Vendor Management Assessment Checklist

Upload: chinh-le-dinh

Post on 02-Jun-2018


  • 8/10/2019 Vendor Management Assessment Checklist

    1/16

    Vendor Management Category Review Results

    No.   Summary Checklist Question   Red (No)   Yellow (Partial)   Green (Yes)   N/A

    I Drivers

    1 Has management been through a comprehensive decision-making process to solicit reasons to outsource a function?

    2 Have there been formal meetings and communications to identify and discuss the potential of outsourcing as a strategy?

    3 Has management researched other organizations' plans to utilize outsourcing within the same industry?

    II Feasibility Study

    1 Did management formally study the adequacy of its internal human, financial, and technological resources to effectively support an outsourcing relationship?

    2 Does management have formal policies and procedures to address the selection process and management of the service provider?

    3 Did management formally assess and analyze whether it was necessary to outsource the function to an external service provider?

    4 Did management research the outsourcing trends and best practices currently being utilized in management's business environment?

    5 Did management research whether it is possible to outsource a function within management's regulatory framework?

    6 Did management research the adequacy of available service providers (in quantity and quality) to be contracted for the outsourced function?

    7 Has management analyzed and documented the impact from outsourcing a function on technological and business aspects of client operations?

    8 Were objections and/or issues regarding the outsourcing selection and decision process identified and documented?

    9 Did the decision to outsource go through formal authorization / consistent procedures as though a new line of business is being approved?

    10 Is management's IT environment that is being considered for outsourcing centralized?

    Assessment

    Objective: The Vendor Management Summary Checklist is designed to gain a high-level understanding of certain critical areas of the management-service provider relationship.

    Created: 8/6/99. Modified and Printed on: 11/5/2014. Summary Checklist Page 1 of 16


    III Contract

    1 Is the existing contract a detailed contract (vs. a relational contract/partnership) that binds management and service provider to specific terms and conditions?

    2 Are all relevant parties (both management and the service provider) involved in the contract negotiations?

    3 Has management hired external experts, consultants, or used in-house staff to help negotiate specific sections of the contract?

    4 Is there a formal contract review process in place (management and service provider) to ensure that all their individual concerns and needs have been addressed in the contract and that it is complete before signing?

    5 Has the contract been through legal scrutiny or review to ensure its legality and that all legal rights and obligations have been addressed for both management and service provider?

    6 Is the contract benchmarked against international/national standards organizations or regulatory agencies to ensure that all necessary areas have been addressed?

    7 Are the items in the contract flexible to accommodate changes in the service environment?

    8 Does the contract address data privacy and confidentiality?


    IV Service Level Agreements (SLA)

    1 Is there a formal, documented Service Level Agreement between management and service provider?

    2 Does the SLA include a section that documents the standards and processes to mitigate the risk of operational failure or liabilities, and that includes:

    a a provision for the appropriate level of technical support for all hardware, operating systems and application software?

    b the maintenance of physical and logical security environments to the service standards?

    c change management procedures?

    d scheduled maintenance plans?

    e the need for a documented Business Continuity Plan and/or Disaster Recovery Plan from management and service provider?

    f escrow agreements on source code developed by the service provider to ensure that the code is not lost?

    g insurance for client and service provider which adequately protects assets against damage or loss?

    h the need for the service provider to sign confidentiality agreements to protect management from fraudulent use of intellectual property and proprietary assets?

    i a requirement that the service provider create useful documentation (i.e. maintenance checklists, user's and systems manuals) for management?

    j the formal procedures for identifying, documenting, and monitoring conflicts of interest?

    k the performance measurement methods and processes?

    l the specific performance analysis reports needed to be created during performance measurement monitoring?

    m the penalties charged to the service provider in the event of non-performance or SLA violations?

    n problem management and escalation procedures?

    o terms for computer operations including backups and monitoring computer utilization?

    p the requirement, frequency, and by whom an independent audit of the operations of the service provider would be conducted and the specific use of the reports by management?

    q the formal periodic reviews and evaluations to validate service provider continuance?

    r the ownership of physical and non-physical assets?

    s data retention agreements?

    t the termination of a service provider?


    3 Does the SLA include a detailed section listing all the systems, applications, and databases supported by the work of the service provider?

    4 Are the clauses in the SLA flexible to accommodate changes in the service environment?

    5 Is the SLA benchmarked against best practices, regulatory agencies, or international/national standards?

    V Organizational/Accountability

    1 Are detailed employee position descriptions and responsibilities formally documented for both client and service provider?

    2 Does management have the necessary management skills to effectively manage the service provider relationship?

    3 Does management perform background checks to verify that the service provider employees have the necessary technical skills and business knowledge to perform in their roles?

