be investigated when migrating to the cloud.
What if you end up in a fee dispute or disagreement with the vendor?
Generally speaking, the service agreement and its Service Level Agreement (commonly referred to as the SLA) will drive the answer to this question. If at any point it makes sense to get legal counsel involved, this is it. Before finalizing the agreement, engage an attorney who actively practices in this space to review it and make recommendations. Pay particular attention to what happens to your data and your access to it while a dispute is unresolved. Spending the extra time and effort up front can save a significant amount of time and uncertainty if a fee dispute or disagreement arises during your vendor relationship.
How financially stable is the vendor and who or what is behind their primary funding source?
Would it bother you if you found out that a competing CPA firm in your marketplace actually owns the cloud vendor you are considering? Would you be concerned if the vendor has been struggling financially and is having difficulty securing capital to fund expansion? Ask these and other questions and do the same due diligence you would do when considering any other vendor that is going to play a critical role in your business. Know your business partner!
Although in no specific order, and definitely not limited to ten, this list is simply meant to assist your firm in making the initial transition to the cloud model. If you have already migrated some mission-critical applications to the cloud and now see some potential holes in your understanding, there is no better time than the present to close that exposure.
James C. Bourke, CPA.CITP.CFF, is a partner at WithumSmith+Brown, where he is director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and as Chair of the AICPA CITP Credential Committee. He has been named by Accounting Today as one of the Top 100 Most Influential People in the Profession.