Protecting employee and customer information is a top priority for many firms as hacking incidents continue to rise. As a result, internal and external auditors are asking questions about the quality of the security tools and software that management chooses. Failing to document your vendor selection process, especially for security software, leaves you open to countless audit findings. Use these best practices to minimize audit awkwardness.
Buyers Behaving Badly: Procurement in the News
Why should you be worried about auditors looking at your identity management vendor selection process? First, misconduct relating to purchases and expenses is very much in the news, making it a concern for leaders, customers and others. Second, buying ineffective identity and password management tools increases the risk of being hacked. To illustrate the bad publicity associated with “fast and loose” purchases, take note of the following news stories:
- Excessive spending on software. In Peel Region, a suburban area nearby Toronto, auditors pointed out that $200,000 of spending on software licenses far exceeded the municipality’s needs. Such waste suggests serious weaknesses in the procurement process.
- Violation of state procurement policy. A recent audit of the Arizona Department of Public Safety found that “4,050 rounds of ammunition could not be located or accounted for” and that weapons and ammunition lacked effected storage and security.
- Missing procurement documentation triggers an investigation. In Mississippi, the State Auditor has found serious problems relating to technology purchases. As reported in the press, “The purchases were also labeled as contractual services in the state’s accounting system, not information technology. Purchase of more than $50,000 of information technology goods or services would have required approval and oversight from the state Information Technology Services agency.”
You might be tempted to dismiss these events if you are in the private sector. That would be a mistake. Your company’s auditors are likely to consider news reports and actions by other auditors in developing their audit plans. Consistently using a robust vendor selection process is an excellent way to proactively prepare yourself for audit.
Standing Up to Audit in 5 Steps
The following principles and techniques outline to design a robust vendor selection process.
1) Know your company’s purchasing policies and history
Starting with the basics is helpful, especially if you are new to your company. You may discover that your company has special requirements for technology purchases. Understanding these rules will help you avoid nasty audit surprises. Reading a corporate policy may not tell you enough.
You also need to know the company’s history with procurement to find out about hot button issues. Focus your attention on other purchases of similar size and complexity. If you are buying an identity management solution, find out who else in the company has recently made an IT purchase.
2) Create vendor selection criteria to guide your decisions
Setting your buying criteria down on paper is a best practice to follow in all major purchases. Think about buying your home. You probably had multiple criteria: price, location, number of bedrooms and findings on a home inspection report. Likewise, a smart identity management selection process will consider multiple criteria.
3) Document conflicts of interest, if any
If you purchase a solution from a family member’s company, be prepared for face questions. At worst, you may be directly violating company policy. At best, such a purchase may bring your professional judgement into question. The best way to address conflict of interest issues is to ask everyone involved in the purchase to attest that they disclose any connections to vendors being considered.
4) Create a shortlist of vendors to evaluate
Now that you understand company policy and your buying criteria, you can look at the marketplace. Generally speaking, it is smart to look for at least three different vendors. To start building your list, ask peers at other companies which solutions they use. In addition, check publications from research companies such as Gartner.
Tip: Some large companies and governments have a “preferred vendor list” to guide purchases. Ask around internally to find out if there is such a list and whether it applies to your identity management solution purchase.
5) Score the vendors against your selection criteria
In the evaluation stage, you will start to make hard choices. At first, you may have a favorite vendor in mind based on their attractive price. However, that choice may fall apart as you consider other criteria, such as compatibility with your existing systems. Make sure that each vendor on your short list is scored against all of the criteria.
Tip: Use a score weighting system to reflect your priorities. You may decide to weight price as 30% to allow other factors (e.g. after sales support, technical reputation, ease of use) to be fully considered.
6) Invite each short listed vendor to give a presentation to your company
In complex purchases, consider asking each vendor to send a representative to present. Save copies of the presentation files, brochures and responses to your questions. Building a detailed file on each vendor will show your auditors that you have done your homework. To prepare for these presentations, create a list of questions in advance based on your criteria. To ensure you receive useful presentations, make sure each vendor knows your goals for identity management.
Tip: Appoint one person to act as “scribe” so that you have detailed notes from each presentation.
7) Document your negotiation process
Pricing, terms and other factors are frequently hashed out in the negotiation process. If you’re not careful, you may rush through this process because you are so close to completion. To prepare for an effective negotiation, refer back to your selection criteria and corporate policies. If you go “off script” in your buying decisions, you are more likely to be found wanting by your auditors.
Auditor hammers MDE over contracts by Geoff Pender and Bracey Harris (USA Today)
Peel Region audit report flags potential risk in software application purchasing by Roger Belgrave (Brampton Guardian)
Audit: Social services chief stockpiled ‘excessive’ ammo, guns for own police force by Craig Harris (USA Today)