For CFOs & Finance Leaders
The CFO's Guide to Evaluating IT Providers
How to assess IT costs, evaluate providers, and make informed technology decisions using the same financial discipline you apply everywhere else in the business.
Written for finance executives who need to understand IT spending without becoming technology experts.
Section One
Understanding the True Cost of IT
Most IT proposals obscure total cost of ownership. Providers quote monthly management fees while omitting the largest expense categories: software licenses they resell at markup, "required" tools that generate recurring commissions, and project fees billed separately from monthly agreements.
The Reality
For a 40-person company, the difference between transparent IT management and a traditional MSP can be $40,000-$60,000 annually, money that goes directly to vendor markups and inflated service fees rather than actual technology value.
The Three Cost Categories You're Actually Paying For
1. Software & Cloud Services
This is where most markup occurs. Microsoft 365, security tools, backup solutions, and cloud infrastructure all have published direct pricing. Many IT providers purchase these on your behalf and bill you 25-40% above their cost.
| Service | Direct Cost (40 users) | Typical MSP Billing | Annual Markup |
|---|---|---|---|
| Microsoft 365 Business Premium | $2,400/month | $3,200/month | $9,600 |
| Cybersecurity tools (EDR, email security) | $900/month | $1,400/month | $6,000 |
| Backup solution | $450/month | $750/month | $3,600 |
| Cloud infrastructure (AWS/Azure) | $1,200/month | $1,800/month | $7,200 |
| Total Annual Markup | | | $26,400 |
2. IT Management & Support
This is the actual value-add: monitoring your systems, providing helpdesk support, managing vendors, strategic planning. This should be transparent and predictable.
3. Projects & Initiatives
Migrations, infrastructure upgrades, new system implementations. These should be quoted separately with clear scope and fixed pricing.
Common Accounting Problem
Many companies don't realize they're paying for the same Microsoft 365 licenses in three places: direct Microsoft billing, MSP "management fee," and MSP "software licensing." Consolidate these line items to see actual costs.
Section Two
IT Budget Framework: What to Actually Expect
Industry benchmarks like "3-7% of revenue" are useless for budgeting because they're too broad and don't account for business model differences. A professional services firm and a manufacturing company of the same size have completely different IT requirements.
Here's a more useful framework based on actual costs:
For Professional Services / Office-Based Companies
What drives costs higher in this range:
- Compliance requirements (HIPAA, SOC 2, industry-specific regulations)
- Custom software or specialized applications
- High security requirements (law firms, finance, healthcare)
- Multi-location operations
- Significant cloud infrastructure needs
What drives costs lower:
- Standardized software stack (Microsoft 365, basic productivity tools)
- Single office location
- Low compliance burden
- Minimal custom applications
The 60/40 Rule
In a well-managed IT environment, costs should split approximately:
- 60% Software & Infrastructure: Licenses, cloud services, and tools you need regardless of who manages them
- 40% Management & Support: The people and processes that keep everything running
Budget Red Flag
If management fees exceed 50% of total IT spending, you're either dramatically under-investing in actual technology, or your provider is marking up software to disguise management costs.
Year-Over-Year Cost Trajectory
IT costs should follow a predictable pattern:
- Year 1: Higher (infrastructure setup, migrations, getting systems right)
- Years 2-3: Decreasing (infrastructure mature, fewer projects, efficiency gains)
- Year 4+: Stable or growing only with headcount
Major Red Flag
If your IT costs per employee are increasing 10-15% annually without headcount growth or major initiatives, you're likely experiencing vendor-driven cost inflation rather than business-necessary spending.
Section Three
Evaluating IT Providers: The Financial Due Diligence Approach
Evaluating IT providers requires the same rigor you'd apply to any significant vendor relationship. The challenge is that most IT providers actively obscure the information you need to make an informed decision.
Apply Standard Vendor Evaluation Criteria
1. Economic Model Transparency
Can they clearly articulate how they make money? If the answer involves vendor partnerships, reseller agreements, or "ecosystem relationships," understand that your interests and theirs may not align.
The Right Answer
"We make money by charging for our expertise and time. We don't earn commissions from any vendors we recommend. When you need software or services, you purchase them directly from vendors at their best available pricing."
2. Cost Structure Breakdown
Request a detailed breakdown of:
- What you're paying for software/services vs. management
- What those same software/services cost directly from vendors
- How much actual support time you're receiving monthly
- What the hourly effective rate is for that support
If they can't or won't provide this, they're either disorganized or deliberately obscuring markup.
3. Resource Allocation
Who actually works on your account? What are their qualifications and experience levels?
Watch For This
Many providers sell "senior engineering expertise" but deliver first-line support from junior technicians who escalate anything complex. You're paying premium rates for entry-level labor.
4. Performance Metrics
What metrics do they track and report?
- Average time to resolve issues
- Percentage of issues resolved on first contact (vs. requiring escalation)
- System uptime and availability
- Project delivery on time/on budget percentage
Providers who don't track these either don't know how they're performing or don't want you to know.
5. Customer References
Request references from companies similar to yours in size and industry. Ask those references:
- "Has your IT cost per employee decreased or increased over time?"
- "Can you get clear answers about what you're paying for?"
- "How long does it typically take to resolve issues?"
- "Have you ever gotten a surprise bill or unexpected cost?"
Section Four
Hidden Costs & Markup Schemes
The IT services industry has developed sophisticated approaches to obscuring true costs. Here are the most common:
1. Software Reseller Markup
Provider purchases Microsoft 365 licenses for $22/user/month, bills you $32/user/month, pockets the $10 difference. For 40 users, that's $4,800/year in pure margin.
How to detect it: Ask for a quote on Microsoft 365 (or any software) then check Microsoft's direct pricing. The delta is their markup.
2. "Bundled" Pricing That Prevents Comparison
Everything lumped into one monthly fee with no itemization. Impossible to determine if you're paying $5,000/month for management or if $3,000 of that is marked-up software.
How to detect it: Demand unbundled pricing. Legitimate providers have nothing to hide.
3. The "Minimum Hours" Trap
You're paying for 40 hours of support monthly but only using 12. The provider has no incentive to improve efficiency because unused hours are pure profit.
How to detect it: Request utilization reports showing actual hours worked vs. hours paid for.
4. Project Scope Creep by Design
Projects quoted at $15,000 end up costing $35,000 due to "unforeseen complications" or "additional requirements" that should have been identified in proper scoping.
How to detect it: Review their track record. What percentage of projects come in on original budget? If they can't answer this, they don't track it.
5. Vendor Lock-In Infrastructure
They set up your environment in ways that require their ongoing involvement: licenses in their name, proprietary tools, undocumented configurations. Switching providers requires rebuilding everything.
How to detect it: Ask: "If we decided to switch providers, what's involved in the transition?" If the answer is more than "we hand over documentation and credentials," you're being locked in.
Calculate Hidden Costs
Take your annual IT spending. Subtract what you could purchase the same software and services for directly. The remainder should roughly equal your management fee. If it's 40-50% higher, you're subsidizing significant markup.
Section Five
The Questions You Must Ask
These questions reveal whether a provider operates with transparency or relies on information asymmetry.
"Do you earn commissions, referral fees, or reseller margins from any vendors you recommend to us?"
What You're Actually Asking:
Are your recommendations biased by your economic interests? The only acceptable answer is "No." If they say "yes but that's standard industry practice," understand that their interests and yours are not aligned.
"Can you provide a detailed breakdown showing what I'd pay for software/services directly from vendors vs. what you're charging?"
What You're Actually Asking:
What's your markup? If they refuse, claim it's "complicated," or can't provide this, they're marking up significantly and don't want you to know how much.
"Who specifically will work on our account, what are their qualifications, and will we work with the same people consistently?"
What You're Actually Asking:
Am I getting senior expertise or a rotating cast of junior technicians? If they won't name specific people or guarantee consistency, you're getting whoever's available from their pool.
"Will our vendor relationships (Microsoft, etc.) be under our company name or yours?"
What You're Actually Asking:
Are you creating lock-in? Vendor accounts should always be in your name. If they want them in theirs, they're either planning to mark up pricing or make switching providers difficult.
"What's your average time to resolve technical issues, and what percentage are resolved on first contact vs. requiring escalation?"
What You're Actually Asking:
Do you use tiered support with junior techs, or do I get senior engineers from the start? If they don't track these metrics or won't share them, service quality is inconsistent.
"How much does IT cost per employee per month in a typical engagement like ours?"
What You're Actually Asking:
Is your pricing competitive with market rates? They should be able to give you a range. If they say "it depends on too many factors," they either don't know their own pricing or are avoiding the question.
"If we decide to transition to another provider, what documentation and access will you provide, and how long does the transition typically take?"
What You're Actually Asking:
Are you building in lock-in? The answer should be: "Complete documentation, all credentials, vendor account transfers, typically 2-4 weeks." Anything else suggests intentional barriers to exit.
"Show me three projects from the past year: original quote vs. actual cost, and explain any variances."
What You're Actually Asking:
Do you scope projects accurately or lowball to win business then inflate costs? Track record matters more than promises.
Section Six
Balancing Technology Investment Against Business Risk
IT spending should be driven by business risk assessment, not fear-based selling or vendor recommendations optimized for their revenue.
Framework for IT Investment Decisions
Evaluate every technology investment using this framework:
Common IT Investments Evaluated
Example 1: $75,000 Security Infrastructure Upgrade
Risk-Based Analysis
What's the actual risk? Company has customer data. Breach could cost $500K in response, legal fees, customer notification, reputation damage.
What does $75K solve? Reduces breach probability from ~5% to ~0.5% annually.
Expected value: $500K × 4.5% reduction = $22,500 annual risk reduction.
Payback: 3.3 years. Questionable investment unless other benefits exist or the risk estimate is conservative.
Example 2: $2,400/year Multi-Factor Authentication
Risk-Based Analysis
What's the actual risk? Compromised credentials leading to business email compromise, wire fraud, or data breach.
What does $2,400 solve? Reduces credential-based attack success from ~15% to ~1%.
Expected value: Even one prevented incident ($50K average cost) makes this extremely high ROI.
Payback: Immediate. Clear investment.
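The two worked examples above apply the same calculation: expected annual risk reduction = estimated loss per incident × (probability before − probability after), and payback = cost ÷ that reduction. The following is an added example, not part of the original guide, that puts the calculation into a reusable function so that any proposed spend can be run through it the same way. The figures are the guide's own; the `Investment` class, the function names and the verdict thresholds (under 1 year is "clear", over 3 years is "questionable", matching how the guide labels 0.3 and 3.3 years) are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Investment:
    """One proposed IT spend, described in the terms the guide's risk-based analysis uses."""
    name: str
    cost: float               # dollars: one-time (e.g. an upgrade) or per year (e.g. a subscription)
    recurring: bool           # True if `cost` is charged every year
    loss_if_incident: float   # estimated cost of one incident (response, legal, notification, reputation)
    p_before: float           # annual probability of the incident today
    p_after: float            # annual probability once the investment is in place


def annual_risk_reduction(inv: Investment) -> float:
    """Expected loss avoided per year: loss × (p_before − p_after)."""
    if not 0.0 <= inv.p_after <= inv.p_before <= 1.0:
        raise ValueError(f"{inv.name}: probabilities must satisfy 0 <= p_after <= p_before <= 1")
    return inv.loss_if_incident * (inv.p_before - inv.p_after)


def payback_years(inv: Investment) -> float:
    """Years of avoided loss needed to recover the cost.

    For a recurring cost this is the fraction of each year needed to cover that
    year's fee, so anything below 1.0 pays for itself within the year. An
    investment that reduces no risk never pays back (infinity).
    """
    reduction = annual_risk_reduction(inv)
    if reduction <= 0:
        return float("inf")
    return inv.cost / reduction


def verdict(inv: Investment, clear_below: float = 1.0, questionable_above: float = 3.0) -> str:
    """Label the investment. Thresholds are this example's assumption, not the guide's."""
    years = payback_years(inv)
    if years < clear_below:
        return "clear investment"
    if years > questionable_above:
        return "questionable"
    return "review other benefits"


# The guide's two examples, entered as constructed inputs.
SECURITY_UPGRADE = Investment(
    name="Security infrastructure upgrade",
    cost=75_000, recurring=False,
    loss_if_incident=500_000, p_before=0.05, p_after=0.005,
)
MFA = Investment(
    name="Multi-factor authentication",
    cost=2_400, recurring=True,
    loss_if_incident=50_000, p_before=0.15, p_after=0.01,
)


def summarize(investments):
    """Return one row per investment: name, annual risk reduction, payback, verdict."""
    return [
        {
            "name": inv.name,
            "annual_risk_reduction": round(annual_risk_reduction(inv), 2),
            "payback_years": round(payback_years(inv), 2),
            "verdict": verdict(inv),
        }
        for inv in investments
    ]


if __name__ == "__main__":
    for row in summarize([SECURITY_UPGRADE, MFA]):
        print(f"{row['name']:<38} reduction ${row['annual_risk_reduction']:>10,.0f}/yr  "
              f"payback {row['payback_years']:>5.2f} yr  {row['verdict']}")
```

Run as-is it reproduces the guide's numbers: $22,500 per year and a 3.3-year payback for the $75,000 upgrade, $7,000 per year against a $2,400 annual fee for MFA. The point of the probability check is practical: a proposal whose "after" probability is not lower than its "before" probability is not reducing risk, and the calculation should refuse it rather than quietly return a negative benefit.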
Questions to Ask About Any Proposed IT Spending
- What specific problem does this solve? (If the answer is vague technical jargon, it's not solving a real problem.)
- What's the business impact if we don't do this? (Quantify the risk in dollars and probability.)
- What's the least expensive way to address this problem? (Many IT providers won't volunteer that a $2,000 solution exists if they can sell you a $30,000 one.)
- What happens in 12 months if we do nothing? (Some "urgent" problems aren't.)
- Is this vendor/provider the only one who can solve this, or are there alternatives? (Competition creates better pricing.)
Red Flag: Fear-Based Selling
If an IT provider uses phrases like "hackers are targeting companies like yours," "your network is exposed," or "critical vulnerabilities require immediate attention" without specific, quantified risk analysis, they're selling through fear rather than helping you make informed decisions.
Section Seven
Red Flags That Should Terminate Discussions
Some issues indicate fundamental problems with how a provider operates. These should end the evaluation immediately:
Deal-Breaking Red Flags
- Refuses to provide unbundled pricing. If they can't separate software costs from management fees, they're deliberately obscuring markup. No exceptions.
- Can't name who will actually work on your account. If you're buying "a team" but can't meet that team or know their qualifications, you're getting whoever's available from a pool of varying quality.
- Wants vendor accounts (Microsoft, cloud services) in their name instead of yours. This creates dependency and prevents you from seeing actual vendor pricing. Always a red flag.
- Won't provide customer references you can actually call. If they provide only written testimonials or "privacy concerns prevent us from sharing contacts," they're hiding something.
- Can't or won't explain how they make money. Any provider who can't clearly articulate their economic model is either incompetent or deliberately obscuring conflicts of interest.
- Provides vague, incomprehensible invoices. If you can't understand what you're paying for, you can't evaluate if you're getting value. This is intentional.
- Initial proposal is dramatically lower than industry benchmarks. If something seems too cheap, it is. They're either lowballing to win the business (with intention to increase prices), or omitting costs that will appear later.
- High-pressure sales tactics or "limited time" pricing. Legitimate providers don't need artificial urgency. This indicates desperation or manipulative sales culture.
- Won't provide documentation of your environment. You own your infrastructure. If they won't document it or claim documentation "isn't necessary," they're creating dependence.
Section Eight
Contract Terms That Protect (or Expose) You
IT service agreements often contain terms that create significant financial exposure or lock-in. Here's what to watch for:
Critical Contract Terms
1. Price Escalation Clauses
What You Want
Fixed pricing for the initial term, or price increases capped at CPI or a specific percentage (e.g., "not to exceed 5% annually").
What to Avoid
"Provider may adjust pricing at any time" or "pricing subject to vendor cost increases." This gives them carte blanche to raise prices.
2. Scope Definition
What You Want
Detailed list of what's included in base service vs. what costs extra. Clear definitions prevent surprise charges.
What to Avoid
Vague scope language like "standard IT support" without defining what "standard" means. Leads to disputes about what's included.
3. Vendor Relationship Ownership
What You Want
"All software licenses, cloud services, and vendor relationships will be established under Client's name and account."
What to Avoid
Any language that allows provider to purchase services "on your behalf" under their accounts. This creates dependency and hides pricing.
5. Documentation & Transition Requirements
What You Want
"Provider will maintain complete documentation of Client's environment and provide all documentation, credentials, and vendor account access upon termination."
What to Avoid
No mention of documentation requirements or language that documentation is provider's "intellectual property." Your infrastructure documentation belongs to you.
6. Limitation of Liability
What You Want
Liability cap no lower than 12 months of fees. For critical systems, consider higher caps or carved-out categories (e.g., unlimited liability for data breaches caused by provider negligence).
What to Avoid
Liability limited to one month of fees or "fees paid in preceding 30 days." If they cause a $100K problem, you want recourse beyond $5K.
The "Exit Test"
Before signing any IT service agreement, ask yourself: "If we decided to terminate this relationship in 6 months, what would be required?"
If the answer involves:
- Losing access to vendor accounts
- Rebuilding infrastructure
- Waiting for documentation to be created
- Negotiating data return
...then the contract terms expose you to lock-in. Renegotiate or walk away.
Let's Discuss Your IT Requirements
If you're evaluating IT providers or looking to understand your current IT costs better, we're happy to have a conversation about your specific situation.