IT Vendor Due Diligence
Jennifer McGill, CIA, CISA, CGEIT
IT Audit Director, Carolinas HealthCare System
December 9, 2014
Carolinas HealthCare System (CHS)
• Second largest not-for-profit healthcare system in the nation
• Largest healthcare system in the Southeast
• 40 hospitals, 11 nursing homes and over 900 outpatient service locations
• Over 2,300 employed physicians and nearly 400 residents; more than 40,000 FTEs
• Net operating revenue: $7.8 billion
• AA-rated since 1983
CHS Audit Services (organization chart)
Reports to Chief Legal Counsel
Chief Audit Executive
• IT Audit: Enterprise-wide Computing Environments
• Financial & Operational Audit: Charlotte-area Hospitals and Corporate Operations; Physician Practices; Regional NC, SC, GA (14 Hospitals and Health Systems); Joint Ventures
Staffing across the groups: 1 Director, 1 Director, 1 Manager, 1 Director, 1 Director, 1 Manager; 5 Auditors, 5 Auditors, 4 Auditors, 6 Auditors, 2 Construction Auditors
Agenda
• Learning Objectives
• Background on Healthcare Technology Regulation
• Vendor Management Lifecycle
• Due Diligence as a Focus Area
• Risks and Control Objectives
• Audit and Assessment Techniques
• Connections to IT Investment Management & Cloud Computing
• Questions
Learning Objectives
• Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle.
• Discuss initial questions that will help determine audit strategy.
• Explore the connection between vendor management and IT investment management.
• Touch on the importance of vendor due diligence related to cloud computing strategy.
Healthcare Technology Regulation (timeline)
• Late 1990's: HIPAA legislation drafted
• 2001: only 18% of providers have adopted EMRs
• 2003: HIPAA Privacy Rule compliance deadline
• 2005: Security Rule compliance deadline
• 2008: OIG begins auditing CMS enforcement of the Security Rule
• 2009: HITECH Act requires adoption of EMRs and includes Breach Notification Requirements
• 2013: 78% of providers have adopted EMRs
• 2014: Healthcare begins to be plagued by breaches
Also noted on the timeline:
• Concern over credit card breaches increases awareness of PCI requirements
• Office for Civil Rights slow to start next phase of HIPAA Security compliance audits
• Electronic Medical Record systems have been in existence for 30 years
Vendor Management Definitions

Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. ~ISACA

Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks. ~CUNA Due Diligence Task Force
Vendor Management Lifecycle
Strategy Questions
• Do business line leaders know how to engage with IT to ask for what they need?
• Are IT strategy and business strategy aligned?
• Does your organization maintain a record of the vendors with which it does business?
• Are all IT services and solutions procured through a centralized process?
• Does your organization have an established Project Management Office?
• Are processes for engaging with vendors documented?
• Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?
Scope Selection
Risks and Control Objectives (one column per due diligence step)

Due Diligence Step: Needs Assessment
Risks: Pay too much for services or solutions; process does not comply with policies related to diversity, value analysis, etc.
Control Objectives:
• Need for a solution is identified
• Business requirements are defined
• Regulatory & Info Security requirements are defined
• Approvals to move ahead with identifying a solution are obtained
Participants: Business Unit; Information Services; IT Security; IT Committees (verification)

Due Diligence Step: Request for Proposals
Risks: Purchase IT services or solutions that do not meet the needs of the organization or service requirements
Control Objectives:
• Opportunity to bid is presented to multiple vendors
• Information is gathered from vendors and analyzed
• Best vendors are accepted to move to the next step on the due diligence process
Participants: Business Unit; Information Services; IT Security; IT Committees (establish expectations for RFP)

Due Diligence Step: Vendor Analysis
Risks: Select vendors with reputation, financial, security, design, capacity problems
Control Objectives:
• Risk assessment (strategic, reputational, operational, financial, compliance…) is performed
• Financial analysis is performed
• Capability to meet business requirements is evaluated
Participants: Business Unit; Information Services; IT Security; IT Committees (approvals)

Due Diligence Step: Review and Approval
Risks: Enter a contractual relationship with a vendor without having reasonable assurance that vendor requirements will be met
Control Objectives:
• Vendor selection is made by authorized participants
• Selection is reviewed and approved by authorized leaders or committees
Participants: Business Unit; Information Services; IT Security; IT Committees (approval)

Selected Vendor Solution Moves to Implementation Phase
Testing Approach – Needs Assessment
• Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
• Select a sample of Business Line Leaders who have presented projects for review
• Interview the Leaders to understand the process that they followed
• Review project documentation to determine if a needs assessment was conducted
• Interview IT personnel assigned to the project to understand the process that they followed
• Determine if regulatory and information security requirements were defined and addressed
• Look for documented approvals
Testing Approach – Request for Proposals
• Review project documentation to determine if the opportunity to bid was presented to multiple vendors
• Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP)
• Determine if regulatory and information security requirements were addressed in the RFP document
• Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses
• Look for documented justification for the vendors accepted to move to the next step
Testing Approach – Vendor Analysis
• Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection
• Review project documentation to determine if a vendor risk assessment was conducted
• Determine if a financial analysis (business case) was completed
• Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs
Testing Approach – Review and Approval
• Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection
• Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees
Results
• Identified need for a comprehensive, documented process
  – All parties involved followed a process, but it differed from one project team to the next
  – None of the Business Line Leaders were familiar with the process
  – Documentation was inconsistent, project names shifted from start to finish, and IT personnel handed projects off from phase to phase
  – IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
• Found a loophole in a fundamental organizational policy
  – If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly
IT Investment Management Overview
IT-enabled investments will:
• Be managed as a portfolio of investments
• Include the full scope of activities required to achieve business value
• Be managed through their full economic life cycle
Value delivery practices will:
• Recognize there are different categories of investments that will be evaluated and managed differently
• Define and monitor key metrics and respond quickly to any changes or deviations
• Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
• Be continually monitored, evaluated and improved
~ISACA Val IT Guidance
Recommend
More recommend