    4 Is there a centralized management function/team within management that is responsible for managing the entire client-service provider relationship?

    5 Are there small teams within the central management function/team that are responsible for managing specific areas in the service provider relationship?

    6 Do policies (documented separately or as part of the SLA or contract) exist that specify the insurance coverage?

    7 Do policies (documented separately or as part of the SLA or contract) exist that specify the decisions regarding acquiring equipment, hardware, and applications?

    8 Do policies (documented separately or as part of the SLA or contract) exist that specify the parties accountable for staffing issues?

    9 Does management monitor in-house and service provider employee turnover for trends or concerns?

    10 Did management take responsibility for managing conflict of interest?

    11 Is there appropriate separation of duties between client and service provider employees?

    12 Does management and/or service provider have a security policy in place addressing service provider access?


    VI Control Environment/Monitoring

    Control Environment

    1 Have the reporting lines (organizational structure) been reviewed for effectiveness in communication and knowledge transfer?

    a Are there regular reviews of service provider policies and procedures against management's policies and strategy to ensure alignment between policy standards?

    b Are policies and procedures monitored for compliance with governing regulatory agencies?

    c Does Beacon's and service provider's insurance coverage reflect any and all changes to the service relationship and environment?

    d Are audits of the service provider performed internally or externally on a periodic basis?

    e How are Beacon communications, change requests, etc. received and monitored by service provider management?

    f Are separate budgets, strategic initiatives, and capital expenditures kept and monitored by service provider management for Beacon?

    Monitoring

    2 Does the service provider have any benchmarks that can be measured?

    a Is there a specific team or division at the service provider in charge of gathering the data, analyzing measurements, producing reports, and ensuring monitoring procedures as specified in the SLA/contract?

    b If yes, is the monitoring process automated?

    c Are measurements and calculations recorded for the service provider's performance level done in a timely manner and reviewed periodically?

    d Are performance measurement reports that analyze the results and trends computed and reviewed by service provider management? Are these reports provided to management?

    e Are the documents that were used in creating and calculating performance measurements kept on file (paper or electronically) for future reference and audits?

    f Are there necessary tools available to effectively measure and report on service provider performance?

    g Are any performance weaknesses or exceptions addressed by the service provider and their status reported to management?

    h Are periodic meetings held with the service provider in order to discuss monitoring weaknesses?

    i Are penalties enforced on the service provider for non-performance as specified in the SLA?

    Operations

    3 Are there formal policies and procedures for computer operations including backups, computer utilization, and data retention?


    d Are security reviews performed of service provider employee access to applications?

    e Are access requirements for service provider employees tested to determine if the access is proper for their roles and responsibilities?

    f Are service provider employees required to obtain IDs and security access cards to client buildings and secured areas?

    g For networking/web projects, are firewalls installed to restrict unauthorized access?

    h Are activity levels for the network/websites monitored for security issues?

    i Is the service provider's environment physically secure? Are any of the client's assets at the service provider secured?

    j Is access to client data appropriately restricted to the proper service provider employees?

    k Are service provider employees required to sign non-disclosure (of client information/data) agreements?

    l If a privacy and confidentiality agreement exists, does management require that service provider employees are aware of and kept current on the confidentiality agreement and its provisions?

    If yes, does management require that all service provider employees have signed a confidentiality agreement?

    m Is the service provider in compliance with key data privacy and security regulations (e.g. HIPAA, GLBA, etc.)? What evidence exists?


    VII Service Level Problem Management and Escalation Procedures

    1 Are escalation procedures formally documented in the SLA and agreed upon by both management and service provider?

    2 Is the person(s) or team(s) that caused the issues/problems identified at the outset of an issue/problem?

    3 Are there specific, appropriate reporting lines established within the organization for the escalation and reporting of issues/problems that give a division ownership of the resolution of issues/problems?

    4 Are problems and issues documented and tracked through to their resolution?

    5 Are problems and issues prioritized?

    6 Are there methods for tracking the effectiveness and usefulness of the problem management and service level escalation procedures?

    VIII Billing/Invoice Processing

    1 Is the bill/invoice compared to the contract specifications by management for accuracy and reasonableness?

    2 Are there formal policies and procedures involved in disputing a bill/invoice?

    IX Annual Service Provider Reassessment

    1 Do all service provider relationships receive a formal periodic review and evaluation by management to validate continuance of the SLA/contract?

    2 Is there a formal evaluation and review matrix that details what characteristics the evaluation should focus on and the critical areas to study?

    3 Is there a requirement for a periodic independent audit of the service provider?

    4 Is management also periodically reviewed for compliance with the contract and service level agreement?

    5 Are the performance levels of each individual employee of the service provider, assigned to work for management, evaluated and reported on?


    Recommendations
