Most businesses ask vendors for references and then ask the easy questions: "Were you happy?" "Would you use them again?" "Did they deliver on time?"
These are social proof requests, not due diligence. They get you testimonials, not truth.
A structured reference check exposes whether the vendor can handle the scenarios that matter for your business. Here are the 5 questions we ask at ITBluPrint, and why most buyers never think to ask them.
What this reveals: Scope creep and vague deliverables.
Good answer: "Very detailed SOW, we reference it regularly and they're good about flagging when something's out of scope."
Red flag: "We had something like a scope document but honestly we just email them when stuff breaks and they bill us."
If the reference can't point to the document that defines what the vendor does, you don't know what you're buying.
What this reveals: Incident response reality.
Good answer: "Our email server died at 2 AM, they had someone on it in 20 minutes and gave us hourly updates until it was fixed."
Red flag: "We had a few issues but nothing major." If nothing ever goes wrong in a 2-year relationship, either they haven't been stress-tested or the reference is protecting them.
What this reveals: Turnover and internal stability.
Good answer: "Same person for 18 months, good relationship."
Red flag: "We've had 3 account managers. The last transition was rough." High turnover at MSPs is a leading indicator of service degradation.
What this reveals: Pricing escalation patterns.
Good answer: "Year two was about 8% more, they explained it upfront and it was mostly storage growth."
Red flag: "Our bill jumped 40% and when we asked about it, they said it was scope creep but couldn't show us the scope." Price creep without transparency is a warning sign.
What this reveals: Cybersecurity reality.
Good answer: "We went through our first HIPAA audit last year, they were responsive to all the control questions and provided documentation on request."
Red flag: "We haven't had any audits yet" or "Honestly we haven't thought about security much." If your vendor hasn't been stress-tested by an actual audit or you don't know their security posture, you're flying blind.
Typical approach: Call 2-3 clients, ask 2 polite questions, get 2 happy testimonials. Done in 20 minutes.
Structured protocol: Identify the reference client's size and industry match, ask all 5 probing questions, document specific answers, compare across all references for patterns. Takes 2-3 hours.
At ITBluPrint, our standard is 5 comparable references with this protocol. Not because 5 is magic, but because red flags often only appear in the 3rd or 4th call. By the time you ask questions 3, 4, and 5 to reference number 5, you've built a pattern across multiple perspectives. That's where you separate real answers from polished testimonials.
Most businesses skip reference checks because they're time-consuming. That's exactly why vendors count on it.
Download our free IT Vendor Selection Checklist (15-point PDF) — it includes the reference protocol questions plus 10 other evaluation criteria that separate a structured selection from a gut-feel decision.