Airport Information Technology Vendor Management Follow-Up
Denver International Airport’s Business Technologies Division fully implemented five recommendations made in the original audit report, but only partially implemented four others.
In less than one year, Business Technologies implemented and operationalized an information technology vendor risk management program. As part of the implementation, it developed a strategic vendor management lifecycle management plan, implemented policies and procedures, trained staff on vendor management processes, and improved the continuous monitoring of vendors. Implementing these recommendations helps reduce the airport’s exposure to unapproved technology vendor risks and enhances its overall security.
Remaining Risks
The recommendations Business Technologies did not fully implement present several lingering risks. Among them:
- Business Technologies did not fully implement an automated single source of record for its vendors and relies on a controlled spreadsheet on SharePoint. The lack of an automated system may increase the likelihood a vendor may not be included in the airport’s vendor risk management process.
- Business Technologies did not develop and finalize supporting procedures for some vendor management lifecycle management processes. Failure to document processes may lead to inconsistent performance of tasks associated with the airport’s vendor risk management process.
Auditor's Letter
November 7, 2024
In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.
In September 2023, we audited Airport Information Technology Vendor Management and found risks that included: no documented policies, procedures, or training plans for monitoring vendors; no centralized system for tracking technology vendors; no requirements for monitoring service-level agreements in technology contracts; and inconsistent documentation of lessons learned after major incidents.
We recently followed up and found Denver International Airport’s Business Technologies Division fully implemented five recommendations and partially implemented four recommendations.
Although Business Technologies has made significant progress, it did not fully address all the risks associated with our original findings. Consequently, we may revisit these risk areas in future audits to ensure the city takes appropriate corrective action.
We appreciate the leaders and team members at Business Technologies who shared their time and knowledge with us throughout the audit and the follow-up process. Please contact me at 720-913-5000 with any questions.
Denver Auditor's Office
Timothy O'Brien, CPA
Denver Auditor