Avoid these 5 IT vendor management worst practices to avoid IT audit trouble

Many articles and conference presentations focus on how to choose IT vendors, what to include in contracts and the need for oversight of these vendors after the contract is signed. Because of the nature of contract negotiations, companies may need to compromise on what they are able to include in contracts – including oversight provisions, especially when contracting with a niche market solution or a vendor that dominates the industry. Consolidation among the tech giants adds to the frustration.  When conducting IT audits, it is not unusual for auditors to hear that risk management professionals were either not or minimally involved in the negotiations, and therefore their oversight expectations are limited. Yet, during IT audits we continue to find that both management and the risk function can do a lot more after the signing of the contract to at least ensure that the vendor is fulfilling their signed negotiated commitment. Make sure that your organization avoids these common worst practices.

1. Not preparing a contract extract so that everyone can understand what the responsibilities are

Your organization probably engaged a top-notch law firm to negotiate or at a minimum review the vendor contract provisions. And hopefully all the critical protections that you desired were included in the contract. Problem is that the contract reads more like a text book (both in complexity and number of pages) and the people who work with the vendor never see the contracts so they are not fully aware of commitments made by both parties. A contract extract solves this problem by having the lawyers summarize in easy to understand terms what has been agreed to and what are the obligations. With this tool, operations personnel now understand what is being paid for and are in a better position to oversee vendor promises and performance.

2. Not verifying and recalculating the vendor invoice

No matter what gets done in business it somehow impacts the accounting records. Determining how and for what an IT vendor gets paid can provide great insight on how effectively an organization manages these groups. I’m not saying this just because I am a CPA. But because I am one, I’ve had the opportunity to perform audits of these invoices and experienced many invoice surprises. Like with many business processes, some discrepancies are truly honest mistakes and misunderstanding of contract provisions. Unfortunately, not everything is. Not only should organizations recalculate the mathematical accuracy of invoices and compare the calculation to the contract, but they should very the source of the information (e.g., number of transactions) provided.  If you can’t gain satisfaction over the integrity of your vendor’s billing process, you probably will also have a vendor service delivery oversight problem as well.

3. Not knowing who your vendors are

Unfortunately, this worst practice is more popular than what many organizations would like to admit. Often, corporate politics and silos prevent the risk management and information security functions from having a complete understanding of vendors within the organization. The ability of using cloud computing solutions to avoid large initial disbursements and access software directly through web connections, enables end user departments to circumvent traditional “dollar limits expenditure” oversight from the informing information technology or risk management functions. Because vendors eventually need to get paid, examining technology-related accounts payable or cash disbursement transactions can be an effective way to identify the use of vendors below the corporate radar.

4. Not asking for, reviewing or properly using a 3rd party report

Third party reports where independent outside parties assess the security controls of a service provider can be very useful in an oversight company. For example, Service Organization Control (SOC) reports are prepared by CPAs after examining a service provider’s operations. These reports typically contain background and descriptive information including organization, development, operations and security controls. A section entitled user or client control considerations identify controls that the service provider believes that the customer should implement to manage the processing risks of using the service providers services. Not all vendors need to have a third-party assessment performed on them, but when they are involved in higher risks, such as processing or maintaining protected information, the impact of not having these reports should raise red flags in the oversight program.  

5. Not knowing vendor incident response and business continuity plans

Risk management professionals accept that the occurrence of a breach or other contingency situation is a question of when rather than if. With organizations increasingly relying on (and some would say partnering) with vendors to deliver services to customers, the need to prepare with and integrate contingency plans increases. Items to consider include what constitutes a breach, coordination with law enforcement, necessary insurance coverage, frequency of required test and key assumptions including estimated recovery time objectives. Assumptions and risk acceptance decisions should also be coordinated and compensating strategies as needed developed.

Avoiding the above worst practices can go a long way toward strengthening an organization’s vendor management program. The good news, these worst practices can be avoided with minimal additional financial investments.