IT Vendor Due Diligence (PowerPoint presentation)

SLIDE 1

IT Vendor Due Diligence

Jennifer McGill CIA, CISA, CGEIT
IT Audit Director
Carolinas HealthCare System
December 9, 2014

SLIDE 2

Carolinas HealthCare System (CHS)

  • Second largest not-for-profit healthcare system in the nation
  • Largest healthcare system in the Southeast
  • 40 hospitals, 11 nursing homes and over 900 outpatient service locations
  • Over 2,300 employed physicians and nearly 400 residents; more than 40,000 FTEs
  • Net operating revenue: $7.8 billion
  • AA-rated since 1983

SLIDE 3

CHS Audit Services

Chief Audit Executive (reports to Chief Legal Counsel)

  • IT Audit: enterprise-wide, 14 computing environments; 1 Director, 4 Auditors
  • Financial & Operational Audit, Charlotte-area Hospitals: 1 Director, 1 Manager, 6 Auditors
  • Financial & Operational Audit, Corporate Operations: 1 Director, 1 Manager, 5 Auditors, 2 Construction Auditors
  • Financial & Operational Audit, Regional NC, SC, GA Hospitals and Health Systems, Physician Practices, Joint Ventures: 1 Director, 5 Auditors

SLIDE 4

Agenda

  • Learning Objectives
  • Background on Healthcare Technology Regulation
  • Vendor Management Lifecycle
  • Due Diligence as a Focus Area
  • Risks and Control Objectives
  • Audit and Assessment Techniques
  • Connections to IT Investment Management & Cloud Computing
  • Questions
SLIDE 5

Learning Objectives

  • Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle.
  • Discuss initial questions that will help determine audit strategy.
  • Explore the connection between vendor management and IT investment management.
  • Touch on the importance of vendor due diligence related to cloud computing strategy.

SLIDE 6

Healthcare Technology Regulation (timeline)

  • Electronic Medical Record systems have been in existence for 30 years
  • Late 1990's: HIPAA legislation drafted
  • 2001: only 18% of providers have adopted EMRs
  • 2003: HIPAA Privacy Rule compliance deadline
  • 2005: HIPAA Security Rule compliance deadline
  • 2008: OIG begins auditing CMS enforcement of the Security Rule
  • 2009: HITECH Act requires adoption of EMRs and includes Breach Notification Requirements
  • 2013: 78% of providers have adopted EMRs
  • 2014: Office for Civil Rights slow to start next phase of HIPAA Security compliance audits
  • Healthcare begins to be plagued by breaches; concern over credit card breaches increases awareness of PCI requirements

SLIDE 7

Vendor Management Definitions

Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized.

~ ISACA

Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks.

~ CUNA Due Diligence Task Force

SLIDE 8

Vendor Management Lifecycle

SLIDE 9

Strategy Questions

  • Do business line leaders know how to engage with IT to ask for what they need?
  • Are IT strategy and business strategy aligned?
  • Does your organization maintain a record of the vendors with which it does business?
  • Are all IT services and solutions procured through a centralized process?
  • Does your organization have an established Project Management Office?
  • Are processes for engaging with vendors documented?
  • Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?

SLIDE 10

Scope Selection

SLIDE 11

Risks and Control Objectives

For each due diligence step: the risk it addresses, its control objectives, and the participants.

Step 1: Needs Assessment

Risk: Purchase IT services or solutions that do not meet the needs of the organization.

Control objectives:
  • Need for a solution is identified
  • Business requirements are defined
  • Regulatory & information security requirements are defined
  • Approvals to move ahead with identifying a solution are obtained

Participants: Business Unit, Information Services, IT Security, IT Committees (approvals)

Step 2: Request for Proposals

Risk: Pay too much for services or solutions; process does not comply with policies related to vendor diversity, value analysis, etc.

Control objectives:
  • Opportunity to bid is presented to multiple vendors
  • Information is gathered from vendors and analyzed
  • Best vendors are accepted to move to the next step in the due diligence process

Participants: Business Unit, Information Services, IT Security, IT Committees (establish expectations for RFP)

Step 3: Vendor Analysis

Risk: Select vendors with reputation, financial, security, design, capacity or service problems.

Control objectives:
  • Risk assessment (strategic, reputational, operational, financial, compliance…) is performed
  • Financial analysis is performed
  • Capability to meet business requirements is evaluated

Participants: Business Unit, Information Services, IT Security, IT Committees (verification)

Step 4: Review and Approval

Risk: Enter a contractual relationship with a vendor without having reasonable assurance that requirements will be met.

Control objectives:
  • Vendor selection is made by authorized participants
  • Selection is reviewed and approved by authorized leaders or committees

Participants: Business Unit, Information Services, IT Security, IT Committees (approval)

Selected vendor solution moves to the Implementation phase.

SLIDE 12

Testing Approach – Needs Assessment

  • Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
  • Select a sample of Business Line Leaders who have presented projects for review
  • Interview the Leaders to understand the process that they followed
  • Review project documentation to determine if a needs assessment was conducted
  • Interview IT personnel assigned to the project to understand the process that they followed
  • Determine if regulatory and information security requirements were defined and addressed
  • Look for documented approvals

SLIDE 13

Testing Approach – Request for Proposals

  • Review project documentation to determine if the opportunity to bid was presented to multiple vendors
  • Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP)
  • Determine if regulatory and information security requirements were addressed in the RFP document
  • Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses
  • Look for documented justification for the vendors accepted to move to the next step

SLIDE 14

Testing Approach – Vendor Analysis

  • Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection
  • Review project documentation to determine if a vendor risk assessment was conducted
  • Determine if a financial analysis (business case) was completed
  • Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs

SLIDE 15

Testing Approach – Review and Approval

  • Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection
  • Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees

SLIDE 16

Results

  • Identified need for a comprehensive, documented process
    – All parties involved followed a process, but it differed from one project team to the next
    – None of the Business Line Leaders were familiar with the process
    – Documentation was inconsistent, project names shifted from start to finish, and IT personnel handed projects off from phase to phase
    – IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
  • Found a loophole in a fundamental organizational policy
    – If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly

SLIDE 17

IT Investment Management Overview

IT-enabled investments will:

  • Be managed as a portfolio of investments
  • Include the full scope of activities required to achieve business value
  • Be managed through their full economic life cycle

Value delivery practices will:

  • Recognize there are different categories of investments that will be evaluated and managed differently
  • Define and monitor key metrics and respond quickly to any changes or deviations
  • Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
  • Be continually monitored, evaluated and improved

~ISACA Val IT Guidance

SLIDE 18

Cloud Computing Strategy

  • Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network.
  • The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it). Strong vendor due diligence practices are critical to protecting the organization's interests in this type of arrangement.

SLIDE 19

Questions & Discussion

Jennifer.McGill@carolinashealthcare.org 704-512-5895