By Marija Bulatovic, Global Leader, AWS MSP Program
The AWS Managed Service Provider (MSP) Partner Program recognizes AWS Advanced and Premier Consulting Partners that are highly skilled at providing full lifecycle solutions to customers.
Next-generation AWS MSPs offer the expertise customers need to move through each stage of their cloud adoption journey: Plan & Design > Build & Migrate > Run & Operate > Optimize.
An integral part of the AWS MSP journey is completing the full audit with our third-party auditing firm, Information Security Systems International (ISSI). This post is intended for AWS Partners who are preparing for the AWS MSP audit.
The AWS MSP audit ensures partners demonstrate the business and technical best practices outlined in the AWS MSP Program Validation Checklist in a consistent and accurate way. This validation process assures our customers they are working with a credible, independent third-party audited AWS MSP Partner.
The AWS MSP audit is a two-day engagement known for its rigor and depth. It’s a high bar to meet, so successful partners start preparing well ahead of the audit.
One of the top requests we hear from our AWS MSP Partners is to learn more about the audit process and how to successfully prepare for it. In the first of a two-part APN Blog series, we invited Chang Leong, Global Head of Auditing at ISSI, to help us understand the audit journey from preparation and execution to practice evolution.
With more than 50 consultants and auditors across 30 countries, 15 languages, and 5,000+ audits completed, ISSI has deep insight into the audit experience. The AWS MSP Program team works closely with, enables, and trains ISSI on updated MSP checklist requirements and program updates, to ensure a high quality partner experience and consistent customer outcomes.
In Part 1 of our series, Chang shares insights and tips to successfully prepare for the AWS MSP audit. In Part 2, which we’ll share in January 2021, Chang provides advice for the day of the audit, and best practices for post-audit activities to cover lessons learned.
With this in mind, let’s jump into the Q&A with Chang Leong from ISSI, our third-party auditing firm and an AWS Select Consulting Partner.
Q&A with ISSI
AWS: How long does it take to prepare for the AWS MSP audit? What kind of resources are needed to devote to it?
Chang Leong: Becoming an AWS MSP is a large commitment that demands planning, preparation, and real commitment at all levels of the partner organization. It might seem daunting at first, but organizations that go through the process to become AWS MSP Partners typically are rewarded with significant business growth.
As a rule, we’ve found that partners doing an AWS MSP audit for the first time should expect the pre-audit preparation to take between 3-12 months. Partners who are renewing their MSP designation have a knowledge base to work from, so their prep periods usually run between 1-3 months.
AWS: What can they do to reduce the time as much as possible?
Chang: Several factors can shorten the preparation time. First, it’s helpful to have the technical expertise needed to understand the checklist and tackle the pre-audit preparations. Partners should have a solid understanding of cloud lifecycle concepts that will be applied to customer projects later on, including assessment, design, build, migrate, manage, and optimize.
Partners can shorten the timeline by having the right tools, such as design, cloud management, ticketing, and automation software. Of course, a lot of the audit preparation work may be expedited if a partner has experience going through audits with any of the major cloud vendors.
AWS: What kind of human resources are needed for the pre-audit preparation to be successful?
Chang: Partners that have the best success are the ones who have an executive sponsor and someone else within the organization who will be the “champion” for the project.
The executive sponsor approves the strategy and the budget, makes sure there are adequate resources to successfully implement the recommended best practices and successfully complete the audit, and has regular communications with the champion.
The champion can come from either a technical or business background. The most successful champions typically have a relatively senior position within the company. They have the authority to drive tasks forward and quickly resolve disputes and bottlenecks, and have excellent project management skills.
In terms of time allocation, the champion will need to spend at least 50 percent of their time for at least 3-6 months until the audit preparations are under way. This person will be responsible for continuously tracking updates and changes that may come in from AWS. They will be the point of contact for internal stakeholders and the liaison with AWS.
The organization should also expect to assign at least 4-6 people as subject matter experts (SMEs). Ideally, the SMEs will represent a cross section of disciplines, including professional services, service operations, sales/marketing, accounting, and HR. The SMEs will likely devote between 20-30 percent of their time on project. In addition to focusing on their own areas of expertise, the SMEs will work as a team to help the champion collate required materials and respond to gaps as those are identified.
