My 9-year-old son started playing basketball in a YMCA league, and instantly fell in love with the sport. All he wants to do is shoot hoops, and last week, he decided to make a basketball goal he could hang on his wall so he could practice inside. I found out about the homemade basketball goal when he showed me what he had made so far. It was a wire hanger bent roughly into the shape of a circle and tied together with a string. He was trying to figure out how to attach that to the wall when I suggested that he buy one that he can hang from his door. He immediately went online and started looking for one he could buy, and found one that he could purchase and pick up at a local store. It was only $15.99.
Well, you can probably guess what happened to it from my title and punchline. After two or three days of use, the backboard cracked, and the rim came off.
We, as professionals, understand instinctively that you get what you pay for, and observe this in every area of our lives where quality matters. That being said, please review the wording in this request for quotation (RFQ) that I came across recently.
Lest there be any doubt about whether other criteria might be considered, please see the following comment that was included in the Q&A attachment:
This is what third party assurance about a service organization's internal controls has become thanks to the misuse of SAS70 reports.
Some may say, "What does quality have to do with a report from an auditor anyway? Who cares? All of these reports are the same! I just need something to give my customers that says SSAE16 on it, and they will be satisfied."
The organization that sent out this RFQ clearly does not understand the importance or value of quality third-party risk assurance, and like my son's basketball goal, the assurance they purchased will break. Please let me explain.
The details of the award for a different RFQ, one that was not quite as blatant, were made public. This gave me a concrete outcome of this kind of mentality to analyze.
- The details in both RFQs made it clear that the organization was seeking assurance about security, availability, processing integrity, confidentiality, and/or privacy. The attestation standard is clear: SSAE 16 is not designed to provide assurance regarding security, availability, processing integrity, confidentiality, or privacy, and yet the winning bidder was awarded a five (5!) fiscal-year contract to provide SSAE 16 reports to the organization. I hope there is a clause in the contract that lets them get out if the report is rejected by customers because it does not address what they want to know about. Broken. At least the store my son got his basketball goal from has a money-back guarantee. Does the CPA firm that was awarded the contract?
- The RFQ contained an "Unqualified Peer Review" prerequisite (shown below), but if the CPA firm that won the five-year contract undergoes a peer review in year two of this contract, they could end up getting a qualified opinion based on the SSAE 16 they provided to this very organization. Please see my post titled "Who will be held responsible...?" for more details on peer review. Will they still be as concerned about the qualified peer review when they are the ones that caused it? Will they even check in year two? Broken.
- The contract was awarded to a firm that no one has ever heard of, and with the click of a mouse it is easy to verify that they are extremely small. What good is assurance from someone unless I know that people trust what they have to say about me? Facebook is releasing their IPO next week. Did they shop around for the lowest-cost CPA firm to provide them an audit of their financial statements? No, they naturally chose a firm that they thought would inspire the most confidence in their potential investors. Sure, the organization above got a REALLY good "Cost," which was what they were looking for, but as we learn in life, usually you either pay now or you pay later. My guess is that this organization is going to be entertaining auditors exercising their "right to audit" for about 5 years. Broken.
I think companies like Cbeyond have the right idea. Please see this press release from Cbeyond. (@Cbeyondinc) I have set up an interview with Fred White, Product Management - Cloud Services at Cbeyond (@FredintheClouds) to find out more about their decision making process, and will post the video once it is available.
I know what everyone is thinking...we are not that big, and cannot afford to have a Big 4 firm come in and do this for us. All I have to say in response is that there is a wide gap between the Big 4 and the company that won the above-mentioned award. Let's all select both the type of risk assurance we need and the service auditor we use wisely, because we know that quality matters in the long run.