Information Technology Vendor Management


Objective

The objective of our audit of the city’s information technology vendor management was to assess the effectiveness of Technology Services’ processes for vendor management governance, continuous monitoring, and compliance with agency policies and procedures.

Background

An effective information technology vendor management process controls costs, promotes excellent service, and reduces risks to ensure the organization gets the best value from its vendors.

Technology Services is the city’s agency responsible for information technology. It provides information technology-related infrastructure, systems, and services to most city agencies. This responsibility includes selecting third-party vendors for specialized technology needs and overseeing these vendors to ensure they provide the best value to taxpayers.

Why this matters

Technology Services’ delay in establishing a comprehensive governance structure risks the city not getting what it pays for from outside vendors. If technology vendors do not adequately protect city data or if they do not deliver services as promised, city agencies and residents could be affected and the city’s reputation is at risk.

Findings

FINDING — Technology Services Does Not Systematically Manage Its Vendors

The agency’s oversight of its information technology vendors is inadequate. Agency leaders delayed finalizing a proposed vendor management policy — a crucial component of a comprehensive governance structure — until after this audit was completed.

Specifically, Technology Services is missing:

  • Official policies and procedures to guide its employees, enforce requirements, and hold vendors accountable.
  • Defined roles and responsibilities or designated authority for the specific employees involved with vendor management.
  • Budgetary plans to fund and adequately staff the vendor management function.
  • Training plans to educate employees about how to monitor vendors in line with approved policy.

Meanwhile, we also found Technology Services does not:

  • Consistently monitor its vendors for existing security controls.
  • Hold these vendors accountable for meeting contract requirements.
  • Have a consistent process when vendors stop working for the city.
  • Store vendors’ data in a central system.

Recommendations

1.1 Establish Organizational Structure – The city’s Technology Services agency should perform a staffing analysis to determine budget and staffing needs for the vendor management process. Based on this staffing analysis, the chief information officer should establish a staffing plan and designate an organizational structure, with a designated authority, for the vendor management team. The chief information officer should then document this structure in an approved vendor management policy.

Agency Response: Agree, Implementation Date – March 14, 2023

1.2 Refine Strategic Plan Objectives – The city’s Technology Services agency should refine its strategic plan to include sufficient detail about how it will plan the vendor management process — including:

  • Performance indicators for monitoring vendors’ contract compliance.
  • Securing data and network infrastructure.
  • Training city staff.
  • Engaging proactively with vendors and partners.
  • Improving how it selects and contracts with critical vendors to save taxpayer money.
  • Monitoring other city agencies’ compliance with technology plans, budgets, standards, and policies and procedures.

Each objective should have a measurable timeline.

Agency Response: Agree, Implementation Date – March 14, 2023

1.3 Refine, Approve, and Implement Vendor Management Policy and Procedures – The city’s Technology Services agency should refine its draft vendor management policy with more detail about the organizational structure, how it will communicate staff’s roles and responsibilities, and how it will train staff. In addition, Technology Services should create all needed procedures that will be referenced in the policy, including but not limited to procedures described in recommendations 1.5, 1.6, and 1.7. Once the agency completes these procedures, the chief information officer should approve the revised draft vendor management policy as soon as possible.

Agency Response: Agree, Implementation Date – March 14, 2023

1.4 Develop and Conduct Training – The city’s Technology Services agency should develop a training plan to ensure staff with roles and responsibilities for information technology vendor management are aware and informed of how the process is structured and how it should operate.

Agency Response: Agree, Implementation Date – March 14, 2023

1.5 Develop and Approve Security Review Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should develop and implement security review procedures to ensure staff comprehensively and continuously monitor all information technology vendors for security concerns. These procedures should include at a minimum:

  • Security reviews at intake and on a regular basis thereafter, at least once a year.
  • Documentation for why a vendor is excluded from annual security reviews.
  • Current independent security assessments.

Agency Response: Agree, Implementation Date – March 14, 2023

1.6 Develop and Approve Performance-Monitoring Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should:

  • Populate ServiceNow with the service-level objectives.
  • Develop and incorporate procedures to ensure staff are comprehensively and continuously monitoring all vendors to verify they are meeting contract terms and the requirements of their service-level agreements.
  • Include steps in procedures to ensure contracts contain service-level agreements and service-level objectives and that these service-level objectives are relevant, enforceable, and measurable.
  • Define and implement a process for seeking restitution when vendors break agreed-upon performance objectives.

Agency Response: Agree, Implementation Date – Dec. 14, 2022

1.7 Develop and Approve Vendor-Separation Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should develop and approve a process for when vendors separate from the city, and then management should communicate these procedures to relevant staff.

Agency Response: Agree, Implementation Date – Nov. 14, 2022

1.8 Implement a Single System of Record for Vendor Management – The city’s Technology Services agency should establish a single system of record, such as ServiceNow, for vendor management data and monitoring activities. Once Technology Services establishes a single system of record, it should create a process for reviewing vendor management-related data to ensure accuracy.

Agency Response: Agree, Implementation Date – Sept. 15, 2023

Auditor's Letter

September 15, 2022

We audited how the city’s Technology Services agency handles vendor management to assess how effectively it oversees its information technology vendors, monitors their performance, and has established policies, procedures, and other processes it follows to ensure good governance. I now present the results of this audit.

The audit revealed Technology Services has no comprehensive structure for vendor management. The agency has an incomplete strategy and lacks several key components of effective governance — including detailed and approved policies and procedures; defined roles and responsibilities; and plans for staffing, budget, and training. Because of this, the agency does not effectively monitor its vendors to ensure they have safeguards to secure city data and that they provide services as they are contractually required to. Technology Services is also not holding these vendors accountable when they fail to meet contractually required objectives, and the agency does not track when vendors stop working for the city. Additionally, we found Technology Services’ data for vendor management is decentralized.

By implementing recommendations for a stronger vendor management governance structure, Technology Services will be better equipped to effectively manage and monitor the city’s information technology vendors and hold them accountable for providing the services they were hired for.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We appreciate the leaders and team members in Technology Services who shared their time and knowledge with us during the audit. Please contact me at 720-913-5000 with any questions.

Timothy O'Brien, CPA


Denver Auditor



Denver Auditor’s Office

201 W. Colfax Ave. #705, Denver, CO 80202
Email: auditor@denvergov.org
Call: 720-913-5000