AUDITING VENDOR MANAGEMENT - ACUIA.org

Jay Bowman, Director

June 19, 2014

Mar 31, 2018


Page 2

Vendor Management

• Frequent regulatory findings:

– Lack of policy and procedures

– Risk assessment not performed

– Lack of ranking scheme

– Due diligence findings

– Vendor oversight issues

– Lack of senior management and Board oversight

© 2014 Accume Partners 2

Page 3

A Few Questions:

• Does your credit union have a vendor management policy? A defined program?

• Is responsibility for vendors centralized?

• How many vendors does the credit union rely upon for products and services?

• Are there review processes for selecting new vendors and evaluating current ones?


Page 4

Vendor Management Topics

• Policy

• Responsibility

• Risk Assessment

• Selection of New Vendors

• Oversight of Current Vendors

• Reporting


Page 5

Vendor Management Policy

• Establishes:

– Responsibility for program activities

– Triggering thresholds or characteristics

– Risk assessment requirements

– Procedures for selecting new vendors

– Procedures for evaluating current vendors

– Reporting requirements


Page 6

Responsibility for Vendor Management

• Chief Financial Officer

• Chief Information Officer

• Purchasing Manager

• Legal

• Shared

• Other

The VM policy should fix accountability & responsibility.


Page 7

Risk Assessment

(pre-decision to outsource)

• Potential Impact on Strategic Goals

• Management Oversight and Evaluation

• Contingency Plans

• Regulatory Requirements & Guidance


Page 8

Risk Assessment

• Potential Impact on Strategic Goals

– Most vendors will not affect goal attainment

– Factors

• Unique product or service

• Key individuals

• “Significant” portion of revenues/profits

• Reputation


Page 9

Risk Assessment

• Management Oversight

– Does Management have the competence?

– Does Management have the time?

• Contingency Plans

– Do others offer this product/service?

– Can it be brought in house?

• Regulatory Guidance

– What additional requirements are imposed?


Page 10

Vendor Selection Process

• Identification of Potential Vendors

• Due Diligence and Selection

• Contract Negotiation and Award


Page 11

Identification of Potential Vendors

• Trade Literature

• Current Vendors

• Other institutions

• Internet

• Trade Association

• Other

Policy should lay out requirements.


Page 12

Due Diligence and Selection

• Evaluation Criteria

– Ranking

– Subjective vs. Objective

– Binary vs. Weighted

• Request for Proposal (RFP)

• Evaluation Team

• Documentation

• Approval


Page 13

Request for Proposal (RFP)

Advantages:

• Fosters agreement on:

– Scope of services

– Selection criteria

• All vendors on “level playing field”

• Easier to reach selection decision

• Easier to defend selection decision


Page 14

Request for Proposal (RFP)

Tips:

• Evaluation Criteria

– “Mandatory” versus “most important”

– Weighting schemes versus subjective

• Boilerplate

• Deadline Extensions


Page 15

Contract Award & Negotiation

• Scope of Services

• Term

• Price

• Service Level Agreement (SLA)

• Key Personnel

• Termination

• Audit Rights

• Other


Page 16

Service Level Agreements

• Specific, Measurable, Auditable

• Scope of Services

• Requirements of Service Quality

• Measurement of Service Quality

• Credits/Penalties for Achieving/Failing Performance Targets

• Institution’s Responsibilities

• Vendor’s Responsibilities


Page 17

Current Vendor Evaluation

Frequency and scope depend on vendor rankings and characteristics:

• Critical vendors: full scope/annually

• Important vendors: limited scope/annually

• “Commodity vendors”: may be exempted


Page 18

Rankings Considerations

• Annual Expenditures

• Processing of Critical Functions

• Uniqueness of Product or Service

• Access to Customer Information

• Management Discretion

• Other
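The ranking considerations above, combined with the "binary vs. weighted" evaluation criteria from the Due Diligence and RFP slides and the review frequencies from the Current Vendor Evaluation slide, as one added Python example. This is illustration written for this page, not code from the deck or from Accume Partners; the factor weights, the tier cut-offs, the three mandatory criteria and the four sample vendors are all assumed values:

```python
"""Vendor ranking with mandatory (binary) gates plus weighted criteria.

Added illustration, not from the Accume Partners deck. Weights, cut-offs,
mandatory criteria and the sample vendors are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Weighted ("most important") criteria: the deck's ranking considerations,
# each scored 0..MAX_FACTOR by the evaluation team. Weights are assumed.
WEIGHTS: Dict[str, float] = {
    "annual_spend": 0.15,          # annual expenditures
    "critical_function": 0.35,     # processing of critical functions
    "uniqueness": 0.15,            # uniqueness of product or service
    "customer_info_access": 0.35,  # access to customer information
}
MAX_FACTOR = 3

# Mandatory ("binary") criteria: failing any one forces the critical tier,
# so a vendor can never be exempted on the strength of a low weighted score.
MANDATORY = ("signed_contract", "confidentiality_clause", "audit_rights")

CRITICAL_AT = 0.60   # assumed cut-offs on the normalized 0..1 score
IMPORTANT_AT = 0.30

REVIEW_SCOPE = {     # per the deck's "Current Vendor Evaluation" slide
    "critical": "full scope, annually",
    "important": "limited scope, annually",
    "commodity": "may be exempted",
}


@dataclass
class Vendor:
    name: str
    factors: Dict[str, int]      # weighted factor -> 0..MAX_FACTOR
    mandatory: Dict[str, bool]   # mandatory criterion -> satisfied?
    override: Optional[Tuple[str, str]] = None  # (tier, documented reason)


def weighted_score(factors: Dict[str, int]) -> float:
    """Weighted sum normalized to 0..1; unknown factors are an error and
    a factor the team did not score counts as 0."""
    unknown = set(factors) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = factors.get(name, 0)
        if not 0 <= value <= MAX_FACTOR:
            raise ValueError(f"{name} must be in 0..{MAX_FACTOR}, got {value}")
        total += weight * value
    return total / MAX_FACTOR


def rank(vendor: Vendor) -> Tuple[str, str, str]:
    """Return (tier, review scope, rationale). The rationale is the text
    kept in the vendor file so the ranking can be defended to an examiner."""
    failed = [c for c in MANDATORY if not vendor.mandatory.get(c, False)]
    score = weighted_score(vendor.factors)
    if failed:
        tier, why = "critical", f"failed mandatory {failed}; score {score:.2f}"
    elif score >= CRITICAL_AT:
        tier, why = "critical", f"weighted score {score:.2f} >= {CRITICAL_AT}"
    elif score >= IMPORTANT_AT:
        tier, why = "important", f"weighted score {score:.2f} >= {IMPORTANT_AT}"
    else:
        tier, why = "commodity", f"weighted score {score:.2f} < {IMPORTANT_AT}"
    # Management discretion: permitted only with a written reason, and never
    # to downgrade a vendor that fails a mandatory criterion.
    if vendor.override is not None:
        new_tier, reason = vendor.override
        if new_tier not in REVIEW_SCOPE or not reason.strip():
            raise ValueError("override needs a valid tier and a written reason")
        if failed and new_tier != "critical":
            raise ValueError("cannot downgrade a vendor failing mandatory criteria")
        why += f"; management override to {new_tier}: {reason}"
        tier = new_tier
    return tier, REVIEW_SCOPE[tier], why


# Constructed sample vendors (assumed data, not from the deck).
ALL_OK = {c: True for c in MANDATORY}
SAMPLE_VENDORS = [
    Vendor("core processor", {"annual_spend": 3, "critical_function": 3,
                              "uniqueness": 2, "customer_info_access": 3}, ALL_OK),
    Vendor("statement printer", {"annual_spend": 1, "critical_function": 1,
                                 "uniqueness": 1, "customer_info_access": 3},
           {"signed_contract": True, "confidentiality_clause": True, "audit_rights": False}),
    Vendor("marketing agency", {"annual_spend": 2, "uniqueness": 1, "customer_info_access": 1},
           ALL_OK, override=("important", "member-facing campaigns carry reputational risk")),
    Vendor("office supplies", {"annual_spend": 1}, ALL_OK),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        tier, scope, why = rank(v)
        print(f"{v.name:18} {tier:9} {scope:24} {why}")
```

The point of separating the two kinds of criteria is that a low-spend vendor holding customer information (the statement printer, which has no audit-rights clause) cannot slide into the exempt commodity tier on a weighted score alone, while management discretion is still available, provided the override and its reason are recorded with the ranking.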


Page 19

Vendor Evaluation Topics

• Financial Stability

• Performance Against SLAs

• Key Personnel Turnover

• Insurance Coverage

• SSAE 16 Reports (service providers)

• Disaster Recovery Testing & Results

• Protection of Customer Information


Page 20

Vendor Evaluations

Tips:

• Base Evaluations on:

– Why the vendor is important

– The dimensions that carry greatest risk

• Provide for Management Discretion

• Document Evaluations/Maintain Files


Page 21

Reporting

• Annual Summary on Vendor Management

• Prepared by Management

• Presented to Board (or committee)

• Covers:

– VM policy (any recommended changes)

– New critical vendors

– Summary of review of current vendors

– Other key information


Page 22

Vendor Management Framework

PILLAR 1

• Cost, benefits and risk analysis

• Identify performance criteria, reporting needs, and contractual requirements for a vendor relationship

• Utilize institution templates and flows to document this process

PILLAR 2

• Vendor financial stability

• Vendor’s expertise, systems, controls

• Vendor’s knowledge of relevant regulations

• Leveraging institution purchasing and contracts management

PILLAR 3

• Service levels

• Pricing

• Business continuity

• Information ownership

• Audit

• Confidentiality and security

• Limits on liability

PILLAR 4

• Scorecards for each vendor reported to bank management for risk transparency

• Leverage existing institution controls for identification and assessment of risks

• Management and Board reporting

Regulatory Guidance & Bank Requirements

• FIL-44-2008 “Managing Third-Party Risk”

• FFIEC “Risk Management of Outsourced Technology Services” November 2000

• SR 00-4(SUP) February 2000 “Outsourcing of Information and Transaction Processing”

• Institution’s “Vendor Management Policy”

Page 23

For more information please contact:

Jay Bowman, Director

Mobile Phone: 484.844.7132

[email protected]