IT Vendor Due Diligence
Jennifer McGill, CIA, CISA, CGEIT, IT Audit Director
Carolinas HealthCare System, December 9, 2014
Carolinas HealthCare System (CHS)
• Second largest not-for-profit healthcare system in the nation
• Largest healthcare system in the Southeast
• 40 hospitals, 11 nursing homes and over 900 outpatient service locations
• Over 2,300 employed physicians and nearly 400 residents; more than 40,000 FTEs
• Net operating revenue: $7.8 billion
• AA-rated since 1983
CHS Audit Services
• Chief Audit Executive, reports to Chief Legal Counsel
• Two audit groups: IT Audit; Financial & Operational Audit
• Coverage areas: Charlotte-area Hospitals; Corporate Operations; Regional NC, SC, GA Hospitals and Health Systems; Physician Practices; Joint Ventures; Enterprise-wide (14 Computing Environments)
• Staffing as charted: 1 Director, 4 Auditors; 1 Director, 1 Manager, 6 Auditors; 1 Director, 1 Manager, 5 Auditors; 2 Construction Auditors; 1 Director, 5 Auditors
Agenda
• Learning Objectives
• Background on Healthcare Technology Regulation
• Vendor Management Lifecycle
• Due Diligence as a Focus Area
• Risks and Control Objectives
• Audit and Assessment Techniques
• Connections to IT Investment Management & Cloud Computing
• Questions
Learning Objectives
• Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle.
• Discuss initial questions that will help determine audit strategy.
• Explore the connection between vendor management and IT investment management.
• Touch on the importance of vendor due diligence related to cloud computing strategy.
Healthcare Technology Regulation (timeline)
• Electronic Medical Record systems have been in existence for 30 years
• Late 1990’s: HIPAA legislation drafted
• 2001: only 18% of providers have adopted EMRs
• 2003: HIPAA Privacy Rule compliance deadline
• 2005: HIPAA Security Rule compliance deadline
• 2008: OIG begins auditing CMS enforcement of the Security Rule
• 2009: HITECH Act requires adoption of EMRs and includes Breach Notification Requirements
• Healthcare begins to be plagued by breaches; concern over credit card breaches increases awareness of PCI requirements
• 2013: 78% of providers have adopted EMRs
• 2014: Office for Civil Rights slow to start next phase of HIPAA Security compliance audits
Vendor Management Definitions
Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized.
~ISACA
Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks.
~ CUNA Due Diligence Task Force
Vendor Management Lifecycle
Strategy Questions
• Do business line leaders know how to engage with IT to ask for what they need?
• Are IT strategy and business strategy aligned?
• Does your organization maintain a record of the vendors with which it does business?
• Are all IT services and solutions procured through a centralized process?
• Does your organization have an established Project Management Office?
• Are processes for engaging with vendors documented?
• Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?
Scope Selection
Risks and Control Objectives
(For each due diligence step: the risk it addresses, its control objectives, and the participants)

Due Diligence Step 1: Needs Assessment
Risk: Purchase IT services or solutions that do not meet the needs of the organization
Control Objectives:
• Need for a solution is identified
• Business requirements are defined
• Regulatory & Info Security requirements are defined
• Approvals to move ahead with identifying a solution are obtained
Participants: Business Unit; Information Services; IT Security; IT Committees (approvals)

Due Diligence Step 2: Request for Proposals
Risk: Pay too much for services or solutions; process does not comply with policies related to vendor diversity, value analysis, etc.
Control Objectives:
• Opportunity to bid is presented to multiple vendors
• Information is gathered from vendors and analyzed
• Best vendors are accepted to move to the next step in the due diligence process
Participants: Business Unit; Information Services; IT Security; IT Committees (establish expectations for RFP)

Due Diligence Step 3: Vendor Analysis
Risk: Select vendors with reputation, financial, security, design, capacity or service problems
Control Objectives:
• Risk assessment (strategic, reputational, operational, financial, compliance…) is performed
• Financial analysis is performed
• Capability to meet business requirements is evaluated
Participants: Business Unit; Information Services; IT Security; IT Committees (verification)

Due Diligence Step 4: Review and Approval
Risk: Enter a contractual relationship with a vendor without having reasonable assurance that requirements will be met
Control Objectives:
• Vendor selection is made by authorized participants
• Selection is reviewed and approved by authorized leaders or committees
Participants: Business Unit; Information Services; IT Security; IT Committees (approval)

Selected Vendor Solution Moves to Implementation Phase
Testing Approach – Needs Assessment
• Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
• Select a sample of Business Line Leaders who have presented projects for review
• Interview the Leaders to understand the process that they followed
• Review project documentation to determine if needs assessment was conducted
• Interview IT personnel assigned to the project to understand the process that they followed
• Determine if regulatory and information security requirements were defined and addressed
• Look for documented approvals
Testing Approach – Request for Proposals
• Review project documentation to determine if the opportunity to bid was presented to multiple vendors
• Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP)
• Determine if regulatory and information security requirements were addressed in the RFP document
• Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses
• Look for documented justification for the vendors accepted to move to the next step
Testing Approach – Vendor Analysis
• Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection
• Review project documentation to determine if vendor risk assessment was conducted
• Determine if a financial analysis (business case) was completed
• Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs
Testing Approach – Review and Approval
• Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection
• Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees
Results
• Identified need for comprehensive, documented process
– All parties involved followed a process, but it differed from one project team to the next
– None of the Business Line Leaders were familiar with the process
– Documentation was inconsistent, project names shifted from start to finish, IT personnel handed projects off from phase to phase
– IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
• Found a loophole in a fundamental organizational policy
– If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly
IT Investment Management Overview
IT-enabled investments will:
• Be managed as a portfolio of investments
• Include the full scope of activities required to achieve business value
• Be managed through their full economic life cycle
Value delivery practices will:
• Recognize there are different categories of investments that will be evaluated and managed differently
• Define and monitor key metrics and respond quickly to any changes or deviations
• Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
• Be continually monitored, evaluated and improved
~ISACA Val IT Guidance
Cloud Computing Strategy
• Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network.
• The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it).
Strong vendor due diligence practices are critical to protecting the organization’s interests in this type of arrangement.
Questions & Discussion