A CPA firm in San Jose signs a managed IT services agreement in January. By April, they’re six weeks into a regulatory audit and discover their provider can’t produce a complete log of who accessed client files. The contract never required it. The sales call never mentioned it.

This happens more than it should. Here’s how to make sure it doesn’t happen to you.

The Problem: Most MSP Evaluations Miss What Actually Matters

Most professional services firms evaluate IT providers the same way they’d shop for office supplies: get three quotes, pick the one that sounds credible and costs less, sign the contract.

That works fine when stakes are low. It falls apart when you’re handling sensitive client data under GLBA, attorney-client privileged communications, or tax return data governed by IRS Publication 4557.

The issue isn’t bad decision-making. It’s that firms are looking at the wrong things. A provider’s price sheet won’t tell you how they’ll respond when a phishing attack hits your office at 6 p.m. on Friday. Their website won’t explain whether they’ll notify you of a breach within the window your state legally requires.

Generic MSPs—the ones serving restaurants, retail shops, and construction companies—built their operations around those clients’ needs. They’re not bad at what they do. They’re just not built for the regulatory exposure, confidentiality obligations, and liability risks that come with your work.

By the time you realize the mismatch, you’ve already signed a multi-year contract.

Why This Matters for Your Firm

Your IT vendor isn’t just a tech supplier. They’re a third party who touches client data—which means you may be legally required to oversee them, document the relationship, and verify their security controls.

GLBA’s Safeguards Rule (updated in 2023) covers most CPA firms and financial advisors. It requires written agreements with service providers and verification of their security practices. The FTC has been aggressive about enforcement, and state attorneys general are following suit.

Law firms face professional responsibility obligations under state bar Rules of Professional Conduct. The ABA Model Rules now explicitly require competence in technology and protection of client confidentiality. Your IT provider is part of how you meet those rules.

The financial hit from a breach is real. A 15-person firm can easily face hundreds of thousands in notification costs, regulatory fines, client remediation, and reputation damage. Your IT provider’s security posture either reduces that risk or creates it.

The evaluation you do before signing determines which one it becomes.

How to Evaluate an MSP: A Practical Framework

Start With Fit, Not Features

Before comparing pricing, confirm the provider actually serves firms like yours. Ask directly:

  • “What percentage of your current clients are professional services firms—CPA, legal, or financial advisory?”
  • “Can you name two or three clients in our industry we can speak with?”
  • “Have you supported a firm through a regulatory audit or data breach notification? What did you do?”

Vague answers or a pivot to generic case studies means they don’t have relevant experience. A provider with actual work in your space will answer without hesitation.

Read the Contract Before You Fall for the Pitch

Four contract terms that firms routinely skip over:

Data ownership. Who owns your data if you leave? The contract should state clearly that your firm retains full ownership at all times, with no conditions attached.

Sub-processor disclosure. Does your MSP use third-party vendors—backup providers, security tools, offshore support teams? You need to know who they are and have the right to object. This matters under GLBA and most state privacy laws.

Incident notification timelines. If there’s a breach, how quickly do they notify you? “As soon as practical” is worthless. You need a specific window—24 or 48 hours is standard—because your own regulatory deadlines are fixed.

Termination and data return. What happens to your data when the contract ends? Make sure the provider will deliver a complete, usable export within a defined period and will certify deletion of your data afterward.

Assess Their Actual Security Practices

Marketing claims don’t mean anything. Here’s what does:

  • SOC 2 Type II report. Ask for it. A SOC 2 Type II is an independent audit of a provider’s security controls over a defined period—not just a snapshot at one moment in time. If they don’t have one, ask why.
  • Background check policy. Anyone accessing your systems or client data should have passed a background check. Get the policy in writing.
  • How they vet their own vendors. A provider with solid security practices can describe their third-party risk management without being asked.

Use a Weighted Scorecard

A non-technical administrator can lead this evaluation. Build a simple spreadsheet with criteria and weights:

Criteria                                                       Weight
Experience with regulated professional services firms            20%
Contract terms (data ownership, notification, termination)       20%
Verified security practices (SOC 2, policies)                    20%
Response time SLAs (specific, measurable, with penalties)        15%
Reference quality (same industry, similar size)                  15%
Transparency about tools and sub-processors                      10%

Score each finalist 1-5 on each criterion, multiply by weight, and compare. The math won’t decide for you, but it forces an honest comparison beyond “they seemed knowledgeable.”

What to Look for in an IT Partner

A few specific things worth pushing on during evaluation:

SLAs need real teeth. An SLA that says “best effort” or has no consequences for missed targets is a promise with no enforcement. Ask: “What happens if you miss your response time? Is there an automatic credit?”

Ask about their onboarding process. How long does it take to move your firm over? Is there a parallel support period where both systems run together? A provider that’s done this many times has a documented process. One that hasn’t will give you a vague estimate.

Get reference calls, not testimonials. Testimonials are marketing material. A 15-minute conversation with a managing partner at a similar firm is real. If a provider won’t connect you with industry references, that answer is telling.

Ask who answers the phone at 8 p.m. Is there 24/7 support? Where is it? What’s the escalation path for a security incident? These details matter when something goes wrong.

The Bottom Line

Picking an MSP based on price and a good sales presentation is how firms end up in contract disputes, compliance gaps, and vendor lock-in. The evaluation framework here—fit, contract terms, verified security practices, and a weighted scorecard—takes a few extra hours upfront and can save your firm from an expensive discovery later. Do it before you sign.


Frequently Asked Questions

What questions should I ask an MSP before signing a contract?

Ask about their experience with regulated professional services firms and request references from similar clients. Request a copy of their SOC 2 report. Review the contract carefully for data ownership language, sub-processor disclosure, incident notification timelines, and what happens to your data at termination. The sales presentation alone is never enough.

What is a SOC 2 report and why does it matter for choosing an IT provider?

A SOC 2 (System and Organization Controls 2) report is an independent audit of a service provider’s security, availability, and confidentiality controls. A Type II report covers a period of time—typically six to twelve months—which is far more meaningful than a Type I snapshot. For firms handling regulated client data, a SOC 2 Type II report is one of the most reliable ways to verify a provider’s actual security practices.

How do I know if an MSP has real experience with law firms or CPA firms?

Ask directly what percentage of their client base is professional services firms, and ask for the names of current clients in your specific industry you can contact. A provider with genuine experience will answer without hesitation and can speak knowledgeably about GLBA, IRS Publication 4557, or state bar technology guidelines. Generic talk about “serving a variety of industries” means professional services isn’t their focus.

What happens to my firm’s data if I need to leave an MSP?

This depends entirely on your contract—which is why reading this section before signing is critical. A solid agreement specifies that you retain full data ownership, that the provider will deliver a complete and usable export of your data within a defined timeframe after termination, and that they’ll provide written certification your data has been deleted. If the contract is silent on these points, negotiate them before you sign.


If you’re working through managed IT provider selection at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area.