Partners renewing their MSP certification will probably spend just a fraction of that time—perhaps just 25 percent of the time spent by a new partner—if they maintain compliance procedures. But if they have neglected these procedures, they may have to start all over again. So it’s a really good idea to ensure that once MSP certification is attained, baseline maintenance processes are kept in place to streamline renewals down the road.
AWS: You mention gaps. Can you elaborate on what those are?
Chang: They really vary. Gaps can occur when a step or a piece of information is missing, or documents are out of order, or when a critical step was not carried out. That’s why it’s important for the champion and SMEs working on the audit preparation to carefully read the “evidence required” checklists provided by AWS, and then maintain a project tracking system and workflow to ensure that the checklists are properly monitored and completed.
Keep in mind that when gaps are identified, it’s important for partners to institute a “corrective action” and not just a “correction.” The difference is subtle but important and is based on the ISO 9000 quality management systems standards.
A correction is typically a simple, quick action to fix a gap or error. A corrective action entails not just fixing the gap or error, but also finding the root cause and fixing any process or oversight so the gap or error doesn’t happen again. For example, suppose a partner did not provide required evidence of a validation-and-test report. A correction would simply be filling out the report and handing it to the auditor.
A corrective action, on the other hand, would include an investigation into why the report was not filled out, implementing corrective action, and confirming that the corrective action is effective and will eliminate the original oversight.
These are the kinds of topics that ISSI covers in the pre-assessment workshops. The pre-assessment workshop is also an AWS MDF-eligible activity, so if a partner has Market Development Funds (MDF) available, they can leverage it to cover 50 percent of the pre-assessment cost.
AWS: Can you provide other tips for ensuring a smooth preparation?
Chang: Every organization will tackle the process in its own unique way based on company culture and the resources it’s devoting to the audit prep. But there are some high-level best practices that are consistently present in companies that have successful audits.
First, remember that preparation takes place over a lengthy period, and the company’s environment or personnel may change. Be sure to have backup resources ready to keep the preparations going so time isn’t lost.
There are other best practices that seem obvious, but we’ve seen partners neglect them. For example, set a realistic time frame based on how efficiently the champion and SMEs are working. Workloads should be clearly defined and delegated, but don’t work in silos. Make sure there is regular communication among all team members and stakeholders, including the executive sponsor.
AWS: During the pre-assessment workshops, does ISSI encounter partners who have tried to take shortcuts?
Chang: Fortunately, it doesn’t happen very much. But it has happened on occasion. We all know there may be a temptation to cut corners in a process that is time-consuming and resource intensive. We strongly advise partners not to do that. The AWS audits are rigorous, and a company that takes short cuts will be spotted. It could lead to a failure of the audit and heightened scrutiny of the partner on subsequent audits.
AWS: What feedback have you heard from partners about the process or the value to their business?
Chang: When a partner first starts preparing, it seems daunting. They are not always sure where or how to start, or who should be involved. Then, as they get into the preparation activities, they are surprised by what they learn and what’s revealed about their own processes. Gaps and misalignments are more apparent, and it becomes increasingly clear why they need to involve almost every aspect of the company’s operations.
During the actual audit, partners will get suggestions and recommendations that are benchmarked to international and industry best practices. This provides additional opportunities to make more improvements. On the whole, partners find that the pre-audit preparation and the audit itself deliver greater internal cohesion for their operations, which in the long run delivers long-term value to their business.
Learn More About the AWS MSP Audit
We encourage AWS MSP Partners to continue to explore this blog post covering 5 Tips to Help Partners Prepare for the AWS MSP Audit:
- Engage your AWS Partner team.
- Organize a project team to drive preparation.
- Carefully read (and understand) the AWS MSP Validation Checklist.
- Score yourself fairly on the AWS MSP Self-Scoring Checklist.
- Perform the pre-assessment.
In Part 2 of this series, coming in January 2021, we’ll talk more with Chang Leong from ISSI about preparing for the day of the audit, and best practices for activities once the audit is completed.
ISSI – AWS Partner Spotlight
ISSI is an AWS Select Consulting Partner and consulting, auditing, and marketing company focused primarily on Managed Service Provider (MSP) channel partners.
*Already worked with ISSI? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.