2014.12.09 Presentation - IT Vendor Due Diligence

Page 1

IT Vendor Due Diligence

Jennifer McGill, CIA, CISA, CGEIT, IT Audit Director

Carolinas HealthCare System
December 9, 2014

Page 2

Carolinas HealthCare System (CHS)

• Second largest not-for-profit healthcare system in the nation

• Largest healthcare system in the Southeast

• 40 hospitals, 11 nursing homes and over 900 outpatient service locations

• Over 2,300 employed physicians and nearly 400 residents; more than 40,000 FTEs

• Net operating revenue: $7.8 billion

• AA-rated since 1983

Page 3

CHS Audit Services

Chief Audit Executive

Reports to Chief Legal Counsel

IT Audit Financial & Operational Audit

Charlotte-area Hospitals

Corporate Operations

Regional NC, SC, GA Hospitals and Health Systems

Physician Practices

Joint Ventures

Enterprise-wide

14 Computing Environments

1 Director, 4 Auditors

1 Director, 1 Manager, 6 Auditors

1 Director, 1 Manager, 5 Auditors

2 Construction Auditors

1 Director, 5 Auditors

Page 4

Agenda

• Learning Objectives

• Background on Healthcare Technology Regulation

• Vendor Management Lifecycle

• Due Diligence as a Focus Area

• Risks and Control Objectives

• Audit and Assessment Techniques

• Connections to IT Investment Management & Cloud Computing

• Questions

Page 5

Learning Objectives

• Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle.

• Discuss initial questions that will help determine audit strategy.

• Explore the connection between vendor management and IT investment management.

• Touch on the importance of vendor due diligence related to cloud computing strategy.

Page 6

Healthcare Technology Regulation

• Late 1990's: HIPAA legislation drafted

• 2003: HIPAA Privacy Rule compliance deadline

• 2005: HIPAA Security Rule compliance deadline

• 2008: OIG begins auditing CMS enforcement of the Security Rule

• 2009: HITECH Act requires adoption of EMRs and includes Breach Notification Requirements

• 2014: Office for Civil Rights slow to start next phase of HIPAA Security compliance audits

• Electronic Medical Record systems have been in existence for 30 years

• In 2001, only 18% of providers had adopted EMRs

• In 2013, 78% of providers had adopted EMRs

• Healthcare begins to be plagued by breaches

• Concern over credit card breaches increases awareness of PCI requirements

Page 7

Vendor Management Definitions

Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized.

~ISACA

Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks.

~ CUNA Due Diligence Task Force

Page 8

Vendor Management Lifecycle

Page 9

Strategy Questions

• Do business line leaders know how to engage with IT to ask for what they need?

• Are IT strategy and business strategy aligned?

• Does your organization maintain a record of the vendors with which it does business?

• Are all IT services and solutions procured through a centralized process?

• Does your organization have an established Project Management Office?

• Are processes for engaging with vendors documented?

• Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?

Page 10

Scope Selection

Page 11

Risks and Control Objectives

Needs Assessment

Risk: Purchase IT services or solutions that do not meet the needs of the organization

Control Objectives:

• Need for a solution is identified

• Business requirements are defined

• Regulatory & Info Security requirements are defined

• Approvals to move ahead with identifying a solution are obtained

Participants: Business Unit, Information Services, IT Security, IT Committees (approvals)

Request for Proposals

Risks: Pay too much for services or solutions; process does not comply with policies related to vendor diversity, value analysis, etc.

Control Objectives:

• Opportunity to bid is presented to multiple vendors

• Information is gathered from vendors and analyzed

• Best vendors are accepted to move to the next step in the due diligence process

Participants: Business Unit, Information Services, IT Security, IT Committees (establish expectations for RFP)

Vendor Analysis

Risk: Select vendors with reputation, financial, security, design, capacity or service problems

Control Objectives:

• Risk assessment (strategic, reputational, operational, financial, compliance…) is performed

• Financial analysis is performed

• Capability to meet business requirements is evaluated

Participants: Business Unit, Information Services, IT Security, IT Committees (verification)

Review and Approval

Risk: Enter a contractual relationship with a vendor without having reasonable assurance that requirements will be met

Control Objectives:

• Vendor selection is made by authorized participants

• Selection is reviewed and approved by authorized leaders or committees

Participants: Business Unit, Information Services, IT Security, IT Committees (approval)

Selected Vendor Solution Moves to Implementation Phase

Page 12

Testing Approach – Needs Assessment

• Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings

• Select a sample of Business Line Leaders who have presented projects for review

• Interview the Leaders to understand the process that they followed

• Review project documentation to determine if needs assessment was conducted

• Interview IT personnel assigned to the project to understand the process that they followed

• Determine if regulatory and information security requirements were defined and addressed

• Look for documented approvals

Page 13

Testing Approach – Request for Proposals

• Review project documentation to determine if the opportunity to bid was presented to multiple vendors

• Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP)

• Determine if regulatory and information security requirements were addressed in the RFP document

• Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses

• Look for documented justification for the vendors accepted to move to the next step

Page 14

Testing Approach – Vendor Analysis

• Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection

• Review project documentation to determine if vendor risk assessment was conducted

• Determine if a financial analysis (business case) was completed

• Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs

Page 15

Testing Approach – Review and Approval

• Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection

• Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees

Page 16

Results

• Identified need for comprehensive, documented process

– All parties involved followed a process, but it differed from one project team to the next

– None of the Business Line Leaders were familiar with the process

– Documentation was inconsistent, project names shifted from start to finish, IT personnel handed projects off from phase to phase

– IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy

• Found a loophole in a fundamental organizational policy

– If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly

Page 17

IT Investment Management Overview

IT-enabled investments will:

• Be managed as a portfolio of investments

• Include the full scope of activities required to achieve business value

• Be managed through their full economic life cycle

Value delivery practices will:

• Recognize there are different categories of investments that will be evaluated and managed differently

• Define and monitor key metrics and respond quickly to any changes or deviations

• Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits

• Be continually monitored, evaluated and improved

~ISACA Val IT Guidance

Page 18

Cloud Computing Strategy

• Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network.

• The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it).

Strong vendor due diligence practices are critical to protecting the organization's interests in this type of arrangement.

Page 19

Questions & Discussion

[email protected]