Vetting a Vendor: Questions to Ask Before Making an Investment

BY JAMES F. LEON, CPA, ED.D.

October 1, 2010

Please note: This item is from our archives and was published in 2010. It is provided for historical reference. The content may be out of date and links may no longer function.

September 2, 2025

Incorporating prompt engineering into the accounting curriculum

September 1, 2025

Create a dynamic to-do list with Excel’s checkboxes

September 1, 2025

Another way to manage authentication texts

Editor’s note: Also read “Cloud Computing: What Accountants Need to Know” in the October 2010 issue of the JofA.

Ample research must be done before selecting any vendor, but specific areas should be addressed when choosing to move your data to the cloud. The following are some questions to ask a potential provider and other considerations. Note that some of the information can be checked or reviewed in the service-level agreements or contracts.

Costs

Analyze costs carefully. While most vendors offer pay-as-you-go pricing, an annual contract is often required. What is the minimum length of the contract for services? Are there termination fees? Yearly price increases? What happens if you want to add more users or reduce the number of users to the contract?

What are cost estimates for a single user vs. five, dozens, hundreds or thousands (bulk discounts are typically available and usually are not advertised)? Is technical support provided free of charge? Are there early cancellation fees? Charges for upgrades? If the vendor raises its fees, are you locked in to the original price? What additional costs may be incurred beyond routine contractual expenses? Is there a fee to transfer data from another vendor’s application? Is there a fee to transfer your data from the vendor at the end of a contract? Is a free trial available?

Reliability

Analyze performance. What percentage of the time is the data available (uptime)? What is its anticipated scheduled downtime, and how does the vendor notify customers about when it is taking place? Check its reliability statistics. You should be looking for one that is in the 99% or better range. These days it is not uncommon to see 99.999%.

Are there any guarantees for availability or credit for not meeting agreed-upon performance levels? How fast is the response time? What performance issues (if any) exist? How often are upgrades provided and what kind of advance notice and/or training is provided? Can customers control when and whether to turn those upgrades on?

How often is maintenance performed? What happens in the event of a power outage? Is there a disaster recovery plan in case the service’s infrastructure is disabled or destroyed? How fast is disaster recovery? Verify that a full daily backup of data is performed at minimum and that a redundant backup center exists in one or more locations (preferably in different states in case of a natural disaster such as a hurricane or earthquake).

Security

Your company’s critical data is being stored with a third party outside your office walls. Controls need to be in place for transmitting data to the provider securely over the Internet. Are controls in place for storing data, such as encryption? Is a strong user-authentication system in place? Has the provider had an SOC 2 and/or SOC 3 engagement performed on its data center to verify it has proper controls in place? Ask for a copy of the report and a copy of the vendor’s privacy policy. Also inquire as to how security breaches are handled, including specifically how soon customers are notified.

Support

What technical support is available? Is there 24/7 live human support? Does the vendor offer assistance in making the transition (for example, data format conversion) from your current system to theirs? Upon termination of services—when the vendor no longer serves your company—what process will the vendor follow to return your company’s data to you? Is the vendor willing to meet with and demonstrate its applications to decision makers in your company?

Integration and Development

Ease of integration is an important factor to consider when making technology purchasing decisions. While some Web-based applications can easily build upon one another and seamlessly transfer and share data, that is not always the case. Evaluate how well the application integrates with your existing ones (both in the cloud and on-premise).

Some vendors offer application program interfaces (APIs) for your software developers (if you have any). This allows your developers to write custom applications that are hosted by the vendor and also allows developers to integrate those products with on-premise or other Web-based applications. The vendors may also allow for the sharing of applications between customers through an online shopping mall of sorts.

—By James F. Leon, CPA, Ed.D., visiting assistant professor, Department of Computer Science, Northern Illinois University.

Smart Strategies in Data Security and Risk Management

In an increasingly digital profession, data security has become one of the most critical challenges facing finance and accounting professionals today. Stay up to date with practical guidance to help you mitigate these risks and strengthen your security posture.

MAGAZINE

Vetting a Vendor: Questions to Ask Before Making an Investment

Incorporating prompt engineering into the accounting curriculum

Create a dynamic to-do list with Excel’s checkboxes

Another way to manage authentication texts

Features

Calming nervous clients nearing retirement

7 retirement tips for small firm CPAs

Building a better CPA firm: Stepping up service offerings

2025 tax software survey

SPONSORED REPORT

Smart Strategies in Data Security and Risk Management

From The Tax Adviser

2025 tax software survey

Are you doing all you can to keep the cash method for your clients?

Current developments in S corporations

Paid student-athletes: Tax implications for universities and donors

MAGAZINE

HOME

ABOUT

SUBSCRIBE

AICPA & CIMA SITES