AUDITING VENDOR MANAGEMENT
Jay Bowman, Director
June 19, 2014
Vendor Management
• Frequent regulatory findings:
– Lack of policy and procedures
– Risk assessment not performed
– Lack of ranking scheme
– Due diligence findings
– Vendor oversight issues
– Lack of senior management and Board oversight
© 2014 Accume Partners 2
A Few Questions:
• Does your credit union have a vendor management policy? A defined program?
• Is responsibility for vendors centralized?
• How many vendors does the credit union rely upon for products and services?
• Are there review processes for selecting new vendors and evaluating current ones?
Vendor Management Topics
• Policy
• Responsibility
• Risk Assessment
• Selection of New Vendors
• Oversight of Current Vendors
• Reporting
Vendor Management Policy
• Establishes:
– Responsibility for program activities
– Triggering thresholds or characteristics
– Risk assessment requirements
– Procedures for selecting new vendors
– Procedures for evaluating current vendors
– Reporting requirements
Responsibility for Vendor Management
• Chief Financial Officer
• Chief Information Officer
• Purchasing Manager
• Legal
• Shared
• Other
The VM policy should fix accountability & responsibility.
Risk Assessment
(pre-decision to outsource)
• Potential Impact on Strategic Goals
• Management Oversight and Evaluation
• Contingency Plans
• Regulatory Requirements & Guidance
Risk Assessment
• Potential Impact on Strategic Goals
– Most vendors will not affect goal attainment
– Factors
• Unique product or service
• Key individuals
• “Significant” portion of revenues/profits
• Reputation
Risk Assessment
• Management Oversight
– Does Management have the competence?
– Does Management have the time?
• Contingency Plans
– Do others offer this product/service?
– Can it be brought in house?
• Regulatory Guidance
– What additional requirements are imposed?
Vendor Selection Process
• Identification of Potential Vendors
• Due Diligence and Selection
• Contract Negotiation and Award
Identification of Potential Vendors
• Trade Literature
• Current Vendors
• Other institutions
• Internet
• Trade Association
• Other
Policy should lay out requirements.
Due Diligence and Selection
• Evaluation Criteria
– Ranking
– Subjective vs. Objective
– Binary vs. Weighted
• Request for Proposal (RFP)
• Evaluation Team
• Documentation
• Approval
Request for Proposal (RFP)
Advantages:
• Fosters agreement on:
– Scope of services
– Selection criteria
• All vendors on “level playing field”
• Easier to reach selection decision
• Easier to defend selection decision
Request for Proposal (RFP)
Tips:
• Evaluation Criteria
– “Mandatory” versus “most important”
– Weighting schemes versus subjective
• Boilerplate
• Deadline Extensions
Contract Award & Negotiation
• Scope of Services
• Term
• Price
• Service Level Agreement (SLA)
• Key Personnel
• Termination
• Audit Rights
• Other
Service Level Agreements
• Specific, Measurable, Auditable
• Scope of Services
• Requirements of Service Quality
• Measurement of Service Quality
• Credits/Penalties for Achieving/Failing Performance Targets
• Institution’s Responsibilities
• Vendor’s Responsibilities
Current Vendor Evaluation
Frequency and scope depend on vendor rankings and characteristics:
• Critical vendors: full scope/annually
• Important vendors: limited scope/annually
• “Commodity vendors”: may be exempted
Rankings Considerations
• Annual Expenditures
• Processing of Critical Functions
• Uniqueness of Product or Service
• Access to Customer Information
• Management Discretion
• Other
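The deck contrasts binary (mandatory) criteria with weighted ones and then uses the resulting rank to set the frequency and scope of the current-vendor evaluation. The following is an added example, not part of the Accume Partners slides, showing one way an institution could implement that scheme: mandatory gates that disqualify a vendor outright, a weighted 0-100 score built from the "Rankings Considerations" factors, a management-discretion override, and the tier-to-review-scope mapping. The weights, spend bands, thresholds and sample vendors are all assumptions chosen for illustration, not values from the slides.

```python
"""Vendor risk ranking: mandatory (binary) gates plus weighted criteria.

Added example; not from the Accume Partners deck.  Criteria follow the
"Rankings Considerations" slide; all weights, bands, thresholds and the
sample vendors below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TIERS = ("critical", "important", "commodity")


@dataclass
class Vendor:
    name: str
    annual_spend: float                 # annual expenditures, USD
    processes_critical_function: bool   # runs a critical function for the institution
    unique_product: bool                # no readily available substitute
    accesses_customer_info: bool        # holds or can reach member/customer data
    insured: bool                       # carries the required insurance coverage
    provides_ssae16: bool               # supplies an SSAE 16 report on request
    management_override: Optional[str] = None  # management discretion: force a tier


# Assumed weights (points per factor); the four factors sum to at most 100.
W_CRITICAL_FUNCTION = 30
W_CUSTOMER_INFO = 25
W_UNIQUE = 15
# Assumed spend bands: (lower bound in USD, points), checked top-down.
SPEND_BANDS = ((250_000, 30), (50_000, 15), (0, 5))
# Assumed tier thresholds on the 0..100 score.
CRITICAL_THRESHOLD = 60
IMPORTANT_THRESHOLD = 30

# Evaluation frequency/scope per tier, as stated on the deck's
# "Current Vendor Evaluation" slide.
REVIEW_PLAN = {
    "critical": {"frequency": "annual", "scope": "full"},
    "important": {"frequency": "annual", "scope": "limited"},
    "commodity": {"frequency": "none", "scope": "exempt"},
}


def mandatory_gates(v: Vendor) -> List[str]:
    """Binary criteria: any failure disqualifies, whatever the weighted score."""
    failed = []
    if not v.insured:
        failed.append("no insurance coverage")
    if v.accesses_customer_info and not v.provides_ssae16:
        failed.append("accesses customer information without an SSAE 16 report")
    return failed


def risk_score(v: Vendor) -> int:
    """Weighted criteria: sum of the points each factor contributes (0..100)."""
    score = next(points for floor, points in SPEND_BANDS if v.annual_spend >= floor)
    if v.processes_critical_function:
        score += W_CRITICAL_FUNCTION
    if v.accesses_customer_info:
        score += W_CUSTOMER_INFO
    if v.unique_product:
        score += W_UNIQUE
    return score


def rank(v: Vendor) -> str:
    """Tier from the weighted score, unless management has exercised discretion."""
    if v.management_override is not None:
        if v.management_override not in TIERS:
            raise ValueError(f"unknown tier override: {v.management_override!r}")
        return v.management_override
    score = risk_score(v)
    if score >= CRITICAL_THRESHOLD:
        return "critical"
    if score >= IMPORTANT_THRESHOLD:
        return "important"
    return "commodity"


def review_plan(v: Vendor) -> Dict[str, object]:
    """Evaluation record: tier, score, failed gates, and the review frequency/scope."""
    tier = rank(v)
    return {"vendor": v.name, "tier": tier, "score": risk_score(v),
            "failed_gates": mandatory_gates(v), **REVIEW_PLAN[tier]}


# Constructed sample vendors (assumptions, not real suppliers).
CORE = Vendor("Core processor", 400_000, True, True, True, True, True)
SUPPLIES = Vendor("Office supplies", 10_000, False, False, False, True, False)
STATEMENTS = Vendor("Statement printer", 60_000, False, False, True, True, False)
CLEANING = Vendor("After-hours cleaning", 30_000, False, False, False, True, False,
                  management_override="important")  # discretion: physical access

if __name__ == "__main__":
    for vendor in (CORE, SUPPLIES, STATEMENTS, CLEANING):
        print(review_plan(vendor))
```

The statement printer illustrates why the binary gate sits alongside the weighted score: it ranks only "important" on points, yet it fails a mandatory criterion and should not be selected until the SSAE 16 report is obtained.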
Vendor Evaluation Topics
• Financial Stability
• Performance Against SLAs
• Key Personnel Turnover
• Insurance Coverage
• SSAE 16 Reports (service providers)
• Disaster Recovery Testing & Results
• Protection of Customer Information
Vendor Evaluations
Tips:
• Base Evaluations on:
– Why the vendor is important
– The dimensions that carry greatest risk
• Provide for Management Discretion
• Document Evaluations/Maintain Files
Reporting
• Annual Summary on Vendor Management
• Prepared by Management
• Presented to Board (or committee)
• Covers:
– VM policy (any recommended changes)
– New critical vendors
– Summary of review of current vendors
– Other key information
Vendor Management Framework
PILLAR 1
• Cost, benefits and risk analysis
• Identify performance criteria, reporting needs, and contractual requirements for a vendor relationship
• Utilize institution templates and flows to document this process
PILLAR 2
• Vendor financial stability
• Vendor’s expertise, systems, controls
• Vendor’s knowledge of relevant regulations
• Leveraging institution purchasing and contracts management
PILLAR 3
• Service levels
• Pricing
• Business continuity
• Information ownership
• Audit
• Confidentiality and security
• Limits on liability
PILLAR 4
• Scorecards for each vendor reported to bank management for risk transparency
• Leverage existing institution controls for identification and assessment of risks
• Management and Board reporting
Regulatory Guidance & Bank Requirements
• FIL-44-2008 “Managing Third-Party Risk”
• FFIEC “Risk Management of Outsourced Technology Services” November 2000
• SR 00-4 (SUP) February 2000 “Outsourcing of Information and Transaction Processing”
• Institution’s “Vendor Management Policy”
For more information please contact:
Jay Bowman
Director
Mobile Phone: 484.844.7132